summaryrefslogtreecommitdiffstats
path: root/contrib/bind9/doc/arm/Bv9ARM.ch06.html
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/bind9/doc/arm/Bv9ARM.ch06.html')
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch06.html7114
1 files changed, 0 insertions, 7114 deletions
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch06.html b/contrib/bind9/doc/arm/Bv9ARM.ch06.html
deleted file mode 100644
index d829a17..0000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch06.html
+++ /dev/null
@@ -1,7114 +0,0 @@
-<!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.ch06.html,v 1.82.18.73 2007/10/31 01:35:58 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter�6.�BIND 9 Configuration Reference</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter�5.�The BIND 9 Lightweight Resolver">
-<link rel="next" href="Bv9ARM.ch07.html" title="Chapter�7.�BIND 9 Security Considerations">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter�6.�<acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a>�</td>
-<th width="60%" align="center">�</th>
-<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch06"></a>Chapter�6.�<acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573480">Comment Syntax</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574092"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
- Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574282"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
- Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574711"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574726"><span><strong class="command">include</strong></span> Statement Definition and
- Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574749"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574771"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574930"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575056"><span><strong class="command">logging</strong></span> Statement Definition and
- Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576406"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576480"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576544"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576587"><span><strong class="command">masters</strong></span> Statement Definition and
- Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576602"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
- Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
- Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585361"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585410"><span><strong class="command">trusted-keys</strong></span> Statement Definition
- and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585490"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
- Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586798"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2589080">Zone File</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591101">Discussion of MX Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591653">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591848">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592173"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
-</dl></dd>
-</dl>
-</div>
-<p>
- <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
- to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
- areas
- of configuration, such as views. <acronym class="acronym">BIND</acronym>
- 8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
- 9, although more complex configurations should be reviewed to check
- if they can be more efficiently implemented using the new features
- found in <acronym class="acronym">BIND</acronym> 9.
- </p>
-<p>
- <acronym class="acronym">BIND</acronym> 4 configuration files can be
- converted to the new format
- using the shell script
- <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
- </p>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
-<p>
- Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
- file documentation:
- </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <code class="varname">acl_name</code>
- </p>
- </td>
-<td>
- <p>
- The name of an <code class="varname">address_match_list</code> as
- defined by the <span><strong class="command">acl</strong></span> statement.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">address_match_list</code>
- </p>
- </td>
-<td>
- <p>
- A list of one or more
- <code class="varname">ip_addr</code>,
- <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
- or <code class="varname">acl_name</code> elements, see
- <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">masters_list</code>
- </p>
- </td>
-<td>
- <p>
- A named list of one or more <code class="varname">ip_addr</code>
- with optional <code class="varname">key_id</code> and/or
- <code class="varname">ip_port</code>.
- A <code class="varname">masters_list</code> may include other
- <code class="varname">masters_lists</code>.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">domain_name</code>
- </p>
- </td>
-<td>
- <p>
- A quoted string which will be used as
- a DNS name, for example "<code class="literal">my.test.domain</code>".
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">dotted_decimal</code>
- </p>
- </td>
-<td>
- <p>
- One to four integers valued 0 through
- 255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
- <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">ip4_addr</code>
- </p>
- </td>
-<td>
- <p>
- An IPv4 address with exactly four elements
- in <code class="varname">dotted_decimal</code> notation.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">ip6_addr</code>
- </p>
- </td>
-<td>
- <p>
- An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
- IPv6 scoped addresses that have ambiguity on their scope
- zones must be
- disambiguated by an appropriate zone ID with the percent
- character
- (`%') as delimiter.
- It is strongly recommended to use string zone names rather
- than
- numeric identifiers, in order to be robust against system
- configuration changes.
- However, since there is no standard mapping for such names
- and
- identifier values, currently only interface names as link
- identifiers
- are supported, assuming one-to-one mapping between
- interfaces and links.
- For example, a link-local address <span><strong class="command">fe80::1</strong></span> on the
- link attached to the interface <span><strong class="command">ne0</strong></span>
- can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
- Note that on most systems link-local addresses always have
- the
- ambiguity, and need to be disambiguated.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">ip_addr</code>
- </p>
- </td>
-<td>
- <p>
- An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">ip_port</code>
- </p>
- </td>
-<td>
- <p>
- An IP port <code class="varname">number</code>.
- The <code class="varname">number</code> is limited to 0
- through 65535, with values
- below 1024 typically restricted to use by processes running
- as root.
- In some cases, an asterisk (`*') character can be used as a
- placeholder to
- select a random high-numbered port.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">ip_prefix</code>
- </p>
- </td>
-<td>
- <p>
- An IP network specified as an <code class="varname">ip_addr</code>,
- followed by a slash (`/') and then the number of bits in the
- netmask.
- Trailing zeros in a <code class="varname">ip_addr</code>
- may omitted.
- For example, <span><strong class="command">127/8</strong></span> is the
- network <span><strong class="command">127.0.0.0</strong></span> with
- netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
- network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">key_id</code>
- </p>
- </td>
-<td>
- <p>
- A <code class="varname">domain_name</code> representing
- the name of a shared key, to be used for transaction
- security.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">key_list</code>
- </p>
- </td>
-<td>
- <p>
- A list of one or more
- <code class="varname">key_id</code>s,
- separated by semicolons and ending with a semicolon.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">number</code>
- </p>
- </td>
-<td>
- <p>
- A non-negative 32-bit integer
- (i.e., a number between 0 and 4294967295, inclusive).
- Its acceptable value might further
- be limited by the context in which it is used.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">path_name</code>
- </p>
- </td>
-<td>
- <p>
- A quoted string which will be used as
- a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">size_spec</code>
- </p>
- </td>
-<td>
- <p>
- A number, the word <strong class="userinput"><code>unlimited</code></strong>,
- or the word <strong class="userinput"><code>default</code></strong>.
- </p>
- <p>
- An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
- use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
- the limit that was in force when the server was started.
- </p>
- <p>
- A <code class="varname">number</code> can optionally be
- followed by a scaling factor:
- <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
- for kilobytes,
- <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
- for megabytes, and
- <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
- which scale by 1024, 1024*1024, and 1024*1024*1024
- respectively.
- </p>
- <p>
- The value must be representable as a 64-bit unsigned integer
- (0 to 18446744073709551615, inclusive).
- Using <code class="varname">unlimited</code> is the best
- way
- to safely set a really large number.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">yes_or_no</code>
- </p>
- </td>
-<td>
- <p>
- Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
- The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
- also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
- and <strong class="userinput"><code>0</code></strong>.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">dialup_option</code>
- </p>
- </td>
-<td>
- <p>
- One of <strong class="userinput"><code>yes</code></strong>,
- <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
- <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
- <strong class="userinput"><code>passive</code></strong>.
- When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
- <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
- are restricted to slave and stub zones.
- </p>
- </td>
-</tr>
-</tbody>
-</table></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573277"></a>Syntax</h4></div></div></div>
-<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
- [<span class="optional"> address_match_list_element; ... </span>]
-<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
- key key_id | acl_name | { address_match_list } )
-</pre>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573305"></a>Definition and Usage</h4></div></div></div>
-<p>
- Address match lists are primarily used to determine access
- control for various server operations. They are also used in
- the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
- statements. The elements
- which constitute an address match list can be any of the
- following:
- </p>
-<div class="itemizedlist"><ul type="disc">
-<li>an IP address (IPv4 or IPv6)</li>
-<li>an IP prefix (in `/' notation)</li>
-<li>
- a key ID, as defined by the <span><strong class="command">key</strong></span>
- statement
- </li>
-<li>the name of an address match list defined with
- the <span><strong class="command">acl</strong></span> statement
- </li>
-<li>a nested address match list enclosed in braces</li>
-</ul></div>
-<p>
- Elements can be negated with a leading exclamation mark (`!'),
- and the match list names "any", "none", "localhost", and
- "localnets"
- are predefined. More information on those names can be found in
- the description of the acl statement.
- </p>
-<p>
- The addition of the key clause made the name of this syntactic
- element something of a misnomer, since security keys can be used
- to validate access without regard to a host or network address.
- Nonetheless,
- the term "address match list" is still used throughout the
- documentation.
- </p>
-<p>
- When a given IP address or prefix is compared to an address
- match list, the list is traversed in order until an element
- matches.
- The interpretation of a match depends on whether the list is being
- used
- for access control, defining listen-on ports, or in a sortlist,
- and whether the element was negated.
- </p>
-<p>
- When used as an access control list, a non-negated match
- allows access and a negated match denies access. If
- there is no match, access is denied. The clauses
- <span><strong class="command">allow-notify</strong></span>,
- <span><strong class="command">allow-query</strong></span>,
- <span><strong class="command">allow-query-cache</strong></span>,
- <span><strong class="command">allow-transfer</strong></span>,
- <span><strong class="command">allow-update</strong></span>,
- <span><strong class="command">allow-update-forwarding</strong></span>, and
- <span><strong class="command">blackhole</strong></span> all use address match
- lists. Similarly, the listen-on option will cause the
- server to not accept queries on any of the machine's
- addresses which do not match the list.
- </p>
-<p>
- Because of the first-match aspect of the algorithm, an element
- that defines a subset of another element in the list should come
- before the broader element, regardless of whether either is
- negated. For
- example, in
- <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13
- element is
- completely useless because the algorithm will match any lookup for
- 1.2.3.13 to the 1.2.3/24 element.
- Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
- that problem by having 1.2.3.13 blocked by the negation but all
- other 1.2.3.* hosts fall through.
- </p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2573480"></a>Comment Syntax</h3></div></div></div>
-<p>
- The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
- comments to appear
- anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
- file. To appeal to programmers of all kinds, they can be written
- in the C, C++, or shell/perl style.
- </p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573495"></a>Syntax</h4></div></div></div>
-<p>
- </p>
-<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
-<p>
- </p>
-<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
-<p>
- </p>
-<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells and perl</pre>
-<p>
- </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2573525"></a>Definition and Usage</h4></div></div></div>
-<p>
- Comments may appear anywhere that whitespace may appear in
- a <acronym class="acronym">BIND</acronym> configuration file.
- </p>
-<p>
- C-style comments start with the two characters /* (slash,
- star) and end with */ (star, slash). Because they are completely
- delimited with these characters, they can be used to comment only
- a portion of a line or to span multiple lines.
- </p>
-<p>
- C-style comments cannot be nested. For example, the following
- is not valid because the entire comment ends with the first */:
- </p>
-<p>
-
-</p>
-<pre class="programlisting">/* This is the start of a comment.
- This is still part of the comment.
-/* This is an incorrect attempt at nesting a comment. */
- This is no longer in any comment. */
-</pre>
-<p>
-
- </p>
-<p>
- C++-style comments start with the two characters // (slash,
- slash) and continue to the end of the physical line. They cannot
- be continued across multiple physical lines; to have one logical
- comment span multiple lines, each line must use the // pair.
- </p>
-<p>
- For example:
- </p>
-<p>
-
-</p>
-<pre class="programlisting">// This is the start of a comment. The next line
-// is a new comment, even though it is logically
-// part of the previous comment.
-</pre>
-<p>
-
- </p>
-<p>
- Shell-style (or perl-style, if you prefer) comments start
- with the character <code class="literal">#</code> (number sign)
- and continue to the end of the
- physical line, as in C++ comments.
- </p>
-<p>
- For example:
- </p>
-<p>
-
-</p>
-<pre class="programlisting"># This is the start of a comment. The next line
-# is a new comment, even though it is logically
-# part of the previous comment.
-</pre>
-<p>
-
- </p>
-<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
-<p>
- You cannot use the semicolon (`;') character
- to start a comment such as you would in a zone file. The
- semicolon indicates the end of a configuration
- statement.
- </p>
-</div>
-</div>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
-<p>
- A <acronym class="acronym">BIND</acronym> 9 configuration consists of
- statements and comments.
- Statements end with a semicolon. Statements and comments are the
- only elements that can appear without enclosing braces. Many
- statements contain a block of sub-statements, which are also
- terminated with a semicolon.
- </p>
-<p>
- The following statements are supported:
- </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p><span><strong class="command">acl</strong></span></p>
- </td>
-<td>
- <p>
- defines a named IP address
- matching list, for access control and other uses.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">controls</strong></span></p>
- </td>
-<td>
- <p>
- declares control channels to be used
- by the <span><strong class="command">rndc</strong></span> utility.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">include</strong></span></p>
- </td>
-<td>
- <p>
- includes a file.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">key</strong></span></p>
- </td>
-<td>
- <p>
- specifies key information for use in
- authentication and authorization using TSIG.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">logging</strong></span></p>
- </td>
-<td>
- <p>
- specifies what the server logs, and where
- the log messages are sent.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">lwres</strong></span></p>
- </td>
-<td>
- <p>
- configures <span><strong class="command">named</strong></span> to
- also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">masters</strong></span></p>
- </td>
-<td>
- <p>
- defines a named masters list for
- inclusion in stub and slave zone masters clauses.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">options</strong></span></p>
- </td>
-<td>
- <p>
- controls global server configuration
- options and sets defaults for other statements.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">server</strong></span></p>
- </td>
-<td>
- <p>
- sets certain configuration options on
- a per-server basis.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">trusted-keys</strong></span></p>
- </td>
-<td>
- <p>
- defines trusted DNSSEC keys.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">view</strong></span></p>
- </td>
-<td>
- <p>
- defines a view.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">zone</strong></span></p>
- </td>
-<td>
- <p>
- defines a zone.
- </p>
- </td>
-</tr>
-</tbody>
-</table></div>
-<p>
- The <span><strong class="command">logging</strong></span> and
- <span><strong class="command">options</strong></span> statements may only occur once
- per
- configuration.
- </p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574092"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
- address_match_list
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and
- Usage</h3></div></div></div>
-<p>
- The <span><strong class="command">acl</strong></span> statement assigns a symbolic
- name to an address match list. It gets its name from a primary
- use of address match lists: Access Control Lists (ACLs).
- </p>
-<p>
- Note that an address match list's name must be defined
- with <span><strong class="command">acl</strong></span> before it can be used
- elsewhere; no
- forward references are allowed.
- </p>
-<p>
- The following ACLs are built-in:
- </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p><span><strong class="command">any</strong></span></p>
- </td>
-<td>
- <p>
- Matches all hosts.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">none</strong></span></p>
- </td>
-<td>
- <p>
- Matches no hosts.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">localhost</strong></span></p>
- </td>
-<td>
- <p>
- Matches the IPv4 and IPv6 addresses of all network
- interfaces on the system.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">localnets</strong></span></p>
- </td>
-<td>
- <p>
- Matches any host on an IPv4 or IPv6 network
- for which the system has an interface.
- Some systems do not provide a way to determine the prefix
- lengths of
- local IPv6 addresses.
- In such a case, <span><strong class="command">localnets</strong></span>
- only matches the local
- IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
- </p>
- </td>
-</tr>
-</tbody>
-</table></div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574282"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">controls</strong></span> {
- [ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> }
- keys { <em class="replaceable"><code>key_list</code></em> }; ]
- [ inet ...; ]
- [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em> keys { <em class="replaceable"><code>key_list</code></em> }; ]
- [ unix ...; ]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and
- Usage</h3></div></div></div>
-<p>
- The <span><strong class="command">controls</strong></span> statement declares control
- channels to be used by system administrators to control the
- operation of the name server. These control channels are
- used by the <span><strong class="command">rndc</strong></span> utility to send
- commands to and retrieve non-DNS results from a name server.
- </p>
-<p>
- An <span><strong class="command">inet</strong></span> control channel is a TCP socket
- listening at the specified <span><strong class="command">ip_port</strong></span> on the
- specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
- address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
- interpreted as the IPv4 wildcard address; connections will be
- accepted on any of the system's IPv4 addresses.
- To listen on the IPv6 wildcard address,
- use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
- If you will only use <span><strong class="command">rndc</strong></span> on the local host,
- using the loopback address (<code class="literal">127.0.0.1</code>
- or <code class="literal">::1</code>) is recommended for maximum security.
- </p>
-<p>
- If no port is specified, port 953 is used. The asterisk
- "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
- </p>
-<p>
- The ability to issue commands over the control channel is
- restricted by the <span><strong class="command">allow</strong></span> and
- <span><strong class="command">keys</strong></span> clauses.
- Connections to the control channel are permitted based on the
- <span><strong class="command">address_match_list</strong></span>. This is for simple
- IP address based filtering only; any <span><strong class="command">key_id</strong></span>
- elements of the <span><strong class="command">address_match_list</strong></span>
- are ignored.
- </p>
-<p>
- A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
- socket listening at the specified path in the file system.
- Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
- <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
- Note on some platforms (SunOS and Solaris) the permissions
- (<span><strong class="command">perm</strong></span>) are applied to the parent directory
- as the permissions on the socket itself are ignored.
- </p>
-<p>
- The primary authorization mechanism of the command
- channel is the <span><strong class="command">key_list</strong></span>, which
- contains a list of <span><strong class="command">key_id</strong></span>s.
- Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
- is authorized to execute commands over the control channel.
- See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called &#8220;Administrative Tools&#8221;</a>)
- for information about configuring keys in <span><strong class="command">rndc</strong></span>.
- </p>
-<p>
- If no <span><strong class="command">controls</strong></span> statement is present,
- <span><strong class="command">named</strong></span> will set up a default
- control channel listening on the loopback address 127.0.0.1
- and its IPv6 counterpart ::1.
- In this case, and also when the <span><strong class="command">controls</strong></span> statement
- is present but does not have a <span><strong class="command">keys</strong></span> clause,
- <span><strong class="command">named</strong></span> will attempt to load the command channel key
- from the file <code class="filename">rndc.key</code> in
- <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
- was specified as when <acronym class="acronym">BIND</acronym> was built).
- To create a <code class="filename">rndc.key</code> file, run
- <strong class="userinput"><code>rndc-confgen -a</code></strong>.
- </p>
-<p>
- The <code class="filename">rndc.key</code> feature was created to
- ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
- which did not have digital signatures on its command channel
- messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
-
- It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
- configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
- and still have <span><strong class="command">rndc</strong></span> work the same way
- <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
- command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
- installed.
- </p>
-<p>
- Since the <code class="filename">rndc.key</code> feature
- is only intended to allow the backward-compatible usage of
- <acronym class="acronym">BIND</acronym> 8 configuration files, this
- feature does not
- have a high degree of configurability. You cannot easily change
- the key name or the size of the secret, so you should make a
- <code class="filename">rndc.conf</code> with your own key if you
- wish to change
- those things. The <code class="filename">rndc.key</code> file
- also has its
- permissions set such that only the owner of the file (the user that
- <span><strong class="command">named</strong></span> is running as) can access it.
- If you
- desire greater flexibility in allowing other users to access
- <span><strong class="command">rndc</strong></span> commands, then you need to create
- a
- <code class="filename">rndc.conf</code> file and make it group
- readable by a group
- that contains the users who should have access.
- </p>
-<p>
- To disable the command channel, use an empty
- <span><strong class="command">controls</strong></span> statement:
- <span><strong class="command">controls { };</strong></span>.
- </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574711"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">include <em class="replaceable"><code>filename</code></em>;</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574726"></a><span><strong class="command">include</strong></span> Statement Definition and
- Usage</h3></div></div></div>
-<p>
- The <span><strong class="command">include</strong></span> statement inserts the
- specified file at the point where the <span><strong class="command">include</strong></span>
- statement is encountered. The <span><strong class="command">include</strong></span>
- statement facilitates the administration of configuration
- files
- by permitting the reading or writing of some things but not
- others. For example, the statement could include private keys
- that are readable only by the name server.
- </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574749"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">key <em class="replaceable"><code>key_id</code></em> {
- algorithm <em class="replaceable"><code>string</code></em>;
- secret <em class="replaceable"><code>string</code></em>;
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574771"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>
- The <span><strong class="command">key</strong></span> statement defines a shared
- secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
- or the command channel
- (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
- Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
- Usage&#8221;</a>).
- </p>
-<p>
- The <span><strong class="command">key</strong></span> statement can occur at the
- top level
- of the configuration file or inside a <span><strong class="command">view</strong></span>
- statement. Keys defined in top-level <span><strong class="command">key</strong></span>
- statements can be used in all views. Keys intended for use in
- a <span><strong class="command">controls</strong></span> statement
- (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
- Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
- Usage&#8221;</a>)
- must be defined at the top level.
- </p>
-<p>
- The <em class="replaceable"><code>key_id</code></em>, also known as the
- key name, is a domain name uniquely identifying the key. It can
- be used in a <span><strong class="command">server</strong></span>
- statement to cause requests sent to that
- server to be signed with this key, or in address match lists to
- verify that incoming requests have been signed with a key
- matching this name, algorithm, and secret.
- </p>
-<p>
- The <em class="replaceable"><code>algorithm_id</code></em> is a string
- that specifies a security/authentication algorithm. Named
- supports <code class="literal">hmac-md5</code>,
- <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
- <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
- and <code class="literal">hmac-sha512</code> TSIG authentication.
- Truncated hashes are supported by appending the minimum
- number of required bits preceded by a dash, e.g.
- <code class="literal">hmac-sha1-80</code>. The
- <em class="replaceable"><code>secret_string</code></em> is the secret
- to be used by the algorithm, and is treated as a base-64
- encoded string.
- </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2574930"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">logging</strong></span> {
- [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
- ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path name</code></em>
- [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
- [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
- | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
- | <span><strong class="command">stderr</strong></span>
- | <span><strong class="command">null</strong></span> );
- [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
- <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
- [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
- [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
- [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
- }; ]
- [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
- <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
- }; ]
- ...
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575056"></a><span><strong class="command">logging</strong></span> Statement Definition and
- Usage</h3></div></div></div>
-<p>
- The <span><strong class="command">logging</strong></span> statement configures a
- wide
- variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
- associates output methods, format options and severity levels with
- a name that can then be used with the <span><strong class="command">category</strong></span> phrase
- to select how various classes of messages are logged.
- </p>
-<p>
- Only one <span><strong class="command">logging</strong></span> statement is used to
- define
- as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
- the logging configuration will be:
- </p>
-<pre class="programlisting">logging {
- category default { default_syslog; default_debug; };
- category unmatched { null; };
-};
-</pre>
-<p>
- In <acronym class="acronym">BIND</acronym> 9, the logging configuration
- is only established when
- the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was
- established as soon as the <span><strong class="command">logging</strong></span>
- statement
- was parsed. When the server is starting up, all logging messages
- regarding syntax errors in the configuration file go to the default
- channels, or to standard error if the "<code class="option">-g</code>" option
- was specified.
- </p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2575108"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
-<p>
- All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
- you can make as many of them as you want.
- </p>
-<p>
- Every channel definition must include a destination clause that
- says whether messages selected for the channel go to a file, to a
- particular syslog facility, to the standard error stream, or are
- discarded. It can optionally also limit the message severity level
- that will be accepted by the channel (the default is
- <span><strong class="command">info</strong></span>), and whether to include a
- <span><strong class="command">named</strong></span>-generated time stamp, the
- category name
- and/or severity level (the default is not to include any).
- </p>
-<p>
- The <span><strong class="command">null</strong></span> destination clause
- causes all messages sent to the channel to be discarded;
- in that case, other options for the channel are meaningless.
- </p>
-<p>
- The <span><strong class="command">file</strong></span> destination clause directs
- the channel
- to a disk file. It can include limitations
- both on how large the file is allowed to become, and how many
- versions
- of the file will be saved each time the file is opened.
- </p>
-<p>
- If you use the <span><strong class="command">versions</strong></span> log file
- option, then
- <span><strong class="command">named</strong></span> will retain that many backup
- versions of the file by
- renaming them when opening. For example, if you choose to keep
- three old versions
- of the file <code class="filename">lamers.log</code>, then just
- before it is opened
- <code class="filename">lamers.log.1</code> is renamed to
- <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
- to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
- renamed to <code class="filename">lamers.log.0</code>.
- You can say <span><strong class="command">versions unlimited</strong></span> to
- not limit
- the number of versions.
- If a <span><strong class="command">size</strong></span> option is associated with
- the log file,
- then renaming is only done when the file being opened exceeds the
- indicated size. No backup versions are kept by default; any
- existing
- log file is simply appended.
- </p>
-<p>
- The <span><strong class="command">size</strong></span> option for files is used
- to limit log
- growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
- stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
- associated with it. If backup versions are kept, the files are
- rolled as
- described above and a new one begun. If there is no
- <span><strong class="command">versions</strong></span> option, no more data will
- be written to the log
- until some out-of-band mechanism removes or truncates the log to
- less than the
- maximum size. The default behavior is not to limit the size of
- the
- file.
- </p>
-<p>
- Example usage of the <span><strong class="command">size</strong></span> and
- <span><strong class="command">versions</strong></span> options:
- </p>
-<pre class="programlisting">channel an_example_channel {
- file "example.log" versions 3 size 20m;
- print-time yes;
- print-category yes;
-};
-</pre>
-<p>
- The <span><strong class="command">syslog</strong></span> destination clause
- directs the
- channel to the system log. Its argument is a
- syslog facility as described in the <span><strong class="command">syslog</strong></span> man
- page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
- <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
- <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
- <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
- <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
- <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
- <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
- <span><strong class="command">local7</strong></span>, however not all facilities
- are supported on
- all operating systems.
- How <span><strong class="command">syslog</strong></span> will handle messages
- sent to
- this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
- page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
- only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
- then this clause is silently ignored.
- </p>
-<p>
- The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
- "priorities", except that they can also be used if you are writing
- straight to a file rather than using <span><strong class="command">syslog</strong></span>.
- Messages which are not at least of the severity level given will
- not be selected for the channel; messages of higher severity
- levels
- will be accepted.
- </p>
-<p>
- If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
- will also determine what eventually passes through. For example,
- defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
- only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
- cause messages of severity <span><strong class="command">info</strong></span> and
- <span><strong class="command">notice</strong></span> to
- be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
- messages of only <span><strong class="command">warning</strong></span> or higher,
- then <span><strong class="command">syslogd</strong></span> would
- print all messages it received from the channel.
- </p>
-<p>
- The <span><strong class="command">stderr</strong></span> destination clause
- directs the
- channel to the server's standard error stream. This is intended
- for
- use when the server is running as a foreground process, for
- example
- when debugging a configuration.
- </p>
-<p>
- The server can supply extensive debugging information when
- it is in debugging mode. If the server's global debug level is
- greater
- than zero, then debugging mode will be active. The global debug
- level is set either by starting the <span><strong class="command">named</strong></span> server
- with the <code class="option">-d</code> flag followed by a positive integer,
- or by running <span><strong class="command">rndc trace</strong></span>.
- The global debug level
- can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
-notrace</strong></span>. All debugging messages in the server have a debug
- level, and higher debug levels give more detailed output. Channels
- that specify a specific debug severity, for example:
- </p>
-<pre class="programlisting">channel specific_debug_level {
- file "foo";
- severity debug 3;
-};
-</pre>
-<p>
- will get debugging output of level 3 or less any time the
- server is in debugging mode, regardless of the global debugging
- level. Channels with <span><strong class="command">dynamic</strong></span>
- severity use the
- server's global debug level to determine what messages to print.
- </p>
-<p>
- If <span><strong class="command">print-time</strong></span> has been turned on,
- then
- the date and time will be logged. <span><strong class="command">print-time</strong></span> may
- be specified for a <span><strong class="command">syslog</strong></span> channel,
- but is usually
- pointless since <span><strong class="command">syslog</strong></span> also prints
- the date and
- time. If <span><strong class="command">print-category</strong></span> is
- requested, then the
- category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
- on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
- be used in any combination, and will always be printed in the
- following
- order: time, category, severity. Here is an example where all
- three <span><strong class="command">print-</strong></span> options
- are on:
- </p>
-<p>
- <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
- </p>
-<p>
- There are four predefined channels that are used for
- <span><strong class="command">named</strong></span>'s default logging as follows.
- How they are
- used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called &#8220;The <span><strong class="command">category</strong></span> Phrase&#8221;</a>.
- </p>
-<pre class="programlisting">channel default_syslog {
- syslog daemon; // send to syslog's daemon
- // facility
- severity info; // only send priority info
- // and higher
-};
-
-channel default_debug {
- file "named.run"; // write to named.run in
- // the working directory
- // Note: stderr is used instead
- // of "named.run"
- // if the server is started
- // with the '-f' option.
- severity dynamic; // log at the server's
- // current debug level
-};
-
-channel default_stderr {
- stderr; // writes to stderr
- severity info; // only send priority info
- // and higher
-};
-
-channel null {
- null; // toss anything sent to
- // this channel
-};
-</pre>
-<p>
- The <span><strong class="command">default_debug</strong></span> channel has the
- special
- property that it only produces output when the server's debug
- level is
- nonzero. It normally writes to a file called <code class="filename">named.run</code>
- in the server's working directory.
- </p>
-<p>
- For security reasons, when the "<code class="option">-u</code>"
- command line option is used, the <code class="filename">named.run</code> file
- is created only after <span><strong class="command">named</strong></span> has
- changed to the
- new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
- starting up and still running as root is discarded. If you need
- to capture this output, you must run the server with the "<code class="option">-g</code>"
- option and redirect standard error to a file.
- </p>
-<p>
- Once a channel is defined, it cannot be redefined. Thus you
- cannot alter the built-in channels directly, but you can modify
- the default logging by pointing categories at channels you have
- defined.
- </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
-<p>
- There are many categories, so you can send the logs you want
- to see wherever you want, without seeing logs you don't want. If
- you don't specify a list of channels for a category, then log
- messages
- in that category will be sent to the <span><strong class="command">default</strong></span> category
- instead. If you don't specify a default category, the following
- "default default" is used:
- </p>
-<pre class="programlisting">category default { default_syslog; default_debug; };
-</pre>
-<p>
- As an example, let's say you want to log security events to
- a file, but you also want keep the default logging behavior. You'd
- specify the following:
- </p>
-<pre class="programlisting">channel my_security_channel {
- file "my_security_file";
- severity info;
-};
-category security {
- my_security_channel;
- default_syslog;
- default_debug;
-};</pre>
-<p>
- To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
- </p>
-<pre class="programlisting">category xfer-out { null; };
-category notify { null; };
-</pre>
-<p>
- Following are the available categories and brief descriptions
- of the types of log information they contain. More
- categories may be added in future <acronym class="acronym">BIND</acronym> releases.
- </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p><span><strong class="command">default</strong></span></p>
- </td>
-<td>
- <p>
- The default category defines the logging
- options for those categories where no specific
- configuration has been
- defined.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">general</strong></span></p>
- </td>
-<td>
- <p>
- The catch-all. Many things still aren't
- classified into categories, and they all end up here.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">database</strong></span></p>
- </td>
-<td>
- <p>
- Messages relating to the databases used
- internally by the name server to store zone and cache
- data.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">security</strong></span></p>
- </td>
-<td>
- <p>
- Approval and denial of requests.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">config</strong></span></p>
- </td>
-<td>
- <p>
- Configuration file parsing and processing.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">resolver</strong></span></p>
- </td>
-<td>
- <p>
- DNS resolution, such as the recursive
- lookups performed on behalf of clients by a caching name
- server.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">xfer-in</strong></span></p>
- </td>
-<td>
- <p>
- Zone transfers the server is receiving.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">xfer-out</strong></span></p>
- </td>
-<td>
- <p>
- Zone transfers the server is sending.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">notify</strong></span></p>
- </td>
-<td>
- <p>
- The NOTIFY protocol.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">client</strong></span></p>
- </td>
-<td>
- <p>
- Processing of client requests.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">unmatched</strong></span></p>
- </td>
-<td>
- <p>
- Messages that named was unable to determine the
- class of or for which there was no matching <span><strong class="command">view</strong></span>.
- A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
- This category is best sent to a file or stderr, by
- default it is sent to
- the <span><strong class="command">null</strong></span> channel.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">network</strong></span></p>
- </td>
-<td>
- <p>
- Network operations.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">update</strong></span></p>
- </td>
-<td>
- <p>
- Dynamic updates.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">update-security</strong></span></p>
- </td>
-<td>
- <p>
- Approval and denial of update requests.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">queries</strong></span></p>
- </td>
-<td>
- <p>
- Specify where queries should be logged to.
- </p>
- <p>
- At startup, specifying the category <span><strong class="command">queries</strong></span> will also
- enable query logging unless <span><strong class="command">querylog</strong></span> option has been
- specified.
- </p>
- <p>
- The query log entry reports the client's IP address and
- port number, and the
- query name, class and type. It also reports whether the
- Recursion Desired
- flag was set (+ if set, - if not set), EDNS was in use
- (E) or if the
- query was signed (S).
- </p>
- <p>
- <code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code>
- </p>
- <p>
- <code class="computeroutput">client ::1#62537: query: www.example.net IN AAAA -SE</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">dispatch</strong></span></p>
- </td>
-<td>
- <p>
- Dispatching of incoming packets to the
- server modules where they are to be processed.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">dnssec</strong></span></p>
- </td>
-<td>
- <p>
- DNSSEC and TSIG protocol processing.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">lame-servers</strong></span></p>
- </td>
-<td>
- <p>
- Lame servers. These are misconfigurations
- in remote servers, discovered by BIND 9 when trying to
- query
- those servers during resolution.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">delegation-only</strong></span></p>
- </td>
-<td>
- <p>
- Delegation only. Logs queries that have have
- been forced to NXDOMAIN as the result of a
- delegation-only zone or
- a <span><strong class="command">delegation-only</strong></span> in a
- hint or stub zone declaration.
- </p>
- </td>
-</tr>
-</tbody>
-</table></div>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576406"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
-<p>
- This is the grammar of the <span><strong class="command">lwres</strong></span>
- statement in the <code class="filename">named.conf</code> file:
- </p>
-<pre class="programlisting"><span><strong class="command">lwres</strong></span> {
- [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
- [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
- [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576480"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>
- The <span><strong class="command">lwres</strong></span> statement configures the
- name
- server to also act as a lightweight resolver server. (See
- <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called &#8220;Running a Resolver Daemon&#8221;</a>.) There may be multiple
- <span><strong class="command">lwres</strong></span> statements configuring
- lightweight resolver servers with different properties.
- </p>
-<p>
- The <span><strong class="command">listen-on</strong></span> statement specifies a
- list of
- addresses (and ports) that this instance of a lightweight resolver
- daemon
- should accept requests on. If no port is specified, port 921 is
- used.
- If this statement is omitted, requests will be accepted on
- 127.0.0.1,
- port 921.
- </p>
-<p>
- The <span><strong class="command">view</strong></span> statement binds this
- instance of a
- lightweight resolver daemon to a view in the DNS namespace, so that
- the
- response will be constructed in the same manner as a normal DNS
- query
- matching this view. If this statement is omitted, the default view
- is
- used, and if there is no default view, an error is triggered.
- </p>
-<p>
- The <span><strong class="command">search</strong></span> statement is equivalent to
- the
- <span><strong class="command">search</strong></span> statement in
- <code class="filename">/etc/resolv.conf</code>. It provides a
- list of domains
- which are appended to relative names in queries.
- </p>
-<p>
- The <span><strong class="command">ndots</strong></span> statement is equivalent to
- the
- <span><strong class="command">ndots</strong></span> statement in
- <code class="filename">/etc/resolv.conf</code>. It indicates the
- minimum
- number of dots in a relative domain name that should result in an
- exact match lookup before search path elements are appended.
- </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576544"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">
-<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576587"></a><span><strong class="command">masters</strong></span> Statement Definition and
- Usage</h3></div></div></div>
-<p><span><strong class="command">masters</strong></span>
- lists allow for a common set of masters to be easily used by
- multiple stub and slave zones.
- </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576602"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
-<p>
- This is the grammar of the <span><strong class="command">options</strong></span>
- statement in the <code class="filename">named.conf</code> file:
- </p>
-<pre class="programlisting">options {
- [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
- [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
- [<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
- [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
- [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
- [<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>]
- [<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
- [<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> dnssec-validation <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> dnssec-lookaside <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em>; </span>]
- [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
- [<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
- [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] {
- ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] |
- <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ;
- ... }; </span>]
- [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
- ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
- [<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
- [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
- [<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
- [<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
- [<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
- [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
- [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
- [<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
- [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
- [<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
- [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
- [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
- [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
- [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
- [<span class="optional"> transfers-in <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
- [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
- [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>]
- [<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>]
- [<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>]
- [<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>]
- [<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }</span>];
- [<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }</span>];
- [<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] </span>] };
- [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>]
- [<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
- [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
- [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
- [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
- [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>; [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
- [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
- [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
- [<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>]
- [<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>]
- [<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
- [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
- Usage</h3></div></div></div>
-<p>
- The <span><strong class="command">options</strong></span> statement sets up global
- options
- to be used by <acronym class="acronym">BIND</acronym>. This statement
- may appear only
- once in a configuration file. If there is no <span><strong class="command">options</strong></span>
- statement, an options block with each option set to its default will
- be used.
- </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt>
-<dd><p>
- The working directory of the server.
- Any non-absolute pathnames in the configuration file will be
- taken
- as relative to this directory. The default location for most
- server
- output files (e.g. <code class="filename">named.run</code>)
- is this directory.
- If a directory is not specified, the working directory
- defaults to `<code class="filename">.</code>', the directory from
- which the server
- was started. The directory specified should be an absolute
- path.
- </p></dd>
-<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
-<dd><p>
- When performing dynamic update of secure zones, the
- directory where the public and private key files should be
- found,
- if different than the current working directory. The
- directory specified
- must be an absolute path.
- </p></dd>
-<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
-<dd><p>
- <span class="emphasis"><em>This option is obsolete.</em></span>
- It was used in <acronym class="acronym">BIND</acronym> 8 to
- specify the pathname to the <span><strong class="command">named-xfer</strong></span> program.
- In <acronym class="acronym">BIND</acronym> 9, no separate <span><strong class="command">named-xfer</strong></span> program is
- needed; its functionality is built into the name server.
- </p></dd>
-<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
-<dd><p>
- The domain appended to the names of all
- shared keys generated with
- <span><strong class="command">TKEY</strong></span>. When a client
- requests a <span><strong class="command">TKEY</strong></span> exchange, it
- may or may not specify
- the desired name for the key. If present, the name of the
- shared
- key will be "<code class="varname">client specified part</code>" +
- "<code class="varname">tkey-domain</code>".
- Otherwise, the name of the shared key will be "<code class="varname">random hex
-digits</code>" + "<code class="varname">tkey-domain</code>". In most cases,
- the <span><strong class="command">domainname</strong></span> should be the
- server's domain
- name.
- </p></dd>
-<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
-<dd><p>
- The Diffie-Hellman key used by the server
- to generate shared keys with clients using the Diffie-Hellman
- mode
- of <span><strong class="command">TKEY</strong></span>. The server must be
- able to load the
- public and private keys from files in the working directory.
- In
- most cases, the keyname should be the server's host name.
- </p></dd>
-<dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt>
-<dd><p>
- This is for testing only. Do not use.
- </p></dd>
-<dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt>
-<dd><p>
- The pathname of the file the server dumps
- the database to when instructed to do so with
- <span><strong class="command">rndc dumpdb</strong></span>.
- If not specified, the default is <code class="filename">named_dump.db</code>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
-<dd>
-<p>
- The pathname of the file the server writes memory
- usage statistics to on exit. If specified the
- statistics will be written to the file on exit.
- </p>
-<p>
- In <acronym class="acronym">BIND</acronym> 9.5 and later this will
- default to <code class="filename">named.memstats</code>.
- <acronym class="acronym">BIND</acronym> 9.5 will also introduce
- <span><strong class="command">memstatistics</strong></span> to control the
- writing.
- </p>
-</dd>
-<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
-<dd><p>
- The pathname of the file the server writes its process ID
- in. If not specified, the default is <code class="filename">/var/run/named.pid</code>.
- The pid-file is used by programs that want to send signals to
- the running
- name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
- use of a PID file &#8212; no file will be written and any
- existing one will be removed. Note that <span><strong class="command">none</strong></span>
- is a keyword, not a filename, and therefore is not enclosed
- in
- double quotes.
- </p></dd>
-<dt><span class="term"><span><strong class="command">recursing-file</strong></span></span></dt>
-<dd><p>
- The pathname of the file the server dumps
- the queries that are currently recursing when instructed
- to do so with <span><strong class="command">rndc recursing</strong></span>.
- If not specified, the default is <code class="filename">named.recursing</code>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt>
-<dd><p>
- The pathname of the file the server appends statistics
- to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
- If not specified, the default is <code class="filename">named.stats</code> in the
- server's current directory. The format of the file is
- described
- in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">port</strong></span></span></dt>
-<dd><p>
- The UDP/TCP port number the server uses for
- receiving and sending DNS protocol traffic.
- The default is 53. This option is mainly intended for server
- testing;
- a server using a port other than 53 will not be able to
- communicate with
- the global DNS.
- </p></dd>
-<dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt>
-<dd><p>
- The source of entropy to be used by the server. Entropy is
- primarily needed
- for DNSSEC operations, such as TKEY transactions and dynamic
- update of signed
- zones. This options specifies the device (or file) from which
- to read
- entropy. If this is a file, operations requiring entropy will
- fail when the
- file has been exhausted. If not specified, the default value
- is
- <code class="filename">/dev/random</code>
- (or equivalent) when present, and none otherwise. The
- <span><strong class="command">random-device</strong></span> option takes
- effect during
- the initial configuration load at server startup time and
- is ignored on subsequent reloads.
- </p></dd>
-<dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt>
-<dd><p>
- If specified, the listed type (A or AAAA) will be emitted
- before other glue
- in the additional section of a query response.
- The default is not to prefer any type (NONE).
- </p></dd>
-<dt><span class="term"><span><strong class="command">root-delegation-only</strong></span></span></dt>
-<dd>
-<p>
- Turn on enforcement of delegation-only in TLDs (top level domains) and root zones
- with an optional
- exclude list.
- </p>
-<p>
- Note some TLDs are not delegation only (e.g. "DE", "LV", "US"
- and "MUSEUM").
- </p>
-<pre class="programlisting">
-options {
- root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
-};
-</pre>
-</dd>
-<dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt>
-<dd><p>
- Disable the specified DNSSEC algorithms at and below the
- specified name.
- Multiple <span><strong class="command">disable-algorithms</strong></span>
- statements are allowed.
- Only the most specific will be applied.
- </p></dd>
-<dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt>
-<dd><p>
- When set, <span><strong class="command">dnssec-lookaside</strong></span>
- provides the
- validator with an alternate method to validate DNSKEY records
- at the
- top of a zone. When a DNSKEY is at or below a domain
- specified by the
- deepest <span><strong class="command">dnssec-lookaside</strong></span>, and
- the normal dnssec validation
- has left the key untrusted, the trust-anchor will be append to
- the key
- name and a DLV record will be looked up to see if it can
- validate the
- key. If the DLV record validates a DNSKEY (similarly to the
- way a DS
- record does) the DNSKEY RRset is deemed to be trusted.
- </p></dd>
-<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
-<dd><p>
- Specify hierarchies which must be or may not be secure (signed and
- validated).
- If <strong class="userinput"><code>yes</code></strong>, then named will only accept
- answers if they
- are secure.
- If <strong class="userinput"><code>no</code></strong>, then normal dnssec validation
- applies
- allowing for insecure answers to be accepted.
- The specified domain must be under a <span><strong class="command">trusted-key</strong></span> or
- <span><strong class="command">dnssec-lookaside</strong></span> must be
- active.
- </p></dd>
-</dl></div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="boolean_options"></a>Boolean Options</h4></div></div></div>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt>
-<dd><p>
- If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
- is always set on NXDOMAIN responses, even if the server is
- not actually
- authoritative. The default is <strong class="userinput"><code>no</code></strong>;
- this is
- a change from <acronym class="acronym">BIND</acronym> 8. If you
- are using very old DNS software, you
- may need to set it to <strong class="userinput"><code>yes</code></strong>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt>
-<dd><p>
- This option was used in <acronym class="acronym">BIND</acronym>
- 8 to enable checking
- for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
- the checks.
- </p></dd>
-<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
-<dd>
-<p>
- If <strong class="userinput"><code>yes</code></strong>, then the
- server treats all zones as if they are doing zone transfers
- across
- a dial-on-demand dialup link, which can be brought up by
- traffic
- originating from this server. This has different effects
- according
- to zone type and concentrates the zone maintenance so that
- it all
- happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
- hopefully during the one call. It also suppresses some of
- the normal
- zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.
- </p>
-<p>
- The <span><strong class="command">dialup</strong></span> option
- may also be specified in the <span><strong class="command">view</strong></span> and
- <span><strong class="command">zone</strong></span> statements,
- in which case it overrides the global <span><strong class="command">dialup</strong></span>
- option.
- </p>
-<p>
- If the zone is a master zone, then the server will send out a
- NOTIFY
- request to all the slaves (default). This should trigger the
- zone serial
- number check in the slave (providing it supports NOTIFY)
- allowing the slave
- to verify the zone while the connection is active.
- The set of servers to which NOTIFY is sent can be controlled
- by
- <span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
- </p>
-<p>
- If the
- zone is a slave or stub zone, then the server will suppress
- the regular
- "zone up to date" (refresh) queries and only perform them
- when the
- <span><strong class="command">heartbeat-interval</strong></span> expires in
- addition to sending
- NOTIFY requests.
- </p>
-<p>
- Finer control can be achieved by using
- <strong class="userinput"><code>notify</code></strong> which only sends NOTIFY
- messages,
- <strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY
- messages and
- suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
- which suppresses normal refresh processing and sends refresh
- queries
- when the <span><strong class="command">heartbeat-interval</strong></span>
- expires, and
- <strong class="userinput"><code>passive</code></strong> which just disables normal
- refresh
- processing.
- </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- dialup mode
- </p>
- </td>
-<td>
- <p>
- normal refresh
- </p>
- </td>
-<td>
- <p>
- heart-beat refresh
- </p>
- </td>
-<td>
- <p>
- heart-beat notify
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">no</strong></span> (default)</p>
- </td>
-<td>
- <p>
- yes
- </p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">yes</strong></span></p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-<td>
- <p>
- yes
- </p>
- </td>
-<td>
- <p>
- yes
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">notify</strong></span></p>
- </td>
-<td>
- <p>
- yes
- </p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-<td>
- <p>
- yes
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">refresh</strong></span></p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-<td>
- <p>
- yes
- </p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">passive</strong></span></p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">notify-passive</strong></span></p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-<td>
- <p>
- no
- </p>
- </td>
-<td>
- <p>
- yes
- </p>
- </td>
-</tr>
-</tbody>
-</table></div>
-<p>
- Note that normal NOTIFY processing is not affected by
- <span><strong class="command">dialup</strong></span>.
- </p>
-</dd>
-<dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt>
-<dd><p>
- In <acronym class="acronym">BIND</acronym> 8, this option
- enabled simulating the obsolete DNS query type
- IQUERY. <acronym class="acronym">BIND</acronym> 9 never does
- IQUERY simulation.
- </p></dd>
-<dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt>
-<dd><p>
- This option is obsolete.
- In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
- caused the server to attempt to fetch glue resource records
- it
- didn't have when constructing the additional
- data section of a response. This is now considered a bad
- idea
- and BIND 9 never does it.
- </p></dd>
-<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
-<dd><p>
- When the nameserver exits due receiving SIGTERM,
- flush or do not flush any pending zone writes. The default
- is
- <span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt>
-<dd><p>
- This option was incorrectly implemented
- in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
- To achieve the intended effect
- of
- <span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
- the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
- and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
- </p></dd>
-<dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt>
-<dd><p>
- In BIND 8, this enables keeping of
- statistics for every host that the name server interacts
- with.
- Not implemented in BIND 9.
- </p></dd>
-<dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt>
-<dd><p>
- <span class="emphasis"><em>This option is obsolete</em></span>.
- It was used in <acronym class="acronym">BIND</acronym> 8 to
- determine whether a transaction log was
- kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
- log whenever possible. If you need to disable outgoing
- incremental zone
- transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt>
-<dd><p>
- If <strong class="userinput"><code>yes</code></strong>, then when generating
- responses the server will only add records to the authority
- and additional data sections when they are required (e.g.
- delegations, negative responses). This may improve the
- performance of the server.
- The default is <strong class="userinput"><code>no</code></strong>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt>
-<dd><p>
- This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
- a domain name to have multiple CNAME records in violation of
- the DNS standards. <acronym class="acronym">BIND</acronym> 9.2 onwards
- always strictly enforces the CNAME rules both in master
- files and dynamic updates.
- </p></dd>
-<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
-<dd>
-<p>
- If <strong class="userinput"><code>yes</code></strong> (the default),
- DNS NOTIFY messages are sent when a zone the server is
- authoritative for
- changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called &#8220;Notify&#8221;</a>. The messages are
- sent to the
- servers listed in the zone's NS records (except the master
- server identified
- in the SOA MNAME field), and to any servers listed in the
- <span><strong class="command">also-notify</strong></span> option.
- </p>
-<p>
- If <strong class="userinput"><code>master-only</code></strong>, notifies are only
- sent
- for master zones.
- If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only
- to
- servers explicitly listed using <span><strong class="command">also-notify</strong></span>.
- If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
- </p>
-<p>
- The <span><strong class="command">notify</strong></span> option may also be
- specified in the <span><strong class="command">zone</strong></span>
- statement,
- in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
- It would only be necessary to turn off this option if it
- caused slaves
- to crash.
- </p>
-</dd>
-<dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt>
-<dd><p>
- If <strong class="userinput"><code>yes</code></strong>, and a
- DNS query requests recursion, then the server will attempt
- to do
- all the work required to answer the query. If recursion is
- off
- and the server does not already know the answer, it will
- return a
- referral response. The default is
- <strong class="userinput"><code>yes</code></strong>.
- Note that setting <span><strong class="command">recursion no</strong></span> does not prevent
- clients from getting data from the server's cache; it only
- prevents new data from being cached as an effect of client
- queries.
- Caching may still occur as an effect the server's internal
- operation, such as NOTIFY address lookups.
- See also <span><strong class="command">fetch-glue</strong></span> above.
- </p></dd>
-<dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt>
-<dd>
-<p>
- Setting this to <strong class="userinput"><code>yes</code></strong> will
- cause the server to send NS records along with the SOA
- record for negative
- answers. The default is <strong class="userinput"><code>no</code></strong>.
- </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- Not yet implemented in <acronym class="acronym">BIND</acronym>
- 9.
- </p>
-</div>
-</dd>
-<dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt>
-<dd><p>
- <span class="emphasis"><em>This option is obsolete</em></span>.
- <acronym class="acronym">BIND</acronym> 9 always allocates query
- IDs from a pool.
- </p></dd>
-<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
-<dd><p>
- If <strong class="userinput"><code>yes</code></strong>, the server will collect
- statistical data on all zones (unless specifically turned
- off
- on a per-zone basis by specifying <span><strong class="command">zone-statistics no</strong></span>
- in the <span><strong class="command">zone</strong></span> statement).
- These statistics may be accessed
- using <span><strong class="command">rndc stats</strong></span>, which will
- dump them to the file listed
- in the <span><strong class="command">statistics-file</strong></span>. See
- also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt>
-<dd><p>
- <span class="emphasis"><em>This option is obsolete</em></span>.
- If you need to disable IXFR to a particular server or
- servers, see
- the information on the <span><strong class="command">provide-ixfr</strong></span> option
- in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
- Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and
- Usage&#8221;</a>.
- See also
- <a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called &#8220;Incremental Zone Transfers (IXFR)&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">provide-ixfr</strong></span> in
- <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
- Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and
- Usage&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">request-ixfr</strong></span> in
- <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
- Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and
- Usage&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt>
-<dd><p>
- This option was used in <acronym class="acronym">BIND</acronym>
- 8 to make
- the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
- as a space or tab character,
- to facilitate loading of zone files on a UNIX system that
- were generated
- on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
- and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines
- are always accepted,
- and the option is ignored.
- </p></dd>
-<dt>
-<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
-</dt>
-<dd>
-<p>
- These options control the behavior of an authoritative
- server when
- answering queries which have additional data, or when
- following CNAME
- and DNAME chains.
- </p>
-<p>
- When both of these options are set to <strong class="userinput"><code>yes</code></strong>
- (the default) and a
- query is being answered from authoritative data (a zone
- configured into the server), the additional data section of
- the
- reply will be filled in using data from other authoritative
- zones
- and from the cache. In some situations this is undesirable,
- such
- as when there is concern over the correctness of the cache,
- or
- in servers where slave zones may be added and modified by
- untrusted third parties. Also, avoiding
- the search for this additional data will speed up server
- operations
- at the possible expense of additional queries to resolve
- what would
- otherwise be provided in the additional section.
- </p>
-<p>
- For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
- and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
- records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
- if known, even though they are not in the example.com zone.
- Setting these options to <span><strong class="command">no</strong></span>
- disables this behavior and makes
- the server only search for additional data in the zone it
- answers from.
- </p>
-<p>
- These options are intended for use in authoritative-only
- servers, or in authoritative-only views. Attempts to set
- them to <span><strong class="command">no</strong></span> without also
- specifying
- <span><strong class="command">recursion no</strong></span> will cause the
- server to
- ignore the options and log a warning message.
- </p>
-<p>
- Specifying <span><strong class="command">additional-from-cache no</strong></span> actually
- disables the use of the cache not only for additional data
- lookups
- but also when looking up the answer. This is usually the
- desired
- behavior in an authoritative-only server where the
- correctness of
- the cached data is an issue.
- </p>
-<p>
- When a name server is non-recursively queried for a name
- that is not
- below the apex of any served zone, it normally answers with
- an
- "upwards referral" to the root servers or the servers of
- some other
- known parent of the query name. Since the data in an
- upwards referral
- comes from the cache, the server will not be able to provide
- upwards
- referrals when <span><strong class="command">additional-from-cache no</strong></span>
- has been specified. Instead, it will respond to such
- queries
- with REFUSED. This should not cause any problems since
- upwards referrals are not required for the resolution
- process.
- </p>
-</dd>
-<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
-<dd><p>
- If <strong class="userinput"><code>yes</code></strong>, then an
- IPv4-mapped IPv6 address will match any address match
- list entries that match the corresponding IPv4 address.
- Enabling this option is sometimes useful on IPv6-enabled
- Linux
- systems, to work around a kernel quirk that causes IPv4
- TCP connections such as zone transfers to be accepted
- on an IPv6 socket using mapped addresses, causing
- address match lists designed for IPv4 to fail to match.
- The use of this option for any other purpose is discouraged.
- </p></dd>
-<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
-<dd>
-<p>
- When <strong class="userinput"><code>yes</code></strong> and the server loads a new version of a master
- zone from its zone file or receives a new version of a slave
- file by a non-incremental zone transfer, it will compare
- the new version to the previous one and calculate a set
- of differences. The differences are then logged in the
- zone's journal file such that the changes can be transmitted
- to downstream slaves as an incremental zone transfer.
- </p>
-<p>
- By allowing incremental zone transfers to be used for
- non-dynamic zones, this option saves bandwidth at the
- expense of increased CPU and memory consumption at the
- master.
- In particular, if the new version of a zone is completely
- different from the previous one, the set of differences
- will be of a size comparable to the combined size of the
- old and new zone version, and the server will need to
- temporarily allocate memory to hold this complete
- difference set.
- </p>
-<p><span><strong class="command">ixfr-from-differences</strong></span>
- also accepts <span><strong class="command">master</strong></span> and
- <span><strong class="command">slave</strong></span> at the view and options
- levels which causes
- <span><strong class="command">ixfr-from-differences</strong></span> to apply to
- all <span><strong class="command">master</strong></span> or
- <span><strong class="command">slave</strong></span> zones respectively.
- </p>
-</dd>
-<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
-<dd><p>
- This should be set when you have multiple masters for a zone
- and the
- addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, named will
- not log
- when the serial number on the master is less than what named
- currently
- has. The default is <strong class="userinput"><code>no</code></strong>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt>
-<dd><p>
- Enable DNSSEC support in named. Unless set to <strong class="userinput"><code>yes</code></strong>,
- named behaves as if it does not support DNSSEC.
- The default is <strong class="userinput"><code>yes</code></strong>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt>
-<dd><p>
- Enable DNSSEC validation in named.
- Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
- set to <strong class="userinput"><code>yes</code></strong> to be effective.
- The default is <strong class="userinput"><code>no</code></strong>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
-<dd><p>
- Accept expired signatures when verifying DNSSEC signatures.
- The default is <strong class="userinput"><code>no</code></strong>.
- Setting this option to "yes" leaves named vulnerable to replay attacks.
- </p></dd>
-<dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt>
-<dd><p>
- Specify whether query logging should be started when named
- starts.
- If <span><strong class="command">querylog</strong></span> is not specified,
- then the query logging
- is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
-<dd>
-<p>
- This option is used to restrict the character set and syntax
- of
- certain domain names in master files and/or DNS responses
- received
- from the network. The default varies according to usage
- area. For
- <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
- For <span><strong class="command">slave</strong></span> zones the default
- is <span><strong class="command">warn</strong></span>.
- For answers received from the network (<span><strong class="command">response</strong></span>)
- the default is <span><strong class="command">ignore</strong></span>.
- </p>
-<p>
- The rules for legal hostnames and mail domains are derived
- from RFC 952 and RFC 821 as modified by RFC 1123.
- </p>
-<p><span><strong class="command">check-names</strong></span>
- applies to the owner names of A, AAA and MX records.
- It also applies to the domain names in the RDATA of NS, SOA
- and MX records.
- It also applies to the RDATA of PTR records where the owner
- name indicated that it is a reverse lookup of a hostname
- (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
- </p>
-</dd>
-<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
-<dd><p>
- Check whether the MX record appears to refer to a IP address.
- The default is to <span><strong class="command">warn</strong></span>. Other possible
- values are <span><strong class="command">fail</strong></span> and
- <span><strong class="command">ignore</strong></span>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
-<dd><p>
- This option is used to check for non-terminal wildcards.
- The use of non-terminal wildcards is almost always as a
- result of a failure
- to understand the wildcard matching algorithm (RFC 1034).
- This option
- affects master zones. The default (<span><strong class="command">yes</strong></span>) is to check
- for non-terminal wildcards and issue a warning.
- </p></dd>
-<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
-<dd><p>
- Perform post load zone integrity checks on master
- zones. This checks that MX and SRV records refer
- to address (A or AAAA) records and that glue
- address records exist for delegated zones. For
- MX and SRV records only in-zone hostnames are
- checked (for out-of-zone hostnames use named-checkzone).
- For NS records only names below top of zone are
- checked (for out-of-zone names and glue consistency
- checks use named-checkzone). The default is
- <span><strong class="command">yes</strong></span>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">check-mx-cname</strong></span></span></dt>
-<dd><p>
- If <span><strong class="command">check-integrity</strong></span> is set then
- fail, warn or ignore MX records that refer
- to CNAMES. The default is to <span><strong class="command">warn</strong></span>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">check-srv-cname</strong></span></span></dt>
-<dd><p>
- If <span><strong class="command">check-integrity</strong></span> is set then
- fail, warn or ignore SRV records that refer
- to CNAMES. The default is to <span><strong class="command">warn</strong></span>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
-<dd><p>
- When performing integrity checks, also check that
- sibling glue exists. The default is <span><strong class="command">yes</strong></span>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
-<dd><p>
- When returning authoritative negative responses to
- SOA queries set the TTL of the SOA recored returned in
- the authority section to zero.
- The default is <span><strong class="command">yes</strong></span>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
-<dd><p>
- When caching a negative response to a SOA query
- set the TTL to zero.
- The default is <span><strong class="command">no</strong></span>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
-<dd><p>
- When regenerating the RRSIGs following a UPDATE
- request to a secure zone, check the KSK flag on
- the DNSKEY RR to determine if this key should be
- used to generate the RRSIG. This flag is ignored
- if there are not DNSKEY RRs both with and without
- a KSK.
- The default is <span><strong class="command">yes</strong></span>.
- </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2580536"></a>Forwarding</h4></div></div></div>
-<p>
- The forwarding facility can be used to create a large site-wide
- cache on a few servers, reducing traffic over links to external
- name servers. It can also be used to allow queries by servers that
- do not have direct access to the Internet, but wish to look up
- exterior
- names anyway. Forwarding occurs only on those queries for which
- the server is not authoritative and does not have the answer in
- its cache.
- </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
-<dd><p>
- This option is only meaningful if the
- forwarders list is not empty. A value of <code class="varname">first</code>,
- the default, causes the server to query the forwarders
- first &#8212; and
- if that doesn't answer the question, the server will then
- look for
- the answer itself. If <code class="varname">only</code> is
- specified, the
- server will only query the forwarders.
- </p></dd>
-<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
-<dd><p>
- Specifies the IP addresses to be used
- for forwarding. The default is the empty list (no
- forwarding).
- </p></dd>
-</dl></div>
-<p>
- Forwarding can also be configured on a per-domain basis, allowing
- for the global forwarding options to be overridden in a variety
- of ways. You can set particular domains to use different
- forwarders,
- or have a different <span><strong class="command">forward only/first</strong></span> behavior,
- or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone
- Statement Grammar">the section called &#8220;<span><strong class="command">zone</strong></span>
- Statement Grammar&#8221;</a>.
- </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2580595"></a>Dual-stack Servers</h4></div></div></div>
-<p>
- Dual-stack servers are used as servers of last resort to work
- around
- problems in reachability due the lack of support for either IPv4
- or IPv6
- on the host machine.
- </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">dual-stack-servers</strong></span></span></dt>
-<dd><p>
- Specifies host names or addresses of machines with access to
- both IPv4 and IPv6 transports. If a hostname is used, the
- server must be able
- to resolve the name using only the transport it has. If the
- machine is dual
- stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
- access to a transport has been disabled on the command line
- (e.g. <span><strong class="command">named -4</strong></span>).
- </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="access_control"></a>Access Control</h4></div></div></div>
-<p>
- Access to the server can be restricted based on the IP address
- of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a> for
- details on how to specify IP address lists.
- </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
-<dd><p>
- Specifies which hosts are allowed to
- notify this server, a slave, of zone changes in addition
- to the zone masters.
- <span><strong class="command">allow-notify</strong></span> may also be
- specified in the
- <span><strong class="command">zone</strong></span> statement, in which case
- it overrides the
- <span><strong class="command">options allow-notify</strong></span>
- statement. It is only meaningful
- for a slave zone. If not specified, the default is to
- process notify messages
- only from a zone's master.
- </p></dd>
-<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
-<dd>
-<p>
- Specifies which hosts are allowed to ask ordinary
- DNS questions. <span><strong class="command">allow-query</strong></span> may
- also be specified in the <span><strong class="command">zone</strong></span>
- statement, in which case it overrides the
- <span><strong class="command">options allow-query</strong></span> statement.
- If not specified, the default is to allow queries
- from all hosts.
- </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- <span><strong class="command">allow-query-cache</strong></span> is now
- used to specify access to the cache.
- </p>
-</div>
-</dd>
-<dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt>
-<dd><p>
- Specifies which hosts are allowed to get answers
- from the cache. If <span><strong class="command">allow-query-cache</strong></span>
- is not set then <span><strong class="command">allow-recursion</strong></span>
- is used if set, otherwise <span><strong class="command">allow-query</strong></span>
- is used if set, otherwise the default
- (<span><strong class="command">localnets;</strong></span>
- <span><strong class="command">localhost;</strong></span>) is used.
- </p></dd>
-<dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt>
-<dd><p>
- Specifies which hosts are allowed to make recursive
- queries through this server. If
- <span><strong class="command">allow-recursion</strong></span> is not set
- then <span><strong class="command">allow-query-cache</strong></span> is
- used if set, otherwise <span><strong class="command">allow-query</strong></span>
- is used if set, otherwise the default
- (<span><strong class="command">localnets;</strong></span>
- <span><strong class="command">localhost;</strong></span>) is used.
- </p></dd>
-<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
-<dd><p>
- Specifies which hosts are allowed to
- submit Dynamic DNS updates for master zones. The default is
- to deny
- updates from all hosts. Note that allowing updates based
- on the requestor's IP address is insecure; see
- <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for details.
- </p></dd>
-<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
-<dd>
-<p>
- Specifies which hosts are allowed to
- submit Dynamic DNS updates to slave zones to be forwarded to
- the
- master. The default is <strong class="userinput"><code>{ none; }</code></strong>,
- which
- means that no update forwarding will be performed. To
- enable
- update forwarding, specify
- <strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
- Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
- <strong class="userinput"><code>{ any; }</code></strong> is usually
- counterproductive, since
- the responsibility for update access control should rest
- with the
- master server, not the slaves.
- </p>
-<p>
- Note that enabling the update forwarding feature on a slave
- server
- may expose master servers relying on insecure IP address
- based
- access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a>
- for more details.
- </p>
-</dd>
-<dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt>
-<dd><p>
- This option was introduced for the smooth transition from
- AAAA
- to A6 and from "nibble labels" to binary labels.
- However, since both A6 and binary labels were then
- deprecated,
- this option was also deprecated.
- It is now ignored with some warning messages.
- </p></dd>
-<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
-<dd><p>
- Specifies which hosts are allowed to
- receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
- also be specified in the <span><strong class="command">zone</strong></span>
- statement, in which
- case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
- If not specified, the default is to allow transfers to all
- hosts.
- </p></dd>
-<dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt>
-<dd><p>
- Specifies a list of addresses that the
- server will not accept queries from or use to resolve a
- query. Queries
- from these addresses will not be responded to. The default
- is <strong class="userinput"><code>none</code></strong>.
- </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581153"></a>Interfaces</h4></div></div></div>
-<p>
- The interfaces and ports that the server will answer queries
- from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
- an optional port, and an <code class="varname">address_match_list</code>.
- The server will listen on all interfaces allowed by the address
- match list. If a port is not specified, port 53 will be used.
- </p>
-<p>
- Multiple <span><strong class="command">listen-on</strong></span> statements are
- allowed.
- For example,
- </p>
-<pre class="programlisting">listen-on { 5.6.7.8; };
-listen-on port 1234 { !1.2.3.4; 1.2/16; };
-</pre>
-<p>
- will enable the name server on port 53 for the IP address
- 5.6.7.8, and on port 1234 of an address on the machine in net
- 1.2 that is not 1.2.3.4.
- </p>
-<p>
- If no <span><strong class="command">listen-on</strong></span> is specified, the
- server will listen on port 53 on all interfaces.
- </p>
-<p>
- The <span><strong class="command">listen-on-v6</strong></span> option is used to
- specify the interfaces and the ports on which the server will
- listen
- for incoming queries sent using IPv6.
- </p>
-<p>
- When </p>
-<pre class="programlisting">{ any; }</pre>
-<p> is
- specified
- as the <code class="varname">address_match_list</code> for the
- <span><strong class="command">listen-on-v6</strong></span> option,
- the server does not bind a separate socket to each IPv6 interface
- address as it does for IPv4 if the operating system has enough API
- support for IPv6 (specifically if it conforms to RFC 3493 and RFC
- 3542).
- Instead, it listens on the IPv6 wildcard address.
- If the system only has incomplete API support for IPv6, however,
- the behavior is the same as that for IPv4.
- </p>
-<p>
- A list of particular IPv6 addresses can also be specified, in
- which case
- the server listens on a separate socket for each specified
- address,
- regardless of whether the desired API is supported by the system.
- </p>
-<p>
- Multiple <span><strong class="command">listen-on-v6</strong></span> options can
- be used.
- For example,
- </p>
-<pre class="programlisting">listen-on-v6 { any; };
-listen-on-v6 port 1234 { !2001:db8::/32; any; };
-</pre>
-<p>
- will enable the name server on port 53 for any IPv6 addresses
- (with a single wildcard socket),
- and on port 1234 of IPv6 addresses that is not in the prefix
- 2001:db8::/32 (with separate sockets for each matched address.)
- </p>
-<p>
- To make the server not listen on any IPv6 address, use
- </p>
-<pre class="programlisting">listen-on-v6 { none; };
-</pre>
-<p>
- If no <span><strong class="command">listen-on-v6</strong></span> option is
- specified,
- the server will not listen on any IPv6 address.
- </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581241"></a>Query Address</h4></div></div></div>
-<p>
- If the server doesn't know the answer to a question, it will
- query other name servers. <span><strong class="command">query-source</strong></span> specifies
- the address and port used for such queries. For queries sent over
- IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option.
- If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
- a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>)
- will be used.
- If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
- a random unprivileged port will be used. The <span><strong class="command">avoid-v4-udp-ports</strong></span>
- and <span><strong class="command">avoid-v6-udp-ports</strong></span> options can be used
- to prevent named
- from selecting certain ports. The defaults are:
- </p>
-<pre class="programlisting">query-source address * port *;
-query-source-v6 address * port *;
-</pre>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- The address specified in the <span><strong class="command">query-source</strong></span> option
- is used for both UDP and TCP queries, but the port applies only
- to
- UDP queries. TCP queries always use a random
- unprivileged port.
- </p>
-</div>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- Solaris 2.5.1 and earlier does not support setting the source
- address for TCP sockets.
- </p>
-</div>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- See also <span><strong class="command">transfer-source</strong></span> and
- <span><strong class="command">notify-source</strong></span>.
- </p>
-</div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="zone_transfers"></a>Zone Transfers</h4></div></div></div>
-<p>
- <acronym class="acronym">BIND</acronym> has mechanisms in place to
- facilitate zone transfers
- and set limits on the amount of load that transfers place on the
- system. The following options apply to zone transfers.
- </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
-<dd><p>
- Defines a global list of IP addresses of name servers
- that are also sent NOTIFY messages whenever a fresh copy of
- the
- zone is loaded, in addition to the servers listed in the
- zone's NS records.
- This helps to ensure that copies of the zones will
- quickly converge on stealth servers. If an <span><strong class="command">also-notify</strong></span> list
- is given in a <span><strong class="command">zone</strong></span> statement,
- it will override
- the <span><strong class="command">options also-notify</strong></span>
- statement. When a <span><strong class="command">zone notify</strong></span>
- statement
- is set to <span><strong class="command">no</strong></span>, the IP
- addresses in the global <span><strong class="command">also-notify</strong></span> list will
- not be sent NOTIFY messages for that zone. The default is
- the empty
- list (no global notification list).
- </p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
-<dd><p>
- Inbound zone transfers running longer than
- this many minutes will be terminated. The default is 120
- minutes
- (2 hours). The maximum value is 28 days (40320 minutes).
- </p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
-<dd><p>
- Inbound zone transfers making no progress
- in this many minutes will be terminated. The default is 60
- minutes
- (1 hour). The maximum value is 28 days (40320 minutes).
- </p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
-<dd><p>
- Outbound zone transfers running longer than
- this many minutes will be terminated. The default is 120
- minutes
- (2 hours). The maximum value is 28 days (40320 minutes).
- </p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
-<dd><p>
- Outbound zone transfers making no progress
- in this many minutes will be terminated. The default is 60
- minutes (1
- hour). The maximum value is 28 days (40320 minutes).
- </p></dd>
-<dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt>
-<dd><p>
- Slave servers will periodically query master servers
- to find out if zone serial numbers have changed. Each such
- query uses
- a minute amount of the slave server's network bandwidth. To
- limit the
- amount of bandwidth used, BIND 9 limits the rate at which
- queries are
- sent. The value of the <span><strong class="command">serial-query-rate</strong></span> option,
- an integer, is the maximum number of queries sent per
- second.
- The default is 20.
- </p></dd>
-<dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt>
-<dd><p>
- In BIND 8, the <span><strong class="command">serial-queries</strong></span>
- option
- set the maximum number of concurrent serial number queries
- allowed to be outstanding at any given time.
- BIND 9 does not limit the number of outstanding
- serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option.
- Instead, it limits the rate at which the queries are sent
- as defined using the <span><strong class="command">serial-query-rate</strong></span> option.
- </p></dd>
-<dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt>
-<dd><p>
- Zone transfers can be sent using two different formats,
- <span><strong class="command">one-answer</strong></span> and
- <span><strong class="command">many-answers</strong></span>.
- The <span><strong class="command">transfer-format</strong></span> option is used
- on the master server to determine which format it sends.
- <span><strong class="command">one-answer</strong></span> uses one DNS message per
- resource record transferred.
- <span><strong class="command">many-answers</strong></span> packs as many resource
- records as possible into a message.
- <span><strong class="command">many-answers</strong></span> is more efficient, but is
- only supported by relatively new slave servers,
- such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
- 8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards.
- The <span><strong class="command">many-answers</strong></span> format is also supported by
- recent Microsoft Windows nameservers.
- The default is <span><strong class="command">many-answers</strong></span>.
- <span><strong class="command">transfer-format</strong></span> may be overridden on a
- per-server basis by using the <span><strong class="command">server</strong></span>
- statement.
- </p></dd>
-<dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt>
-<dd><p>
- The maximum number of inbound zone transfers
- that can be running concurrently. The default value is <code class="literal">10</code>.
- Increasing <span><strong class="command">transfers-in</strong></span> may
- speed up the convergence
- of slave zones, but it also may increase the load on the
- local system.
- </p></dd>
-<dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt>
-<dd><p>
- The maximum number of outbound zone transfers
- that can be running concurrently. Zone transfer requests in
- excess
- of the limit will be refused. The default value is <code class="literal">10</code>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt>
-<dd><p>
- The maximum number of inbound zone transfers
- that can be concurrently transferring from a given remote
- name server.
- The default value is <code class="literal">2</code>.
- Increasing <span><strong class="command">transfers-per-ns</strong></span>
- may
- speed up the convergence of slave zones, but it also may
- increase
- the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
- be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
- of the <span><strong class="command">server</strong></span> statement.
- </p></dd>
-<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
-<dd>
-<p><span><strong class="command">transfer-source</strong></span>
- determines which local address will be bound to IPv4
- TCP connections used to fetch zones transferred
- inbound by the server. It also determines the
- source IPv4 address, and optionally the UDP port,
- used for the refresh queries and forwarded dynamic
- updates. If not set, it defaults to a system
- controlled value which will usually be the address
- of the interface "closest to" the remote end. This
- address must appear in the remote end's
- <span><strong class="command">allow-transfer</strong></span> option for the
- zone being transferred, if one is specified. This
- statement sets the
- <span><strong class="command">transfer-source</strong></span> for all zones,
- but can be overridden on a per-view or per-zone
- basis by including a
- <span><strong class="command">transfer-source</strong></span> statement within
- the <span><strong class="command">view</strong></span> or
- <span><strong class="command">zone</strong></span> block in the configuration
- file.
- </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- Solaris 2.5.1 and earlier does not support setting the
- source address for TCP sockets.
- </p>
-</div>
-</dd>
-<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
-<dd><p>
- The same as <span><strong class="command">transfer-source</strong></span>,
- except zone transfers are performed using IPv6.
- </p></dd>
-<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
-<dd>
-<p>
- An alternate transfer source if the one listed in
- <span><strong class="command">transfer-source</strong></span> fails and
- <span><strong class="command">use-alt-transfer-source</strong></span> is
- set.
- </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- If you do not wish the alternate transfer source
- to be used, you should set
- <span><strong class="command">use-alt-transfer-source</strong></span>
- appropriately and you should not depend upon
- getting a answer back to the first refresh
- query.
- </div>
-</dd>
-<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
-<dd><p>
- An alternate transfer source if the one listed in
- <span><strong class="command">transfer-source-v6</strong></span> fails and
- <span><strong class="command">use-alt-transfer-source</strong></span> is
- set.
- </p></dd>
-<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
-<dd><p>
- Use the alternate transfer sources or not. If views are
- specified this defaults to <span><strong class="command">no</strong></span>
- otherwise it defaults to
- <span><strong class="command">yes</strong></span> (for BIND 8
- compatibility).
- </p></dd>
-<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
-<dd>
-<p><span><strong class="command">notify-source</strong></span>
- determines which local source address, and
- optionally UDP port, will be used to send NOTIFY
- messages. This address must appear in the slave
- server's <span><strong class="command">masters</strong></span> zone clause or
- in an <span><strong class="command">allow-notify</strong></span> clause. This
- statement sets the <span><strong class="command">notify-source</strong></span>
- for all zones, but can be overridden on a per-zone or
- per-view basis by including a
- <span><strong class="command">notify-source</strong></span> statement within
- the <span><strong class="command">zone</strong></span> or
- <span><strong class="command">view</strong></span> block in the configuration
- file.
- </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- Solaris 2.5.1 and earlier does not support setting the
- source address for TCP sockets.
- </p>
-</div>
-</dd>
-<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
-<dd><p>
- Like <span><strong class="command">notify-source</strong></span>,
- but applies to notify messages sent to IPv6 addresses.
- </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581988"></a>Bad UDP Port Lists</h4></div></div></div>
-<p><span><strong class="command">avoid-v4-udp-ports</strong></span>
- and <span><strong class="command">avoid-v6-udp-ports</strong></span> specify a list
- of IPv4 and IPv6 UDP ports that will not be used as system
- assigned source ports for UDP sockets. These lists
- prevent named from choosing as its random source port a
- port that is blocked by your firewall. If a query went
- out with such a source port, the answer would not get by
- the firewall and the name server would have to query
- again.
- </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2582003"></a>Operating System Resource Limits</h4></div></div></div>
-<p>
- The server's usage of many system resources can be limited.
- Scaled values are allowed when specifying resource limits. For
- example, <span><strong class="command">1G</strong></span> can be used instead of
- <span><strong class="command">1073741824</strong></span> to specify a limit of
- one
- gigabyte. <span><strong class="command">unlimited</strong></span> requests
- unlimited use, or the
- maximum available amount. <span><strong class="command">default</strong></span>
- uses the limit
- that was in force when the server was started. See the description
- of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called &#8220;Configuration File Elements&#8221;</a>.
- </p>
-<p>
- The following options set operating system resource limits for
- the name server process. Some operating systems don't support
- some or
- any of the limits. On such systems, a warning will be issued if
- the
- unsupported limit is used.
- </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt>
-<dd><p>
- The maximum size of a core dump. The default
- is <code class="literal">default</code>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt>
-<dd><p>
- The maximum amount of data memory the server
- may use. The default is <code class="literal">default</code>.
- This is a hard limit on server memory usage.
- If the server attempts to allocate memory in excess of this
- limit, the allocation will fail, which may in turn leave
- the server unable to perform DNS service. Therefore,
- this option is rarely useful as a way of limiting the
- amount of memory used by the server, but it can be used
- to raise an operating system data size limit that is
- too small by default. If you wish to limit the amount
- of memory used by the server, use the
- <span><strong class="command">max-cache-size</strong></span> and
- <span><strong class="command">recursive-clients</strong></span>
- options instead.
- </p></dd>
-<dt><span class="term"><span><strong class="command">files</strong></span></span></dt>
-<dd><p>
- The maximum number of files the server
- may have open concurrently. The default is <code class="literal">unlimited</code>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt>
-<dd><p>
- The maximum amount of stack memory the server
- may use. The default is <code class="literal">default</code>.
- </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2582186"></a>Server Resource Limits</h4></div></div></div>
-<p>
- The following options set limits on the server's
- resource consumption that are enforced internally by the
- server rather than the operating system.
- </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt>
-<dd><p>
- This option is obsolete; it is accepted
- and ignored for BIND 8 compatibility. The option
- <span><strong class="command">max-journal-size</strong></span> performs a
- similar function in BIND 9.
- </p></dd>
-<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
-<dd><p>
- Sets a maximum size for each journal file
- (see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called &#8220;The journal file&#8221;</a>). When the journal file
- approaches
- the specified size, some of the oldest transactions in the
- journal
- will be automatically removed. The default is
- <code class="literal">unlimited</code>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
-<dd><p>
- In BIND 8, specifies the maximum number of host statistics
- entries to be kept.
- Not implemented in BIND 9.
- </p></dd>
-<dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt>
-<dd><p>
- The maximum number of simultaneous recursive lookups
- the server will perform on behalf of clients. The default
- is
- <code class="literal">1000</code>. Because each recursing
- client uses a fair
- bit of memory, on the order of 20 kilobytes, the value of
- the
- <span><strong class="command">recursive-clients</strong></span> option may
- have to be decreased
- on hosts with limited memory.
- </p></dd>
-<dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt>
-<dd><p>
- The maximum number of simultaneous client TCP
- connections that the server will accept.
- The default is <code class="literal">100</code>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt>
-<dd><p>
- The maximum amount of memory to use for the
- server's cache, in bytes. When the amount of data in the
- cache
- reaches this limit, the server will cause records to expire
- prematurely so that the limit is not exceeded. In a server
- with
- multiple views, the limit applies separately to the cache of
- each
- view. The default is <code class="literal">unlimited</code>, meaning that
- records are purged from the cache only when their TTLs
- expire.
- </p></dd>
-<dt><span class="term"><span><strong class="command">tcp-listen-queue</strong></span></span></dt>
-<dd><p>
- The listen queue depth. The default and minimum is 3.
- If the kernel supports the accept filter "dataready" this
- also controls how
- many TCP connections that will be queued in kernel space
- waiting for
- some data before being passed to accept. Values less than 3
- will be
- silently raised.
- </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2582320"></a>Periodic Task Intervals</h4></div></div></div>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
-<dd><p>
- The server will remove expired resource records
- from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes.
- The default is 60 minutes. The maximum value is 28 days
- (40320 minutes).
- If set to 0, no periodic cleaning will occur.
- </p></dd>
-<dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt>
-<dd><p>
- The server will perform zone maintenance tasks
- for all zones marked as <span><strong class="command">dialup</strong></span> whenever this
- interval expires. The default is 60 minutes. Reasonable
- values are up
- to 1 day (1440 minutes). The maximum value is 28 days
- (40320 minutes).
- If set to 0, no zone maintenance for these zones will occur.
- </p></dd>
-<dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt>
-<dd><p>
- The server will scan the network interface list
- every <span><strong class="command">interface-interval</strong></span>
- minutes. The default
- is 60 minutes. The maximum value is 28 days (40320 minutes).
- If set to 0, interface scanning will only occur when
- the configuration file is loaded. After the scan, the
- server will
- begin listening for queries on any newly discovered
- interfaces (provided they are allowed by the
- <span><strong class="command">listen-on</strong></span> configuration), and
- will
- stop listening on interfaces that have gone away.
- </p></dd>
-<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
-<dd>
-<p>
- Name server statistics will be logged
- every <span><strong class="command">statistics-interval</strong></span>
- minutes. The default is
- 60. The maximum value is 28 days (40320 minutes).
- If set to 0, no statistics will be logged.
- </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- Not yet implemented in
- <acronym class="acronym">BIND</acronym> 9.
- </p>
-</div>
-</dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="topology"></a>Topology</h4></div></div></div>
-<p>
- All other things being equal, when the server chooses a name
- server
- to query from a list of name servers, it prefers the one that is
- topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
- takes an <span><strong class="command">address_match_list</strong></span> and
- interprets it
- in a special way. Each top-level list element is assigned a
- distance.
- Non-negated elements get a distance based on their position in the
- list, where the closer the match is to the start of the list, the
- shorter the distance is between it and the server. A negated match
- will be assigned the maximum distance from the server. If there
- is no match, the address will get a distance which is further than
- any non-negated list element, and closer than any negated element.
- For example,
- </p>
-<pre class="programlisting">topology {
- 10/8;
- !1.2.3/24;
- { 1.2/16; 3/8; };
-};</pre>
-<p>
- will prefer servers on network 10 the most, followed by hosts
- on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
- exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
- is preferred least of all.
- </p>
-<p>
- The default topology is
- </p>
-<pre class="programlisting"> topology { localhost; localnets; };
-</pre>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- The <span><strong class="command">topology</strong></span> option
- is not implemented in <acronym class="acronym">BIND</acronym> 9.
- </p>
-</div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
-<p>
- The response to a DNS query may consist of multiple resource
- records (RRs) forming a resource records set (RRset).
- The name server will normally return the
- RRs within the RRset in an indeterminate order
- (but see the <span><strong class="command">rrset-order</strong></span>
- statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>).
- The client resolver code should rearrange the RRs as appropriate,
- that is, using any addresses on the local net in preference to
- other addresses.
- However, not all resolvers can do this or are correctly
- configured.
- When a client is using a local server, the sorting can be performed
- in the server, based on the client's address. This only requires
- configuring the name servers, not all the clients.
- </p>
-<p>
- The <span><strong class="command">sortlist</strong></span> statement (see below)
- takes
- an <span><strong class="command">address_match_list</strong></span> and
- interprets it even
- more specifically than the <span><strong class="command">topology</strong></span>
- statement
- does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called &#8220;Topology&#8221;</a>).
- Each top level statement in the <span><strong class="command">sortlist</strong></span> must
- itself be an explicit <span><strong class="command">address_match_list</strong></span> with
- one or two elements. The first element (which may be an IP
- address,
- an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
- of each top level list is checked against the source address of
- the query until a match is found.
- </p>
-<p>
- Once the source address of the query has been matched, if
- the top level statement contains only one element, the actual
- primitive
- element that matched the source address is used to select the
- address
- in the response to move to the beginning of the response. If the
- statement is a list of two elements, then the second element is
- treated the same as the <span><strong class="command">address_match_list</strong></span> in
- a <span><strong class="command">topology</strong></span> statement. Each top
- level element
- is assigned a distance and the address in the response with the
- minimum
- distance is moved to the beginning of the response.
- </p>
-<p>
- In the following example, any queries received from any of
- the addresses of the host itself will get responses preferring
- addresses
- on any of the locally connected networks. Next most preferred are
- addresses
- on the 192.168.1/24 network, and after that either the
- 192.168.2/24
- or
- 192.168.3/24 network with no preference shown between these two
- networks. Queries received from a host on the 192.168.1/24 network
- will prefer other addresses on that network to the 192.168.2/24
- and
- 192.168.3/24 networks. Queries received from a host on the
- 192.168.4/24
- or the 192.168.5/24 network will only prefer other addresses on
- their directly connected networks.
- </p>
-<pre class="programlisting">sortlist {
- { localhost; // IF the local host
- { localnets; // THEN first fit on the
- 192.168.1/24; // following nets
- { 192.168.2/24; 192.168.3/24; }; }; };
- { 192.168.1/24; // IF on class C 192.168.1
- { 192.168.1/24; // THEN use .1, or .2 or .3
- { 192.168.2/24; 192.168.3/24; }; }; };
- { 192.168.2/24; // IF on class C 192.168.2
- { 192.168.2/24; // THEN use .2, or .1 or .3
- { 192.168.1/24; 192.168.3/24; }; }; };
- { 192.168.3/24; // IF on class C 192.168.3
- { 192.168.3/24; // THEN use .3, or .1 or .2
- { 192.168.1/24; 192.168.2/24; }; }; };
- { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
- };
-};</pre>
-<p>
- The following example will give reasonable behavior for the
- local host and hosts on directly connected networks. It is similar
- to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
- to queries from the local host will favor any of the directly
- connected
- networks. Responses sent to queries from any other hosts on a
- directly
- connected network will prefer addresses on that same network.
- Responses
- to other queries will not be sorted.
- </p>
-<pre class="programlisting">sortlist {
- { localhost; localnets; };
- { localnets; };
-};
-</pre>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div>
-<p>
- When multiple records are returned in an answer it may be
- useful to configure the order of the records placed into the
- response.
- The <span><strong class="command">rrset-order</strong></span> statement permits
- configuration
- of the ordering of the records in a multiple record response.
- See also the <span><strong class="command">sortlist</strong></span> statement,
- <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a>.
- </p>
-<p>
- An <span><strong class="command">order_spec</strong></span> is defined as
- follows:
- </p>
-<p>
- [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>]
- [<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>]
- [<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>]
- order <em class="replaceable"><code>ordering</code></em>
- </p>
-<p>
- If no class is specified, the default is <span><strong class="command">ANY</strong></span>.
- If no type is specified, the default is <span><strong class="command">ANY</strong></span>.
- If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
- </p>
-<p>
- The legal values for <span><strong class="command">ordering</strong></span> are:
- </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p><span><strong class="command">fixed</strong></span></p>
- </td>
-<td>
- <p>
- Records are returned in the order they
- are defined in the zone file.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">random</strong></span></p>
- </td>
-<td>
- <p>
- Records are returned in some random order.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">cyclic</strong></span></p>
- </td>
-<td>
- <p>
- Records are returned in a round-robin
- order.
- </p>
- </td>
-</tr>
-</tbody>
-</table></div>
-<p>
- For example:
- </p>
-<pre class="programlisting">rrset-order {
- class IN type A name "host.example.com" order random;
- order cyclic;
-};
-</pre>
-<p>
- will cause any responses for type A records in class IN that
- have "<code class="literal">host.example.com</code>" as a
- suffix, to always be returned
- in random order. All other records are returned in cyclic order.
- </p>
-<p>
- If multiple <span><strong class="command">rrset-order</strong></span> statements
- appear,
- they are not combined &#8212; the last one applies.
- </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- The <span><strong class="command">rrset-order</strong></span> statement
- is not yet fully implemented in <acronym class="acronym">BIND</acronym> 9.
- BIND 9 currently does not fully support "fixed" ordering.
- </p>
-</div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="tuning"></a>Tuning</h4></div></div></div>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt>
-<dd><p>
- Sets the number of seconds to cache a
- lame server indication. 0 disables caching. (This is
- <span class="bold"><strong>NOT</strong></span> recommended.)
- The default is <code class="literal">600</code> (10 minutes) and the
- maximum value is
- <code class="literal">1800</code> (30 minutes).
- </p></dd>
-<dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt>
-<dd><p>
- To reduce network traffic and increase performance,
- the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is
- used to set a maximum retention time for these answers in
- the server
- in seconds. The default
- <span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
- <span><strong class="command">max-ncache-ttl</strong></span> cannot exceed
- 7 days and will
- be silently truncated to 7 days if set to a greater value.
- </p></dd>
-<dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt>
-<dd><p>
- Sets the maximum time for which the server will
- cache ordinary (positive) answers. The default is
- one week (7 days).
- </p></dd>
-<dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt>
-<dd>
-<p>
- The minimum number of root servers that
- is required for a request for the root servers to be
- accepted. The default
- is <strong class="userinput"><code>2</code></strong>.
- </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- Not implemented in <acronym class="acronym">BIND</acronym> 9.
- </p>
-</div>
-</dd>
-<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
-<dd><p>
- Specifies the number of days into the
- future when DNSSEC signatures automatically generated as a
- result
- of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>)
- will expire. The default is <code class="literal">30</code> days.
- The maximum value is 10 years (3660 days). The signature
- inception time is unconditionally set to one hour before the
- current time
- to allow for a limited amount of clock skew.
- </p></dd>
-<dt>
-<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
-</dt>
-<dd>
-<p>
- These options control the server's behavior on refreshing a
- zone
- (querying for SOA changes) or retrying failed transfers.
- Usually the SOA values for the zone are used, but these
- values
- are set by the master, giving slave server administrators
- little
- control over their contents.
- </p>
-<p>
- These options allow the administrator to set a minimum and
- maximum
- refresh and retry time either per-zone, per-view, or
- globally.
- These options are valid for slave and stub zones,
- and clamp the SOA refresh and retry times to the specified
- values.
- </p>
-</dd>
-<dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt>
-<dd><p>
- Sets the advertised EDNS UDP buffer size in bytes. Valid
- values are 512 to 4096 (values outside this range
- will be silently adjusted). The default value is
- 4096. The usual reason for setting edns-udp-size to
- a non-default value is to get UDP answers to pass
- through broken firewalls that block fragmented
- packets and/or block UDP packets that are greater
- than 512 bytes.
- </p></dd>
-<dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt>
-<dd><p>
- Sets the maximum EDNS UDP message size named will
- send in bytes. Valid values are 512 to 4096 (values outside
- this range will be silently adjusted). The default
- value is 4096. The usual reason for setting
- max-udp-size to a non-default value is to get UDP
- answers to pass through broken firewalls that
- block fragmented packets and/or block UDP packets
- that are greater than 512 bytes.
- This is independent of the advertised receive
- buffer (<span><strong class="command">edns-udp-size</strong></span>).
- </p></dd>
-<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
-<dd><p>Specifies
- the file format of zone files (see
- <a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called &#8220;Additional File Formats&#8221;</a>).
- The default value is <code class="constant">text</code>, which is the
- standard textual representation. Files in other formats
- than <code class="constant">text</code> are typically expected
- to be generated by the <span><strong class="command">named-compilezone</strong></span> tool.
- Note that when a zone file in a different format than
- <code class="constant">text</code> is loaded, <span><strong class="command">named</strong></span>
- may omit some of the checks which would be performed for a
- file in the <code class="constant">text</code> format. In particular,
- <span><strong class="command">check-names</strong></span> checks do not apply
- for the <code class="constant">raw</code> format. This means
- a zone file in the <code class="constant">raw</code> format
- must be generated with the same check level as that
- specified in the <span><strong class="command">named</strong></span> configuration
- file. This statement sets the
- <span><strong class="command">masterfile-format</strong></span> for all zones,
- but can be overridden on a per-zone or per-view basis
- by including a <span><strong class="command">masterfile-format</strong></span>
- statement within the <span><strong class="command">zone</strong></span> or
- <span><strong class="command">view</strong></span> block in the configuration
- file.
- </p></dd>
-<dt>
-<span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
-</dt>
-<dd>
-<p>These set the
- initial value (minimum) and maximum number of recursive
- simultanious clients for any given query
- (&lt;qname,qtype,qclass&gt;) that the server will accept
- before dropping additional clients. named will attempt to
- self tune this value and changes will be logged. The
- default values are 10 and 100.
- </p>
-<p>
- This value should reflect how many queries come in for
- a given name in the time it takes to resolve that name.
- If the number of queries exceed this value, named will
- assume that it is dealing with a non-responsive zone
- and will drop additional queries. If it gets a response
- after dropping queries, it will raise the estimate. The
- estimate will then be lowered in 20 minutes if it has
- remained unchanged.
- </p>
-<p>
- If <span><strong class="command">clients-per-query</strong></span> is set to zero,
- then there is no limit on the number of clients per query
- and no queries will be dropped.
- </p>
-<p>
- If <span><strong class="command">max-clients-per-query</strong></span> is set to zero,
- then there is no upper bound other than imposed by
- <span><strong class="command">recursive-clients</strong></span>.
- </p>
-</dd>
-<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt>
-<dd><p>
- The delay, in seconds, between sending sets of notify
- messages for a zone. The default is zero.
- </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="builtin"></a>Built-in server information zones</h4></div></div></div>
-<p>
- The server provides some helpful diagnostic information
- through a number of built-in zones under the
- pseudo-top-level-domain <code class="literal">bind</code> in the
- <span><strong class="command">CHAOS</strong></span> class. These zones are part
- of a
- built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called &#8220;<span><strong class="command">view</strong></span> Statement Grammar&#8221;</a>) of
- class
- <span><strong class="command">CHAOS</strong></span> which is separate from the
- default view of
- class <span><strong class="command">IN</strong></span>; therefore, any global
- server options
- such as <span><strong class="command">allow-query</strong></span> do not apply
- the these zones.
- If you feel the need to disable these zones, use the options
- below, or hide the built-in <span><strong class="command">CHAOS</strong></span>
- view by
- defining an explicit view of class <span><strong class="command">CHAOS</strong></span>
- that matches all clients.
- </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">version</strong></span></span></dt>
-<dd><p>
- The version the server should report
- via a query of the name <code class="literal">version.bind</code>
- with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
- The default is the real version number of this server.
- Specifying <span><strong class="command">version none</strong></span>
- disables processing of the queries.
- </p></dd>
-<dt><span class="term"><span><strong class="command">hostname</strong></span></span></dt>
-<dd><p>
- The hostname the server should report via a query of
- the name <code class="filename">hostname.bind</code>
- with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
- This defaults to the hostname of the machine hosting the
- name server as
- found by the gethostname() function. The primary purpose of such queries
- is to
- identify which of a group of anycast servers is actually
- answering your queries. Specifying <span><strong class="command">hostname none;</strong></span>
- disables processing of the queries.
- </p></dd>
-<dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt>
-<dd><p>
- The ID of the server should report via a query of
- the name <code class="filename">ID.SERVER</code>
- with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
- The primary purpose of such queries is to
- identify which of a group of anycast servers is actually
- answering your queries. Specifying <span><strong class="command">server-id none;</strong></span>
- disables processing of the queries.
- Specifying <span><strong class="command">server-id hostname;</strong></span> will cause named to
- use the hostname as found by the gethostname() function.
- The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
- </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="empty"></a>Built-in Empty Zones</h4></div></div></div>
-<p>
- Named has some built-in empty zones (SOA and NS records only).
- These are for zones that should normally be answered locally
- and which queries should not be sent to the Internet's root
- servers. The official servers which cover these namespaces
- return NXDOMAIN responses to these queries. In particular,
- these cover the reverse namespace for addresses from RFC 1918 and
- RFC 3330. They also include the reverse namespace for IPv6 local
- address (locally assigned), IPv6 link local addresses, the IPv6
- loopback address and the IPv6 unknown addresss.
- </p>
-<p>
- Named will attempt to determine if a built in zone already exists
- or is active (covered by a forward-only forwarding declaration)
- and will not not create a empty zone in that case.
- </p>
-<p>
- The current list of empty zones is:
- </p>
-<div class="itemizedlist"><ul type="disc">
-<li>10.IN-ADDR.ARPA</li>
-<li>127.IN-ADDR.ARPA</li>
-<li>254.169.IN-ADDR.ARPA</li>
-<li>16.172.IN-ADDR.ARPA</li>
-<li>17.172.IN-ADDR.ARPA</li>
-<li>18.172.IN-ADDR.ARPA</li>
-<li>19.172.IN-ADDR.ARPA</li>
-<li>20.172.IN-ADDR.ARPA</li>
-<li>21.172.IN-ADDR.ARPA</li>
-<li>22.172.IN-ADDR.ARPA</li>
-<li>23.172.IN-ADDR.ARPA</li>
-<li>24.172.IN-ADDR.ARPA</li>
-<li>25.172.IN-ADDR.ARPA</li>
-<li>26.172.IN-ADDR.ARPA</li>
-<li>27.172.IN-ADDR.ARPA</li>
-<li>28.172.IN-ADDR.ARPA</li>
-<li>29.172.IN-ADDR.ARPA</li>
-<li>30.172.IN-ADDR.ARPA</li>
-<li>31.172.IN-ADDR.ARPA</li>
-<li>168.192.IN-ADDR.ARPA</li>
-<li>2.0.192.IN-ADDR.ARPA</li>
-<li>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
-<li>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
-<li>D.F.IP6.ARPA</li>
-<li>8.E.F.IP6.ARPA</li>
-<li>9.E.F.IP6.ARPA</li>
-<li>A.E.F.IP6.ARPA</li>
-<li>B.E.F.IP6.ARPA</li>
-</ul></div>
-<p>
- </p>
-<p>
- Empty zones are settable at the view level and only apply to
- views of class IN. Disabled empty zones are only inherited
- from options if there are no disabled empty zones specified
- at the view level. To override the options list of disabled
- zones, you can disable the root zone at the view level, for example:
-</p>
-<pre class="programlisting">
- disable-empty-zone ".";
-</pre>
-<p>
- </p>
-<p>
- If you are using the address ranges covered here, you should
- already have reverse zones covering the addresses you use.
- In practice this appears to not be the case with many queries
- being made to the infrastructure servers for names in these
- spaces. So many in fact that sacrificial servers were needed
- to be deployed to channel the query load away from the
- infrastructure servers.
- </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- The real parent servers for these zones should disable all
- empty zone under the parent zone they serve. For the real
- root servers, this is all built in empty zones. This will
- enable them to return referrals to deeper in the tree.
- </div>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">empty-server</strong></span></span></dt>
-<dd><p>
- Specify what server name will appear in the returned
- SOA record for empty zones. If none is specified, then
- the zone's name will be used.
- </p></dd>
-<dt><span class="term"><span><strong class="command">empty-contact</strong></span></span></dt>
-<dd><p>
- Specify what contact name will appear in the returned
- SOA record for empty zones. If none is specified, then
- "." will be used.
- </p></dd>
-<dt><span class="term"><span><strong class="command">empty-zones-enable</strong></span></span></dt>
-<dd><p>
- Enable or disable all empty zones. By default they
- are enabled.
- </p></dd>
-<dt><span class="term"><span><strong class="command">disable-empty-zone</strong></span></span></dt>
-<dd><p>
- Disable individual empty zones. By default none are
- disabled. This option can be specified multiple times.
- </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="statsfile"></a>The Statistics File</h4></div></div></div>
-<p>
- The statistics file generated by <acronym class="acronym">BIND</acronym> 9
- is similar, but not identical, to that
- generated by <acronym class="acronym">BIND</acronym> 8.
- </p>
-<p>
- The statistics dump begins with a line, like:
- </p>
-<p>
- <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span>
- </p>
-<p>
- The number in parentheses is a standard
- Unix-style timestamp, measured as seconds since January 1, 1970.
- Following
- that line are a series of lines containing a counter type, the
- value of the
- counter, optionally a zone name, and optionally a view name.
- The lines without view and zone listed are global statistics for
- the entire server.
- Lines with a zone and view name for the given view and zone (the
- view name is
- omitted for the default view).
- </p>
-<p>
- The statistics dump ends with the line where the
- number is identical to the number in the beginning line; for example:
- </p>
-<p>
- <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>
- </p>
-<p>
- The following statistics counters are maintained:
- </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p><span><strong class="command">success</strong></span></p>
- </td>
-<td>
- <p>
- The number of
- successful queries made to the server or zone. A
- successful query
- is defined as query which returns a NOERROR response
- with at least
- one answer RR.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">referral</strong></span></p>
- </td>
-<td>
- <p>
- The number of queries which resulted
- in referral responses.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">nxrrset</strong></span></p>
- </td>
-<td>
- <p>
- The number of queries which resulted in
- NOERROR responses with no data.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">nxdomain</strong></span></p>
- </td>
-<td>
- <p>
- The number
- of queries which resulted in NXDOMAIN responses.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">failure</strong></span></p>
- </td>
-<td>
- <p>
- The number of queries which resulted in a
- failure response other than those above.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">recursion</strong></span></p>
- </td>
-<td>
- <p>
- The number of queries which caused the server
- to perform recursion in order to find the final answer.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">duplicate</strong></span></p>
- </td>
-<td>
- <p>
- The number of queries which the server attempted to
- recurse but discover a existing query with the same
- IP address, port, query id, name, type and class
- already being processed.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">dropped</strong></span></p>
- </td>
-<td>
- <p>
- The number of queries for which the server
- discovered a excessive number of existing
- recursive queries for the same name, type and
- class and were subsequently dropped.
- </p>
- </td>
-</tr>
-</tbody>
-</table></div>
-<p>
- Each query received by the server will cause exactly one of
- <span><strong class="command">success</strong></span>,
- <span><strong class="command">referral</strong></span>,
- <span><strong class="command">nxrrset</strong></span>,
- <span><strong class="command">nxdomain</strong></span>, or
- <span><strong class="command">failure</strong></span>
- to be incremented, and may additionally cause the
- <span><strong class="command">recursion</strong></span> counter to be
- incremented.
- </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="acache"></a>Additional Section Caching</h4></div></div></div>
-<p>
- The additional section cache, also called <span><strong class="command">acache</strong></span>,
- is an internal cache to improve the response performance of BIND 9.
- When additional section caching is enabled, BIND 9 will
- cache an internal short-cut to the additional section content for
- each answer RR.
- Note that <span><strong class="command">acache</strong></span> is an internal caching
- mechanism of BIND 9, and is not related to the DNS caching
- server function.
- </p>
-<p>
- Additional section caching does not change the
- response content (except the RRsets ordering of the additional
- section, see below), but can improve the response performance
- significantly.
- It is particularly effective when BIND 9 acts as an authoritative
- server for a zone that has many delegations with many glue RRs.
- </p>
-<p>
- In order to obtain the maximum performance improvement
- from additional section caching, setting
- <span><strong class="command">additional-from-cache</strong></span>
- to <span><strong class="command">no</strong></span> is recommended, since the current
- implementation of <span><strong class="command">acache</strong></span>
- does not short-cut of additional section information from the
- DNS cache data.
- </p>
-<p>
- One obvious disadvantage of <span><strong class="command">acache</strong></span> is
- that it requires much more
- memory for the internal cached data.
- Thus, if the response performance does not matter and memory
- consumption is much more critical, the
- <span><strong class="command">acache</strong></span> mechanism can be
- disabled by setting <span><strong class="command">acache-enable</strong></span> to
- <span><strong class="command">no</strong></span>.
- It is also possible to specify the upper limit of memory
- consumption
- for acache by using <span><strong class="command">max-acache-size</strong></span>.
- </p>
-<p>
- Additional section caching also has a minor effect on the
- RRset ordering in the additional section.
- Without <span><strong class="command">acache</strong></span>,
- <span><strong class="command">cyclic</strong></span> order is effective for the additional
- section as well as the answer and authority sections.
- However, additional section caching fixes the ordering when it
- first caches an RRset for the additional section, and the same
- ordering will be kept in succeeding responses, regardless of the
- setting of <span><strong class="command">rrset-order</strong></span>.
- The effect of this should be minor, however, since an
- RRset in the additional section
- typically only contains a small number of RRs (and in many cases
- it only contains a single RR), in which case the
- ordering does not matter much.
- </p>
-<p>
- The following is a summary of options related to
- <span><strong class="command">acache</strong></span>.
- </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">acache-enable</strong></span></span></dt>
-<dd><p>
- If <span><strong class="command">yes</strong></span>, additional section caching is
- enabled. The default value is <span><strong class="command">no</strong></span>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
-<dd><p>
- The server will remove stale cache entries, based on an LRU
- based
- algorithm, every <span><strong class="command">acache-cleaning-interval</strong></span> minutes.
- The default is 60 minutes.
- If set to 0, no periodic cleaning will occur.
- </p></dd>
-<dt><span class="term"><span><strong class="command">max-acache-size</strong></span></span></dt>
-<dd><p>
- The maximum amount of memory in bytes to use for the server's acache.
- When the amount of data in the acache reaches this limit,
- the server
- will clean more aggressively so that the limit is not
- exceeded.
- In a server with multiple views, the limit applies
- separately to the
- acache of each view.
- The default is <code class="literal">unlimited</code>,
- meaning that
- entries are purged from the acache only at the
- periodic cleaning time.
- </p></dd>
-</dl></div>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">server <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
- [<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> edns <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> transfers <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; ]</span>]
- [<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
- [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
- [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
- Usage</h3></div></div></div>
-<p>
- The <span><strong class="command">server</strong></span> statement defines
- characteristics
- to be associated with a remote name server. If a prefix length is
- specified, then a range of servers is covered. Only the most
- specific
- server clause applies regardless of the order in
- <code class="filename">named.conf</code>.
- </p>
-<p>
- The <span><strong class="command">server</strong></span> statement can occur at
- the top level of the
- configuration file or inside a <span><strong class="command">view</strong></span>
- statement.
- If a <span><strong class="command">view</strong></span> statement contains
- one or more <span><strong class="command">server</strong></span> statements, only
- those
- apply to the view and any top-level ones are ignored.
- If a view contains no <span><strong class="command">server</strong></span>
- statements,
- any top-level <span><strong class="command">server</strong></span> statements are
- used as
- defaults.
- </p>
-<p>
- If you discover that a remote server is giving out bad data,
- marking it as bogus will prevent further queries to it. The
- default
- value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
- </p>
-<p>
- The <span><strong class="command">provide-ixfr</strong></span> clause determines
- whether
- the local server, acting as master, will respond with an
- incremental
- zone transfer when the given remote server, a slave, requests it.
- If set to <span><strong class="command">yes</strong></span>, incremental transfer
- will be provided
- whenever possible. If set to <span><strong class="command">no</strong></span>,
- all transfers
- to the remote server will be non-incremental. If not set, the
- value
- of the <span><strong class="command">provide-ixfr</strong></span> option in the
- view or
- global options block is used as a default.
- </p>
-<p>
- The <span><strong class="command">request-ixfr</strong></span> clause determines
- whether
- the local server, acting as a slave, will request incremental zone
- transfers from the given remote server, a master. If not set, the
- value of the <span><strong class="command">request-ixfr</strong></span> option in
- the view or
- global options block is used as a default.
- </p>
-<p>
- IXFR requests to servers that do not support IXFR will
- automatically
- fall back to AXFR. Therefore, there is no need to manually list
- which servers support IXFR and which ones do not; the global
- default
- of <span><strong class="command">yes</strong></span> should always work.
- The purpose of the <span><strong class="command">provide-ixfr</strong></span> and
- <span><strong class="command">request-ixfr</strong></span> clauses is
- to make it possible to disable the use of IXFR even when both
- master
- and slave claim to support it, for example if one of the servers
- is buggy and crashes or corrupts data when IXFR is used.
- </p>
-<p>
- The <span><strong class="command">edns</strong></span> clause determines whether
- the local server will attempt to use EDNS when communicating
- with the remote server. The default is <span><strong class="command">yes</strong></span>.
- </p>
-<p>
- The <span><strong class="command">edns-udp-size</strong></span> option sets the EDNS UDP size
- that is advertised by named when querying the remote server.
- Valid values are 512 to 4096 bytes (values outside this range will be
- silently adjusted). This option is useful when you wish to
- advertises a different value to this server than the value you
- advertise globally, for example, when there is a firewall at the
- remote site that is blocking large replies.
- </p>
-<p>
- The <span><strong class="command">max-udp-size</strong></span> option sets the
- maximum EDNS UDP message size named will send. Valid
- values are 512 to 4096 bytes (values outside this range will
- be silently adjusted). This option is useful when you
- know that there is a firewall that is blocking large
- replies from named.
- </p>
-<p>
- The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
- uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
- as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
- more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
- 8.x, and patched versions of <acronym class="acronym">BIND</acronym>
- 4.9.5. You can specify which method
- to use for a server with the <span><strong class="command">transfer-format</strong></span> option.
- If <span><strong class="command">transfer-format</strong></span> is not
- specified, the <span><strong class="command">transfer-format</strong></span>
- specified
- by the <span><strong class="command">options</strong></span> statement will be
- used.
- </p>
-<p><span><strong class="command">transfers</strong></span>
- is used to limit the number of concurrent inbound zone
- transfers from the specified server. If no
- <span><strong class="command">transfers</strong></span> clause is specified, the
- limit is set according to the
- <span><strong class="command">transfers-per-ns</strong></span> option.
- </p>
-<p>
- The <span><strong class="command">keys</strong></span> clause identifies a
- <span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
- to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
- when talking to the remote server.
- When a request is sent to the remote server, a request signature
- will be generated using the key specified here and appended to the
- message. A request originating from the remote server is not
- required
- to be signed by this key.
- </p>
-<p>
- Although the grammar of the <span><strong class="command">keys</strong></span>
- clause
- allows for multiple keys, only a single key per server is
- currently
- supported.
- </p>
-<p>
- The <span><strong class="command">transfer-source</strong></span> and
- <span><strong class="command">transfer-source-v6</strong></span> clauses specify
- the IPv4 and IPv6 source
- address to be used for zone transfer with the remote server,
- respectively.
- For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can
- be specified.
- Similarly, for an IPv6 remote server, only
- <span><strong class="command">transfer-source-v6</strong></span> can be
- specified.
- For more details, see the description of
- <span><strong class="command">transfer-source</strong></span> and
- <span><strong class="command">transfer-source-v6</strong></span> in
- <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
- </p>
-<p>
- The <span><strong class="command">notify-source</strong></span> and
- <span><strong class="command">notify-source-v6</strong></span> clauses specify the
- IPv4 and IPv6 source address to be used for notify
- messages sent to remote servers, respectively. For an
- IPv4 remote server, only <span><strong class="command">notify-source</strong></span>
- can be specified. Similarly, for an IPv6 remote server,
- only <span><strong class="command">notify-source-v6</strong></span> can be specified.
- </p>
-<p>
- The <span><strong class="command">query-source</strong></span> and
- <span><strong class="command">query-source-v6</strong></span> clauses specify the
- IPv4 and IPv6 source address to be used for queries
- sent to remote servers, respectively. For an IPv4
- remote server, only <span><strong class="command">query-source</strong></span> can
- be specified. Similarly, for an IPv6 remote server,
- only <span><strong class="command">query-source-v6</strong></span> can be specified.
- </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2585361"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">trusted-keys {
- <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
- [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2585410"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
- and Usage</h3></div></div></div>
-<p>
- The <span><strong class="command">trusted-keys</strong></span> statement defines
- DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>. A security root is defined when the
- public key for a non-authoritative zone is known, but
- cannot be securely obtained through DNS, either because
- it is the DNS root zone or because its parent zone is
- unsigned. Once a key has been configured as a trusted
- key, it is treated as if it had been validated and
- proven secure. The resolver attempts DNSSEC validation
- on all DNS data in subdomains of a security root.
- </p>
-<p>
- All keys (and corresponding zones) listed in
- <span><strong class="command">trusted-keys</strong></span> are deemed to exist regardless
- of what parent zones say. Similarly for all keys listed in
- <span><strong class="command">trusted-keys</strong></span> only those keys are
- used to validate the DNSKEY RRset. The parent's DS RRset
- will not be used.
- </p>
-<p>
- The <span><strong class="command">trusted-keys</strong></span> statement can contain
- multiple key entries, each consisting of the key's
- domain name, flags, protocol, algorithm, and the Base-64
- representation of the key data.
- </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">view <em class="replaceable"><code>view_name</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
- match-clients { <em class="replaceable"><code>address_match_list</code></em> };
- match-destinations { <em class="replaceable"><code>address_match_list</code></em> };
- match-recursive-only <em class="replaceable"><code>yes_or_no</code></em> ;
- [<span class="optional"> <em class="replaceable"><code>view_option</code></em>; ...</span>]
- [<span class="optional"> <em class="replaceable"><code>zone_statement</code></em>; ...</span>]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2585490"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>
- The <span><strong class="command">view</strong></span> statement is a powerful
- feature
- of <acronym class="acronym">BIND</acronym> 9 that lets a name server
- answer a DNS query differently
- depending on who is asking. It is particularly useful for
- implementing
- split DNS setups without having to run multiple servers.
- </p>
-<p>
- Each <span><strong class="command">view</strong></span> statement defines a view
- of the
- DNS namespace that will be seen by a subset of clients. A client
- matches
- a view if its source IP address matches the
- <code class="varname">address_match_list</code> of the view's
- <span><strong class="command">match-clients</strong></span> clause and its
- destination IP address matches
- the <code class="varname">address_match_list</code> of the
- view's
- <span><strong class="command">match-destinations</strong></span> clause. If not
- specified, both
- <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
- default to matching all addresses. In addition to checking IP
- addresses
- <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
- can also take <span><strong class="command">keys</strong></span> which provide an
- mechanism for the
- client to select the view. A view can also be specified
- as <span><strong class="command">match-recursive-only</strong></span>, which
- means that only recursive
- requests from matching clients will match that view.
- The order of the <span><strong class="command">view</strong></span> statements is
- significant &#8212;
- a client request will be resolved in the context of the first
- <span><strong class="command">view</strong></span> that it matches.
- </p>
-<p>
- Zones defined within a <span><strong class="command">view</strong></span>
- statement will
- be only be accessible to clients that match the <span><strong class="command">view</strong></span>.
- By defining a zone of the same name in multiple views, different
- zone data can be given to different clients, for example,
- "internal"
- and "external" clients in a split DNS setup.
- </p>
-<p>
- Many of the options given in the <span><strong class="command">options</strong></span> statement
- can also be used within a <span><strong class="command">view</strong></span>
- statement, and then
- apply only when resolving queries with that view. When no
- view-specific
- value is given, the value in the <span><strong class="command">options</strong></span> statement
- is used as a default. Also, zone options can have default values
- specified
- in the <span><strong class="command">view</strong></span> statement; these
- view-specific defaults
- take precedence over those in the <span><strong class="command">options</strong></span> statement.
- </p>
-<p>
- Views are class specific. If no class is given, class IN
- is assumed. Note that all non-IN views must contain a hint zone,
- since only the IN class has compiled-in default hints.
- </p>
-<p>
- If there are no <span><strong class="command">view</strong></span> statements in
- the config
- file, a default view that matches any client is automatically
- created
- in class IN. Any <span><strong class="command">zone</strong></span> statements
- specified on
- the top level of the configuration file are considered to be part
- of
- this default view, and the <span><strong class="command">options</strong></span>
- statement will
- apply to the default view. If any explicit <span><strong class="command">view</strong></span>
- statements are present, all <span><strong class="command">zone</strong></span>
- statements must
- occur inside <span><strong class="command">view</strong></span> statements.
- </p>
-<p>
- Here is an example of a typical split DNS setup implemented
- using <span><strong class="command">view</strong></span> statements:
- </p>
-<pre class="programlisting">view "internal" {
- // This should match our internal networks.
- match-clients { 10.0.0.0/8; };
-
- // Provide recursive service to internal clients only.
- recursion yes;
-
- // Provide a complete view of the example.com zone
- // including addresses of internal hosts.
- zone "example.com" {
- type master;
- file "example-internal.db";
- };
-};
-
-view "external" {
- // Match all clients not matched by the previous view.
- match-clients { any; };
-
- // Refuse recursive service to external clients.
- recursion no;
-
- // Provide a restricted view of the example.com zone
- // containing only publicly accessible hosts.
- zone "example.com" {
- type master;
- file "example-external.db";
- };
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="zone_statement_grammar"></a><span><strong class="command">zone</strong></span>
- Statement Grammar</h3></div></div></div>
-<pre class="programlisting">zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
- type master;
- [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
- [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
- [<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
- [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
- [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
- [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
- [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
- [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
- [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-};
-
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
- type slave;
- [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
- [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
- [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
- [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
- [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
- [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
- [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-};
-
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
- type hint;
- file <em class="replaceable"><code>string</code></em> ;
- [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; // Not Implemented. </span>]
-};
-
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
- type stub;
- [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
- [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
- [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
- [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
- [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
- [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-};
-
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
- type forward;
- [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
- [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
-};
-
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
- type delegation-only;
-};
-
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2586798"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2586806"></a>Zone Types</h4></div></div></div>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <code class="varname">master</code>
- </p>
- </td>
-<td>
- <p>
- The server has a master copy of the data
- for the zone and will be able to provide authoritative
- answers for
- it.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">slave</code>
- </p>
- </td>
-<td>
- <p>
- A slave zone is a replica of a master
- zone. The <span><strong class="command">masters</strong></span> list
- specifies one or more IP addresses
- of master servers that the slave contacts to update
- its copy of the zone.
- Masters list elements can also be names of other
- masters lists.
- By default, transfers are made from port 53 on the
- servers; this can
- be changed for all servers by specifying a port number
- before the
- list of IP addresses, or on a per-server basis after
- the IP address.
- Authentication to the master can also be done with
- per-server TSIG keys.
- If a file is specified, then the
- replica will be written to this file whenever the zone
- is changed,
- and reloaded from this file on a server restart. Use
- of a file is
- recommended, since it often speeds server startup and
- eliminates
- a needless waste of bandwidth. Note that for large
- numbers (in the
- tens or hundreds of thousands) of zones per server, it
- is best to
- use a two-level naming scheme for zone filenames. For
- example,
- a slave server for the zone <code class="literal">example.com</code> might place
- the zone contents into a file called
- <code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
- just the first two letters of the zone name. (Most
- operating systems
- behave very slowly if you put 100 000 files into
- a single directory.)
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">stub</code>
- </p>
- </td>
-<td>
- <p>
- A stub zone is similar to a slave zone,
- except that it replicates only the NS records of a
- master zone instead
- of the entire zone. Stub zones are not a standard part
- of the DNS;
- they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation.
- </p>
-
- <p>
- Stub zones can be used to eliminate the need for glue
- NS record
- in a parent zone at the expense of maintaining a stub
- zone entry and
- a set of name server addresses in <code class="filename">named.conf</code>.
- This usage is not recommended for new configurations,
- and BIND 9
- supports it only in a limited way.
- In <acronym class="acronym">BIND</acronym> 4/8, zone
- transfers of a parent zone
- included the NS records from stub children of that
- zone. This meant
- that, in some cases, users could get away with
- configuring child stubs
- only in the master server for the parent zone. <acronym class="acronym">BIND</acronym>
- 9 never mixes together zone data from different zones
- in this
- way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent
- zone has child stub zones configured, all the slave
- servers for the
- parent zone also need to have the same child stub
- zones
- configured.
- </p>
-
- <p>
- Stub zones can also be used as a way of forcing the
- resolution
- of a given domain to use a particular set of
- authoritative servers.
- For example, the caching name servers on a private
- network using
- RFC1918 addressing may be configured with stub zones
- for
- <code class="literal">10.in-addr.arpa</code>
- to use a set of internal name servers as the
- authoritative
- servers for that domain.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">forward</code>
- </p>
- </td>
-<td>
- <p>
- A "forward zone" is a way to configure
- forwarding on a per-domain basis. A <span><strong class="command">zone</strong></span> statement
- of type <span><strong class="command">forward</strong></span> can
- contain a <span><strong class="command">forward</strong></span>
- and/or <span><strong class="command">forwarders</strong></span>
- statement,
- which will apply to queries within the domain given by
- the zone
- name. If no <span><strong class="command">forwarders</strong></span>
- statement is present or
- an empty list for <span><strong class="command">forwarders</strong></span> is given, then no
- forwarding will be done for the domain, canceling the
- effects of
- any forwarders in the <span><strong class="command">options</strong></span> statement. Thus
- if you want to use this type of zone to change the
- behavior of the
- global <span><strong class="command">forward</strong></span> option
- (that is, "forward first"
- to, then "forward only", or vice versa, but want to
- use the same
- servers as set globally) you need to re-specify the
- global forwarders.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">hint</code>
- </p>
- </td>
-<td>
- <p>
- The initial set of root name servers is
- specified using a "hint zone". When the server starts
- up, it uses
- the root hints to find a root name server and get the
- most recent
- list of root name servers. If no hint zone is
- specified for class
- IN, the server uses a compiled-in default set of root
- servers hints.
- Classes other than IN have no built-in defaults hints.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">delegation-only</code>
- </p>
- </td>
-<td>
- <p>
- This is used to enforce the delegation-only
- status of infrastructure zones (e.g. COM, NET, ORG).
- Any answer that
- is received without an explicit or implicit delegation
- in the authority
- section will be treated as NXDOMAIN. This does not
- apply to the zone
- apex. This should not be applied to leaf zones.
- </p>
- <p>
- <code class="varname">delegation-only</code> has no
- effect on answers received
- from forwarders.
- </p>
- </td>
-</tr>
-</tbody>
-</table></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2587362"></a>Class</h4></div></div></div>
-<p>
- The zone's name may optionally be followed by a class. If
- a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
- is assumed. This is correct for the vast majority of cases.
- </p>
-<p>
- The <code class="literal">hesiod</code> class is
- named for an information service from MIT's Project Athena. It
- is
- used to share information about various systems databases, such
- as users, groups, printers and so on. The keyword
- <code class="literal">HS</code> is
- a synonym for hesiod.
- </p>
-<p>
- Another MIT development is Chaosnet, a LAN protocol created
- in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
- </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2587395"></a>Zone Options</h4></div></div></div>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
-<dd><p>
- See the description of <span><strong class="command">allow-transfer</strong></span>
- in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
-<dd><p>
- See the description of <span><strong class="command">allow-update</strong></span>
- in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">update-policy</strong></span></span></dt>
-<dd><p>
- Specifies a "Simple Secure Update" policy. See
- <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
-<dd><p>
- See the description of <span><strong class="command">allow-update-forwarding</strong></span>
- in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
-<dd><p>
- Only meaningful if <span><strong class="command">notify</strong></span>
- is
- active for this zone. The set of machines that will
- receive a
- <code class="literal">DNS NOTIFY</code> message
- for this zone is made up of all the listed name servers
- (other than
- the primary master) for the zone plus any IP addresses
- specified
- with <span><strong class="command">also-notify</strong></span>. A port
- may be specified
- with each <span><strong class="command">also-notify</strong></span>
- address to send the notify
- messages to a port other than the default of 53.
- <span><strong class="command">also-notify</strong></span> is not
- meaningful for stub zones.
- The default is the empty list.
- </p></dd>
-<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
-<dd><p>
- This option is used to restrict the character set and
- syntax of
- certain domain names in master files and/or DNS responses
- received from the
- network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
- zones the default is <span><strong class="command">warn</strong></span>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">database</strong></span></span></dt>
-<dd>
-<p>
- Specify the type of database to be used for storing the
- zone data. The string following the <span><strong class="command">database</strong></span> keyword
- is interpreted as a list of whitespace-delimited words.
- The first word
- identifies the database type, and any subsequent words are
- passed
- as arguments to the database to be interpreted in a way
- specific
- to the database type.
- </p>
-<p>
- The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's
- native in-memory
- red-black-tree database. This database does not take
- arguments.
- </p>
-<p>
- Other values are possible if additional database drivers
- have been linked into the server. Some sample drivers are
- included
- with the distribution but none are linked in by default.
- </p>
-</dd>
-<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">delegation-only</strong></span></span></dt>
-<dd><p>
- The flag only applies to hint and stub zones. If set
- to <strong class="userinput"><code>yes</code></strong>, then the zone will also be
- treated as if it
- is also a delegation-only type zone.
- </p></dd>
-<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
-<dd><p>
- Only meaningful if the zone has a forwarders
- list. The <span><strong class="command">only</strong></span> value causes
- the lookup to fail
- after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
- allow a normal lookup to be tried.
- </p></dd>
-<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
-<dd><p>
- Used to override the list of global forwarders.
- If it is not specified in a zone of type <span><strong class="command">forward</strong></span>,
- no forwarding is done for the zone and the global options are
- not used.
- </p></dd>
-<dt><span class="term"><span><strong class="command">ixfr-base</strong></span></span></dt>
-<dd><p>
- Was used in <acronym class="acronym">BIND</acronym> 8 to
- specify the name
- of the transaction log (journal) file for dynamic update
- and IXFR.
- <acronym class="acronym">BIND</acronym> 9 ignores the option
- and constructs the name of the journal
- file by appending "<code class="filename">.jnl</code>"
- to the name of the
- zone file.
- </p></dd>
-<dt><span class="term"><span><strong class="command">ixfr-tmp-file</strong></span></span></dt>
-<dd><p>
- Was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
- Ignored in <acronym class="acronym">BIND</acronym> 9.
- </p></dd>
-<dt><span class="term"><span><strong class="command">journal</strong></span></span></dt>
-<dd><p>
- Allow the default journal's filename to be overridden.
- The default is the zone's filename with "<code class="filename">.jnl</code>" appended.
- This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
- </p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt>
-<dd><p>
- In <acronym class="acronym">BIND</acronym> 8, this option was
- intended for specifying
- a public zone key for verification of signatures in DNSSEC
- signed
- zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
- on load and ignores the option.
- </p></dd>
-<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
-<dd><p>
- If <strong class="userinput"><code>yes</code></strong>, the server will keep
- statistical
- information for this zone, which can be dumped to the
- <span><strong class="command">statistics-file</strong></span> defined in
- the server options.
- </p></dd>
-<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
- </p></dd>
-<dt>
-<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
-</dt>
-<dd><p>
- See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
-<dd><p>
- See the description of
- <span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
- Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and
- Usage&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
-<dd><p>
- See the description of <span><strong class="command">multi-master</strong></span> in
- <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
- </p></dd>
-<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
-<dd><p>
- See the description of <span><strong class="command">masterfile-format</strong></span>
- in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
- </p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
-<p>
- <acronym class="acronym">BIND</acronym> 9 supports two alternative
- methods of granting clients
- the right to perform dynamic updates to a zone,
- configured by the <span><strong class="command">allow-update</strong></span>
- and
- <span><strong class="command">update-policy</strong></span> option,
- respectively.
- </p>
-<p>
- The <span><strong class="command">allow-update</strong></span> clause works the
- same
- way as in previous versions of <acronym class="acronym">BIND</acronym>. It grants given clients the
- permission to update any record of any name in the zone.
- </p>
-<p>
- The <span><strong class="command">update-policy</strong></span> clause is new
- in <acronym class="acronym">BIND</acronym>
- 9 and allows more fine-grained control over what updates are
- allowed.
- A set of rules is specified, where each rule either grants or
- denies
- permissions for one or more names to be updated by one or more
- identities.
- If the dynamic update request message is signed (that is, it
- includes
- either a TSIG or SIG(0) record), the identity of the signer can
- be determined.
- </p>
-<p>
- Rules are specified in the <span><strong class="command">update-policy</strong></span> zone
- option, and are only meaningful for master zones. When the <span><strong class="command">update-policy</strong></span> statement
- is present, it is a configuration error for the <span><strong class="command">allow-update</strong></span> statement
- to be present. The <span><strong class="command">update-policy</strong></span>
- statement only
- examines the signer of a message; the source address is not
- relevant.
- </p>
-<p>
- This is how a rule definition looks:
- </p>
-<pre class="programlisting">
-( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> <em class="replaceable"><code>name</code></em> [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
-</pre>
-<p>
- Each rule grants or denies privileges. Once a message has
- successfully matched a rule, the operation is immediately
- granted
- or denied and no further rules are examined. A rule is matched
- when the signer matches the identity field, the name matches the
- name field in accordance with the nametype field, and the type
- matches
- the types specified in the type field.
- </p>
-<p>
- The identity field specifies a name or a wildcard name.
- Normally, this
- is the name of the TSIG or SIG(0) key used to sign the update
- request. When a
- TKEY exchange has been used to create a shared secret, the
- identity of the
- shared secret is the same as the identity of the key used to
- authenticate the
- TKEY exchange. When the <em class="replaceable"><code>identity</code></em> field specifies a
- wildcard name, it is subject to DNS wildcard expansion, so the
- rule will apply
- to multiple identities. The <em class="replaceable"><code>identity</code></em> field must
- contain a fully-qualified domain name.
- </p>
-<p>
- The <em class="replaceable"><code>nametype</code></em> field has 6
- values:
- <code class="varname">name</code>, <code class="varname">subdomain</code>,
- <code class="varname">wildcard</code>, <code class="varname">self</code>,
- <code class="varname">selfsub</code>, and <code class="varname">selfwild</code>.
- </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <code class="varname">name</code>
- </p>
- </td>
-<td>
- <p>
- Exact-match semantics. This rule matches
- when the name being updated is identical
- to the contents of the
- <em class="replaceable"><code>name</code></em> field.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">subdomain</code>
- </p>
- </td>
-<td>
- <p>
- This rule matches when the name being updated
- is a subdomain of, or identical to, the
- contents of the <em class="replaceable"><code>name</code></em>
- field.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">wildcard</code>
- </p>
- </td>
-<td>
- <p>
- The <em class="replaceable"><code>name</code></em> field
- is subject to DNS wildcard expansion, and
- this rule matches when the name being updated
- name is a valid expansion of the wildcard.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">self</code>
- </p>
- </td>
-<td>
- <p>
- This rule matches when the name being updated
- matches the contents of the
- <em class="replaceable"><code>identity</code></em> field.
- The <em class="replaceable"><code>name</code></em> field
- is ignored, but should be the same as the
- <em class="replaceable"><code>identity</code></em> field.
- The <code class="varname">self</code> nametype is
- most useful when allowing using one key per
- name to update, where the key has the same
- name as the name to be updated. The
- <em class="replaceable"><code>identity</code></em> would
- be specified as <code class="constant">*</code> (an asterisk) in
- this case.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">selfsub</code>
- </p>
- </td>
-<td>
- <p>
- This rule is similar to <code class="varname">self</code>
- except that subdomains of <code class="varname">self</code>
- can also be updated.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="varname">selfwild</code>
- </p>
- </td>
-<td>
- <p>
- This rule is similar to <code class="varname">self</code>
- except that only subdomains of
- <code class="varname">self</code> can be updated.
- </p>
- </td>
-</tr>
-</tbody>
-</table></div>
-<p>
- In all cases, the <em class="replaceable"><code>name</code></em>
- field must
- specify a fully-qualified domain name.
- </p>
-<p>
- If no types are explicitly specified, this rule matches all
- types except
- RRSIG, NS, SOA, and NSEC. Types may be specified by name, including
- "ANY" (ANY matches all types except NSEC, which can never be
- updated).
- Note that when an attempt is made to delete all records
- associated with a
- name, the rules are checked for each existing record type.
- </p>
-</div>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2589080"></a>Zone File</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
-<p>
- This section, largely borrowed from RFC 1034, describes the
- concept of a Resource Record (RR) and explains when each is used.
- Since the publication of RFC 1034, several new RRs have been
- identified
- and implemented in the DNS. These are also included.
- </p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2589098"></a>Resource Records</h4></div></div></div>
-<p>
- A domain name identifies a node. Each node has a set of
- resource information, which may be empty. The set of resource
- information associated with a particular name is composed of
- separate RRs. The order of RRs in a set is not significant and
- need not be preserved by name servers, resolvers, or other
- parts of the DNS. However, sorting of multiple RRs is
- permitted for optimization purposes, for example, to specify
- that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>.
- </p>
-<p>
- The components of a Resource Record are:
- </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- owner name
- </p>
- </td>
-<td>
- <p>
- The domain name where the RR is found.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- type
- </p>
- </td>
-<td>
- <p>
- An encoded 16-bit value that specifies
- the type of the resource record.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- TTL
- </p>
- </td>
-<td>
- <p>
- The time-to-live of the RR. This field
- is a 32-bit integer in units of seconds, and is
- primarily used by
- resolvers when they cache RRs. The TTL describes how
- long a RR can
- be cached before it should be discarded.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- class
- </p>
- </td>
-<td>
- <p>
- An encoded 16-bit value that identifies
- a protocol family or instance of a protocol.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- RDATA
- </p>
- </td>
-<td>
- <p>
- The resource data. The format of the
- data is type (and sometimes class) specific.
- </p>
- </td>
-</tr>
-</tbody>
-</table></div>
-<p>
- The following are <span class="emphasis"><em>types</em></span> of valid RRs:
- </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- A
- </p>
- </td>
-<td>
- <p>
- A host address. In the IN class, this is a
- 32-bit IP address. Described in RFC 1035.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- AAAA
- </p>
- </td>
-<td>
- <p>
- IPv6 address. Described in RFC 1886.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- A6
- </p>
- </td>
-<td>
- <p>
- IPv6 address. This can be a partial
- address (a suffix) and an indirection to the name
- where the rest of the
- address (the prefix) can be found. Experimental.
- Described in RFC 2874.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- AFSDB
- </p>
- </td>
-<td>
- <p>
- Location of AFS database servers.
- Experimental. Described in RFC 1183.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- APL
- </p>
- </td>
-<td>
- <p>
- Address prefix list. Experimental.
- Described in RFC 3123.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- CERT
- </p>
- </td>
-<td>
- <p>
- Holds a digital certificate.
- Described in RFC 2538.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- CNAME
- </p>
- </td>
-<td>
- <p>
- Identifies the canonical name of an alias.
- Described in RFC 1035.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- DNAME
- </p>
- </td>
-<td>
- <p>
- Replaces the domain name specified with
- another name to be looked up, effectively aliasing an
- entire
- subtree of the domain name space rather than a single
- record
- as in the case of the CNAME RR.
- Described in RFC 2672.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- DNSKEY
- </p>
- </td>
-<td>
- <p>
- Stores a public key associated with a signed
- DNS zone. Described in RFC 4034.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- DS
- </p>
- </td>
-<td>
- <p>
- Stores the hash of a public key associated with a
- signed DNS zone. Described in RFC 4034.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- GPOS
- </p>
- </td>
-<td>
- <p>
- Specifies the global position. Superseded by LOC.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- HINFO
- </p>
- </td>
-<td>
- <p>
- Identifies the CPU and OS used by a host.
- Described in RFC 1035.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- ISDN
- </p>
- </td>
-<td>
- <p>
- Representation of ISDN addresses.
- Experimental. Described in RFC 1183.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- KEY
- </p>
- </td>
-<td>
- <p>
- Stores a public key associated with a
- DNS name. Used in original DNSSEC; replaced
- by DNSKEY in DNSSECbis, but still used with
- SIG(0). Described in RFCs 2535 and 2931.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- KX
- </p>
- </td>
-<td>
- <p>
- Identifies a key exchanger for this
- DNS name. Described in RFC 2230.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- LOC
- </p>
- </td>
-<td>
- <p>
- For storing GPS info. Described in RFC 1876.
- Experimental.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- MX
- </p>
- </td>
-<td>
- <p>
- Identifies a mail exchange for the domain with
- a 16-bit preference value (lower is better)
- followed by the host name of the mail exchange.
- Described in RFC 974, RFC 1035.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- NAPTR
- </p>
- </td>
-<td>
- <p>
- Name authority pointer. Described in RFC 2915.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- NSAP
- </p>
- </td>
-<td>
- <p>
- A network service access point.
- Described in RFC 1706.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- NS
- </p>
- </td>
-<td>
- <p>
- The authoritative name server for the
- domain. Described in RFC 1035.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- NSEC
- </p>
- </td>
-<td>
- <p>
- Used in DNSSECbis to securely indicate that
- RRs with an owner name in a certain name interval do
- not exist in
- a zone and indicate what RR types are present for an
- existing name.
- Described in RFC 4034.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- NXT
- </p>
- </td>
-<td>
- <p>
- Used in DNSSEC to securely indicate that
- RRs with an owner name in a certain name interval do
- not exist in
- a zone and indicate what RR types are present for an
- existing name.
- Used in original DNSSEC; replaced by NSEC in
- DNSSECbis.
- Described in RFC 2535.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- PTR
- </p>
- </td>
-<td>
- <p>
- A pointer to another part of the domain
- name space. Described in RFC 1035.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- PX
- </p>
- </td>
-<td>
- <p>
- Provides mappings between RFC 822 and X.400
- addresses. Described in RFC 2163.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- RP
- </p>
- </td>
-<td>
- <p>
- Information on persons responsible
- for the domain. Experimental. Described in RFC 1183.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- RRSIG
- </p>
- </td>
-<td>
- <p>
- Contains DNSSECbis signature data. Described
- in RFC 4034.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- RT
- </p>
- </td>
-<td>
- <p>
- Route-through binding for hosts that
- do not have their own direct wide area network
- addresses.
- Experimental. Described in RFC 1183.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- SIG
- </p>
- </td>
-<td>
- <p>
- Contains DNSSEC signature data. Used in
- original DNSSEC; replaced by RRSIG in
- DNSSECbis, but still used for SIG(0).
- Described in RFCs 2535 and 2931.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- SOA
- </p>
- </td>
-<td>
- <p>
- Identifies the start of a zone of authority.
- Described in RFC 1035.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- SRV
- </p>
- </td>
-<td>
- <p>
- Information about well known network
- services (replaces WKS). Described in RFC 2782.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- TXT
- </p>
- </td>
-<td>
- <p>
- Text records. Described in RFC 1035.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- WKS
- </p>
- </td>
-<td>
- <p>
- Information about which well known
- network services, such as SMTP, that a domain
- supports. Historical.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- X25
- </p>
- </td>
-<td>
- <p>
- Representation of X.25 network addresses.
- Experimental. Described in RFC 1183.
- </p>
- </td>
-</tr>
-</tbody>
-</table></div>
-<p>
- The following <span class="emphasis"><em>classes</em></span> of resource records
- are currently valid in the DNS:
- </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- IN
- </p>
- </td>
-<td>
- <p>
- The Internet.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- CH
- </p>
- </td>
-<td>
- <p>
- Chaosnet, a LAN protocol created at MIT in the
- mid-1970s.
- Rarely used for its historical purpose, but reused for
- BIND's
- built-in server information zones, e.g.,
- <code class="literal">version.bind</code>.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- HS
- </p>
- </td>
-<td>
- <p>
- Hesiod, an information service
- developed by MIT's Project Athena. It is used to share
- information
- about various systems databases, such as users,
- groups, printers
- and so on.
- </p>
- </td>
-</tr>
-</tbody>
-</table></div>
-<p>
- The owner name is often implicit, rather than forming an
- integral
- part of the RR. For example, many name servers internally form
- tree
- or hash structures for the name space, and chain RRs off nodes.
- The remaining RR parts are the fixed header (type, class, TTL)
- which is consistent for all RRs, and a variable part (RDATA)
- that
- fits the needs of the resource being described.
- </p>
-<p>
- The meaning of the TTL field is a time limit on how long an
- RR can be kept in a cache. This limit does not apply to
- authoritative
- data in zones; it is also timed out, but by the refreshing
- policies
- for the zone. The TTL is assigned by the administrator for the
- zone where the data originates. While short TTLs can be used to
- minimize caching, and a zero TTL prohibits caching, the
- realities
- of Internet performance suggest that these times should be on
- the
- order of days for the typical host. If a change can be
- anticipated,
- the TTL can be reduced prior to the change to minimize
- inconsistency
- during the change, and then increased back to its former value
- following
- the change.
- </p>
-<p>
- The data in the RDATA section of RRs is carried as a combination
- of binary strings and domain names. The domain names are
- frequently
- used as "pointers" to other data in the DNS.
- </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2590513"></a>Textual expression of RRs</h4></div></div></div>
-<p>
- RRs are represented in binary form in the packets of the DNS
- protocol, and are usually represented in highly encoded form
- when
- stored in a name server or resolver. In the examples provided
- in
- RFC 1034, a style similar to that used in master files was
- employed
- in order to show the contents of RRs. In this format, most RRs
- are shown on a single line, although continuation lines are
- possible
- using parentheses.
- </p>
-<p>
- The start of the line gives the owner of the RR. If a line
- begins with a blank, then the owner is assumed to be the same as
- that of the previous RR. Blank lines are often included for
- readability.
- </p>
-<p>
- Following the owner, we list the TTL, type, and class of the
- RR. Class and type use the mnemonics defined above, and TTL is
- an integer before the type field. In order to avoid ambiguity
- in
- parsing, type and class mnemonics are disjoint, TTLs are
- integers,
- and the type mnemonic is always last. The IN class and TTL
- values
- are often omitted from examples in the interests of clarity.
- </p>
-<p>
- The resource data or RDATA section of the RR are given using
- knowledge of the typical representation for the data.
- </p>
-<p>
- For example, we might show the RRs carried in a message as:
- </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <code class="literal">ISI.EDU.</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">MX</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10 VENERA.ISI.EDU.</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p></p>
- </td>
-<td>
- <p>
- <code class="literal">MX</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10 VAXA.ISI.EDU</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="literal">VENERA.ISI.EDU</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">128.9.0.32</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p></p>
- </td>
-<td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10.1.0.52</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="literal">VAXA.ISI.EDU</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10.2.0.27</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p></p>
- </td>
-<td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">128.9.0.33</code>
- </p>
- </td>
-</tr>
-</tbody>
-</table></div>
-<p>
- The MX RRs have an RDATA section which consists of a 16-bit
- number followed by a domain name. The address RRs use a
- standard
- IP address format to contain a 32-bit internet address.
- </p>
-<p>
- The above example shows six RRs, with two RRs at each of three
- domain names.
- </p>
-<p>
- Similarly we might see:
- </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <code class="literal">XX.LCS.MIT.EDU.</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">IN A</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10.0.0.44</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>�</td>
-<td>
- <p>
- <code class="literal">CH A</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">MIT.EDU. 2420</code>
- </p>
- </td>
-</tr>
-</tbody>
-</table></div>
-<p>
- This example shows two addresses for
- <code class="literal">XX.LCS.MIT.EDU</code>, each of a different class.
- </p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2591101"></a>Discussion of MX Records</h3></div></div></div>
-<p>
- As described above, domain servers store information as a
- series of resource records, each of which contains a particular
- piece of information about a given domain name (which is usually,
- but not always, a host). The simplest way to think of a RR is as
- a typed pair of data, a domain name matched with a relevant datum,
- and stored with some additional type information to help systems
- determine when the RR is relevant.
- </p>
-<p>
- MX records are used to control delivery of email. The data
- specified in the record is a priority and a domain name. The
- priority
- controls the order in which email delivery is attempted, with the
- lowest number first. If two priorities are the same, a server is
- chosen randomly. If no servers at a given priority are responding,
- the mail transport agent will fall back to the next largest
- priority.
- Priority numbers do not have any absolute meaning &#8212; they are
- relevant
- only respective to other MX records for that domain name. The
- domain
- name given is the machine to which the mail will be delivered.
- It <span class="emphasis"><em>must</em></span> have an associated address record
- (A or AAAA) &#8212; CNAME is not sufficient.
- </p>
-<p>
- For a given domain, if there is both a CNAME record and an
- MX record, the MX record is in error, and will be ignored.
- Instead,
- the mail will be delivered to the server specified in the MX
- record
- pointed to by the CNAME.
- </p>
-<p>
- For example:
- </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <code class="literal">example.com.</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">MX</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">mail.example.com.</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p></p>
- </td>
-<td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">MX</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">mail2.example.com.</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p></p>
- </td>
-<td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">MX</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">20</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">mail.backup.org.</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="literal">mail.example.com.</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10.0.0.1</code>
- </p>
- </td>
-<td>
- <p></p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="literal">mail2.example.com.</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">10.0.0.2</code>
- </p>
- </td>
-<td>
- <p></p>
- </td>
-</tr>
-</tbody>
-</table></div>
-<p>
- Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
- <code class="literal">mail2.example.com</code> (in
- any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
- be attempted.
- </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div>
-<p>
- The time-to-live of the RR field is a 32-bit integer represented
- in units of seconds, and is primarily used by resolvers when they
- cache RRs. The TTL describes how long a RR can be cached before it
- should be discarded. The following three types of TTL are
- currently
- used in a zone file.
- </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- SOA
- </p>
- </td>
-<td>
- <p>
- The last field in the SOA is the negative
- caching TTL. This controls how long other servers will
- cache no-such-domain
- (NXDOMAIN) responses from you.
- </p>
- <p>
- The maximum time for
- negative caching is 3 hours (3h).
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- $TTL
- </p>
- </td>
-<td>
- <p>
- The $TTL directive at the top of the
- zone file (before the SOA) gives a default TTL for every
- RR without
- a specific TTL set.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- RR TTLs
- </p>
- </td>
-<td>
- <p>
- Each RR can have a TTL as the second
- field in the RR, which will control how long other
- servers can cache
- the it.
- </p>
- </td>
-</tr>
-</tbody>
-</table></div>
-<p>
- All of these TTLs default to units of seconds, though units
- can be explicitly specified, for example, <code class="literal">1h30m</code>.
- </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2591653"></a>Inverse Mapping in IPv4</h3></div></div></div>
-<p>
- Reverse name resolution (that is, translation from IP address
- to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
- and PTR records. Entries in the in-addr.arpa domain are made in
- least-to-most significant order, read left to right. This is the
- opposite order to the way IP addresses are usually written. Thus,
- a machine with an IP address of 10.1.2.3 would have a
- corresponding
- in-addr.arpa name of
- 3.2.1.10.in-addr.arpa. This name should have a PTR resource record
- whose data field is the name of the machine or, optionally,
- multiple
- PTR records if the machine has more than one name. For example,
- in the [<span class="optional">example.com</span>] domain:
- </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p>
- <code class="literal">$ORIGIN</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">2.1.10.in-addr.arpa</code>
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p>
- <code class="literal">3</code>
- </p>
- </td>
-<td>
- <p>
- <code class="literal">IN PTR foo.example.com.</code>
- </p>
- </td>
-</tr>
-</tbody>
-</table></div>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- The <span><strong class="command">$ORIGIN</strong></span> lines in the examples
- are for providing context to the examples only &#8212; they do not
- necessarily
- appear in the actual usage. They are only used here to indicate
- that the example is relative to the listed origin.
- </p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2591848"></a>Other Zone File Directives</h3></div></div></div>
-<p>
- The Master File Format was initially defined in RFC 1035 and
- has subsequently been extended. While the Master File Format
- itself
- is class independent all records in a Master File must be of the
- same
- class.
- </p>
-<p>
- Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
- and <span><strong class="command">$TTL.</strong></span>
- </p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2591870"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
-<p>
- Syntax: <span><strong class="command">$ORIGIN</strong></span>
- <em class="replaceable"><code>domain-name</code></em>
- [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
- </p>
-<p><span><strong class="command">$ORIGIN</strong></span>
- sets the domain name that will be appended to any
- unqualified records. When a zone is first read in there
- is an implicit <span><strong class="command">$ORIGIN</strong></span>
- &lt;<code class="varname">zone-name</code>&gt;<span><strong class="command">.</strong></span>
- The current <span><strong class="command">$ORIGIN</strong></span> is appended to
- the domain specified in the <span><strong class="command">$ORIGIN</strong></span>
- argument if it is not absolute.
- </p>
-<pre class="programlisting">
-$ORIGIN example.com.
-WWW CNAME MAIN-SERVER
-</pre>
-<p>
- is equivalent to
- </p>
-<pre class="programlisting">
-WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
-</pre>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2592000"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
-<p>
- Syntax: <span><strong class="command">$INCLUDE</strong></span>
- <em class="replaceable"><code>filename</code></em>
- [<span class="optional">
-<em class="replaceable"><code>origin</code></em> </span>]
- [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]
- </p>
-<p>
- Read and process the file <code class="filename">filename</code> as
- if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
- specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set
- to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is
- used.
- </p>
-<p>
- The origin and the current domain name
- revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
- the file has been read.
- </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- RFC 1035 specifies that the current origin should be restored
- after
- an <span><strong class="command">$INCLUDE</strong></span>, but it is silent
- on whether the current
- domain name should also be restored. BIND 9 restores both of
- them.
- This could be construed as a deviation from RFC 1035, a
- feature, or both.
- </p>
-</div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2592069"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
-<p>
- Syntax: <span><strong class="command">$TTL</strong></span>
- <em class="replaceable"><code>default-ttl</code></em>
- [<span class="optional">
-<em class="replaceable"><code>comment</code></em> </span>]
- </p>
-<p>
- Set the default Time To Live (TTL) for subsequent records
- with undefined TTLs. Valid TTLs are of the range 0-2147483647
- seconds.
- </p>
-<p><span><strong class="command">$TTL</strong></span>
- is defined in RFC 2308.
- </p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2592173"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
-<p>
- Syntax: <span><strong class="command">$GENERATE</strong></span>
- <em class="replaceable"><code>range</code></em>
- <em class="replaceable"><code>lhs</code></em>
- [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>]
- [<span class="optional"><em class="replaceable"><code>class</code></em></span>]
- <em class="replaceable"><code>type</code></em>
- <em class="replaceable"><code>rhs</code></em>
- [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
- </p>
-<p><span><strong class="command">$GENERATE</strong></span>
- is used to create a series of resource records that only
- differ from each other by an
- iterator. <span><strong class="command">$GENERATE</strong></span> can be used to
- easily generate the sets of records required to support
- sub /24 reverse delegations described in RFC 2317:
- Classless IN-ADDR.ARPA delegation.
- </p>
-<pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA.
-$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
-$GENERATE 1-127 $ CNAME $.0</pre>
-<p>
- is equivalent to
- </p>
-<pre class="programlisting">0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
-0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
-1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
-2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
-...
-127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
-</pre>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
- <p><span><strong class="command">range</strong></span></p>
- </td>
-<td>
- <p>
- This can be one of two forms: start-stop
- or start-stop/step. If the first form is used, then step
- is set to
- 1. All of start, stop and step must be positive.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">lhs</strong></span></p>
- </td>
-<td>
- <p>This
- describes the owner name of the resource records
- to be created. Any single <span><strong class="command">$</strong></span>
- (dollar sign)
- symbols within the <span><strong class="command">lhs</strong></span> side
- are replaced by the iterator value.
-
- To get a $ in the output, you need to escape the
- <span><strong class="command">$</strong></span> using a backslash
- <span><strong class="command">\</strong></span>,
- e.g. <span><strong class="command">\$</strong></span>. The
- <span><strong class="command">$</strong></span> may optionally be followed
- by modifiers which change the offset from the
- iterator, field width and base.
-
- Modifiers are introduced by a
- <span><strong class="command">{</strong></span> (left brace) immediately following the
- <span><strong class="command">$</strong></span> as
- <span><strong class="command">${offset[,width[,base]]}</strong></span>.
- For example, <span><strong class="command">${-20,3,d}</strong></span>
- subtracts 20 from the current value, prints the
- result as a decimal in a zero-padded field of
- width 3.
-
- Available output forms are decimal
- (<span><strong class="command">d</strong></span>), octal
- (<span><strong class="command">o</strong></span>) and hexadecimal
- (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span>
- for uppercase). The default modifier is
- <span><strong class="command">${0,0,d}</strong></span>. If the
- <span><strong class="command">lhs</strong></span> is not absolute, the
- current <span><strong class="command">$ORIGIN</strong></span> is appended
- to the name.
- </p>
- <p>
- For compatibility with earlier versions, <span><strong class="command">$$</strong></span> is still
- recognized as indicating a literal $ in the output.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">ttl</strong></span></p>
- </td>
-<td>
- <p>
- Specifies the time-to-live of the generated records. If
- not specified this will be inherited using the
- normal ttl inheritance rules.
- </p>
- <p><span><strong class="command">class</strong></span>
- and <span><strong class="command">ttl</strong></span> can be
- entered in either order.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">class</strong></span></p>
- </td>
-<td>
- <p>
- Specifies the class of the generated records.
- This must match the zone class if it is
- specified.
- </p>
- <p><span><strong class="command">class</strong></span>
- and <span><strong class="command">ttl</strong></span> can be
- entered in either order.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">type</strong></span></p>
- </td>
-<td>
- <p>
- At present the only supported types are
- PTR, CNAME, DNAME, A, AAAA and NS.
- </p>
- </td>
-</tr>
-<tr>
-<td>
- <p><span><strong class="command">rhs</strong></span></p>
- </td>
-<td>
- <p>
- <span><strong class="command">rhs</strong></span> is a domain name. It is processed
- similarly to lhs.
- </p>
- </td>
-</tr>
-</tbody>
-</table></div>
-<p>
- The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
- and not part of the standard zone file format.
- </p>
-<p>
- BIND 8 does not support the optional TTL and CLASS fields.
- </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="zonefile_format"></a>Additional File Formats</h3></div></div></div>
-<p>
- In addition to the standard textual format, BIND 9
- supports the ability to read or dump to zone files in
- other formats. The <code class="constant">raw</code> format is
- currently available as an additional format. It is a
- binary format representing BIND 9's internal data
- structure directly, thereby remarkably improving the
- loading time.
- </p>
-<p>
- For a primary server, a zone file in the
- <code class="constant">raw</code> format is expected to be
- generated from a textual zone file by the
- <span><strong class="command">named-compilezone</strong></span> command. For a
- secondary server or for a dynamic zone, it is automatically
- generated (if this format is specified by the
- <span><strong class="command">masterfile-format</strong></span> option) when
- <span><strong class="command">named</strong></span> dumps the zone contents after
- zone transfer or when applying prior updates.
- </p>
-<p>
- If a zone file in a binary format needs manual modification,
- it first must be converted to a textual form by the
- <span><strong class="command">named-compilezone</strong></span> command. All
- necessary modification should go to the text file, which
- should then be converted to the binary form by the
- <span><strong class="command">named-compilezone</strong></span> command again.
- </p>
-<p>
- Although the <code class="constant">raw</code> format uses the
- network byte order and avoids architecture-dependent
- data alignment so that it is as much portable as
- possible, it is primarily expected to be used inside
- the same single system. In order to export a zone
- file in the <code class="constant">raw</code> format or make a
- portable backup of the file, it is recommended to
- convert the file to the standard textual representation.
- </p>
-</div>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a>�</td>
-<td width="20%" align="center">�</td>
-<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter�5.�The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver�</td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top">�Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
OpenPOWER on IntegriCloud