summaryrefslogtreecommitdiffstats
path: root/contrib/bind9/doc/arm/Bv9ARM.ch06.html
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/bind9/doc/arm/Bv9ARM.ch06.html')
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch06.html8149
1 files changed, 5614 insertions, 2535 deletions
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch06.html b/contrib/bind9/doc/arm/Bv9ARM.ch06.html
index 1474685..cb17489 100644
--- a/contrib/bind9/doc/arm/Bv9ARM.ch06.html
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch06.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,12 +14,12 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: Bv9ARM.ch06.html,v 1.56.2.12.2.43 2006/11/15 04:33:41 marka Exp $ -->
+<!-- $Id: Bv9ARM.ch06.html,v 1.82.18.63 2007/01/30 00:23:45 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 6. BIND 9 Configuration Reference</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
@@ -48,64 +48,79 @@
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575672">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573470">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576157"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574151"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
-Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576326"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576672"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576686"><span><strong class="command">include</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576709"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576730"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576870"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577064"><span><strong class="command">logging</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578270"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578343"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578406"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578518"><span><strong class="command">masters</strong></span> Statement Definition and Usage </a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578533"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and Usage</a></span></dt>
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574341"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574770"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574785"><span><strong class="command">include</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574808"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574829"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574920"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575046"><span><strong class="command">logging</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576396"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576470"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576534"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576578"><span><strong class="command">masters</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576593"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
+ Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586290"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586338"><span><strong class="command">trusted-keys</strong></span> Statement Definition
- and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
+ Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585018"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585136"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+ and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586420"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585216"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
-Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587635"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+ Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586586"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2589173">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2588846">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590605">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590800">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591102">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591208">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591377"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591419">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591546">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591803"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
</dl>
</div>
-<p><acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
-to <acronym class="acronym">BIND</acronym> 8; however, there are a few new areas
-of configuration, such as views. <acronym class="acronym">BIND</acronym>
-8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
-9, although more complex configurations should be reviewed to check
-if they can be more efficiently implemented using the new features
-found in <acronym class="acronym">BIND</acronym> 9.</p>
-<p><acronym class="acronym">BIND</acronym> 4 configuration files can be converted to the new format
-using the shell script
-<code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.</p>
+<p>
+ <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
+ to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
+ areas
+ of configuration, such as views. <acronym class="acronym">BIND</acronym>
+ 8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
+ 9, although more complex configurations should be reviewed to check
+ if they can be more efficiently implemented using the new features
+ found in <acronym class="acronym">BIND</acronym> 9.
+ </p>
+<p>
+ <acronym class="acronym">BIND</acronym> 4 configuration files can be
+ converted to the new format
+ using the shell script
+ <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
+ </p>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
-<p>Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
-file documentation:</p>
+<p>
+ Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
+ file documentation:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -113,129 +128,298 @@ file documentation:</p>
</colgroup>
<tbody>
<tr>
-<td><p><code class="varname">acl_name</code></p></td>
-<td><p>The name of an <code class="varname">address_match_list</code> as
-defined by the <span><strong class="command">acl</strong></span> statement.</p></td>
+<td>
+ <p>
+ <code class="varname">acl_name</code>
+ </p>
+ </td>
+<td>
+ <p>
+ The name of an <code class="varname">address_match_list</code> as
+ defined by the <span><strong class="command">acl</strong></span> statement.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">address_match_list</code></p></td>
-<td><p>A list of one or more <code class="varname">ip_addr</code>,
-<code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
-or <code class="varname">acl_name</code> elements, see
-<a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.</p></td>
+<td>
+ <p>
+ <code class="varname">address_match_list</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A list of one or more
+ <code class="varname">ip_addr</code>,
+ <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
+ or <code class="varname">acl_name</code> elements, see
+ <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">domain_name</code></p></td>
-<td><p>A quoted string which will be used as
-a DNS name, for example "<code class="literal">my.test.domain</code>".</p></td>
+<td>
+ <p>
+ <code class="varname">masters_list</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A named list of one or more <code class="varname">ip_addr</code>
+ with optional <code class="varname">key_id</code> and/or
+ <code class="varname">ip_port</code>.
+ A <code class="varname">masters_list</code> may include other
+ <code class="varname">masters_lists</code>.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">dotted_decimal</code></p></td>
-<td><p>One to four integers valued 0 through
-255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
-<span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.</p></td>
+<td>
+ <p>
+ <code class="varname">domain_name</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A quoted string which will be used as
+ a DNS name, for example "<code class="literal">my.test.domain</code>".
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">ip4_addr</code></p></td>
-<td><p>An IPv4 address with exactly four elements
-in <code class="varname">dotted_decimal</code> notation.</p></td>
+<td>
+ <p>
+ <code class="varname">dotted_decimal</code>
+ </p>
+ </td>
+<td>
+ <p>
+ One to four integers valued 0 through
+ 255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
+ <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">ip6_addr</code></p></td>
-<td><p>An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
-IPv6 scoped addresses that have ambiguity on their scope zones must be
-disambiguated by an appropriate zone ID with the percent character
-(`%') as delimiter.
-It is strongly recommended to use string zone names rather than
-numeric identifiers, in order to be robust against system
-configuration changes.
-However, since there is no standard mapping for such names and
-identifier values, currently only interface names as link identifiers
-are supported, assuming one-to-one mapping between interfaces and links.
-For example, a link-local address <span><strong class="command">fe80::1</strong></span> on the
-link attached to the interface <span><strong class="command">ne0</strong></span>
-can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
-Note that on most systems link-local addresses always have the
-ambiguity, and need to be disambiguated.</p></td>
+<td>
+ <p>
+ <code class="varname">ip4_addr</code>
+ </p>
+ </td>
+<td>
+ <p>
+ An IPv4 address with exactly four elements
+ in <code class="varname">dotted_decimal</code> notation.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">ip_addr</code></p></td>
-<td><p>An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.</p></td>
+<td>
+ <p>
+ <code class="varname">ip6_addr</code>
+ </p>
+ </td>
+<td>
+ <p>
+ An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
+ IPv6 scoped addresses that have ambiguity on their scope
+ zones must be
+ disambiguated by an appropriate zone ID with the percent
+ character
+ (`%') as delimiter.
+ It is strongly recommended to use string zone names rather
+ than
+ numeric identifiers, in order to be robust against system
+ configuration changes.
+ However, since there is no standard mapping for such names
+ and
+ identifier values, currently only interface names as link
+ identifiers
+ are supported, assuming one-to-one mapping between
+ interfaces and links.
+ For example, a link-local address <span><strong class="command">fe80::1</strong></span> on the
+ link attached to the interface <span><strong class="command">ne0</strong></span>
+ can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
+ Note that on most systems link-local addresses always have
+ the
+ ambiguity, and need to be disambiguated.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">ip_port</code></p></td>
-<td><p>An IP port <code class="varname">number</code>.
-<code class="varname">number</code> is limited to 0 through 65535, with values
-below 1024 typically restricted to use by processes running as root.
-In some cases, an asterisk (`*') character can be used as a placeholder to
-select a random high-numbered port.</p></td>
+<td>
+ <p>
+ <code class="varname">ip_addr</code>
+ </p>
+ </td>
+<td>
+ <p>
+ An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">ip_prefix</code></p></td>
-<td><p>An IP network specified as an <code class="varname">ip_addr</code>,
-followed by a slash (`/') and then the number of bits in the netmask.
-Trailing zeros in a <code class="varname">ip_addr</code> may omitted.
-For example, <span><strong class="command">127/8</strong></span> is the network <span><strong class="command">127.0.0.0</strong></span> with
-netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
-network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.</p></td>
+<td>
+ <p>
+ <code class="varname">ip_port</code>
+ </p>
+ </td>
+<td>
+ <p>
+ An IP port <code class="varname">number</code>.
+ <code class="varname">number</code> is limited to 0
+ through 65535, with values
+ below 1024 typically restricted to use by processes running
+ as root.
+ In some cases, an asterisk (`*') character can be used as a
+ placeholder to
+ select a random high-numbered port.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ <code class="varname">ip_prefix</code>
+ </p>
+ </td>
+<td>
+ <p>
+ An IP network specified as an <code class="varname">ip_addr</code>,
+ followed by a slash (`/') and then the number of bits in the
+ netmask.
+ Trailing zeros in a <code class="varname">ip_addr</code>
+ may omitted.
+ For example, <span><strong class="command">127/8</strong></span> is the
+ network <span><strong class="command">127.0.0.0</strong></span> with
+ netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
+ network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">key_id</code></p></td>
-<td><p>A <code class="varname">domain_name</code> representing
-the name of a shared key, to be used for transaction security.</p></td>
+<td>
+ <p>
+ <code class="varname">key_id</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A <code class="varname">domain_name</code> representing
+ the name of a shared key, to be used for transaction
+ security.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">key_list</code></p></td>
-<td><p>A list of one or more <code class="varname">key_id</code>s,
-separated by semicolons and ending with a semicolon.</p></td>
+<td>
+ <p>
+ <code class="varname">key_list</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A list of one or more
+ <code class="varname">key_id</code>s,
+ separated by semicolons and ending with a semicolon.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">number</code></p></td>
-<td><p>A non-negative 32-bit integer
-(i.e., a number between 0 and 4294967295, inclusive).
-Its acceptable value might further
-be limited by the context in which it is used.</p></td>
+<td>
+ <p>
+ <code class="varname">number</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A non-negative 32-bit integer
+ (i.e., a number between 0 and 4294967295, inclusive).
+ Its acceptable value might further
+ be limited by the context in which it is used.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">path_name</code></p></td>
-<td><p>A quoted string which will be used as
-a pathname, such as <code class="filename">zones/master/my.test.domain</code>.</p></td>
+<td>
+ <p>
+ <code class="varname">path_name</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A quoted string which will be used as
+ a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">size_spec</code></p></td>
<td>
-<p>A number, the word <strong class="userinput"><code>unlimited</code></strong>,
-or the word <strong class="userinput"><code>default</code></strong>.</p>
-<p>
-An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
-use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
-the limit that was in force when the server was started.</p>
-<p>A <code class="varname">number</code> can
-optionally be followed by a scaling factor: <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong> for
-kilobytes, <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong> for
-megabytes, and <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
-which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.</p>
-<p>The value must be representable as a 64-bit unsigned integer
-(0 to 18446744073709551615, inclusive).
-Using <code class="varname">unlimited</code> is the best way
-to safely set a really large number.</p>
-</td>
+ <p>
+ <code class="varname">size_spec</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A number, the word <strong class="userinput"><code>unlimited</code></strong>,
+ or the word <strong class="userinput"><code>default</code></strong>.
+ </p>
+ <p>
+ An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
+ use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
+ the limit that was in force when the server was started.
+ </p>
+ <p>
+ A <code class="varname">number</code> can optionally be
+ followed by a scaling factor:
+ <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
+ for kilobytes,
+ <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
+ for megabytes, and
+ <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
+ which scale by 1024, 1024*1024, and 1024*1024*1024
+ respectively.
+ </p>
+ <p>
+ The value must be representable as a 64-bit unsigned integer
+ (0 to 18446744073709551615, inclusive).
+ Using <code class="varname">unlimited</code> is the best
+ way
+ to safely set a really large number.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">yes_or_no</code></p></td>
-<td><p>Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
-The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
-also accepted, as are the numbers <strong class="userinput"><code>1</code></strong> and <strong class="userinput"><code>0</code></strong>.</p></td>
+<td>
+ <p>
+ <code class="varname">yes_or_no</code>
+ </p>
+ </td>
+<td>
+ <p>
+ Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
+ The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
+ also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
+ and <strong class="userinput"><code>0</code></strong>.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">dialup_option</code></p></td>
-<td><p>One of <strong class="userinput"><code>yes</code></strong>,
-<strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
-<strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
-<strong class="userinput"><code>passive</code></strong>.
-When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
-<strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
-are restricted to slave and stub zones.</p></td>
+<td>
+ <p>
+ <code class="varname">dialup_option</code>
+ </p>
+ </td>
+<td>
+ <p>
+ One of <strong class="userinput"><code>yes</code></strong>,
+ <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
+ <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
+ <strong class="userinput"><code>passive</code></strong>.
+ When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
+ <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
+ are restricted to slave and stub zones.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
@@ -244,7 +428,7 @@ are restricted to slave and stub zones.</p></td>
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2575552"></a>Syntax</h4></div></div></div>
+<a name="id2573336"></a>Syntax</h4></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
[<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
@@ -253,115 +437,181 @@ are restricted to slave and stub zones.</p></td>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2575578"></a>Definition and Usage</h4></div></div></div>
-<p>Address match lists are primarily used to determine access
-control for various server operations. They are also used in
-the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
-statements. The elements
-which constitute an address match list can be any of the following:</p>
+<a name="id2573364"></a>Definition and Usage</h4></div></div></div>
+<p>
+ Address match lists are primarily used to determine access
+ control for various server operations. They are also used in
+ the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
+ statements. The elements
+ which constitute an address match list can be any of the
+ following:
+ </p>
<div class="itemizedlist"><ul type="disc">
<li>an IP address (IPv4 or IPv6)</li>
<li>an IP prefix (in `/' notation)</li>
-<li>a key ID, as defined by the <span><strong class="command">key</strong></span> statement</li>
+<li>
+ a key ID, as defined by the <span><strong class="command">key</strong></span>
+ statement
+ </li>
<li>the name of an address match list defined with
-the <span><strong class="command">acl</strong></span> statement</li>
+ the <span><strong class="command">acl</strong></span> statement
+ </li>
<li>a nested address match list enclosed in braces</li>
</ul></div>
-<p>Elements can be negated with a leading exclamation mark (`!'),
-and the match list names "any", "none", "localhost", and "localnets"
-are predefined. More information on those names can be found in
-the description of the acl statement.</p>
-<p>The addition of the key clause made the name of this syntactic
-element something of a misnomer, since security keys can be used
-to validate access without regard to a host or network address. Nonetheless,
-the term "address match list" is still used throughout the documentation.</p>
-<p>When a given IP address or prefix is compared to an address
-match list, the list is traversed in order until an element matches.
-The interpretation of a match depends on whether the list is being used
-for access control, defining listen-on ports, or in a sortlist,
-and whether the element was negated.</p>
-<p>When used as an access control list, a non-negated match allows
-access and a negated match denies access. If there is no match,
-access is denied. The clauses <span><strong class="command">allow-notify</strong></span>,
-<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
-<span><strong class="command">allow-update</strong></span>, <span><strong class="command">allow-update-forwarding</strong></span>,
-and <span><strong class="command">blackhole</strong></span> all
-use address match lists this. Similarly, the listen-on option will cause
-the server to not accept queries on any of the machine's addresses
-which do not match the list.</p>
-<p>Because of the first-match aspect of the algorithm, an element
-that defines a subset of another element in the list should come
-before the broader element, regardless of whether either is negated. For
-example, in
-<span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13 element is
-completely useless because the algorithm will match any lookup for
-1.2.3.13 to the 1.2.3/24 element.
-Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
-that problem by having 1.2.3.13 blocked by the negation but all
-other 1.2.3.* hosts fall through.</p>
+<p>
+ Elements can be negated with a leading exclamation mark (`!'),
+ and the match list names "any", "none", "localhost", and
+ "localnets"
+ are predefined. More information on those names can be found in
+ the description of the acl statement.
+ </p>
+<p>
+ The addition of the key clause made the name of this syntactic
+ element something of a misnomer, since security keys can be used
+ to validate access without regard to a host or network address.
+ Nonetheless,
+ the term "address match list" is still used throughout the
+ documentation.
+ </p>
+<p>
+ When a given IP address or prefix is compared to an address
+ match list, the list is traversed in order until an element
+ matches.
+ The interpretation of a match depends on whether the list is being
+ used
+ for access control, defining listen-on ports, or in a sortlist,
+ and whether the element was negated.
+ </p>
+<p>
+ When used as an access control list, a non-negated match
+ allows access and a negated match denies access. If
+ there is no match, access is denied. The clauses
+ <span><strong class="command">allow-notify</strong></span>,
+ <span><strong class="command">allow-query</strong></span>,
+ <span><strong class="command">allow-query-cache</strong></span>,
+ <span><strong class="command">allow-transfer</strong></span>,
+ <span><strong class="command">allow-update</strong></span>,
+ <span><strong class="command">allow-update-forwarding</strong></span>, and
+ <span><strong class="command">blackhole</strong></span> all use address match
+ lists. Similarly, the listen-on option will cause the
+ server to not accept queries on any of the machine's
+ addresses which do not match the list.
+ </p>
+<p>
+ Because of the first-match aspect of the algorithm, an element
+ that defines a subset of another element in the list should come
+ before the broader element, regardless of whether either is
+ negated. For
+ example, in
+ <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13
+ element is
+ completely useless because the algorithm will match any lookup for
+ 1.2.3.13 to the 1.2.3/24 element.
+ Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
+ that problem by having 1.2.3.13 blocked by the negation but all
+ other 1.2.3.* hosts fall through.
+ </p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2575672"></a>Comment Syntax</h3></div></div></div>
-<p>The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for comments to appear
-anywhere that white space may appear in a <acronym class="acronym">BIND</acronym> configuration
-file. To appeal to programmers of all kinds, they can be written
-in the C, C++, or shell/perl style.</p>
+<a name="id2573470"></a>Comment Syntax</h3></div></div></div>
+<p>
+ The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
+ comments to appear
+ anywhere that white space may appear in a <acronym class="acronym">BIND</acronym> configuration
+ file. To appeal to programmers of all kinds, they can be written
+ in the C, C++, or shell/perl style.
+ </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2575687"></a>Syntax</h4></div></div></div>
+<a name="id2573485"></a>Syntax</h4></div></div></div>
+<p>
+ </p>
<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
<p>
-</p>
+ </p>
<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
<p>
-</p>
+ </p>
<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells and perl</pre>
<p>
- </p>
+ </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2575716"></a>Definition and Usage</h4></div></div></div>
-<p>Comments may appear anywhere that white space may appear in
-a <acronym class="acronym">BIND</acronym> configuration file.</p>
-<p>C-style comments start with the two characters /* (slash,
-star) and end with */ (star, slash). Because they are completely
-delimited with these characters, they can be used to comment only
-a portion of a line or to span multiple lines.</p>
-<p>C-style comments cannot be nested. For example, the following
-is not valid because the entire comment ends with the first */:</p>
+<a name="id2573515"></a>Definition and Usage</h4></div></div></div>
+<p>
+ Comments may appear anywhere that white space may appear in
+ a <acronym class="acronym">BIND</acronym> configuration file.
+ </p>
+<p>
+ C-style comments start with the two characters /* (slash,
+ star) and end with */ (star, slash). Because they are completely
+ delimited with these characters, they can be used to comment only
+ a portion of a line or to span multiple lines.
+ </p>
+<p>
+ C-style comments cannot be nested. For example, the following
+ is not valid because the entire comment ends with the first */:
+ </p>
+<p>
+
+</p>
<pre class="programlisting">/* This is the start of a comment.
This is still part of the comment.
/* This is an incorrect attempt at nesting a comment. */
This is no longer in any comment. */
</pre>
-<p>C++-style comments start with the two characters // (slash,
-slash) and continue to the end of the physical line. They cannot
-be continued across multiple physical lines; to have one logical
-comment span multiple lines, each line must use the // pair.</p>
-<p>For example:</p>
+<p>
+
+ </p>
+<p>
+ C++-style comments start with the two characters // (slash,
+ slash) and continue to the end of the physical line. They cannot
+ be continued across multiple physical lines; to have one logical
+ comment span multiple lines, each line must use the // pair.
+ </p>
+<p>
+ For example:
+ </p>
+<p>
+
+</p>
<pre class="programlisting">// This is the start of a comment. The next line
// is a new comment, even though it is logically
// part of the previous comment.
</pre>
-<p>Shell-style (or perl-style, if you prefer) comments start
-with the character <code class="literal">#</code> (number sign) and continue to the end of the
-physical line, as in C++ comments.</p>
-<p>For example:</p>
+<p>
+
+ </p>
+<p>
+ Shell-style (or perl-style, if you prefer) comments start
+ with the character <code class="literal">#</code> (number sign)
+ and continue to the end of the
+ physical line, as in C++ comments.
+ </p>
+<p>
+ For example:
+ </p>
+<p>
+
+</p>
<pre class="programlisting"># This is the start of a comment. The next line
# is a new comment, even though it is logically
# part of the previous comment.
</pre>
<p>
-</p>
+
+ </p>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Warning</h3>
-<p>You cannot use the semicolon (`;') character
- to start a comment such as you would in a zone file. The
- semicolon indicates the end of a configuration
- statement.</p>
+<p>
+ You cannot use the semicolon (`;') character
+ to start a comment such as you would in a zone file. The
+ semicolon indicates the end of a configuration
+ statement.
+ </p>
</div>
</div>
</div>
@@ -369,12 +619,17 @@ physical line, as in C++ comments.</p>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
-<p>A <acronym class="acronym">BIND</acronym> 9 configuration consists of statements and comments.
- Statements end with a semicolon. Statements and comments are the
- only elements that can appear without enclosing braces. Many
- statements contain a block of sub-statements, which are also
- terminated with a semicolon.</p>
-<p>The following statements are supported:</p>
+<p>
+ A <acronym class="acronym">BIND</acronym> 9 configuration consists of
+ statements and comments.
+ Statements end with a semicolon. Statements and comments are the
+ only elements that can appear without enclosing braces. Many
+ statements contain a block of sub-statements, which are also
+ terminated with a semicolon.
+ </p>
+<p>
+ The following statements are supported:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -382,85 +637,167 @@ physical line, as in C++ comments.</p>
</colgroup>
<tbody>
<tr>
-<td><p><span><strong class="command">acl</strong></span></p></td>
-<td><p>defines a named IP address
-matching list, for access control and other uses.</p></td>
+<td>
+ <p><span><strong class="command">acl</strong></span></p>
+ </td>
+<td>
+ <p>
+ defines a named IP address
+ matching list, for access control and other uses.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">controls</strong></span></p></td>
-<td><p>declares control channels to be used
-by the <span><strong class="command">rndc</strong></span> utility.</p></td>
+<td>
+ <p><span><strong class="command">controls</strong></span></p>
+ </td>
+<td>
+ <p>
+ declares control channels to be used
+ by the <span><strong class="command">rndc</strong></span> utility.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">include</strong></span></p></td>
-<td><p>includes a file.</p></td>
+<td>
+ <p><span><strong class="command">include</strong></span></p>
+ </td>
+<td>
+ <p>
+ includes a file.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">key</strong></span></p></td>
-<td><p>specifies key information for use in
-authentication and authorization using TSIG.</p></td>
+<td>
+ <p><span><strong class="command">key</strong></span></p>
+ </td>
+<td>
+ <p>
+ specifies key information for use in
+ authentication and authorization using TSIG.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">logging</strong></span></p></td>
-<td><p>specifies what the server logs, and where
-the log messages are sent.</p></td>
+<td>
+ <p><span><strong class="command">logging</strong></span></p>
+ </td>
+<td>
+ <p>
+ specifies what the server logs, and where
+ the log messages are sent.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">lwres</strong></span></p></td>
-<td><p>configures <span><strong class="command">named</strong></span> to
-also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).</p></td>
+<td>
+ <p><span><strong class="command">lwres</strong></span></p>
+ </td>
+<td>
+ <p>
+ configures <span><strong class="command">named</strong></span> to
+ also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">masters</strong></span></p></td>
-<td><p>defines a named masters list for
-inclusion in stub and slave zone masters clauses.</p></td>
+<td>
+ <p><span><strong class="command">masters</strong></span></p>
+ </td>
+<td>
+ <p>
+ defines a named masters list for
+ inclusion in stub and slave zone masters clauses.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">options</strong></span></p></td>
-<td><p>controls global server configuration
-options and sets defaults for other statements.</p></td>
+<td>
+ <p><span><strong class="command">options</strong></span></p>
+ </td>
+<td>
+ <p>
+ controls global server configuration
+ options and sets defaults for other statements.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">server</strong></span></p></td>
-<td><p>sets certain configuration options on
-a per-server basis.</p></td>
+<td>
+ <p><span><strong class="command">server</strong></span></p>
+ </td>
+<td>
+ <p>
+ sets certain configuration options on
+ a per-server basis.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">trusted-keys</strong></span></p></td>
-<td><p>defines trusted DNSSEC keys.</p></td>
+<td>
+ <p><span><strong class="command">trusted-keys</strong></span></p>
+ </td>
+<td>
+ <p>
+ defines trusted DNSSEC keys.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">view</strong></span></p></td>
-<td><p>defines a view.</p></td>
+<td>
+ <p><span><strong class="command">view</strong></span></p>
+ </td>
+<td>
+ <p>
+ defines a view.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">zone</strong></span></p></td>
-<td><p>defines a zone.</p></td>
+<td>
+ <p><span><strong class="command">zone</strong></span></p>
+ </td>
+<td>
+ <p>
+ defines a zone.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>The <span><strong class="command">logging</strong></span> and
- <span><strong class="command">options</strong></span> statements may only occur once per
- configuration.</p>
+<p>
+ The <span><strong class="command">logging</strong></span> and
+ <span><strong class="command">options</strong></span> statements may only occur once
+ per
+ configuration.
+ </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576157"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
- address_match_list
+<a name="id2574151"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
+<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
+ address_match_list
};
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and
-Usage</h3></div></div></div>
-<p>The <span><strong class="command">acl</strong></span> statement assigns a symbolic
- name to an address match list. It gets its name from a primary
- use of address match lists: Access Control Lists (ACLs).</p>
-<p>Note that an address match list's name must be defined
- with <span><strong class="command">acl</strong></span> before it can be used elsewhere; no
- forward references are allowed.</p>
-<p>The following ACLs are built-in:</p>
+ Usage</h3></div></div></div>
+<p>
+ The <span><strong class="command">acl</strong></span> statement assigns a symbolic
+ name to an address match list. It gets its name from a primary
+ use of address match lists: Access Control Lists (ACLs).
+ </p>
+<p>
+ Note that an address match list's name must be defined
+ with <span><strong class="command">acl</strong></span> before it can be used
+ elsewhere; no
+ forward references are allowed.
+ </p>
+<p>
+ The following ACLs are built-in:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -468,155 +805,201 @@ Usage</h3></div></div></div>
</colgroup>
<tbody>
<tr>
-<td><p><span><strong class="command">any</strong></span></p></td>
-<td><p>Matches all hosts.</p></td>
+<td>
+ <p><span><strong class="command">any</strong></span></p>
+ </td>
+<td>
+ <p>
+ Matches all hosts.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">none</strong></span></p></td>
-<td><p>Matches no hosts.</p></td>
+<td>
+ <p><span><strong class="command">none</strong></span></p>
+ </td>
+<td>
+ <p>
+ Matches no hosts.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">localhost</strong></span></p></td>
-<td><p>Matches the IPv4 and IPv6 addresses of all network
-interfaces on the system.</p></td>
+<td>
+ <p><span><strong class="command">localhost</strong></span></p>
+ </td>
+<td>
+ <p>
+ Matches the IPv4 and IPv6 addresses of all network
+ interfaces on the system.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">localnets</strong></span></p></td>
-<td><p>Matches any host on an IPv4 or IPv6 network
-for which the system has an interface.
-Some systems do not provide a way to determine the prefix lengths of
-local IPv6 addresses.
-In such a case, <span><strong class="command">localnets</strong></span> only matches the local
-IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
-</p></td>
+<td>
+ <p><span><strong class="command">localnets</strong></span></p>
+ </td>
+<td>
+ <p>
+ Matches any host on an IPv4 or IPv6 network
+ for which the system has an interface.
+ Some systems do not provide a way to determine the prefix
+ lengths of
+ local IPv6 addresses.
+ In such a case, <span><strong class="command">localnets</strong></span>
+ only matches the local
+ IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576326"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574341"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">controls</strong></span> {
- inet ( ip_addr | * ) [<span class="optional"> port ip_port </span>] allow { <em class="replaceable"><code> address_match_list </code></em> }
- keys { <em class="replaceable"><code> key_list </code></em> };
- [<span class="optional"> inet ...; </span>]
+ [ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> }
+ keys { <em class="replaceable"><code>key_list</code></em> }; ]
+ [ inet ...; ]
+ [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em> keys { <em class="replaceable"><code>key_list</code></em> }; ]
+ [ unix ...; ]
};
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">controls</strong></span> statement declares control
- channels to be used by system administrators to control the
- operation of the name server. These control channels are
- used by the <span><strong class="command">rndc</strong></span> utility to send commands to
- and retrieve non-DNS results from a name server.</p>
-<p>An <span><strong class="command">inet</strong></span> control channel is a TCP
- socket listening at the specified
- <span><strong class="command">ip_port</strong></span> on the specified
- <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
- address. An <span><strong class="command">ip_addr</strong></span>
- of <code class="literal">*</code> (asterisk) is interpreted as the IPv4 wildcard
- address; connections will be accepted on any of the system's
- IPv4 addresses. To listen on the IPv6 wildcard address,
- use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
- If you will only use <span><strong class="command">rndc</strong></span> on the local host,
- using the loopback address (<code class="literal">127.0.0.1</code>
- or <code class="literal">::1</code>) is recommended for maximum
- security.
- </p>
+<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and
+ Usage</h3></div></div></div>
<p>
- If no port is specified, port 953
- is used. The asterisk "<code class="literal">*</code>" cannot be used for
- <span><strong class="command">ip_port</strong></span>.</p>
-<p>The ability to issue commands over the control channel is
- restricted by the <span><strong class="command">allow</strong></span> and
- <span><strong class="command">keys</strong></span> clauses. Connections to the control
- channel are permitted based on the
- <span><strong class="command">address_match_list</strong></span>. This is for simple
- IP address based filtering only; any <span><strong class="command">key_id</strong></span>
- elements of the <span><strong class="command">address_match_list</strong></span> are
- ignored.
- </p>
-<p>The primary authorization mechanism of the command
- channel is the <span><strong class="command">key_list</strong></span>, which contains
- a list of <span><strong class="command">key_id</strong></span>s.
- Each <span><strong class="command">key_id</strong></span> in
- the <span><strong class="command">key_list</strong></span> is authorized to execute
- commands over the control channel.
- See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in
- <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called &#8220;Administrative Tools&#8221;</a>) for information about
- configuring keys in <span><strong class="command">rndc</strong></span>.</p>
-<p>
-If no <span><strong class="command">controls</strong></span> statement is present,
-<span><strong class="command">named</strong></span> will set up a default
-control channel listening on the loopback address 127.0.0.1
-and its IPv6 counterpart ::1.
-In this case, and also when the <span><strong class="command">controls</strong></span> statement
-is present but does not have a <span><strong class="command">keys</strong></span> clause,
-<span><strong class="command">named</strong></span> will attempt to load the command channel key
-from the file <code class="filename">rndc.key</code> in
-<code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
-was specified as when <acronym class="acronym">BIND</acronym> was built).
-To create a <code class="filename">rndc.key</code> file, run
-<strong class="userinput"><code>rndc-confgen -a</code></strong>.
-</p>
-<p>The <code class="filename">rndc.key</code> feature was created to
- ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
- which did not have digital signatures on its command channel messages
- and thus did not have a <span><strong class="command">keys</strong></span> clause.
+ The <span><strong class="command">controls</strong></span> statement declares control
+ channels to be used by system administrators to control the
+ operation of the name server. These control channels are
+ used by the <span><strong class="command">rndc</strong></span> utility to send
+ commands to and retrieve non-DNS results from a name server.
+ </p>
+<p>
+ An <span><strong class="command">inet</strong></span> control channel is a TCP socket
+ listening at the specified <span><strong class="command">ip_port</strong></span> on the
+ specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
+ address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
+ interpreted as the IPv4 wildcard address; connections will be
+ accepted on any of the system's IPv4 addresses.
+ To listen on the IPv6 wildcard address,
+ use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
+ If you will only use <span><strong class="command">rndc</strong></span> on the local host,
+ using the loopback address (<code class="literal">127.0.0.1</code>
+ or <code class="literal">::1</code>) is recommended for maximum security.
+ </p>
+<p>
+ If no port is specified, port 953 is used. The asterisk
+ "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
+ </p>
+<p>
+ The ability to issue commands over the control channel is
+ restricted by the <span><strong class="command">allow</strong></span> and
+ <span><strong class="command">keys</strong></span> clauses.
+ Connections to the control channel are permitted based on the
+ <span><strong class="command">address_match_list</strong></span>. This is for simple
+ IP address based filtering only; any <span><strong class="command">key_id</strong></span>
+ elements of the <span><strong class="command">address_match_list</strong></span>
+ are ignored.
+ </p>
+<p>
+ A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
+ socket listening at the specified path in the file system.
+ Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
+ <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
+ Note on some platforms (SunOS and Solaris) the permissions
+ (<span><strong class="command">perm</strong></span>) are applied to the parent directory
+ as the permissions on the socket itself are ignored.
+ </p>
+<p>
+ The primary authorization mechanism of the command
+ channel is the <span><strong class="command">key_list</strong></span>, which
+ contains a list of <span><strong class="command">key_id</strong></span>s.
+ Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
+ is authorized to execute commands over the control channel.
+ See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called &#8220;Administrative Tools&#8221;</a>)
+ for information about configuring keys in <span><strong class="command">rndc</strong></span>.
+ </p>
+<p>
+ If no <span><strong class="command">controls</strong></span> statement is present,
+ <span><strong class="command">named</strong></span> will set up a default
+ control channel listening on the loopback address 127.0.0.1
+ and its IPv6 counterpart ::1.
+ In this case, and also when the <span><strong class="command">controls</strong></span> statement
+ is present but does not have a <span><strong class="command">keys</strong></span> clause,
+ <span><strong class="command">named</strong></span> will attempt to load the command channel key
+ from the file <code class="filename">rndc.key</code> in
+ <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
+ was specified as when <acronym class="acronym">BIND</acronym> was built).
+ To create a <code class="filename">rndc.key</code> file, run
+ <strong class="userinput"><code>rndc-confgen -a</code></strong>.
+ </p>
+<p>
+ The <code class="filename">rndc.key</code> feature was created to
+ ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
+ which did not have digital signatures on its command channel
+ messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
-It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
-configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
-and still have <span><strong class="command">rndc</strong></span> work the same way
-<span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
-command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
-installed.
-</p>
+ It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
+ configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
+ and still have <span><strong class="command">rndc</strong></span> work the same way
+ <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
+ command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
+ installed.
+ </p>
<p>
- Since the <code class="filename">rndc.key</code> feature
- is only intended to allow the backward-compatible usage of
- <acronym class="acronym">BIND</acronym> 8 configuration files, this feature does not
- have a high degree of configurability. You cannot easily change
- the key name or the size of the secret, so you should make a
- <code class="filename">rndc.conf</code> with your own key if you wish to change
- those things. The <code class="filename">rndc.key</code> file also has its
- permissions set such that only the owner of the file (the user that
- <span><strong class="command">named</strong></span> is running as) can access it. If you
- desire greater flexibility in allowing other users to access
- <span><strong class="command">rndc</strong></span> commands, then you need to create a
- <code class="filename">rndc.conf</code> file and make it group readable by a group
- that contains the users who should have access.</p>
-<p>The UNIX control channel type of <acronym class="acronym">BIND</acronym> 8 is not supported
- in <acronym class="acronym">BIND</acronym> 9.0, <acronym class="acronym">BIND</acronym> 9.1,
- <acronym class="acronym">BIND</acronym> 9.2 and <acronym class="acronym">BIND</acronym> 9.3.
- If it is present in the controls statement from a
- <acronym class="acronym">BIND</acronym> 8 configuration file, it is ignored
- and a warning is logged.</p>
-<p>
-To disable the command channel, use an empty <span><strong class="command">controls</strong></span>
-statement: <span><strong class="command">controls { };</strong></span>.
-</p>
+ Since the <code class="filename">rndc.key</code> feature
+ is only intended to allow the backward-compatible usage of
+ <acronym class="acronym">BIND</acronym> 8 configuration files, this
+ feature does not
+ have a high degree of configurability. You cannot easily change
+ the key name or the size of the secret, so you should make a
+ <code class="filename">rndc.conf</code> with your own key if you
+ wish to change
+ those things. The <code class="filename">rndc.key</code> file
+ also has its
+ permissions set such that only the owner of the file (the user that
+ <span><strong class="command">named</strong></span> is running as) can access it.
+ If you
+ desire greater flexibility in allowing other users to access
+ <span><strong class="command">rndc</strong></span> commands, then you need to create
+ a
+ <code class="filename">rndc.conf</code> file and make it group
+ readable by a group
+ that contains the users who should have access.
+ </p>
+<p>
+ To disable the command channel, use an empty
+ <span><strong class="command">controls</strong></span> statement:
+ <span><strong class="command">controls { };</strong></span>.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576672"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574770"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">include <em class="replaceable"><code>filename</code></em>;</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576686"></a><span><strong class="command">include</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">include</strong></span> statement inserts the
- specified file at the point where the <span><strong class="command">include</strong></span>
- statement is encountered. The <span><strong class="command">include</strong></span>
- statement facilitates the administration of configuration files
- by permitting the reading or writing of some things but not
- others. For example, the statement could include private keys
- that are readable only by the name server.</p>
+<a name="id2574785"></a><span><strong class="command">include</strong></span> Statement Definition and
+ Usage</h3></div></div></div>
+<p>
+ The <span><strong class="command">include</strong></span> statement inserts the
+ specified file at the point where the <span><strong class="command">include</strong></span>
+ statement is encountered. The <span><strong class="command">include</strong></span>
+ statement facilitates the administration of configuration
+ files
+ by permitting the reading or writing of some things but not
+ others. For example, the statement could include private keys
+ that are readable only by the name server.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576709"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574808"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">key <em class="replaceable"><code>key_id</code></em> {
algorithm <em class="replaceable"><code>string</code></em>;
secret <em class="replaceable"><code>string</code></em>;
@@ -625,43 +1008,58 @@ statement: <span><strong class="command">controls { };</strong></span>.
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576730"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">key</strong></span> statement defines a shared
-secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
-or the command channel
-(see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and Usage&#8221;</a>).
-</p>
+<a name="id2574829"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
<p>
-The <span><strong class="command">key</strong></span> statement can occur at the top level
-of the configuration file or inside a <span><strong class="command">view</strong></span>
-statement. Keys defined in top-level <span><strong class="command">key</strong></span>
-statements can be used in all views. Keys intended for use in
-a <span><strong class="command">controls</strong></span> statement
-(see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and Usage&#8221;</a>)
-must be defined at the top level.
-</p>
-<p>The <em class="replaceable"><code>key_id</code></em>, also known as the
-key name, is a domain name uniquely identifying the key. It can
-be used in a <span><strong class="command">server</strong></span>
-statement to cause requests sent to that
-server to be signed with this key, or in address match lists to
-verify that incoming requests have been signed with a key
-matching this name, algorithm, and secret.</p>
-<p>The <em class="replaceable"><code>algorithm_id</code></em> is a string
-that specifies a security/authentication algorithm. The only
-algorithm currently supported with TSIG authentication is
-<code class="literal">hmac-md5</code>. The
-<em class="replaceable"><code>secret_string</code></em> is the secret to be
-used by the algorithm, and is treated as a base-64 encoded
-string.</p>
+ The <span><strong class="command">key</strong></span> statement defines a shared
+ secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
+ or the command channel
+ (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
+ Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
+ Usage&#8221;</a>).
+ </p>
+<p>
+ The <span><strong class="command">key</strong></span> statement can occur at the
+ top level
+ of the configuration file or inside a <span><strong class="command">view</strong></span>
+ statement. Keys defined in top-level <span><strong class="command">key</strong></span>
+ statements can be used in all views. Keys intended for use in
+ a <span><strong class="command">controls</strong></span> statement
+ (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
+ Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
+ Usage&#8221;</a>)
+ must be defined at the top level.
+ </p>
+<p>
+ The <em class="replaceable"><code>key_id</code></em>, also known as the
+ key name, is a domain name uniquely identifying the key. It can
+ be used in a <span><strong class="command">server</strong></span>
+ statement to cause requests sent to that
+ server to be signed with this key, or in address match lists to
+ verify that incoming requests have been signed with a key
+ matching this name, algorithm, and secret.
+ </p>
+<p>
+ The <em class="replaceable"><code>algorithm_id</code></em> is a string
+ that specifies a security/authentication algorithm. Named
+ supports <code class="literal">hmac-md5</code>,
+ <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
+ <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
+ and <code class="literal">hmac-sha512</code> TSIG authentication.
+ Truncated hashes are supported by appending the minimum
+ number of required bits preceeded by a dash, e.g.
+ <code class="literal">hmac-sha1-80</code>. The
+ <em class="replaceable"><code>secret_string</code></em> is the secret
+ to be used by the algorithm, and is treated as a base-64
+ encoded string.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2576870"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574920"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">logging</strong></span> {
[ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path name</code></em>
- [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <code class="literal">unlimited</code> ) ]
+ [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
[ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
| <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
| <span><strong class="command">stderr</strong></span>
@@ -673,7 +1071,7 @@ string.</p>
[ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
}; ]
[ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
- <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_nam</code></em>e ; ... ]
+ <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
}; ]
...
};
@@ -681,148 +1079,223 @@ string.</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2577064"></a><span><strong class="command">logging</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">logging</strong></span> statement configures a wide
-variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
-associates output methods, format options and severity levels with
-a name that can then be used with the <span><strong class="command">category</strong></span> phrase
-to select how various classes of messages are logged.</p>
-<p>Only one <span><strong class="command">logging</strong></span> statement is used to define
-as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
-the logging configuration will be:</p>
+<a name="id2575046"></a><span><strong class="command">logging</strong></span> Statement Definition and
+ Usage</h3></div></div></div>
+<p>
+ The <span><strong class="command">logging</strong></span> statement configures a
+ wide
+ variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
+ associates output methods, format options and severity levels with
+ a name that can then be used with the <span><strong class="command">category</strong></span> phrase
+ to select how various classes of messages are logged.
+ </p>
+<p>
+ Only one <span><strong class="command">logging</strong></span> statement is used to
+ define
+ as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
+ the logging configuration will be:
+ </p>
<pre class="programlisting">logging {
category default { default_syslog; default_debug; };
category unmatched { null; };
};
</pre>
-<p>In <acronym class="acronym">BIND</acronym> 9, the logging configuration is only established when
-the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was
-established as soon as the <span><strong class="command">logging</strong></span> statement
-was parsed. When the server is starting up, all logging messages
-regarding syntax errors in the configuration file go to the default
-channels, or to standard error if the "<code class="option">-g</code>" option
-was specified.</p>
+<p>
+ In <acronym class="acronym">BIND</acronym> 9, the logging configuration
+ is only established when
+ the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was
+ established as soon as the <span><strong class="command">logging</strong></span>
+ statement
+ was parsed. When the server is starting up, all logging messages
+ regarding syntax errors in the configuration file go to the default
+ channels, or to standard error if the "<code class="option">-g</code>" option
+ was specified.
+ </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2577116"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
-<p>All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
-you can make as many of them as you want.</p>
-<p>Every channel definition must include a destination clause that
-says whether messages selected for the channel go to a file, to a
-particular syslog facility, to the standard error stream, or are
-discarded. It can optionally also limit the message severity level
-that will be accepted by the channel (the default is
-<span><strong class="command">info</strong></span>), and whether to include a
-<span><strong class="command">named</strong></span>-generated time stamp, the category name
-and/or severity level (the default is not to include any).</p>
-<p>The <span><strong class="command">null</strong></span> destination clause
-causes all messages sent to the channel to be discarded;
-in that case, other options for the channel are meaningless.</p>
-<p>The <span><strong class="command">file</strong></span> destination clause directs the channel
-to a disk file. It can include limitations
-both on how large the file is allowed to become, and how many versions
-of the file will be saved each time the file is opened.</p>
-<p>If you use the <span><strong class="command">versions</strong></span> log file option, then
-<span><strong class="command">named</strong></span> will retain that many backup versions of the file by
-renaming them when opening. For example, if you choose to keep three old versions
-of the file <code class="filename">lamers.log</code>, then just before it is opened
-<code class="filename">lamers.log.1</code> is renamed to
-<code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
-to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
-renamed to <code class="filename">lamers.log.0</code>.
-You can say <span><strong class="command">versions unlimited</strong></span> to not limit
-the number of versions.
-If a <span><strong class="command">size</strong></span> option is associated with the log file,
-then renaming is only done when the file being opened exceeds the
-indicated size. No backup versions are kept by default; any existing
-log file is simply appended.</p>
-<p>The <span><strong class="command">size</strong></span> option for files is used to limit log
-growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
-stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
-associated with it. If backup versions are kept, the files are rolled as
-described above and a new one begun. If there is no
-<span><strong class="command">versions</strong></span> option, no more data will be written to the log
-until some out-of-band mechanism removes or truncates the log to less than the
-maximum size. The default behavior is not to limit the size of the
-file.</p>
-<p>Example usage of the <span><strong class="command">size</strong></span> and
-<span><strong class="command">versions</strong></span> options:</p>
+<a name="id2575098"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
+<p>
+ All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
+ you can make as many of them as you want.
+ </p>
+<p>
+ Every channel definition must include a destination clause that
+ says whether messages selected for the channel go to a file, to a
+ particular syslog facility, to the standard error stream, or are
+ discarded. It can optionally also limit the message severity level
+ that will be accepted by the channel (the default is
+ <span><strong class="command">info</strong></span>), and whether to include a
+ <span><strong class="command">named</strong></span>-generated time stamp, the
+ category name
+ and/or severity level (the default is not to include any).
+ </p>
+<p>
+ The <span><strong class="command">null</strong></span> destination clause
+ causes all messages sent to the channel to be discarded;
+ in that case, other options for the channel are meaningless.
+ </p>
+<p>
+ The <span><strong class="command">file</strong></span> destination clause directs
+ the channel
+ to a disk file. It can include limitations
+ both on how large the file is allowed to become, and how many
+ versions
+ of the file will be saved each time the file is opened.
+ </p>
+<p>
+ If you use the <span><strong class="command">versions</strong></span> log file
+ option, then
+ <span><strong class="command">named</strong></span> will retain that many backup
+ versions of the file by
+ renaming them when opening. For example, if you choose to keep
+ three old versions
+ of the file <code class="filename">lamers.log</code>, then just
+ before it is opened
+ <code class="filename">lamers.log.1</code> is renamed to
+ <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
+ to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
+ renamed to <code class="filename">lamers.log.0</code>.
+ You can say <span><strong class="command">versions unlimited</strong></span> to
+ not limit
+ the number of versions.
+ If a <span><strong class="command">size</strong></span> option is associated with
+ the log file,
+ then renaming is only done when the file being opened exceeds the
+ indicated size. No backup versions are kept by default; any
+ existing
+ log file is simply appended.
+ </p>
+<p>
+ The <span><strong class="command">size</strong></span> option for files is used
+ to limit log
+ growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
+ stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
+ associated with it. If backup versions are kept, the files are
+ rolled as
+ described above and a new one begun. If there is no
+ <span><strong class="command">versions</strong></span> option, no more data will
+ be written to the log
+ until some out-of-band mechanism removes or truncates the log to
+ less than the
+ maximum size. The default behavior is not to limit the size of
+ the
+ file.
+ </p>
+<p>
+ Example usage of the <span><strong class="command">size</strong></span> and
+ <span><strong class="command">versions</strong></span> options:
+ </p>
<pre class="programlisting">channel an_example_channel {
file "example.log" versions 3 size 20m;
print-time yes;
print-category yes;
};
</pre>
-<p>The <span><strong class="command">syslog</strong></span> destination clause directs the
-channel to the system log. Its argument is a
-syslog facility as described in the <span><strong class="command">syslog</strong></span> man
-page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
-<span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
-<span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
-<span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
-<span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
-<span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
-<span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
-<span><strong class="command">local7</strong></span>, however not all facilities are supported on
-all operating systems.
-How <span><strong class="command">syslog</strong></span> will handle messages sent to
-this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
-page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
-only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
-then this clause is silently ignored.</p>
-<p>The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
-"priorities", except that they can also be used if you are writing
-straight to a file rather than using <span><strong class="command">syslog</strong></span>.
-Messages which are not at least of the severity level given will
-not be selected for the channel; messages of higher severity levels
-will be accepted.</p>
-<p>If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
-will also determine what eventually passes through. For example,
-defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
-only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
-cause messages of severity <span><strong class="command">info</strong></span> and <span><strong class="command">notice</strong></span> to
-be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
-messages of only <span><strong class="command">warning</strong></span> or higher, then <span><strong class="command">syslogd</strong></span> would
-print all messages it received from the channel.</p>
-<p>The <span><strong class="command">stderr</strong></span> destination clause directs the
-channel to the server's standard error stream. This is intended for
-use when the server is running as a foreground process, for example
-when debugging a configuration.</p>
-<p>The server can supply extensive debugging information when
-it is in debugging mode. If the server's global debug level is greater
-than zero, then debugging mode will be active. The global debug
-level is set either by starting the <span><strong class="command">named</strong></span> server
-with the <code class="option">-d</code> flag followed by a positive integer,
-or by running <span><strong class="command">rndc trace</strong></span>.
-The global debug level
-can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
+<p>
+ The <span><strong class="command">syslog</strong></span> destination clause
+ directs the
+ channel to the system log. Its argument is a
+ syslog facility as described in the <span><strong class="command">syslog</strong></span> man
+ page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
+ <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
+ <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
+ <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
+ <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
+ <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
+ <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
+ <span><strong class="command">local7</strong></span>, however not all facilities
+ are supported on
+ all operating systems.
+ How <span><strong class="command">syslog</strong></span> will handle messages
+ sent to
+ this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
+ page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
+ only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
+ then this clause is silently ignored.
+ </p>
+<p>
+ The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
+ "priorities", except that they can also be used if you are writing
+ straight to a file rather than using <span><strong class="command">syslog</strong></span>.
+ Messages which are not at least of the severity level given will
+ not be selected for the channel; messages of higher severity
+ levels
+ will be accepted.
+ </p>
+<p>
+ If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
+ will also determine what eventually passes through. For example,
+ defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
+ only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
+ cause messages of severity <span><strong class="command">info</strong></span> and
+ <span><strong class="command">notice</strong></span> to
+ be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
+ messages of only <span><strong class="command">warning</strong></span> or higher,
+ then <span><strong class="command">syslogd</strong></span> would
+ print all messages it received from the channel.
+ </p>
+<p>
+ The <span><strong class="command">stderr</strong></span> destination clause
+ directs the
+ channel to the server's standard error stream. This is intended
+ for
+ use when the server is running as a foreground process, for
+ example
+ when debugging a configuration.
+ </p>
+<p>
+ The server can supply extensive debugging information when
+ it is in debugging mode. If the server's global debug level is
+ greater
+ than zero, then debugging mode will be active. The global debug
+ level is set either by starting the <span><strong class="command">named</strong></span> server
+ with the <code class="option">-d</code> flag followed by a positive integer,
+ or by running <span><strong class="command">rndc trace</strong></span>.
+ The global debug level
+ can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
notrace</strong></span>. All debugging messages in the server have a debug
-level, and higher debug levels give more detailed output. Channels
-that specify a specific debug severity, for example:</p>
+ level, and higher debug levels give more detailed output. Channels
+ that specify a specific debug severity, for example:
+ </p>
<pre class="programlisting">channel specific_debug_level {
file "foo";
severity debug 3;
};
</pre>
-<p>will get debugging output of level 3 or less any time the
-server is in debugging mode, regardless of the global debugging
-level. Channels with <span><strong class="command">dynamic</strong></span> severity use the
-server's global debug level to determine what messages to print.</p>
-<p>If <span><strong class="command">print-time</strong></span> has been turned on, then
-the date and time will be logged. <span><strong class="command">print-time</strong></span> may
-be specified for a <span><strong class="command">syslog</strong></span> channel, but is usually
-pointless since <span><strong class="command">syslog</strong></span> also prints the date and
-time. If <span><strong class="command">print-category</strong></span> is requested, then the
-category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
-on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
-be used in any combination, and will always be printed in the following
-order: time, category, severity. Here is an example where all three <span><strong class="command">print-</strong></span> options
-are on:</p>
-<p><code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code></p>
-<p>There are four predefined channels that are used for
-<span><strong class="command">named</strong></span>'s default logging as follows. How they are
-used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called &#8220;The <span><strong class="command">category</strong></span> Phrase&#8221;</a>.
-</p>
+<p>
+ will get debugging output of level 3 or less any time the
+ server is in debugging mode, regardless of the global debugging
+ level. Channels with <span><strong class="command">dynamic</strong></span>
+ severity use the
+ server's global debug level to determine what messages to print.
+ </p>
+<p>
+ If <span><strong class="command">print-time</strong></span> has been turned on,
+ then
+ the date and time will be logged. <span><strong class="command">print-time</strong></span> may
+ be specified for a <span><strong class="command">syslog</strong></span> channel,
+ but is usually
+ pointless since <span><strong class="command">syslog</strong></span> also prints
+ the date and
+ time. If <span><strong class="command">print-category</strong></span> is
+ requested, then the
+ category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
+ on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
+ be used in any combination, and will always be printed in the
+ following
+ order: time, category, severity. Here is an example where all
+ three <span><strong class="command">print-</strong></span> options
+ are on:
+ </p>
+<p>
+ <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
+ </p>
+<p>
+ There are four predefined channels that are used for
+ <span><strong class="command">named</strong></span>'s default logging as follows.
+ How they are
+ used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called &#8220;The <span><strong class="command">category</strong></span> Phrase&#8221;</a>.
+ </p>
<pre class="programlisting">channel default_syslog {
syslog daemon; // send to syslog's daemon
// facility
@@ -852,35 +1325,50 @@ channel null {
// this channel
};
</pre>
-<p>The <span><strong class="command">default_debug</strong></span> channel has the special
-property that it only produces output when the server's debug level is
-nonzero. It normally writes to a file called <code class="filename">named.run</code>
-in the server's working directory.</p>
-<p>For security reasons, when the "<code class="option">-u</code>"
-command line option is used, the <code class="filename">named.run</code> file
-is created only after <span><strong class="command">named</strong></span> has changed to the
-new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
-starting up and still running as root is discarded. If you need
-to capture this output, you must run the server with the "<code class="option">-g</code>"
-option and redirect standard error to a file.</p>
-<p>Once a channel is defined, it cannot be redefined. Thus you
-cannot alter the built-in channels directly, but you can modify
-the default logging by pointing categories at channels you have defined.</p>
+<p>
+ The <span><strong class="command">default_debug</strong></span> channel has the
+ special
+ property that it only produces output when the server's debug
+ level is
+ nonzero. It normally writes to a file called <code class="filename">named.run</code>
+ in the server's working directory.
+ </p>
+<p>
+ For security reasons, when the "<code class="option">-u</code>"
+ command line option is used, the <code class="filename">named.run</code> file
+ is created only after <span><strong class="command">named</strong></span> has
+ changed to the
+ new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
+ starting up and still running as root is discarded. If you need
+ to capture this output, you must run the server with the "<code class="option">-g</code>"
+ option and redirect standard error to a file.
+ </p>
+<p>
+ Once a channel is defined, it cannot be redefined. Thus you
+ cannot alter the built-in channels directly, but you can modify
+ the default logging by pointing categories at channels you have
+ defined.
+ </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
-<p>There are many categories, so you can send the logs you want
-to see wherever you want, without seeing logs you don't want. If
-you don't specify a list of channels for a category, then log messages
-in that category will be sent to the <span><strong class="command">default</strong></span> category
-instead. If you don't specify a default category, the following
-"default default" is used:</p>
+<p>
+ There are many categories, so you can send the logs you want
+ to see wherever you want, without seeing logs you don't want. If
+ you don't specify a list of channels for a category, then log
+ messages
+ in that category will be sent to the <span><strong class="command">default</strong></span> category
+ instead. If you don't specify a default category, the following
+ "default default" is used:
+ </p>
<pre class="programlisting">category default { default_syslog; default_debug; };
</pre>
-<p>As an example, let's say you want to log security events to
-a file, but you also want keep the default logging behavior. You'd
-specify the following:</p>
+<p>
+ As an example, let's say you want to log security events to
+ a file, but you also want keep the default logging behavior. You'd
+ specify the following:
+ </p>
<pre class="programlisting">channel my_security_channel {
file "my_security_file";
severity info;
@@ -890,13 +1378,17 @@ category security {
default_syslog;
default_debug;
};</pre>
-<p>To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:</p>
+<p>
+ To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
+ </p>
<pre class="programlisting">category xfer-out { null; };
category notify { null; };
</pre>
-<p>Following are the available categories and brief descriptions
-of the types of log information they contain. More
-categories may be added in future <acronym class="acronym">BIND</acronym> releases.</p>
+<p>
+ Following are the available categories and brief descriptions
+ of the types of log information they contain. More
+ categories may be added in future <acronym class="acronym">BIND</acronym> releases.
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -904,114 +1396,235 @@ categories may be added in future <acronym class="acronym">BIND</acronym> releas
</colgroup>
<tbody>
<tr>
-<td><p><span><strong class="command">default</strong></span></p></td>
-<td><p>The default category defines the logging
-options for those categories where no specific configuration has been
-defined.</p></td>
+<td>
+ <p><span><strong class="command">default</strong></span></p>
+ </td>
+<td>
+ <p>
+ The default category defines the logging
+ options for those categories where no specific
+ configuration has been
+ defined.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">general</strong></span></p></td>
-<td><p>The catch-all. Many things still aren't
-classified into categories, and they all end up here.</p></td>
+<td>
+ <p><span><strong class="command">general</strong></span></p>
+ </td>
+<td>
+ <p>
+ The catch-all. Many things still aren't
+ classified into categories, and they all end up here.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">database</strong></span></p></td>
-<td><p>Messages relating to the databases used
-internally by the name server to store zone and cache data.</p></td>
+<td>
+ <p><span><strong class="command">database</strong></span></p>
+ </td>
+<td>
+ <p>
+ Messages relating to the databases used
+ internally by the name server to store zone and cache
+ data.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">security</strong></span></p></td>
-<td><p>Approval and denial of requests.</p></td>
+<td>
+ <p><span><strong class="command">security</strong></span></p>
+ </td>
+<td>
+ <p>
+ Approval and denial of requests.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">config</strong></span></p></td>
-<td><p>Configuration file parsing and processing.</p></td>
+<td>
+ <p><span><strong class="command">config</strong></span></p>
+ </td>
+<td>
+ <p>
+ Configuration file parsing and processing.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">resolver</strong></span></p></td>
-<td><p>DNS resolution, such as the recursive
-lookups performed on behalf of clients by a caching name server.</p></td>
+<td>
+ <p><span><strong class="command">resolver</strong></span></p>
+ </td>
+<td>
+ <p>
+ DNS resolution, such as the recursive
+ lookups performed on behalf of clients by a caching name
+ server.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">xfer-in</strong></span></p></td>
-<td><p>Zone transfers the server is receiving.</p></td>
+<td>
+ <p><span><strong class="command">xfer-in</strong></span></p>
+ </td>
+<td>
+ <p>
+ Zone transfers the server is receiving.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">xfer-out</strong></span></p></td>
-<td><p>Zone transfers the server is sending.</p></td>
+<td>
+ <p><span><strong class="command">xfer-out</strong></span></p>
+ </td>
+<td>
+ <p>
+ Zone transfers the server is sending.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">notify</strong></span></p></td>
-<td><p>The NOTIFY protocol.</p></td>
+<td>
+ <p><span><strong class="command">notify</strong></span></p>
+ </td>
+<td>
+ <p>
+ The NOTIFY protocol.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">client</strong></span></p></td>
-<td><p>Processing of client requests.</p></td>
+<td>
+ <p><span><strong class="command">client</strong></span></p>
+ </td>
+<td>
+ <p>
+ Processing of client requests.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">unmatched</strong></span></p></td>
-<td><p>Messages that named was unable to determine the
-class of or for which there was no matching <span><strong class="command">view</strong></span>.
-A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
-This category is best sent to a file or stderr, by default it is sent to
-the <span><strong class="command">null</strong></span> channel.</p></td>
+<td>
+ <p><span><strong class="command">unmatched</strong></span></p>
+ </td>
+<td>
+ <p>
+ Messages that named was unable to determine the
+ class of or for which there was no matching <span><strong class="command">view</strong></span>.
+ A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
+ This category is best sent to a file or stderr, by
+ default it is sent to
+ the <span><strong class="command">null</strong></span> channel.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">network</strong></span></p></td>
-<td><p>Network operations.</p></td>
+<td>
+ <p><span><strong class="command">network</strong></span></p>
+ </td>
+<td>
+ <p>
+ Network operations.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">update</strong></span></p></td>
-<td><p>Dynamic updates.</p></td>
+<td>
+ <p><span><strong class="command">update</strong></span></p>
+ </td>
+<td>
+ <p>
+ Dynamic updates.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">update-security</strong></span></p></td>
-<td><p>Approval and denial of update requests.</p></td>
+<td>
+ <p><span><strong class="command">update-security</strong></span></p>
+ </td>
+<td>
+ <p>
+ Approval and denial of update requests.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">queries</strong></span></p></td>
<td>
-<p>Specify where queries should be logged to.</p>
-<p>
-At startup, specifying the category <span><strong class="command">queries</strong></span> will also
-enable query logging unless <span><strong class="command">querylog</strong></span> option has been
-specified.
-</p>
-<p>
-The query log entry reports the client's IP address and port number, and the
-query name, class and type. It also reports whether the Recursion Desired
-flag was set (+ if set, - if not set), EDNS was in use (E) or if the
-query was signed (S).</p>
-<p><code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code>
-</p>
-<p><code class="computeroutput">client ::1#62537: query: www.example.net IN AAAA -SE</code>
-</p>
-</td>
+ <p><span><strong class="command">queries</strong></span></p>
+ </td>
+<td>
+ <p>
+ Specify where queries should be logged to.
+ </p>
+ <p>
+ At startup, specifying the category <span><strong class="command">queries</strong></span> will also
+ enable query logging unless <span><strong class="command">querylog</strong></span> option has been
+ specified.
+ </p>
+ <p>
+ The query log entry reports the client's IP address and
+ port number, and the
+ query name, class and type. It also reports whether the
+ Recursion Desired
+ flag was set (+ if set, - if not set), EDNS was in use
+ (E) or if the
+ query was signed (S).
+ </p>
+ <p>
+ <code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code>
+ </p>
+ <p>
+ <code class="computeroutput">client ::1#62537: query: www.example.net IN AAAA -SE</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">dispatch</strong></span></p></td>
-<td><p>Dispatching of incoming packets to the
-server modules where they are to be processed.
-</p></td>
+<td>
+ <p><span><strong class="command">dispatch</strong></span></p>
+ </td>
+<td>
+ <p>
+ Dispatching of incoming packets to the
+ server modules where they are to be processed.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">dnssec</strong></span></p></td>
-<td><p>DNSSEC and TSIG protocol processing.
-</p></td>
+<td>
+ <p><span><strong class="command">dnssec</strong></span></p>
+ </td>
+<td>
+ <p>
+ DNSSEC and TSIG protocol processing.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">lame-servers</strong></span></p></td>
-<td><p>Lame servers. These are misconfigurations
-in remote servers, discovered by BIND 9 when trying to query
-those servers during resolution.
-</p></td>
+<td>
+ <p><span><strong class="command">lame-servers</strong></span></p>
+ </td>
+<td>
+ <p>
+ Lame servers. These are misconfigurations
+ in remote servers, discovered by BIND 9 when trying to
+ query
+ those servers during resolution.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">delegation-only</strong></span></p></td>
-<td><p>Delegation only. Logs queries that have have
-been forced to NXDOMAIN as the result of a delegation-only zone or
-a <span><strong class="command">delegation-only</strong></span> in a hint or stub zone declaration.
-</p></td>
+<td>
+ <p><span><strong class="command">delegation-only</strong></span></p>
+ </td>
+<td>
+ <p>
+ Delegation only. Logs queries that have have
+ been forced to NXDOMAIN as the result of a
+ delegation-only zone or
+ a <span><strong class="command">delegation-only</strong></span> in a
+ hint or stub zone declaration.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
@@ -1019,9 +1632,11 @@ a <span><strong class="command">delegation-only</strong></span> in a hint or stu
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578270"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
-<p> This is the grammar of the <span><strong class="command">lwres</strong></span>
-statement in the <code class="filename">named.conf</code> file:</p>
+<a name="id2576396"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
+<p>
+ This is the grammar of the <span><strong class="command">lwres</strong></span>
+ statement in the <code class="filename">named.conf</code> file:
+ </p>
<pre class="programlisting"><span><strong class="command">lwres</strong></span> {
[<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
@@ -1032,50 +1647,78 @@ statement in the <code class="filename">named.conf</code> file:</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578343"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">lwres</strong></span> statement configures the name
-server to also act as a lightweight resolver server. (See
-<a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called &#8220;Running a Resolver Daemon&#8221;</a>.) There may be be multiple
-<span><strong class="command">lwres</strong></span> statements configuring
-lightweight resolver servers with different properties.</p>
-<p>The <span><strong class="command">listen-on</strong></span> statement specifies a list of
-addresses (and ports) that this instance of a lightweight resolver daemon
-should accept requests on. If no port is specified, port 921 is used.
-If this statement is omitted, requests will be accepted on 127.0.0.1,
-port 921.</p>
-<p>The <span><strong class="command">view</strong></span> statement binds this instance of a
-lightweight resolver daemon to a view in the DNS namespace, so that the
-response will be constructed in the same manner as a normal DNS query
-matching this view. If this statement is omitted, the default view is
-used, and if there is no default view, an error is triggered.</p>
-<p>The <span><strong class="command">search</strong></span> statement is equivalent to the
-<span><strong class="command">search</strong></span> statement in
-<code class="filename">/etc/resolv.conf</code>. It provides a list of domains
-which are appended to relative names in queries.</p>
-<p>The <span><strong class="command">ndots</strong></span> statement is equivalent to the
-<span><strong class="command">ndots</strong></span> statement in
-<code class="filename">/etc/resolv.conf</code>. It indicates the minimum
-number of dots in a relative domain name that should result in an
-exact match lookup before search path elements are appended.</p>
+<a name="id2576470"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
+<p>
+ The <span><strong class="command">lwres</strong></span> statement configures the
+ name
+ server to also act as a lightweight resolver server. (See
+ <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called &#8220;Running a Resolver Daemon&#8221;</a>.) There may be be multiple
+ <span><strong class="command">lwres</strong></span> statements configuring
+ lightweight resolver servers with different properties.
+ </p>
+<p>
+ The <span><strong class="command">listen-on</strong></span> statement specifies a
+ list of
+ addresses (and ports) that this instance of a lightweight resolver
+ daemon
+ should accept requests on. If no port is specified, port 921 is
+ used.
+ If this statement is omitted, requests will be accepted on
+ 127.0.0.1,
+ port 921.
+ </p>
+<p>
+ The <span><strong class="command">view</strong></span> statement binds this
+ instance of a
+ lightweight resolver daemon to a view in the DNS namespace, so that
+ the
+ response will be constructed in the same manner as a normal DNS
+ query
+ matching this view. If this statement is omitted, the default view
+ is
+ used, and if there is no default view, an error is triggered.
+ </p>
+<p>
+ The <span><strong class="command">search</strong></span> statement is equivalent to
+ the
+ <span><strong class="command">search</strong></span> statement in
+ <code class="filename">/etc/resolv.conf</code>. It provides a
+ list of domains
+ which are appended to relative names in queries.
+ </p>
+<p>
+ The <span><strong class="command">ndots</strong></span> statement is equivalent to
+ the
+ <span><strong class="command">ndots</strong></span> statement in
+ <code class="filename">/etc/resolv.conf</code>. It indicates the
+ minimum
+ number of dots in a relative domain name that should result in an
+ exact match lookup before search path elements are appended.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578406"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2576534"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">
-<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] } ;
+<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578518"></a><span><strong class="command">masters</strong></span> Statement Definition and Usage </h3></div></div></div>
-<p><span><strong class="command">masters</strong></span> lists allow for a common set of masters
-to be easily used by multiple stub and slave zones.</p>
+<a name="id2576578"></a><span><strong class="command">masters</strong></span> Statement Definition and
+ Usage</h3></div></div></div>
+<p><span><strong class="command">masters</strong></span>
+ lists allow for a common set of masters to be easily used by
+ multiple stub and slave zones.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2578533"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
-<p>This is the grammar of the <span><strong class="command">options</strong></span>
-statement in the <code class="filename">named.conf</code> file:</p>
+<a name="id2576593"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
+<p>
+ This is the grammar of the <span><strong class="command">options</strong></span>
+ statement in the <code class="filename">named.conf</code> file:
+ </p>
<pre class="programlisting">options {
[<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
[<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
@@ -1102,31 +1745,52 @@ statement in the <code class="filename">named.conf</code> file:</p>
[<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em>; </span>]
+ [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
[<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> dnssec-validation <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-lookaside <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em>; </span>]
[<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
+ [<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ; ... }; </span>]
- [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
+ [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] {
+ ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] |
+ <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ;
+ ... }; </span>]
+ [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
+ ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
+ [<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
+ [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
+ [<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
+ [<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
- [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
+ [<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
+ [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
+ [<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
+ [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
+ [<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
+ [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
+ [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
+ [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
@@ -1182,202 +1846,316 @@ statement in the <code class="filename">named.conf</code> file:</p>
[<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
[<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
+ [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
[<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>; [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
+ [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
+ [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
+ [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
+ [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
+ [<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>]
+ [<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>]
+ [<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
+ [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
+ [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
+ [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
};
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">options</strong></span> statement sets up global options
-to be used by <acronym class="acronym">BIND</acronym>. This statement may appear only
-once in a configuration file. If there is no <span><strong class="command">options</strong></span>
-statement, an options block with each option set to its default will
-be used.</p>
+<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
+ Usage</h3></div></div></div>
+<p>
+ The <span><strong class="command">options</strong></span> statement sets up global
+ options
+ to be used by <acronym class="acronym">BIND</acronym>. This statement
+ may appear only
+ once in a configuration file. If there is no <span><strong class="command">options</strong></span>
+ statement, an options block with each option set to its default will
+ be used.
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt>
-<dd><p>The working directory of the server.
-Any non-absolute pathnames in the configuration file will be taken
-as relative to this directory. The default location for most server
-output files (e.g. <code class="filename">named.run</code>) is this directory.
-If a directory is not specified, the working directory defaults
-to `<code class="filename">.</code>', the directory from which the server
-was started. The directory specified should be an absolute path.</p></dd>
+<dd><p>
+ The working directory of the server.
+ Any non-absolute pathnames in the configuration file will be
+ taken
+ as relative to this directory. The default location for most
+ server
+ output files (e.g. <code class="filename">named.run</code>)
+ is this directory.
+ If a directory is not specified, the working directory
+ defaults to `<code class="filename">.</code>', the directory from
+ which the server
+ was started. The directory specified should be an absolute
+ path.
+ </p></dd>
<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
-<dd><p>When performing dynamic update of secure zones, the
-directory where the public and private key files should be found,
-if different than the current working directory. The directory specified
-must be an absolute path.</p></dd>
+<dd><p>
+ When performing dynamic update of secure zones, the
+ directory where the public and private key files should be
+ found,
+ if different than the current working directory. The
+ directory specified
+ must be an absolute path.
+ </p></dd>
<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete.</em></span>
-It was used in <acronym class="acronym">BIND</acronym> 8 to
-specify the pathname to the <span><strong class="command">named-xfer</strong></span> program.
-In <acronym class="acronym">BIND</acronym> 9, no separate <span><strong class="command">named-xfer</strong></span> program is
-needed; its functionality is built into the name server.</p></dd>
+<dd><p>
+ <span class="emphasis"><em>This option is obsolete.</em></span>
+ It was used in <acronym class="acronym">BIND</acronym> 8 to
+ specify the pathname to the <span><strong class="command">named-xfer</strong></span> program.
+ In <acronym class="acronym">BIND</acronym> 9, no separate <span><strong class="command">named-xfer</strong></span> program is
+ needed; its functionality is built into the name server.
+ </p></dd>
<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
-<dd><p>The domain appended to the names of all
-shared keys generated with <span><strong class="command">TKEY</strong></span>. When a client
-requests a <span><strong class="command">TKEY</strong></span> exchange, it may or may not specify
-the desired name for the key. If present, the name of the shared
-key will be "<code class="varname">client specified part</code>" +
-"<code class="varname">tkey-domain</code>".
-Otherwise, the name of the shared key will be "<code class="varname">random hex
+<dd><p>
+ The domain appended to the names of all
+ shared keys generated with
+ <span><strong class="command">TKEY</strong></span>. When a client
+ requests a <span><strong class="command">TKEY</strong></span> exchange, it
+ may or may not specify
+ the desired name for the key. If present, the name of the
+ shared
+ key will be "<code class="varname">client specified part</code>" +
+ "<code class="varname">tkey-domain</code>".
+ Otherwise, the name of the shared key will be "<code class="varname">random hex
digits</code>" + "<code class="varname">tkey-domain</code>". In most cases,
-the <span><strong class="command">domainname</strong></span> should be the server's domain
-name.</p></dd>
+ the <span><strong class="command">domainname</strong></span> should be the
+ server's domain
+ name.
+ </p></dd>
<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
-<dd><p>The Diffie-Hellman key used by the server
-to generate shared keys with clients using the Diffie-Hellman mode
-of <span><strong class="command">TKEY</strong></span>. The server must be able to load the
-public and private keys from files in the working directory. In
-most cases, the keyname should be the server's host name.</p></dd>
+<dd><p>
+ The Diffie-Hellman key used by the server
+ to generate shared keys with clients using the Diffie-Hellman
+ mode
+ of <span><strong class="command">TKEY</strong></span>. The server must be
+ able to load the
+ public and private keys from files in the working directory.
+ In
+ most cases, the keyname should be the server's host name.
+ </p></dd>
<dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt>
<dd><p>
- This is for testing only. Do not use.
+ This is for testing only. Do not use.
</p></dd>
<dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt>
-<dd><p>The pathname of the file the server dumps
-the database to when instructed to do so with
-<span><strong class="command">rndc dumpdb</strong></span>.
-If not specified, the default is <code class="filename">named_dump.db</code>.</p></dd>
+<dd><p>
+ The pathname of the file the server dumps
+ the database to when instructed to do so with
+ <span><strong class="command">rndc dumpdb</strong></span>.
+ If not specified, the default is <code class="filename">named_dump.db</code>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
-<dd><p>The pathname of the file the server writes memory
-usage statistics to on exit. If not specified,
-the default is <code class="filename">named.memstats</code>.</p></dd>
+<dd><p>
+ The pathname of the file the server writes memory
+ usage statistics to on exit. If not specified,
+ the default is
+ <code class="filename">named.memstats</code>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
-<dd><p>The pathname of the file the server writes its process ID
-in. If not specified, the default is <code class="filename">/var/run/named.pid</code>.
-The pid-file is used by programs that want to send signals to the running
-name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
-use of a PID file &#8212; no file will be written and any
-existing one will be removed. Note that <span><strong class="command">none</strong></span>
-is a keyword, not a file name, and therefore is not enclosed in
-double quotes.</p></dd>
+<dd><p>
+ The pathname of the file the server writes its process ID
+ in. If not specified, the default is <code class="filename">/var/run/named.pid</code>.
+ The pid-file is used by programs that want to send signals to
+ the running
+ name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
+ use of a PID file &#8212; no file will be written and any
+ existing one will be removed. Note that <span><strong class="command">none</strong></span>
+ is a keyword, not a file name, and therefore is not enclosed
+ in
+ double quotes.
+ </p></dd>
<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt>
-<dd><p>The pathname of the file the server appends statistics
-to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
-If not specified, the default is <code class="filename">named.stats</code> in the
-server's current directory. The format of the file is described
-in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.</p></dd>
+<dd><p>
+ The pathname of the file the server appends statistics
+ to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
+ If not specified, the default is <code class="filename">named.stats</code> in the
+ server's current directory. The format of the file is
+ described
+ in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">port</strong></span></span></dt>
<dd><p>
-The UDP/TCP port number the server uses for
-receiving and sending DNS protocol traffic.
-The default is 53. This option is mainly intended for server testing;
-a server using a port other than 53 will not be able to communicate with
-the global DNS.
-</p></dd>
+ The UDP/TCP port number the server uses for
+ receiving and sending DNS protocol traffic.
+ The default is 53. This option is mainly intended for server
+ testing;
+ a server using a port other than 53 will not be able to
+ communicate with
+ the global DNS.
+ </p></dd>
<dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt>
<dd><p>
-The source of entropy to be used by the server. Entropy is primarily needed
-for DNSSEC operations, such as TKEY transactions and dynamic update of signed
-zones. This options specifies the device (or file) from which to read
-entropy. If this is a file, operations requiring entropy will fail when the
-file has been exhausted. If not specified, the default value is
-<code class="filename">/dev/random</code>
-(or equivalent) when present, and none otherwise. The
-<span><strong class="command">random-device</strong></span> option takes effect during
-the initial configuration load at server startup time and
-is ignored on subsequent reloads.</p></dd>
+ The source of entropy to be used by the server. Entropy is
+ primarily needed
+ for DNSSEC operations, such as TKEY transactions and dynamic
+ update of signed
+ zones. This options specifies the device (or file) from which
+ to read
+ entropy. If this is a file, operations requiring entropy will
+ fail when the
+ file has been exhausted. If not specified, the default value
+ is
+ <code class="filename">/dev/random</code>
+ (or equivalent) when present, and none otherwise. The
+ <span><strong class="command">random-device</strong></span> option takes
+ effect during
+ the initial configuration load at server startup time and
+ is ignored on subsequent reloads.
+ </p></dd>
<dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt>
<dd><p>
-If specified, the listed type (A or AAAA) will be emitted before other glue
-in the additional section of a query response.
-The default is not to prefer any type (NONE).
-</p></dd>
+ If specified, the listed type (A or AAAA) will be emitted
+ before other glue
+ in the additional section of a query response.
+ The default is not to prefer any type (NONE).
+ </p></dd>
<dt><span class="term"><span><strong class="command">root-delegation-only</strong></span></span></dt>
<dd>
<p>
-Turn on enforcement of delegation-only in TLDs (top level domains)
-and root zones with an optional exclude list.
-</p>
+ Turn on enforcement of delegation-only in TLDs (top level domains) and root zones
+ with an optional
+ exclude list.
+ </p>
<p>
-Note some TLDs are not delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
-</p>
+ Note some TLDs are not delegation only (e.g. "DE", "LV", "US"
+ and "MUSEUM").
+ </p>
<pre class="programlisting">
options {
- root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
+ root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
};
</pre>
</dd>
<dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt>
<dd><p>
-Disable the specified DNSSEC algorithms at and below the specified name.
-Multiple <span><strong class="command">disable-algorithms</strong></span> statements are allowed.
-Only the most specific will be applied.
-</p></dd>
+ Disable the specified DNSSEC algorithms at and below the
+ specified name.
+ Multiple <span><strong class="command">disable-algorithms</strong></span>
+ statements are allowed.
+ Only the most specific will be applied.
+ </p></dd>
<dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt>
<dd><p>
-When set, <span><strong class="command">dnssec-lookaside</strong></span> provides the
-validator with an alternate method to validate DNSKEY records at the
-top of a zone. When a DNSKEY is at or below a domain specified by the
-deepest <span><strong class="command">dnssec-lookaside</strong></span>, and the normal dnssec validation
-has left the key untrusted, the trust-anchor will be append to the key
-name and a DLV record will be looked up to see if it can validate the
-key. If the DLV record validates a DNSKEY (similarly to the way a DS
-record does) the DNSKEY RRset is deemed to be trusted.
-</p></dd>
+ When set, <span><strong class="command">dnssec-lookaside</strong></span>
+ provides the
+ validator with an alternate method to validate DNSKEY records
+ at the
+ top of a zone. When a DNSKEY is at or below a domain
+ specified by the
+ deepest <span><strong class="command">dnssec-lookaside</strong></span>, and
+ the normal dnssec validation
+ has left the key untrusted, the trust-anchor will be append to
+ the key
+ name and a DLV record will be looked up to see if it can
+ validate the
+ key. If the DLV record validates a DNSKEY (similarly to the
+ way a DS
+ record does) the DNSKEY RRset is deemed to be trusted.
+ </p></dd>
<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
<dd><p>
-Specify heirarchies which must be or may not be secure (signed and validated).
-If <strong class="userinput"><code>yes</code></strong>, then named will only accept answers if they
-are secure.
-If <strong class="userinput"><code>no</code></strong>, then normal dnssec validation applies
-allowing for insecure answers to be accepted.
-The specified domain must be under a <span><strong class="command">trusted-key</strong></span> or
-<span><strong class="command">dnssec-lookaside</strong></span> must be active.
-</p></dd>
+ Specify hierarchies which must be or may not be secure (signed and
+ validated).
+ If <strong class="userinput"><code>yes</code></strong>, then named will only accept
+ answers if they
+ are secure.
+ If <strong class="userinput"><code>no</code></strong>, then normal dnssec validation
+ applies
+ allowing for insecure answers to be accepted.
+ The specified domain must be under a <span><strong class="command">trusted-key</strong></span> or
+ <span><strong class="command">dnssec-lookaside</strong></span> must be
+ active.
+ </p></dd>
</dl></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="boolean_options"></a>Boolean Options</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
-is always set on NXDOMAIN responses, even if the server is not actually
-authoritative. The default is <strong class="userinput"><code>no</code></strong>; this is
-a change from <acronym class="acronym">BIND</acronym> 8. If you are using very old DNS software, you
-may need to set it to <strong class="userinput"><code>yes</code></strong>.</p></dd>
+<dd><p>
+ If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
+ is always set on NXDOMAIN responses, even if the server is
+ not actually
+ authoritative. The default is <strong class="userinput"><code>no</code></strong>;
+ this is
+ a change from <acronym class="acronym">BIND</acronym> 8. If you
+ are using very old DNS software, you
+ may need to set it to <strong class="userinput"><code>yes</code></strong>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt>
-<dd><p>This option was used in <acronym class="acronym">BIND</acronym> 8 to enable checking
-for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
-the checks.</p></dd>
+<dd><p>
+ This option was used in <acronym class="acronym">BIND</acronym>
+ 8 to enable checking
+ for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
+ the checks.
+ </p></dd>
<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
<dd>
-<p>If <strong class="userinput"><code>yes</code></strong>, then the
-server treats all zones as if they are doing zone transfers across
-a dial-on-demand dialup link, which can be brought up by traffic
-originating from this server. This has different effects according
-to zone type and concentrates the zone maintenance so that it all
-happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
-hopefully during the one call. It also suppresses some of the normal
-zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.</p>
-<p>The <span><strong class="command">dialup</strong></span> option
-may also be specified in the <span><strong class="command">view</strong></span> and
-<span><strong class="command">zone</strong></span> statements,
-in which case it overrides the global <span><strong class="command">dialup</strong></span>
-option.</p>
-<p>If the zone is a master zone, then the server will send out a NOTIFY
-request to all the slaves (default). This should trigger the zone serial
-number check in the slave (providing it supports NOTIFY) allowing the slave
-to verify the zone while the connection is active.
-The set of servers to which NOTIFY is sent can be controlled by
-<span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.</p>
-<p>If the
-zone is a slave or stub zone, then the server will suppress the regular
-"zone up to date" (refresh) queries and only perform them when the
-<span><strong class="command">heartbeat-interval</strong></span> expires in addition to sending
-NOTIFY requests.</p>
-<p>Finer control can be achieved by using
-<strong class="userinput"><code>notify</code></strong> which only sends NOTIFY messages,
-<strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY messages and
-suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
-which suppresses normal refresh processing and sends refresh queries
-when the <span><strong class="command">heartbeat-interval</strong></span> expires, and
-<strong class="userinput"><code>passive</code></strong> which just disables normal refresh
-processing.</p>
+<p>
+ If <strong class="userinput"><code>yes</code></strong>, then the
+ server treats all zones as if they are doing zone transfers
+ across
+ a dial-on-demand dialup link, which can be brought up by
+ traffic
+ originating from this server. This has different effects
+ according
+ to zone type and concentrates the zone maintenance so that
+ it all
+ happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
+ hopefully during the one call. It also suppresses some of
+ the normal
+ zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.
+ </p>
+<p>
+ The <span><strong class="command">dialup</strong></span> option
+ may also be specified in the <span><strong class="command">view</strong></span> and
+ <span><strong class="command">zone</strong></span> statements,
+ in which case it overrides the global <span><strong class="command">dialup</strong></span>
+ option.
+ </p>
+<p>
+ If the zone is a master zone, then the server will send out a
+ NOTIFY
+ request to all the slaves (default). This should trigger the
+ zone serial
+ number check in the slave (providing it supports NOTIFY)
+ allowing the slave
+ to verify the zone while the connection is active.
+ The set of servers to which NOTIFY is sent can be controlled
+ by
+ <span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
+ </p>
+<p>
+ If the
+ zone is a slave or stub zone, then the server will suppress
+ the regular
+ "zone up to date" (refresh) queries and only perform them
+ when the
+ <span><strong class="command">heartbeat-interval</strong></span> expires in
+ addition to sending
+ NOTIFY requests.
+ </p>
+<p>
+ Finer control can be achieved by using
+ <strong class="userinput"><code>notify</code></strong> which only sends NOTIFY
+ messages,
+ <strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY
+ messages and
+ suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
+ which suppresses normal refresh processing and sends refresh
+ queries
+ when the <span><strong class="command">heartbeat-interval</strong></span>
+ expires, and
+ <strong class="userinput"><code>passive</code></strong> which just disables normal
+ refresh
+ processing.
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -1387,818 +2165,1377 @@ processing.</p>
</colgroup>
<tbody>
<tr>
-<td><p>dialup mode</p></td>
-<td><p>normal refresh</p></td>
-<td><p>heart-beat refresh</p></td>
-<td><p>heart-beat notify</p></td>
+<td>
+ <p>
+ dialup mode
+ </p>
+ </td>
+<td>
+ <p>
+ normal refresh
+ </p>
+ </td>
+<td>
+ <p>
+ heart-beat refresh
+ </p>
+ </td>
+<td>
+ <p>
+ heart-beat notify
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">no</strong></span> (default)</p></td>
-<td><p>yes</p></td>
-<td><p>no</p></td>
-<td><p>no</p></td>
+<td>
+ <p><span><strong class="command">no</strong></span> (default)</p>
+ </td>
+<td>
+ <p>
+ yes
+ </p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">yes</strong></span></p></td>
-<td><p>no</p></td>
-<td><p>yes</p></td>
-<td><p>yes</p></td>
+<td>
+ <p><span><strong class="command">yes</strong></span></p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
+<td>
+ <p>
+ yes
+ </p>
+ </td>
+<td>
+ <p>
+ yes
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">notify</strong></span></p></td>
-<td><p>yes</p></td>
-<td><p>no</p></td>
-<td><p>yes</p></td>
+<td>
+ <p><span><strong class="command">notify</strong></span></p>
+ </td>
+<td>
+ <p>
+ yes
+ </p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
+<td>
+ <p>
+ yes
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">refresh</strong></span></p></td>
-<td><p>no</p></td>
-<td><p>yes</p></td>
-<td><p>no</p></td>
+<td>
+ <p><span><strong class="command">refresh</strong></span></p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
+<td>
+ <p>
+ yes
+ </p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">passive</strong></span></p></td>
-<td><p>no</p></td>
-<td><p>no</p></td>
-<td><p>no</p></td>
+<td>
+ <p><span><strong class="command">passive</strong></span></p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">notify-passive</strong></span></p></td>
-<td><p>no</p></td>
-<td><p>no</p></td>
-<td><p>yes</p></td>
+<td>
+ <p><span><strong class="command">notify-passive</strong></span></p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
+<td>
+ <p>
+ no
+ </p>
+ </td>
+<td>
+ <p>
+ yes
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>Note that normal NOTIFY processing is not affected by
-<span><strong class="command">dialup</strong></span>.</p>
+<p>
+ Note that normal NOTIFY processing is not affected by
+ <span><strong class="command">dialup</strong></span>.
+ </p>
</dd>
<dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt>
-<dd><p>In <acronym class="acronym">BIND</acronym> 8, this option
-enabled simulating the obsolete DNS query type
-IQUERY. <acronym class="acronym">BIND</acronym> 9 never does IQUERY simulation.
-</p></dd>
+<dd><p>
+ In <acronym class="acronym">BIND</acronym> 8, this option
+ enabled simulating the obsolete DNS query type
+ IQUERY. <acronym class="acronym">BIND</acronym> 9 never does
+ IQUERY simulation.
+ </p></dd>
<dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt>
-<dd><p>This option is obsolete.
-In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
-caused the server to attempt to fetch glue resource records it
-didn't have when constructing the additional
-data section of a response. This is now considered a bad idea
-and BIND 9 never does it.</p></dd>
+<dd><p>
+ This option is obsolete.
+ In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
+ caused the server to attempt to fetch glue resource records
+ it
+ didn't have when constructing the additional
+ data section of a response. This is now considered a bad
+ idea
+ and BIND 9 never does it.
+ </p></dd>
<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
-<dd><p>When the nameserver exits due receiving SIGTERM,
-flush or do not flush any pending zone writes. The default is
-<span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
-</p></dd>
+<dd><p>
+ When the nameserver exits due receiving SIGTERM,
+ flush or do not flush any pending zone writes. The default
+ is
+ <span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt>
-<dd><p>This option was incorrectly implemented
-in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
-To achieve the intended effect
-of
-<span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
-the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
-and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
-</p></dd>
+<dd><p>
+ This option was incorrectly implemented
+ in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
+ To achieve the intended effect
+ of
+ <span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
+ the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
+ and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
+ </p></dd>
<dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt>
-<dd><p>In BIND 8, this enables keeping of
-statistics for every host that the name server interacts with.
-Not implemented in BIND 9.
-</p></dd>
+<dd><p>
+ In BIND 8, this enables keeping of
+ statistics for every host that the name server interacts
+ with.
+ Not implemented in BIND 9.
+ </p></dd>
<dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete</em></span>.
- It was used in <acronym class="acronym">BIND</acronym> 8 to determine whether a transaction log was
-kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
-log whenever possible. If you need to disable outgoing incremental zone
-transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
-</p></dd>
+<dd><p>
+ <span class="emphasis"><em>This option is obsolete</em></span>.
+ It was used in <acronym class="acronym">BIND</acronym> 8 to
+ determine whether a transaction log was
+ kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
+ log whenever possible. If you need to disable outgoing
+ incremental zone
+ transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, then when generating
-responses the server will only add records to the authority and
-additional data sections when they are required (e.g. delegations,
-negative responses). This may improve the performance of the server.
-The default is <strong class="userinput"><code>no</code></strong>.
-</p></dd>
+<dd><p>
+ If <strong class="userinput"><code>yes</code></strong>, then when generating
+ responses the server will only add records to the authority
+ and additional data sections when they are required (e.g.
+ delegations, negative responses). This may improve the
+ performance of the server.
+ The default is <strong class="userinput"><code>no</code></strong>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt>
-<dd><p>This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
-a domain name to have multiple CNAME records in violation of the
-DNS standards. <acronym class="acronym">BIND</acronym> 9.2 always strictly
-enforces the CNAME rules both in master files and dynamic updates.
-</p></dd>
+<dd><p>
+ This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
+ a domain name to have multiple CNAME records in violation of
+ the DNS standards. <acronym class="acronym">BIND</acronym> 9.2 onwards
+ always strictly enforces the CNAME rules both in master
+ files and dynamic updates.
+ </p></dd>
<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
<dd>
-<p>If <strong class="userinput"><code>yes</code></strong> (the default),
-DNS NOTIFY messages are sent when a zone the server is authoritative for
-changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called &#8220;Notify&#8221;</a>. The messages are sent to the
-servers listed in the zone's NS records (except the master server identified
-in the SOA MNAME field), and to any servers listed in the
-<span><strong class="command">also-notify</strong></span> option.
-</p>
<p>
-If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only to
-servers explicitly listed using <span><strong class="command">also-notify</strong></span>.
-If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
-</p>
+ If <strong class="userinput"><code>yes</code></strong> (the default),
+ DNS NOTIFY messages are sent when a zone the server is
+ authoritative for
+ changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called &#8220;Notify&#8221;</a>. The messages are
+ sent to the
+ servers listed in the zone's NS records (except the master
+ server identified
+ in the SOA MNAME field), and to any servers listed in the
+ <span><strong class="command">also-notify</strong></span> option.
+ </p>
<p>
-The <span><strong class="command">notify</strong></span> option may also be
-specified in the <span><strong class="command">zone</strong></span> statement,
-in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
-It would only be necessary to turn off this option if it caused slaves
-to crash.</p>
+ If <strong class="userinput"><code>master-only</code></strong>, notifies are only
+ sent
+ for master zones.
+ If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only
+ to
+ servers explicitly listed using <span><strong class="command">also-notify</strong></span>.
+ If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
+ </p>
+<p>
+ The <span><strong class="command">notify</strong></span> option may also be
+ specified in the <span><strong class="command">zone</strong></span>
+ statement,
+ in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
+ It would only be necessary to turn off this option if it
+ caused slaves
+ to crash.
+ </p>
</dd>
<dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, and a
-DNS query requests recursion, then the server will attempt to do
-all the work required to answer the query. If recursion is off
-and the server does not already know the answer, it will return a
-referral response. The default is <strong class="userinput"><code>yes</code></strong>.
-Note that setting <span><strong class="command">recursion no</strong></span> does not prevent
-clients from getting data from the server's cache; it only
-prevents new data from being cached as an effect of client queries.
-Caching may still occur as an effect the server's internal
-operation, such as NOTIFY address lookups.
-See also <span><strong class="command">fetch-glue</strong></span> above.
-</p></dd>
+<dd><p>
+ If <strong class="userinput"><code>yes</code></strong>, and a
+ DNS query requests recursion, then the server will attempt
+ to do
+ all the work required to answer the query. If recursion is
+ off
+ and the server does not already know the answer, it will
+ return a
+ referral response. The default is
+ <strong class="userinput"><code>yes</code></strong>.
+ Note that setting <span><strong class="command">recursion no</strong></span> does not prevent
+ clients from getting data from the server's cache; it only
+ prevents new data from being cached as an effect of client
+ queries.
+ Caching may still occur as an effect the server's internal
+ operation, such as NOTIFY address lookups.
+ See also <span><strong class="command">fetch-glue</strong></span> above.
+ </p></dd>
<dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt>
<dd>
-<p>Setting this to <strong class="userinput"><code>yes</code></strong> will
-cause the server to send NS records along with the SOA record for negative
-answers. The default is <strong class="userinput"><code>no</code></strong>.</p>
+<p>
+ Setting this to <strong class="userinput"><code>yes</code></strong> will
+ cause the server to send NS records along with the SOA
+ record for negative
+ answers. The default is <strong class="userinput"><code>no</code></strong>.
+ </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
-<p>Not yet implemented in <acronym class="acronym">BIND</acronym> 9.</p>
+<p>
+ Not yet implemented in <acronym class="acronym">BIND</acronym>
+ 9.
+ </p>
</div>
</dd>
<dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete</em></span>.
-<acronym class="acronym">BIND</acronym> 9 always allocates query IDs from a pool.
-</p></dd>
+<dd><p>
+ <span class="emphasis"><em>This option is obsolete</em></span>.
+ <acronym class="acronym">BIND</acronym> 9 always allocates query
+ IDs from a pool.
+ </p></dd>
<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, the server will collect
-statistical data on all zones (unless specifically turned off
-on a per-zone basis by specifying <span><strong class="command">zone-statistics no</strong></span>
-in the <span><strong class="command">zone</strong></span> statement). These statistics may be accessed
-using <span><strong class="command">rndc stats</strong></span>, which will dump them to the file listed
-in the <span><strong class="command">statistics-file</strong></span>. See also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
-</p></dd>
+<dd><p>
+ If <strong class="userinput"><code>yes</code></strong>, the server will collect
+ statistical data on all zones (unless specifically turned
+ off
+ on a per-zone basis by specifying <span><strong class="command">zone-statistics no</strong></span>
+ in the <span><strong class="command">zone</strong></span> statement).
+ These statistics may be accessed
+ using <span><strong class="command">rndc stats</strong></span>, which will
+ dump them to the file listed
+ in the <span><strong class="command">statistics-file</strong></span>. See
+ also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete</em></span>.
-If you need to disable IXFR to a particular server or servers see
-the information on the <span><strong class="command">provide-ixfr</strong></span> option
-in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and Usage&#8221;</a>. See also
-<a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called &#8220;Incremental Zone Transfers (IXFR)&#8221;</a>.
-</p></dd>
+<dd><p>
+ <span class="emphasis"><em>This option is obsolete</em></span>.
+ If you need to disable IXFR to a particular server or
+ servers see
+ the information on the <span><strong class="command">provide-ixfr</strong></span> option
+ in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
+ Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and
+ Usage&#8221;</a>.
+ See also
+ <a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called &#8220;Incremental Zone Transfers (IXFR)&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt>
<dd><p>
-See the description of
-<span><strong class="command">provide-ixfr</strong></span> in
-<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and Usage&#8221;</a>.
-</p></dd>
+ See the description of
+ <span><strong class="command">provide-ixfr</strong></span> in
+ <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
+ Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and
+ Usage&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt>
<dd><p>
-See the description of
-<span><strong class="command">request-ixfr</strong></span> in
-<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and Usage&#8221;</a>.
-</p></dd>
+ See the description of
+ <span><strong class="command">request-ixfr</strong></span> in
+ <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
+ Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and
+ Usage&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt>
-<dd><p>This option was used in <acronym class="acronym">BIND</acronym> 8 to make
-the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
-as a space or tab character,
-to facilitate loading of zone files on a UNIX system that were generated
-on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
-and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines are always accepted,
-and the option is ignored.</p></dd>
+<dd><p>
+ This option was used in <acronym class="acronym">BIND</acronym>
+ 8 to make
+ the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
+ as a space or tab character,
+ to facilitate loading of zone files on a UNIX system that
+ were generated
+ on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
+ and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines
+ are always accepted,
+ and the option is ignored.
+ </p></dd>
<dt>
<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
</dt>
<dd>
<p>
-These options control the behavior of an authoritative server when
-answering queries which have additional data, or when following CNAME
-and DNAME chains.
-</p>
+ These options control the behavior of an authoritative
+ server when
+ answering queries which have additional data, or when
+ following CNAME
+ and DNAME chains.
+ </p>
<p>
-When both of these options are set to <strong class="userinput"><code>yes</code></strong>
-(the default) and a
-query is being answered from authoritative data (a zone
-configured into the server), the additional data section of the
-reply will be filled in using data from other authoritative zones
-and from the cache. In some situations this is undesirable, such
-as when there is concern over the correctness of the cache, or
-in servers where slave zones may be added and modified by
-untrusted third parties. Also, avoiding
-the search for this additional data will speed up server operations
-at the possible expense of additional queries to resolve what would
-otherwise be provided in the additional section.
-</p>
+ When both of these options are set to <strong class="userinput"><code>yes</code></strong>
+ (the default) and a
+ query is being answered from authoritative data (a zone
+ configured into the server), the additional data section of
+ the
+ reply will be filled in using data from other authoritative
+ zones
+ and from the cache. In some situations this is undesirable,
+ such
+ as when there is concern over the correctness of the cache,
+ or
+ in servers where slave zones may be added and modified by
+ untrusted third parties. Also, avoiding
+ the search for this additional data will speed up server
+ operations
+ at the possible expense of additional queries to resolve
+ what would
+ otherwise be provided in the additional section.
+ </p>
<p>
-For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
-and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
-records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
-if known, even though they are not in the example.com zone.
-Setting these options to <span><strong class="command">no</strong></span> disables this behavior and makes
-the server only search for additional data in the zone it answers from.
-</p>
+ For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
+ and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
+ records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
+ if known, even though they are not in the example.com zone.
+ Setting these options to <span><strong class="command">no</strong></span>
+ disables this behavior and makes
+ the server only search for additional data in the zone it
+ answers from.
+ </p>
<p>
-These options are intended for use in authoritative-only
-servers, or in authoritative-only views. Attempts to set
-them to <span><strong class="command">no</strong></span> without also specifying
-<span><strong class="command">recursion no</strong></span> will cause the server to
-ignore the options and log a warning message.
-</p>
+ These options are intended for use in authoritative-only
+ servers, or in authoritative-only views. Attempts to set
+ them to <span><strong class="command">no</strong></span> without also
+ specifying
+ <span><strong class="command">recursion no</strong></span> will cause the
+ server to
+ ignore the options and log a warning message.
+ </p>
<p>
-Specifying <span><strong class="command">additional-from-cache no</strong></span> actually
-disables the use of the cache not only for additional data lookups
-but also when looking up the answer. This is usually the desired
-behavior in an authoritative-only server where the correctness of
-the cached data is an issue.
-</p>
+ Specifying <span><strong class="command">additional-from-cache no</strong></span> actually
+ disables the use of the cache not only for additional data
+ lookups
+ but also when looking up the answer. This is usually the
+ desired
+ behavior in an authoritative-only server where the
+ correctness of
+ the cached data is an issue.
+ </p>
<p>
-When a name server is non-recursively queried for a name that is not
-below the apex of any served zone, it normally answers with an
-"upwards referral" to the root servers or the servers of some other
-known parent of the query name. Since the data in an upwards referral
-comes from the cache, the server will not be able to provide upwards
-referrals when <span><strong class="command">additional-from-cache no</strong></span>
-has been specified. Instead, it will respond to such queries
-with REFUSED. This should not cause any problems since
-upwards referrals are not required for the resolution process.
-</p>
+ When a name server is non-recursively queried for a name
+ that is not
+ below the apex of any served zone, it normally answers with
+ an
+ "upwards referral" to the root servers or the servers of
+ some other
+ known parent of the query name. Since the data in an
+ upwards referral
+ comes from the cache, the server will not be able to provide
+ upwards
+ referrals when <span><strong class="command">additional-from-cache no</strong></span>
+ has been specified. Instead, it will respond to such
+ queries
+ with REFUSED. This should not cause any problems since
+ upwards referrals are not required for the resolution
+ process.
+ </p>
</dd>
<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, then an
-IPv4-mapped IPv6 address will match any address match
-list entries that match the corresponding IPv4 address.
-Enabling this option is sometimes useful on IPv6-enabled Linux
-systems, to work around a kernel quirk that causes IPv4
-TCP connections such as zone transfers to be accepted
-on an IPv6 socket using mapped addresses, causing
-address match lists designed for IPv4 to fail to match.
-The use of this option for any other purpose is discouraged.
-</p></dd>
+<dd><p>
+ If <strong class="userinput"><code>yes</code></strong>, then an
+ IPv4-mapped IPv6 address will match any address match
+ list entries that match the corresponding IPv4 address.
+ Enabling this option is sometimes useful on IPv6-enabled
+ Linux
+ systems, to work around a kernel quirk that causes IPv4
+ TCP connections such as zone transfers to be accepted
+ on an IPv6 socket using mapped addresses, causing
+ address match lists designed for IPv4 to fail to match.
+ The use of this option for any other purpose is discouraged.
+ </p></dd>
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<dd>
<p>
-When <strong class="userinput"><code>yes</code></strong> and the server loads a new version of a master
-zone from its zone file or receives a new version of a slave
-file by a non-incremental zone transfer, it will compare
-the new version to the previous one and calculate a set
-of differences. The differences are then logged in the
-zone's journal file such that the changes can be transmitted
-to downstream slaves as an incremental zone transfer.
-</p>
+ When <strong class="userinput"><code>yes</code></strong> and the server loads a new version of a master
+ zone from its zone file or receives a new version of a slave
+ file by a non-incremental zone transfer, it will compare
+ the new version to the previous one and calculate a set
+ of differences. The differences are then logged in the
+ zone's journal file such that the changes can be transmitted
+ to downstream slaves as an incremental zone transfer.
+ </p>
<p>
-By allowing incremental zone transfers to be used for
-non-dynamic zones, this option saves bandwidth at the
-expense of increased CPU and memory consumption at the master.
-In particular, if the new version of a zone is completely
-different from the previous one, the set of differences
-will be of a size comparable to the combined size of the
-old and new zone version, and the server will need to
-temporarily allocate memory to hold this complete
-difference set.
-</p>
+ By allowing incremental zone transfers to be used for
+ non-dynamic zones, this option saves bandwidth at the
+ expense of increased CPU and memory consumption at the
+ master.
+ In particular, if the new version of a zone is completely
+ different from the previous one, the set of differences
+ will be of a size comparable to the combined size of the
+ old and new zone version, and the server will need to
+ temporarily allocate memory to hold this complete
+ difference set.
+ </p>
+<p><span><strong class="command">ixfr-from-differences</strong></span>
+ also accepts <span><strong class="command">master</strong></span> and
+ <span><strong class="command">slave</strong></span> at the view and options
+ levels which causes
+ <span><strong class="command">ixfr-from-differences</strong></span> to apply to
+ all <span><strong class="command">master</strong></span> or
+ <span><strong class="command">slave</strong></span> zones respectively.
+ </p>
</dd>
<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
<dd><p>
-This should be set when you have multiple masters for a zone and the
-addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, named will not log
-when the serial number on the master is less than what named currently
-has. The default is <strong class="userinput"><code>no</code></strong>.
-</p></dd>
+ This should be set when you have multiple masters for a zone
+ and the
+ addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, named will
+ not log
+ when the serial number on the master is less than what named
+ currently
+ has. The default is <strong class="userinput"><code>no</code></strong>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt>
<dd><p>
-Enable DNSSEC support in named. Unless set to <strong class="userinput"><code>yes</code></strong>,
-named behaves as if it does not support DNSSEC.
-The default is <strong class="userinput"><code>no</code></strong>.
-</p></dd>
+ Enable DNSSEC support in named. Unless set to <strong class="userinput"><code>yes</code></strong>,
+ named behaves as if it does not support DNSSEC.
+ The default is <strong class="userinput"><code>yes</code></strong>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt>
+<dd><p>
+ Enable DNSSEC validation in named.
+ Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
+ set to <strong class="userinput"><code>yes</code></strong> to be effective.
+ The default is <strong class="userinput"><code>no</code></strong>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
+<dd><p>
+ Accept expired signatures when verifying DNSSEC signatures.
+ The default is <strong class="userinput"><code>no</code></strong>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt>
<dd><p>
-Specify whether query logging should be started when named starts.
-If <span><strong class="command">querylog</strong></span> is not specified, then the query logging
-is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
-</p></dd>
+ Specify whether query logging should be started when named
+ starts.
+ If <span><strong class="command">querylog</strong></span> is not specified,
+ then the query logging
+ is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
<dd>
<p>
-This option is used to restrict the character set and syntax of
-certain domain names in master files and/or DNS responses received
-from the network. The default varies according to usage area. For
-<span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
-For <span><strong class="command">slave</strong></span> zones the default is <span><strong class="command">warn</strong></span>.
-For answers received from the network (<span><strong class="command">response</strong></span>)
-the default is <span><strong class="command">ignore</strong></span>.
-</p>
-<p>The rules for legal hostnames and mail domains are derived from RFC 952
-and RFC 821 as modified by RFC 1123.
-</p>
-<p><span><strong class="command">check-names</strong></span> applies to the owner names of A, AAA and
-MX records. It also applies to the domain names in the RDATA of NS, SOA and MX
-records. It also applies to the RDATA of PTR records where the owner name
-indicated that it is a reverse lookup of a hostname (the owner name ends in
-IN-ADDR.ARPA, IP6.ARPA, IP6.INT).
-</p>
+ This option is used to restrict the character set and syntax
+ of
+ certain domain names in master files and/or DNS responses
+ received
+ from the network. The default varies according to usage
+ area. For
+ <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
+ For <span><strong class="command">slave</strong></span> zones the default
+ is <span><strong class="command">warn</strong></span>.
+ For answers received from the network (<span><strong class="command">response</strong></span>)
+ the default is <span><strong class="command">ignore</strong></span>.
+ </p>
+<p>
+ The rules for legal hostnames and mail domains are derived
+ from RFC 952 and RFC 821 as modified by RFC 1123.
+ </p>
+<p><span><strong class="command">check-names</strong></span>
+ applies to the owner names of A, AAA and MX records.
+ It also applies to the domain names in the RDATA of NS, SOA
+ and MX records.
+ It also applies to the RDATA of PTR records where the owner
+ name indicated that it is a reverse lookup of a hostname
+ (the owner name ends in IN-ADDR.ARPA, IP6.ARPA or IP6.INT).
+ </p>
</dd>
+<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
+<dd><p>
+ Check whether the MX record appears to refer to a IP address.
+ The default is to <span><strong class="command">warn</strong></span>. Other possible
+ values are <span><strong class="command">fail</strong></span> and
+ <span><strong class="command">ignore</strong></span>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
+<dd><p>
+ This option is used to check for non-terminal wildcards.
+ The use of non-terminal wildcards is almost always as a
+ result of a failure
+ to understand the wildcard matching algorithm (RFC 1034).
+ This option
+ affects master zones. The default (<span><strong class="command">yes</strong></span>) is to check
+ for non-terminal wildcards and issue a warning.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
+<dd><p>
+ Perform post load zone integrity checks on master
+ zones. This checks that MX and SRV records refer
+ to address (A or AAAA) records and that glue
+ address records exist for delegated zones. For
+ MX and SRV records only in-zone hostnames are
+ checked (for out-of-zone hostnames use named-checkzone).
+ For NS records only names below top of zone are
+ checked (for out-of-zone names and glue consistancy
+ checks use named-checkzone). The default is
+ <span><strong class="command">yes</strong></span>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">check-mx-cname</strong></span></span></dt>
+<dd><p>
+ If <span><strong class="command">check-integrity</strong></span> is set then
+ fail, warn or ignore MX records that refer
+ to CNAMES. The default is to <span><strong class="command">warn</strong></span>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">check-srv-cname</strong></span></span></dt>
+<dd><p>
+ If <span><strong class="command">check-integrity</strong></span> is set then
+ fail, warn or ignore SRV records that refer
+ to CNAMES. The default is to <span><strong class="command">warn</strong></span>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
+<dd><p>
+ When performing integrity checks, also check that
+ sibling glue exists. The default is <span><strong class="command">yes</strong></span>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
+<dd><p>
+ When returning authoritative negative responses to
+ SOA queries set the TTL of the SOA recored returned in
+ the authority section to zero.
+ The default is <span><strong class="command">yes</strong></span>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
+<dd><p>
+ When caching a negative response to a SOA query
+ set the TTL to zero.
+ The default is <span><strong class="command">no</strong></span>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
+<dd><p>
+ When regenerating the RRSIGs following a UPDATE
+ request to a secure zone, check the KSK flag on
+ the DNSKEY RR to determine if this key should be
+ used to generate the RRSIG. This flag is ignored
+ if there are not DNSKEY RRs both with and without
+ a KSK.
+ The default is <span><strong class="command">yes</strong></span>.
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581312"></a>Forwarding</h4></div></div></div>
-<p>The forwarding facility can be used to create a large site-wide
-cache on a few servers, reducing traffic over links to external
-name servers. It can also be used to allow queries by servers that
-do not have direct access to the Internet, but wish to look up exterior
-names anyway. Forwarding occurs only on those queries for which
-the server is not authoritative and does not have the answer in
-its cache.</p>
+<a name="id2580408"></a>Forwarding</h4></div></div></div>
+<p>
+ The forwarding facility can be used to create a large site-wide
+ cache on a few servers, reducing traffic over links to external
+ name servers. It can also be used to allow queries by servers that
+ do not have direct access to the Internet, but wish to look up
+ exterior
+ names anyway. Forwarding occurs only on those queries for which
+ the server is not authoritative and does not have the answer in
+ its cache.
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
-<dd><p>This option is only meaningful if the
-forwarders list is not empty. A value of <code class="varname">first</code>,
-the default, causes the server to query the forwarders first &#8212; and
-if that doesn't answer the question, the server will then look for
-the answer itself. If <code class="varname">only</code> is specified, the
-server will only query the forwarders.
-</p></dd>
+<dd><p>
+ This option is only meaningful if the
+ forwarders list is not empty. A value of <code class="varname">first</code>,
+ the default, causes the server to query the forwarders
+ first &#8212; and
+ if that doesn't answer the question, the server will then
+ look for
+ the answer itself. If <code class="varname">only</code> is
+ specified, the
+ server will only query the forwarders.
+ </p></dd>
<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
-<dd><p>Specifies the IP addresses to be used
-for forwarding. The default is the empty list (no forwarding).
-</p></dd>
+<dd><p>
+ Specifies the IP addresses to be used
+ for forwarding. The default is the empty list (no
+ forwarding).
+ </p></dd>
</dl></div>
-<p>Forwarding can also be configured on a per-domain basis, allowing
-for the global forwarding options to be overridden in a variety
-of ways. You can set particular domains to use different forwarders,
-or have a different <span><strong class="command">forward only/first</strong></span> behavior,
-or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone
-Statement Grammar">the section called &#8220;<span><strong class="command">zone</strong></span>
-Statement Grammar&#8221;</a>.</p>
+<p>
+ Forwarding can also be configured on a per-domain basis, allowing
+ for the global forwarding options to be overridden in a variety
+ of ways. You can set particular domains to use different
+ forwarders,
+ or have a different <span><strong class="command">forward only/first</strong></span> behavior,
+ or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone
+ Statement Grammar">the section called &#8220;<span><strong class="command">zone</strong></span>
+ Statement Grammar&#8221;</a>.
+ </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581362"></a>Dual-stack Servers</h4></div></div></div>
-<p>Dual-stack servers are used as servers of last resort to work around
-problems in reachability due the lack of support for either IPv4 or IPv6
-on the host machine.</p>
+<a name="id2580467"></a>Dual-stack Servers</h4></div></div></div>
+<p>
+ Dual-stack servers are used as servers of last resort to work
+ around
+ problems in reachability due the lack of support for either IPv4
+ or IPv6
+ on the host machine.
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">dual-stack-servers</strong></span></span></dt>
-<dd><p>Specifies host names or addresses of machines with access to
-both IPv4 and IPv6 transports. If a hostname is used, the server must be able
-to resolve the name using only the transport it has. If the machine is dual
-stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
-access to a transport has been disabled on the command line
-(e.g. <span><strong class="command">named -4</strong></span>).</p></dd>
+<dd><p>
+ Specifies host names or addresses of machines with access to
+ both IPv4 and IPv6 transports. If a hostname is used, the
+ server must be able
+ to resolve the name using only the transport it has. If the
+ machine is dual
+ stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
+ access to a transport has been disabled on the command line
+ (e.g. <span><strong class="command">named -4</strong></span>).
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="access_control"></a>Access Control</h4></div></div></div>
-<p>Access to the server can be restricted based on the IP address
-of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a> for
-details on how to specify IP address lists.</p>
+<p>
+ Access to the server can be restricted based on the IP address
+ of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a> for
+ details on how to specify IP address lists.
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-notify this server, a slave, of zone changes in addition
-to the zone masters.
-<span><strong class="command">allow-notify</strong></span> may also be specified in the
-<span><strong class="command">zone</strong></span> statement, in which case it overrides the
-<span><strong class="command">options allow-notify</strong></span> statement. It is only meaningful
-for a slave zone. If not specified, the default is to process notify messages
-only from a zone's master.</p></dd>
+<dd><p>
+ Specifies which hosts are allowed to
+ notify this server, a slave, of zone changes in addition
+ to the zone masters.
+ <span><strong class="command">allow-notify</strong></span> may also be
+ specified in the
+ <span><strong class="command">zone</strong></span> statement, in which case
+ it overrides the
+ <span><strong class="command">options allow-notify</strong></span>
+ statement. It is only meaningful
+ for a slave zone. If not specified, the default is to
+ process notify messages
+ only from a zone's master.
+ </p></dd>
<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-ask ordinary DNS questions. <span><strong class="command">allow-query</strong></span> may also
-be specified in the <span><strong class="command">zone</strong></span> statement, in which
-case it overrides the <span><strong class="command">options allow-query</strong></span> statement. If
-not specified, the default is to allow queries from all hosts.</p></dd>
+<dd>
+<p>
+ Specifies which hosts are allowed to ask ordinary
+ DNS questions. <span><strong class="command">allow-query</strong></span> may
+ also be specified in the <span><strong class="command">zone</strong></span>
+ statement, in which case it overrides the
+ <span><strong class="command">options allow-query</strong></span> statement.
+ If not specified, the default is to allow queries
+ from all hosts.
+ </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+ <span><strong class="command">allow-query-cache</strong></span> is now
+ used to specify access to the cache.
+ </p>
+</div>
+</dd>
+<dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt>
+<dd>
+<p>
+ Specifies which hosts are allowed to get answers
+ from the cache. The default is the builtin acls
+ <span><strong class="command">localnets</strong></span> and
+ <span><strong class="command">localhost</strong></span>.
+ </p>
+<p>
+ The way to set query access to the cache is now
+ via <span><strong class="command">allow-query-cache</strong></span>.
+ This differs from earlier versions which used
+ <span><strong class="command">allow-query</strong></span>.
+ </p>
+</dd>
<dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-make recursive queries through this server. If not specified, the
-default is to allow recursive queries from all hosts.
-Note that disallowing recursive queries for a host does not prevent the
-host from retrieving data that is already in the server's cache.
-</p></dd>
+<dd><p>
+ Specifies which hosts are allowed to make recursive
+ queries through this server. If not specified,
+ the default is to allow recursive queries from
+ the builtin acls <span><strong class="command">localnets</strong></span> and
+ <span><strong class="command">localhost</strong></span>.
+ Note that disallowing recursive queries for a
+ host does not prevent the host from retrieving
+ data that is already in the server's cache.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
+<dd><p>
+ Specifies which hosts are allowed to
+ submit Dynamic DNS updates for master zones. The default is
+ to deny
+ updates from all hosts. Note that allowing updates based
+ on the requestor's IP address is insecure; see
+ <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for details.
+ </p></dd>
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
<dd>
-<p>Specifies which hosts are allowed to
-submit Dynamic DNS updates to slave zones to be forwarded to the
-master. The default is <strong class="userinput"><code>{ none; }</code></strong>, which
-means that no update forwarding will be performed. To enable
-update forwarding, specify
-<strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
-Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
-<strong class="userinput"><code>{ any; }</code></strong> is usually counterproductive, since
-the responsibility for update access control should rest with the
-master server, not the slaves.</p>
-<p>Note that enabling the update forwarding feature on a slave server
-may expose master servers relying on insecure IP address based
-access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a>
-for more details.</p>
+<p>
+ Specifies which hosts are allowed to
+ submit Dynamic DNS updates to slave zones to be forwarded to
+ the
+ master. The default is <strong class="userinput"><code>{ none; }</code></strong>,
+ which
+ means that no update forwarding will be performed. To
+ enable
+ update forwarding, specify
+ <strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
+ Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
+ <strong class="userinput"><code>{ any; }</code></strong> is usually
+ counterproductive, since
+ the responsibility for update access control should rest
+ with the
+ master server, not the slaves.
+ </p>
+<p>
+ Note that enabling the update forwarding feature on a slave
+ server
+ may expose master servers relying on insecure IP address
+ based
+ access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a>
+ for more details.
+ </p>
</dd>
<dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt>
-<dd><p>This option was introduced for the smooth transition from AAAA
-to A6 and from "nibble labels" to binary labels.
-However, since both A6 and binary labels were then deprecated,
-this option was also deprecated.
-It is now ignored with some warning messages.
-</p></dd>
+<dd><p>
+ This option was introduced for the smooth transition from
+ AAAA
+ to A6 and from "nibble labels" to binary labels.
+ However, since both A6 and binary labels were then
+ deprecated,
+ this option was also deprecated.
+ It is now ignored with some warning messages.
+ </p></dd>
<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
-also be specified in the <span><strong class="command">zone</strong></span> statement, in which
-case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
-If not specified, the default is to allow transfers to all hosts.</p></dd>
+<dd><p>
+ Specifies which hosts are allowed to
+ receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
+ also be specified in the <span><strong class="command">zone</strong></span>
+ statement, in which
+ case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
+ If not specified, the default is to allow transfers to all
+ hosts.
+ </p></dd>
<dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt>
-<dd><p>Specifies a list of addresses that the
-server will not accept queries from or use to resolve a query. Queries
-from these addresses will not be responded to. The default is <strong class="userinput"><code>none</code></strong>.</p></dd>
+<dd><p>
+ Specifies a list of addresses that the
+ server will not accept queries from or use to resolve a
+ query. Queries
+ from these addresses will not be responded to. The default
+ is <strong class="userinput"><code>none</code></strong>.
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581677"></a>Interfaces</h4></div></div></div>
-<p>The interfaces and ports that the server will answer queries
-from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
-an optional port, and an <code class="varname">address_match_list</code>.
-The server will listen on all interfaces allowed by the address
-match list. If a port is not specified, port 53 will be used.</p>
-<p>Multiple <span><strong class="command">listen-on</strong></span> statements are allowed.
-For example,</p>
+<a name="id2580942"></a>Interfaces</h4></div></div></div>
+<p>
+ The interfaces and ports that the server will answer queries
+ from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
+ an optional port, and an <code class="varname">address_match_list</code>.
+ The server will listen on all interfaces allowed by the address
+ match list. If a port is not specified, port 53 will be used.
+ </p>
+<p>
+ Multiple <span><strong class="command">listen-on</strong></span> statements are
+ allowed.
+ For example,
+ </p>
<pre class="programlisting">listen-on { 5.6.7.8; };
listen-on port 1234 { !1.2.3.4; 1.2/16; };
</pre>
-<p>will enable the name server on port 53 for the IP address
-5.6.7.8, and on port 1234 of an address on the machine in net
-1.2 that is not 1.2.3.4.</p>
-<p>If no <span><strong class="command">listen-on</strong></span> is specified, the
-server will listen on port 53 on all interfaces.</p>
-<p>The <span><strong class="command">listen-on-v6</strong></span> option is used to
-specify the interfaces and the ports on which the server will listen
-for incoming queries sent using IPv6.</p>
-<p>When </p>
+<p>
+ will enable the name server on port 53 for the IP address
+ 5.6.7.8, and on port 1234 of an address on the machine in net
+ 1.2 that is not 1.2.3.4.
+ </p>
+<p>
+ If no <span><strong class="command">listen-on</strong></span> is specified, the
+ server will listen on port 53 on all interfaces.
+ </p>
+<p>
+ The <span><strong class="command">listen-on-v6</strong></span> option is used to
+ specify the interfaces and the ports on which the server will
+ listen
+ for incoming queries sent using IPv6.
+ </p>
+<p>
+ When </p>
<pre class="programlisting">{ any; }</pre>
-<p> is specified
-as the <code class="varname">address_match_list</code> for the
-<span><strong class="command">listen-on-v6</strong></span> option,
-the server does not bind a separate socket to each IPv6 interface
-address as it does for IPv4 if the operating system has enough API
-support for IPv6 (specifically if it conforms to RFC 3493 and RFC 3542).
-Instead, it listens on the IPv6 wildcard address.
-If the system only has incomplete API support for IPv6, however,
-the behavior is the same as that for IPv4.</p>
-<p>A list of particular IPv6 addresses can also be specified, in which case
-the server listens on a separate socket for each specified address,
-regardless of whether the desired API is supported by the system.</p>
-<p>Multiple <span><strong class="command">listen-on-v6</strong></span> options can be used.
-For example,</p>
+<p> is
+ specified
+ as the <code class="varname">address_match_list</code> for the
+ <span><strong class="command">listen-on-v6</strong></span> option,
+ the server does not bind a separate socket to each IPv6 interface
+ address as it does for IPv4 if the operating system has enough API
+ support for IPv6 (specifically if it conforms to RFC 3493 and RFC
+ 3542).
+ Instead, it listens on the IPv6 wildcard address.
+ If the system only has incomplete API support for IPv6, however,
+ the behavior is the same as that for IPv4.
+ </p>
+<p>
+ A list of particular IPv6 addresses can also be specified, in
+ which case
+ the server listens on a separate socket for each specified
+ address,
+ regardless of whether the desired API is supported by the system.
+ </p>
+<p>
+ Multiple <span><strong class="command">listen-on-v6</strong></span> options can
+ be used.
+ For example,
+ </p>
<pre class="programlisting">listen-on-v6 { any; };
listen-on-v6 port 1234 { !2001:db8::/32; any; };
</pre>
-<p>will enable the name server on port 53 for any IPv6 addresses
-(with a single wildcard socket),
-and on port 1234 of IPv6 addresses that is not in the prefix
-2001:db8::/32 (with separate sockets for each matched address.)</p>
-<p>To make the server not listen on any IPv6 address, use</p>
+<p>
+ will enable the name server on port 53 for any IPv6 addresses
+ (with a single wildcard socket),
+ and on port 1234 of IPv6 addresses that is not in the prefix
+ 2001:db8::/32 (with separate sockets for each matched address.)
+ </p>
+<p>
+ To make the server not listen on any IPv6 address, use
+ </p>
<pre class="programlisting">listen-on-v6 { none; };
</pre>
-<p>If no <span><strong class="command">listen-on-v6</strong></span> option is specified,
-the server will not listen on any IPv6 address.</p>
+<p>
+ If no <span><strong class="command">listen-on-v6</strong></span> option is
+ specified,
+ the server will not listen on any IPv6 address.
+ </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2581834"></a>Query Address</h4></div></div></div>
-<p>If the server doesn't know the answer to a question, it will
-query other name servers. <span><strong class="command">query-source</strong></span> specifies
-the address and port used for such queries. For queries sent over
-IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option.
-If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
-a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>) will be used.
-If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
-a random unprivileged port will be used. The <span><strong class="command">avoid-v4-udp-ports</strong></span>
-and <span><strong class="command">avoid-v6-udp-ports</strong></span> options can be used to prevent named
-from selecting certain ports. The defaults are:</p>
+<a name="id2581099"></a>Query Address</h4></div></div></div>
+<p>
+ If the server doesn't know the answer to a question, it will
+ query other name servers. <span><strong class="command">query-source</strong></span> specifies
+ the address and port used for such queries. For queries sent over
+ IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option.
+ If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
+ a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>)
+ will be used.
+ If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
+ a random unprivileged port will be used. The <span><strong class="command">avoid-v4-udp-ports</strong></span>
+ and <span><strong class="command">avoid-v6-udp-ports</strong></span> options can be used
+ to prevent named
+ from selecting certain ports. The defaults are:
+ </p>
<pre class="programlisting">query-source address * port *;
query-source-v6 address * port *;
</pre>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
-<p>The address specified in the <span><strong class="command">query-source</strong></span> option
-is used for both UDP and TCP queries, but the port applies only to
-UDP queries. TCP queries always use a random
-unprivileged port.</p>
+<p>
+ The address specified in the <span><strong class="command">query-source</strong></span> option
+ is used for both UDP and TCP queries, but the port applies only
+ to
+ UDP queries. TCP queries always use a random
+ unprivileged port.
+ </p>
</div>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
-<p>See also <span><strong class="command">transfer-source</strong></span> and
-<span><strong class="command">notify-source</strong></span>.</p>
+<p>
+ Solaris 2.5.1 and earlier does not support setting the source
+ address for TCP sockets.
+ </p>
</div>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
- Solaris 2.5.1 and earlier does not support setting the source
- address for TCP sockets.
- </p>
+ See also <span><strong class="command">transfer-source</strong></span> and
+ <span><strong class="command">notify-source</strong></span>.
+ </p>
</div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="zone_transfers"></a>Zone Transfers</h4></div></div></div>
-<p><acronym class="acronym">BIND</acronym> has mechanisms in place to facilitate zone transfers
-and set limits on the amount of load that transfers place on the
-system. The following options apply to zone transfers.</p>
+<p>
+ <acronym class="acronym">BIND</acronym> has mechanisms in place to
+ facilitate zone transfers
+ and set limits on the amount of load that transfers place on the
+ system. The following options apply to zone transfers.
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
-<dd><p>Defines a global list of IP addresses of name servers
-that are also sent NOTIFY messages whenever a fresh copy of the
-zone is loaded, in addition to the servers listed in the zone's NS records.
-This helps to ensure that copies of the zones will
-quickly converge on stealth servers. If an <span><strong class="command">also-notify</strong></span> list
-is given in a <span><strong class="command">zone</strong></span> statement, it will override
-the <span><strong class="command">options also-notify</strong></span> statement. When a <span><strong class="command">zone notify</strong></span> statement
-is set to <span><strong class="command">no</strong></span>, the IP addresses in the global <span><strong class="command">also-notify</strong></span> list will
-not be sent NOTIFY messages for that zone. The default is the empty
-list (no global notification list).</p></dd>
+<dd><p>
+ Defines a global list of IP addresses of name servers
+ that are also sent NOTIFY messages whenever a fresh copy of
+ the
+ zone is loaded, in addition to the servers listed in the
+ zone's NS records.
+ This helps to ensure that copies of the zones will
+ quickly converge on stealth servers. If an <span><strong class="command">also-notify</strong></span> list
+ is given in a <span><strong class="command">zone</strong></span> statement,
+ it will override
+ the <span><strong class="command">options also-notify</strong></span>
+ statement. When a <span><strong class="command">zone notify</strong></span>
+ statement
+ is set to <span><strong class="command">no</strong></span>, the IP
+ addresses in the global <span><strong class="command">also-notify</strong></span> list will
+ not be sent NOTIFY messages for that zone. The default is
+ the empty
+ list (no global notification list).
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
-<dd><p>Inbound zone transfers running longer than
-this many minutes will be terminated. The default is 120 minutes
-(2 hours). The maximum value is 28 days (40320 minutes).</p></dd>
+<dd><p>
+ Inbound zone transfers running longer than
+ this many minutes will be terminated. The default is 120
+ minutes
+ (2 hours). The maximum value is 28 days (40320 minutes).
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
-<dd><p>Inbound zone transfers making no progress
-in this many minutes will be terminated. The default is 60 minutes
-(1 hour). The maximum value is 28 days (40320 minutes).</p></dd>
+<dd><p>
+ Inbound zone transfers making no progress
+ in this many minutes will be terminated. The default is 60
+ minutes
+ (1 hour). The maximum value is 28 days (40320 minutes).
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
-<dd><p>Outbound zone transfers running longer than
-this many minutes will be terminated. The default is 120 minutes
-(2 hours). The maximum value is 28 days (40320 minutes).</p></dd>
+<dd><p>
+ Outbound zone transfers running longer than
+ this many minutes will be terminated. The default is 120
+ minutes
+ (2 hours). The maximum value is 28 days (40320 minutes).
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
-<dd><p>Outbound zone transfers making no progress
-in this many minutes will be terminated. The default is 60 minutes (1
-hour). The maximum value is 28 days (40320 minutes).</p></dd>
+<dd><p>
+ Outbound zone transfers making no progress
+ in this many minutes will be terminated. The default is 60
+ minutes (1
+ hour). The maximum value is 28 days (40320 minutes).
+ </p></dd>
<dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt>
-<dd><p>Slave servers will periodically query master servers
-to find out if zone serial numbers have changed. Each such query uses
-a minute amount of the slave server's network bandwidth. To limit the
-amount of bandwidth used, BIND 9 limits the rate at which queries are
-sent. The value of the <span><strong class="command">serial-query-rate</strong></span> option,
-an integer, is the maximum number of queries sent per second.
-The default is 20.
-</p></dd>
+<dd><p>
+ Slave servers will periodically query master servers
+ to find out if zone serial numbers have changed. Each such
+ query uses
+ a minute amount of the slave server's network bandwidth. To
+ limit the
+ amount of bandwidth used, BIND 9 limits the rate at which
+ queries are
+ sent. The value of the <span><strong class="command">serial-query-rate</strong></span> option,
+ an integer, is the maximum number of queries sent per
+ second.
+ The default is 20.
+ </p></dd>
<dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt>
-<dd><p>In BIND 8, the <span><strong class="command">serial-queries</strong></span> option
-set the maximum number of concurrent serial number queries
-allowed to be outstanding at any given time.
-BIND 9 does not limit the number of outstanding
-serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option.
-Instead, it limits the rate at which the queries are sent
-as defined using the <span><strong class="command">serial-query-rate</strong></span> option.
-</p></dd>
+<dd><p>
+ In BIND 8, the <span><strong class="command">serial-queries</strong></span>
+ option
+ set the maximum number of concurrent serial number queries
+ allowed to be outstanding at any given time.
+ BIND 9 does not limit the number of outstanding
+ serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option.
+ Instead, it limits the rate at which the queries are sent
+ as defined using the <span><strong class="command">serial-query-rate</strong></span> option.
+ </p></dd>
<dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt>
<dd><p>
-Zone transfers can be sent using two different formats,
-<span><strong class="command">one-answer</strong></span> and <span><strong class="command">many-answers</strong></span>.
-The <span><strong class="command">transfer-format</strong></span> option is used
-on the master server to determine which format it sends.
-<span><strong class="command">one-answer</strong></span> uses one DNS message per
-resource record transferred.
-<span><strong class="command">many-answers</strong></span> packs as many resource records as
-possible into a message. <span><strong class="command">many-answers</strong></span> is more
-efficient, but is only supported by relatively new slave servers,
-such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym> 8.x and patched
-versions of <acronym class="acronym">BIND</acronym> 4.9.5. The <span><strong class="command">many-answers</strong></span>
-format is also supported by recent Microsoft Windows nameservers. The default is
-<span><strong class="command">many-answers</strong></span>. <span><strong class="command">transfer-format</strong></span>
-may be overridden on a per-server basis by using the
-<span><strong class="command">server</strong></span> statement.
-</p></dd>
+ Zone transfers can be sent using two different formats,
+ <span><strong class="command">one-answer</strong></span> and
+ <span><strong class="command">many-answers</strong></span>.
+ The <span><strong class="command">transfer-format</strong></span> option is used
+ on the master server to determine which format it sends.
+ <span><strong class="command">one-answer</strong></span> uses one DNS message per
+ resource record transferred.
+ <span><strong class="command">many-answers</strong></span> packs as many resource
+ records as possible into a message.
+ <span><strong class="command">many-answers</strong></span> is more efficient, but is
+ only supported by relatively new slave servers,
+ such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
+ 8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards.
+ The <span><strong class="command">many-answers</strong></span> format is also supported by
+ recent Microsoft Windows nameservers.
+ The default is <span><strong class="command">many-answers</strong></span>.
+ <span><strong class="command">transfer-format</strong></span> may be overridden on a
+ per-server basis by using the <span><strong class="command">server</strong></span>
+ statement.
+ </p></dd>
<dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt>
-<dd><p>The maximum number of inbound zone transfers
-that can be running concurrently. The default value is <code class="literal">10</code>.
-Increasing <span><strong class="command">transfers-in</strong></span> may speed up the convergence
-of slave zones, but it also may increase the load on the local system.</p></dd>
+<dd><p>
+ The maximum number of inbound zone transfers
+ that can be running concurrently. The default value is <code class="literal">10</code>.
+ Increasing <span><strong class="command">transfers-in</strong></span> may
+ speed up the convergence
+ of slave zones, but it also may increase the load on the
+ local system.
+ </p></dd>
<dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt>
-<dd><p>The maximum number of outbound zone transfers
-that can be running concurrently. Zone transfer requests in excess
-of the limit will be refused. The default value is <code class="literal">10</code>.</p></dd>
+<dd><p>
+ The maximum number of outbound zone transfers
+ that can be running concurrently. Zone transfer requests in
+ excess
+ of the limit will be refused. The default value is <code class="literal">10</code>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt>
-<dd><p>The maximum number of inbound zone transfers
-that can be concurrently transferring from a given remote name server.
-The default value is <code class="literal">2</code>. Increasing <span><strong class="command">transfers-per-ns</strong></span> may
-speed up the convergence of slave zones, but it also may increase
-the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
-be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
-of the <span><strong class="command">server</strong></span> statement.</p></dd>
+<dd><p>
+ The maximum number of inbound zone transfers
+ that can be concurrently transferring from a given remote
+ name server.
+ The default value is <code class="literal">2</code>.
+ Increasing <span><strong class="command">transfers-per-ns</strong></span>
+ may
+ speed up the convergence of slave zones, but it also may
+ increase
+ the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
+ be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
+ of the <span><strong class="command">server</strong></span> statement.
+ </p></dd>
<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
-<dd><p><span><strong class="command">transfer-source</strong></span> determines
-which local address will be bound to IPv4 TCP connections used to
-fetch zones transferred inbound by the server. It also determines
-the source IPv4 address, and optionally the UDP port, used for the
-refresh queries and forwarded dynamic updates. If not set, it defaults
-to a system controlled value which will usually be the address of
-the interface "closest to" the remote end. This address must appear
-in the remote end's <span><strong class="command">allow-transfer</strong></span> option for
-the zone being transferred, if one is specified. This statement
-sets the <span><strong class="command">transfer-source</strong></span> for all zones, but can
-be overridden on a per-view or per-zone basis by including a
-<span><strong class="command">transfer-source</strong></span> statement within the
-<span><strong class="command">view</strong></span> or <span><strong class="command">zone</strong></span> block
-in the configuration file.</p></dd>
+<dd>
+<p><span><strong class="command">transfer-source</strong></span>
+ determines which local address will be bound to IPv4
+ TCP connections used to fetch zones transferred
+ inbound by the server. It also determines the
+ source IPv4 address, and optionally the UDP port,
+ used for the refresh queries and forwarded dynamic
+ updates. If not set, it defaults to a system
+ controlled value which will usually be the address
+ of the interface "closest to" the remote end. This
+ address must appear in the remote end's
+ <span><strong class="command">allow-transfer</strong></span> option for the
+ zone being transferred, if one is specified. This
+ statement sets the
+ <span><strong class="command">transfer-source</strong></span> for all zones,
+ but can be overridden on a per-view or per-zone
+ basis by including a
+ <span><strong class="command">transfer-source</strong></span> statement within
+ the <span><strong class="command">view</strong></span> or
+ <span><strong class="command">zone</strong></span> block in the configuration
+ file.
+ </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+ Solaris 2.5.1 and earlier does not support setting the
+ source address for TCP sockets.
+ </p>
+</div>
+</dd>
<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
-<dd><p>The same as <span><strong class="command">transfer-source</strong></span>,
-except zone transfers are performed using IPv6.</p></dd>
+<dd><p>
+ The same as <span><strong class="command">transfer-source</strong></span>,
+ except zone transfers are performed using IPv6.
+ </p></dd>
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<dd>
<p>
- An alternate transfer source if the one listed in
- <span><strong class="command">transfer-source</strong></span> fails and
- <span><strong class="command">use-alt-transfer-source</strong></span> is
- set.
- </p>
+ An alternate transfer source if the one listed in
+ <span><strong class="command">transfer-source</strong></span> fails and
+ <span><strong class="command">use-alt-transfer-source</strong></span> is
+ set.
+ </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
- If you do not wish the alternate transfer source
- to be used, you should set
- <span><strong class="command">use-alt-transfer-source</strong></span>
- appropriately and you should not depend upon
- getting a answer back to the first refresh
- query.
- </div>
+ If you do not wish the alternate transfer source
+ to be used, you should set
+ <span><strong class="command">use-alt-transfer-source</strong></span>
+ appropriately and you should not depend upon
+ getting a answer back to the first refresh
+ query.
+ </div>
</dd>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
-<dd><p>An alternate transfer source if the one listed in
-<span><strong class="command">transfer-source-v6</strong></span> fails and
-<span><strong class="command">use-alt-transfer-source</strong></span> is set.</p></dd>
+<dd><p>
+ An alternate transfer source if the one listed in
+ <span><strong class="command">transfer-source-v6</strong></span> fails and
+ <span><strong class="command">use-alt-transfer-source</strong></span> is
+ set.
+ </p></dd>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
-<dd><p>Use the alternate transfer sources or not. If views are
-specified this defaults to <span><strong class="command">no</strong></span> otherwise it defaults to
-<span><strong class="command">yes</strong></span> (for BIND 8 compatibility).</p></dd>
+<dd><p>
+ Use the alternate transfer sources or not. If views are
+ specified this defaults to <span><strong class="command">no</strong></span>
+ otherwise it defaults to
+ <span><strong class="command">yes</strong></span> (for BIND 8
+ compatibility).
+ </p></dd>
<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
<dd>
-<p><span><strong class="command">notify-source</strong></span> determines
-which local source address, and optionally UDP port, will be used to
-send NOTIFY messages.
-This address must appear in the slave server's <span><strong class="command">masters</strong></span>
-zone clause or in an <span><strong class="command">allow-notify</strong></span> clause.
-This statement sets the <span><strong class="command">notify-source</strong></span> for all zones,
-but can be overridden on a per-zone or per-view basis by including a
-<span><strong class="command">notify-source</strong></span> statement within the <span><strong class="command">zone</strong></span>
-or <span><strong class="command">view</strong></span> block in the configuration file.</p>
+<p><span><strong class="command">notify-source</strong></span>
+ determines which local source address, and
+ optionally UDP port, will be used to send NOTIFY
+ messages. This address must appear in the slave
+ server's <span><strong class="command">masters</strong></span> zone clause or
+ in an <span><strong class="command">allow-notify</strong></span> clause. This
+ statement sets the <span><strong class="command">notify-source</strong></span>
+ for all zones, but can be overridden on a per-zone or
+ per-view basis by including a
+ <span><strong class="command">notify-source</strong></span> statement within
+ the <span><strong class="command">zone</strong></span> or
+ <span><strong class="command">view</strong></span> block in the configuration
+ file.
+ </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
- Solaris 2.5.1 and earlier does not support setting the
- source address for TCP sockets.
- </p>
+ Solaris 2.5.1 and earlier does not support setting the
+ source address for TCP sockets.
+ </p>
</div>
</dd>
<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
-<dd><p>Like <span><strong class="command">notify-source</strong></span>,
-but applies to notify messages sent to IPv6 addresses.</p></dd>
+<dd><p>
+ Like <span><strong class="command">notify-source</strong></span>,
+ but applies to notify messages sent to IPv6 addresses.
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2582444"></a>Bad UDP Port Lists</h4></div></div></div>
-<p>
-<span><strong class="command">avoid-v4-udp-ports</strong></span> and <span><strong class="command">avoid-v6-udp-ports</strong></span>
-specify a list of IPv4 and IPv6 UDP ports that will not be used as system
-assigned source ports for UDP sockets. These lists prevent named
-from choosing as its random source port a port that is blocked by
-your firewall. If a query went out with such a source port, the
-answer would not get by the firewall and the name server would have
-to query again.
-</p>
+<a name="id2581778"></a>Bad UDP Port Lists</h4></div></div></div>
+<p><span><strong class="command">avoid-v4-udp-ports</strong></span>
+ and <span><strong class="command">avoid-v6-udp-ports</strong></span> specify a list
+ of IPv4 and IPv6 UDP ports that will not be used as system
+ assigned source ports for UDP sockets. These lists
+ prevent named from choosing as its random source port a
+ port that is blocked by your firewall. If a query went
+ out with such a source port, the answer would not get by
+ the firewall and the name server would have to query
+ again.
+ </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2570036"></a>Operating System Resource Limits</h4></div></div></div>
-<p>The server's usage of many system resources can be limited.
-Scaled values are allowed when specifying resource limits. For
-example, <span><strong class="command">1G</strong></span> can be used instead of
-<span><strong class="command">1073741824</strong></span> to specify a limit of one
-gigabyte. <span><strong class="command">unlimited</strong></span> requests unlimited use, or the
-maximum available amount. <span><strong class="command">default</strong></span> uses the limit
-that was in force when the server was started. See the description
-of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called &#8220;Configuration File Elements&#8221;</a>.</p>
-<p>The following options set operating system resource limits for
-the name server process. Some operating systems don't support some or
-any of the limits. On such systems, a warning will be issued if the
-unsupported limit is used.</p>
+<a name="id2581793"></a>Operating System Resource Limits</h4></div></div></div>
+<p>
+ The server's usage of many system resources can be limited.
+ Scaled values are allowed when specifying resource limits. For
+ example, <span><strong class="command">1G</strong></span> can be used instead of
+ <span><strong class="command">1073741824</strong></span> to specify a limit of
+ one
+ gigabyte. <span><strong class="command">unlimited</strong></span> requests
+ unlimited use, or the
+ maximum available amount. <span><strong class="command">default</strong></span>
+ uses the limit
+ that was in force when the server was started. See the description
+ of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called &#8220;Configuration File Elements&#8221;</a>.
+ </p>
+<p>
+ The following options set operating system resource limits for
+ the name server process. Some operating systems don't support
+ some or
+ any of the limits. On such systems, a warning will be issued if
+ the
+ unsupported limit is used.
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt>
-<dd><p>The maximum size of a core dump. The default
-is <code class="literal">default</code>.</p></dd>
+<dd><p>
+ The maximum size of a core dump. The default
+ is <code class="literal">default</code>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt>
-<dd><p>The maximum amount of data memory the server
-may use. The default is <code class="literal">default</code>.
-This is a hard limit on server memory usage.
-If the server attempts to allocate memory in excess of this
-limit, the allocation will fail, which may in turn leave
-the server unable to perform DNS service. Therefore,
-this option is rarely useful as a way of limiting the
-amount of memory used by the server, but it can be used
-to raise an operating system data size limit that is
-too small by default. If you wish to limit the amount
-of memory used by the server, use the
-<span><strong class="command">max-cache-size</strong></span> and
-<span><strong class="command">recursive-clients</strong></span>
-options instead.
-</p></dd>
+<dd><p>
+ The maximum amount of data memory the server
+ may use. The default is <code class="literal">default</code>.
+ This is a hard limit on server memory usage.
+ If the server attempts to allocate memory in excess of this
+ limit, the allocation will fail, which may in turn leave
+ the server unable to perform DNS service. Therefore,
+ this option is rarely useful as a way of limiting the
+ amount of memory used by the server, but it can be used
+ to raise an operating system data size limit that is
+ too small by default. If you wish to limit the amount
+ of memory used by the server, use the
+ <span><strong class="command">max-cache-size</strong></span> and
+ <span><strong class="command">recursive-clients</strong></span>
+ options instead.
+ </p></dd>
<dt><span class="term"><span><strong class="command">files</strong></span></span></dt>
-<dd><p>The maximum number of files the server
-may have open concurrently. The default is <code class="literal">unlimited</code>.
-</p></dd>
+<dd><p>
+ The maximum number of files the server
+ may have open concurrently. The default is <code class="literal">unlimited</code>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt>
-<dd><p>The maximum amount of stack memory the server
-may use. The default is <code class="literal">default</code>.</p></dd>
+<dd><p>
+ The maximum amount of stack memory the server
+ may use. The default is <code class="literal">default</code>.
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2570205"></a>Server Resource Limits</h4></div></div></div>
-<p>The following options set limits on the server's
-resource consumption that are enforced internally by the
-server rather than the operating system.</p>
+<a name="id2581976"></a>Server Resource Limits</h4></div></div></div>
+<p>
+ The following options set limits on the server's
+ resource consumption that are enforced internally by the
+ server rather than the operating system.
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt>
-<dd><p>This option is obsolete; it is accepted
-and ignored for BIND 8 compatibility. The option
-<span><strong class="command">max-journal-size</strong></span> performs a similar
-function in BIND 8.
-</p></dd>
+<dd><p>
+ This option is obsolete; it is accepted
+ and ignored for BIND 8 compatibility. The option
+ <span><strong class="command">max-journal-size</strong></span> performs a
+ similar function in BIND 9.
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
-<dd><p>Sets a maximum size for each journal file
-(see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called &#8220;The journal file&#8221;</a>). When the journal file approaches
-the specified size, some of the oldest transactions in the journal
-will be automatically removed. The default is
-<code class="literal">unlimited</code>.</p></dd>
+<dd><p>
+ Sets a maximum size for each journal file
+ (see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called &#8220;The journal file&#8221;</a>). When the journal file
+ approaches
+ the specified size, some of the oldest transactions in the
+ journal
+ will be automatically removed. The default is
+ <code class="literal">unlimited</code>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
-<dd><p>In BIND 8, specifies the maximum number of host statistics
-entries to be kept.
-Not implemented in BIND 9.
-</p></dd>
+<dd><p>
+ In BIND 8, specifies the maximum number of host statistics
+ entries to be kept.
+ Not implemented in BIND 9.
+ </p></dd>
<dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt>
-<dd><p>The maximum number of simultaneous recursive lookups
-the server will perform on behalf of clients. The default is
-<code class="literal">1000</code>. Because each recursing client uses a fair
-bit of memory, on the order of 20 kilobytes, the value of the
-<span><strong class="command">recursive-clients</strong></span> option may have to be decreased
-on hosts with limited memory.
-</p></dd>
+<dd><p>
+ The maximum number of simultaneous recursive lookups
+ the server will perform on behalf of clients. The default
+ is
+ <code class="literal">1000</code>. Because each recursing
+ client uses a fair
+ bit of memory, on the order of 20 kilobytes, the value of
+ the
+ <span><strong class="command">recursive-clients</strong></span> option may
+ have to be decreased
+ on hosts with limited memory.
+ </p></dd>
<dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt>
-<dd><p>The maximum number of simultaneous client TCP
-connections that the server will accept.
-The default is <code class="literal">100</code>.</p></dd>
+<dd><p>
+ The maximum number of simultaneous client TCP
+ connections that the server will accept.
+ The default is <code class="literal">100</code>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt>
-<dd><p>The maximum amount of memory to use for the
-server's cache, in bytes. When the amount of data in the cache
-reaches this limit, the server will cause records to expire
-prematurely so that the limit is not exceeded. In a server with
-multiple views, the limit applies separately to the cache of each
-view. The default is <code class="literal">unlimited</code>, meaning that
-records are purged from the cache only when their TTLs expire.
-</p></dd>
+<dd><p>
+ The maximum amount of memory to use for the
+ server's cache, in bytes. When the amount of data in the
+ cache
+ reaches this limit, the server will cause records to expire
+ prematurely so that the limit is not exceeded. In a server
+ with
+ multiple views, the limit applies separately to the cache of
+ each
+ view. The default is <code class="literal">unlimited</code>, meaning that
+ records are purged from the cache only when their TTLs
+ expire.
+ </p></dd>
<dt><span class="term"><span><strong class="command">tcp-listen-queue</strong></span></span></dt>
-<dd><p>The listen queue depth. The default and minimum is 3.
-If the kernel supports the accept filter "dataready" this also controls how
-many TCP connections that will be queued in kernel space waiting for
-some data before being passed to accept. Values less than 3 will be
-silently raised.
-</p></dd>
+<dd><p>
+ The listen queue depth. The default and minimum is 3.
+ If the kernel supports the accept filter "dataready" this
+ also controls how
+ many TCP connections that will be queued in kernel space
+ waiting for
+ some data before being passed to accept. Values less than 3
+ will be
+ silently raised.
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2584723"></a>Periodic Task Intervals</h4></div></div></div>
+<a name="id2582178"></a>Periodic Task Intervals</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
-<dd><p>The server will remove expired resource records
-from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes.
-The default is 60 minutes. The maximum value is 28 days (40320 minutes).
-If set to 0, no periodic cleaning will occur.</p></dd>
+<dd><p>
+ The server will remove expired resource records
+ from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes.
+ The default is 60 minutes. The maximum value is 28 days
+ (40320 minutes).
+ If set to 0, no periodic cleaning will occur.
+ </p></dd>
<dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt>
-<dd><p>The server will perform zone maintenance tasks
-for all zones marked as <span><strong class="command">dialup</strong></span> whenever this
-interval expires. The default is 60 minutes. Reasonable values are up
-to 1 day (1440 minutes). The maximum value is 28 days (40320 minutes).
-If set to 0, no zone maintenance for these zones will occur.</p></dd>
+<dd><p>
+ The server will perform zone maintenance tasks
+ for all zones marked as <span><strong class="command">dialup</strong></span> whenever this
+ interval expires. The default is 60 minutes. Reasonable
+ values are up
+ to 1 day (1440 minutes). The maximum value is 28 days
+ (40320 minutes).
+ If set to 0, no zone maintenance for these zones will occur.
+ </p></dd>
<dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt>
-<dd><p>The server will scan the network interface list
-every <span><strong class="command">interface-interval</strong></span> minutes. The default
-is 60 minutes. The maximum value is 28 days (40320 minutes).
-If set to 0, interface scanning will only occur when
-the configuration file is loaded. After the scan, the server will
-begin listening for queries on any newly discovered
-interfaces (provided they are allowed by the
-<span><strong class="command">listen-on</strong></span> configuration), and will
-stop listening on interfaces that have gone away.</p></dd>
+<dd><p>
+ The server will scan the network interface list
+ every <span><strong class="command">interface-interval</strong></span>
+ minutes. The default
+ is 60 minutes. The maximum value is 28 days (40320 minutes).
+ If set to 0, interface scanning will only occur when
+ the configuration file is loaded. After the scan, the
+ server will
+ begin listening for queries on any newly discovered
+ interfaces (provided they are allowed by the
+ <span><strong class="command">listen-on</strong></span> configuration), and
+ will
+ stop listening on interfaces that have gone away.
+ </p></dd>
<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
<dd>
-<p>Name server statistics will be logged
-every <span><strong class="command">statistics-interval</strong></span> minutes. The default is
-60. The maximum value is 28 days (40320 minutes).
-If set to 0, no statistics will be logged.</p>
+<p>
+ Name server statistics will be logged
+ every <span><strong class="command">statistics-interval</strong></span>
+ minutes. The default is
+ 60. The maximum value is 28 days (40320 minutes).
+ If set to 0, no statistics will be logged.
+ </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
-<p>Not yet implemented in <acronym class="acronym">BIND</acronym>9.</p>
+<p>
+ Not yet implemented in
+ <acronym class="acronym">BIND</acronym>9.
+ </p>
</div>
</dd>
</dl></div>
@@ -2206,83 +3543,115 @@ If set to 0, no statistics will be logged.</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="topology"></a>Topology</h4></div></div></div>
-<p>All other things being equal, when the server chooses a name server
-to query from a list of name servers, it prefers the one that is
-topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
-takes an <span><strong class="command">address_match_list</strong></span> and interprets it
-in a special way. Each top-level list element is assigned a distance.
-Non-negated elements get a distance based on their position in the
-list, where the closer the match is to the start of the list, the
-shorter the distance is between it and the server. A negated match
-will be assigned the maximum distance from the server. If there
-is no match, the address will get a distance which is further than
-any non-negated list element, and closer than any negated element.
-For example,</p>
+<p>
+ All other things being equal, when the server chooses a name
+ server
+ to query from a list of name servers, it prefers the one that is
+ topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
+ takes an <span><strong class="command">address_match_list</strong></span> and
+ interprets it
+ in a special way. Each top-level list element is assigned a
+ distance.
+ Non-negated elements get a distance based on their position in the
+ list, where the closer the match is to the start of the list, the
+ shorter the distance is between it and the server. A negated match
+ will be assigned the maximum distance from the server. If there
+ is no match, the address will get a distance which is further than
+ any non-negated list element, and closer than any negated element.
+ For example,
+ </p>
<pre class="programlisting">topology {
10/8;
!1.2.3/24;
{ 1.2/16; 3/8; };
};</pre>
-<p>will prefer servers on network 10 the most, followed by hosts
-on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
-exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
-is preferred least of all.</p>
-<p>The default topology is</p>
+<p>
+ will prefer servers on network 10 the most, followed by hosts
+ on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
+ exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
+ is preferred least of all.
+ </p>
+<p>
+ The default topology is
+ </p>
<pre class="programlisting"> topology { localhost; localnets; };
</pre>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
-<p>The <span><strong class="command">topology</strong></span> option
-is not implemented in <acronym class="acronym">BIND</acronym> 9.
-</p>
+<p>
+ The <span><strong class="command">topology</strong></span> option
+ is not implemented in <acronym class="acronym">BIND</acronym> 9.
+ </p>
</div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
-<p>The response to a DNS query may consist of multiple resource
-records (RRs) forming a resource records set (RRset).
-The name server will normally return the
-RRs within the RRset in an indeterminate order
-(but see the <span><strong class="command">rrset-order</strong></span>
-statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>).
-The client resolver code should rearrange the RRs as appropriate,
-that is, using any addresses on the local net in preference to other addresses.
-However, not all resolvers can do this or are correctly configured.
-When a client is using a local server, the sorting can be performed
-in the server, based on the client's address. This only requires
-configuring the name servers, not all the clients.</p>
-<p>The <span><strong class="command">sortlist</strong></span> statement (see below) takes
-an <span><strong class="command">address_match_list</strong></span> and interprets it even
-more specifically than the <span><strong class="command">topology</strong></span> statement
-does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called &#8220;Topology&#8221;</a>).
-Each top level statement in the <span><strong class="command">sortlist</strong></span> must
-itself be an explicit <span><strong class="command">address_match_list</strong></span> with
-one or two elements. The first element (which may be an IP address,
-an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
-of each top level list is checked against the source address of
-the query until a match is found.</p>
-<p>Once the source address of the query has been matched, if
-the top level statement contains only one element, the actual primitive
-element that matched the source address is used to select the address
-in the response to move to the beginning of the response. If the
-statement is a list of two elements, then the second element is
-treated the same as the <span><strong class="command">address_match_list</strong></span> in
-a <span><strong class="command">topology</strong></span> statement. Each top level element
-is assigned a distance and the address in the response with the minimum
-distance is moved to the beginning of the response.</p>
-<p>In the following example, any queries received from any of
-the addresses of the host itself will get responses preferring addresses
-on any of the locally connected networks. Next most preferred are addresses
-on the 192.168.1/24 network, and after that either the 192.168.2/24
-or
-192.168.3/24 network with no preference shown between these two
-networks. Queries received from a host on the 192.168.1/24 network
-will prefer other addresses on that network to the 192.168.2/24
-and
-192.168.3/24 networks. Queries received from a host on the 192.168.4/24
-or the 192.168.5/24 network will only prefer other addresses on
-their directly connected networks.</p>
+<p>
+ The response to a DNS query may consist of multiple resource
+ records (RRs) forming a resource records set (RRset).
+ The name server will normally return the
+ RRs within the RRset in an indeterminate order
+ (but see the <span><strong class="command">rrset-order</strong></span>
+ statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>).
+ The client resolver code should rearrange the RRs as appropriate,
+ that is, using any addresses on the local net in preference to
+ other addresses.
+ However, not all resolvers can do this or are correctly
+ configured.
+ When a client is using a local server, the sorting can be performed
+ in the server, based on the client's address. This only requires
+ configuring the name servers, not all the clients.
+ </p>
+<p>
+ The <span><strong class="command">sortlist</strong></span> statement (see below)
+ takes
+ an <span><strong class="command">address_match_list</strong></span> and
+ interprets it even
+ more specifically than the <span><strong class="command">topology</strong></span>
+ statement
+ does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called &#8220;Topology&#8221;</a>).
+ Each top level statement in the <span><strong class="command">sortlist</strong></span> must
+ itself be an explicit <span><strong class="command">address_match_list</strong></span> with
+ one or two elements. The first element (which may be an IP
+ address,
+ an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
+ of each top level list is checked against the source address of
+ the query until a match is found.
+ </p>
+<p>
+ Once the source address of the query has been matched, if
+ the top level statement contains only one element, the actual
+ primitive
+ element that matched the source address is used to select the
+ address
+ in the response to move to the beginning of the response. If the
+ statement is a list of two elements, then the second element is
+ treated the same as the <span><strong class="command">address_match_list</strong></span> in
+ a <span><strong class="command">topology</strong></span> statement. Each top
+ level element
+ is assigned a distance and the address in the response with the
+ minimum
+ distance is moved to the beginning of the response.
+ </p>
+<p>
+ In the following example, any queries received from any of
+ the addresses of the host itself will get responses preferring
+ addresses
+ on any of the locally connected networks. Next most preferred are
+ addresses
+ on the 192.168.1/24 network, and after that either the
+ 192.168.2/24
+ or
+ 192.168.3/24 network with no preference shown between these two
+ networks. Queries received from a host on the 192.168.1/24 network
+ will prefer other addresses on that network to the 192.168.2/24
+ and
+ 192.168.3/24 networks. Queries received from a host on the
+ 192.168.4/24
+ or the 192.168.5/24 network will only prefer other addresses on
+ their directly connected networks.
+ </p>
<pre class="programlisting">sortlist {
{ localhost; // IF the local host
{ localnets; // THEN first fit on the
@@ -2300,13 +3669,18 @@ their directly connected networks.</p>
{ { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
};
};</pre>
-<p>The following example will give reasonable behavior for the
-local host and hosts on directly connected networks. It is similar
-to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
-to queries from the local host will favor any of the directly connected
-networks. Responses sent to queries from any other hosts on a directly
-connected network will prefer addresses on that same network. Responses
-to other queries will not be sorted.</p>
+<p>
+ The following example will give reasonable behavior for the
+ local host and hosts on directly connected networks. It is similar
+ to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
+ to queries from the local host will favor any of the directly
+ connected
+ networks. Responses sent to queries from any other hosts on a
+ directly
+ connected network will prefer addresses on that same network.
+ Responses
+ to other queries will not be sorted.
+ </p>
<pre class="programlisting">sortlist {
{ localhost; localnets; };
{ localnets; };
@@ -2316,21 +3690,34 @@ to other queries will not be sorted.</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div>
-<p>When multiple records are returned in an answer it may be
-useful to configure the order of the records placed into the response.
-The <span><strong class="command">rrset-order</strong></span> statement permits configuration
-of the ordering of the records in a multiple record response.
-See also the <span><strong class="command">sortlist</strong></span> statement,
-<a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a>.
-</p>
-<p>An <span><strong class="command">order_spec</strong></span> is defined as follows:</p>
-<pre class="programlisting">[<span class="optional"> class <em class="replaceable"><code>class_name</code></em> </span>][<span class="optional"> type <em class="replaceable"><code>type_name</code></em> </span>][<span class="optional"> name <em class="replaceable"><code>"domain_name"</code></em></span>]
- order <em class="replaceable"><code>ordering</code></em>
-</pre>
-<p>If no class is specified, the default is <span><strong class="command">ANY</strong></span>.
-If no type is specified, the default is <span><strong class="command">ANY</strong></span>.
-If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).</p>
-<p>The legal values for <span><strong class="command">ordering</strong></span> are:</p>
+<p>
+ When multiple records are returned in an answer it may be
+ useful to configure the order of the records placed into the
+ response.
+ The <span><strong class="command">rrset-order</strong></span> statement permits
+ configuration
+ of the ordering of the records in a multiple record response.
+ See also the <span><strong class="command">sortlist</strong></span> statement,
+ <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a>.
+ </p>
+<p>
+ An <span><strong class="command">order_spec</strong></span> is defined as
+ follows:
+ </p>
+<p>
+ [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>]
+ [<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>]
+ [<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>]
+ order <em class="replaceable"><code>ordering</code></em>
+ </p>
+<p>
+ If no class is specified, the default is <span><strong class="command">ANY</strong></span>.
+ If no type is specified, the default is <span><strong class="command">ANY</strong></span>.
+ If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
+ </p>
+<p>
+ The legal values for <span><strong class="command">ordering</strong></span> are:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -2338,38 +3725,65 @@ If no name is specified, the default is "<span><strong class="command">*</strong
</colgroup>
<tbody>
<tr>
-<td><p><span><strong class="command">fixed</strong></span></p></td>
-<td><p>Records are returned in the order they
-are defined in the zone file.</p></td>
+<td>
+ <p><span><strong class="command">fixed</strong></span></p>
+ </td>
+<td>
+ <p>
+ Records are returned in the order they
+ are defined in the zone file.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">random</strong></span></p></td>
-<td><p>Records are returned in some random order.</p></td>
+<td>
+ <p><span><strong class="command">random</strong></span></p>
+ </td>
+<td>
+ <p>
+ Records are returned in some random order.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">cyclic</strong></span></p></td>
-<td><p>Records are returned in a round-robin
-order.</p></td>
+<td>
+ <p><span><strong class="command">cyclic</strong></span></p>
+ </td>
+<td>
+ <p>
+ Records are returned in a round-robin
+ order.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>For example:</p>
+<p>
+ For example:
+ </p>
<pre class="programlisting">rrset-order {
class IN type A name "host.example.com" order random;
order cyclic;
};
</pre>
-<p>will cause any responses for type A records in class IN that
-have "<code class="literal">host.example.com</code>" as a suffix, to always be returned
-in random order. All other records are returned in cyclic order.</p>
-<p>If multiple <span><strong class="command">rrset-order</strong></span> statements appear,
-they are not combined &#8212; the last one applies.</p>
+<p>
+ will cause any responses for type A records in class IN that
+ have "<code class="literal">host.example.com</code>" as a
+ suffix, to always be returned
+ in random order. All other records are returned in cyclic order.
+ </p>
+<p>
+ If multiple <span><strong class="command">rrset-order</strong></span> statements
+ appear,
+ they are not combined &#8212; the last one applies.
+ </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
-<p>The <span><strong class="command">rrset-order</strong></span> statement
-is not yet fully implemented in <acronym class="acronym">BIND</acronym> 9.
-BIND 9 currently does not support "fixed" ordering.
-</p>
+<p>
+ The <span><strong class="command">rrset-order</strong></span> statement
+ is not yet fully implemented in <acronym class="acronym">BIND</acronym> 9.
+ BIND 9 currently does not fully support "fixed" ordering.
+ </p>
</div>
</div>
<div class="sect3" lang="en">
@@ -2377,143 +3791,370 @@ BIND 9 currently does not support "fixed" ordering.
<a name="tuning"></a>Tuning</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt>
-<dd><p>Sets the number of seconds to cache a
-lame server indication. 0 disables caching. (This is
-<span class="bold"><strong>NOT</strong></span> recommended.)
-The default is <code class="literal">600</code> (10 minutes) and the maximum value is
-<code class="literal">1800</code> (30 minutes).</p></dd>
+<dd><p>
+ Sets the number of seconds to cache a
+ lame server indication. 0 disables caching. (This is
+ <span class="bold"><strong>NOT</strong></span> recommended.)
+ The default is <code class="literal">600</code> (10 minutes) and the
+ maximum value is
+ <code class="literal">1800</code> (30 minutes).
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt>
-<dd><p>To reduce network traffic and increase performance,
-the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is
-used to set a maximum retention time for these answers in the server
-in seconds. The default
-<span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
-<span><strong class="command">max-ncache-ttl</strong></span> cannot exceed 7 days and will
-be silently truncated to 7 days if set to a greater value.</p></dd>
+<dd><p>
+ To reduce network traffic and increase performance,
+ the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is
+ used to set a maximum retention time for these answers in
+ the server
+ in seconds. The default
+ <span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
+ <span><strong class="command">max-ncache-ttl</strong></span> cannot exceed
+ 7 days and will
+ be silently truncated to 7 days if set to a greater value.
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt>
-<dd><p>Sets
-the maximum time for which the server will cache ordinary (positive)
-answers. The default is one week (7 days).</p></dd>
+<dd><p>
+ Sets the maximum time for which the server will
+ cache ordinary (positive) answers. The default is
+ one week (7 days).
+ </p></dd>
<dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt>
<dd>
-<p>The minimum number of root servers that
-is required for a request for the root servers to be accepted. The default
-is <strong class="userinput"><code>2</code></strong>.</p>
+<p>
+ The minimum number of root servers that
+ is required for a request for the root servers to be
+ accepted. The default
+ is <strong class="userinput"><code>2</code></strong>.
+ </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
-<p>Not implemented in <acronym class="acronym">BIND</acronym> 9.</p>
+<p>
+ Not implemented in <acronym class="acronym">BIND</acronym> 9.
+ </p>
</div>
</dd>
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
-<dd><p>Specifies the number of days into the
-future when DNSSEC signatures automatically generated as a result
-of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>)
-will expire. The default is <code class="literal">30</code> days.
-The maximum value is 10 years (3660 days). The signature
-inception time is unconditionally set to one hour before the current time
-to allow for a limited amount of clock skew.</p></dd>
+<dd><p>
+ Specifies the number of days into the
+ future when DNSSEC signatures automatically generated as a
+ result
+ of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>)
+ will expire. The default is <code class="literal">30</code> days.
+ The maximum value is 10 years (3660 days). The signature
+ inception time is unconditionally set to one hour before the
+ current time
+ to allow for a limited amount of clock skew.
+ </p></dd>
<dt>
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
</dt>
<dd>
<p>
-These options control the server's behavior on refreshing a zone
-(querying for SOA changes) or retrying failed transfers.
-Usually the SOA values for the zone are used, but these values
-are set by the master, giving slave server administrators little
-control over their contents.
-</p>
+ These options control the server's behavior on refreshing a
+ zone
+ (querying for SOA changes) or retrying failed transfers.
+ Usually the SOA values for the zone are used, but these
+ values
+ are set by the master, giving slave server administrators
+ little
+ control over their contents.
+ </p>
<p>
-These options allow the administrator to set a minimum and maximum
-refresh and retry time either per-zone, per-view, or globally.
-These options are valid for slave and stub zones,
-and clamp the SOA refresh and retry times to the specified values.
-</p>
+ These options allow the administrator to set a minimum and
+ maximum
+ refresh and retry time either per-zone, per-view, or
+ globally.
+ These options are valid for slave and stub zones,
+ and clamp the SOA refresh and retry times to the specified
+ values.
+ </p>
</dd>
<dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt>
<dd><p>
-<span><strong class="command">edns-udp-size</strong></span> sets the advertised EDNS UDP buffer
-size in bytes. Valid values are 512 to 4096 bytes (values outside this range will be
-silently adjusted). The default value is 4096. The usual reason for
-setting edns-udp-size to a non-default value it to get UDP answers to
-pass through broken firewalls that block fragmented packets and/or
-block UDP packets that are greater than 512 bytes.
-</p></dd>
+ Sets the advertised EDNS UDP buffer size in bytes. Valid
+ values are 512 to 4096 (values outside this range
+ will be silently adjusted). The default value is
+ 4096. The usual reason for setting edns-udp-size to
+ a non-default value it to get UDP answers to pass
+ through broken firewalls that block fragmented
+ packets and/or block UDP packets that are greater
+ than 512 bytes.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt>
+<dd><p>
+ Sets the maximum EDNS UDP message size named will
+ send in bytes. Valid values are 512 to 4096 (values outside
+ this range will be silently adjusted). The default
+ value is 4096. The usual reason for setting
+ max-udp-size to a non-default value is to get UDP
+ answers to pass through broken firewalls that
+ block fragmented packets and/or block UDP packets
+ that are greater than 512 bytes.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
+<dd><p>Specifies
+ the file format of zone files (see
+ <a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called &#8220;Additional File Formats&#8221;</a>).
+ The default value is <code class="constant">text</code>, which is the
+ standard textual representation. Files in other formats
+ than <code class="constant">text</code> are typically expected
+ to be generated by the <span><strong class="command">named-compilezone</strong></span> tool.
+ Note that when a zone file in a different format than
+ <code class="constant">text</code> is loaded, <span><strong class="command">named</strong></span>
+ may omit some of the checks which would be performed for a
+ file in the <code class="constant">text</code> format. In particular,
+ <span><strong class="command">check-names</strong></span> checks do not apply
+ for the <code class="constant">raw</code> format. This means
+ a zone file in the <code class="constant">raw</code> format
+ must be generated with the same check level as that
+ specified in the <span><strong class="command">named</strong></span> configuration
+ file. This statement sets the
+ <span><strong class="command">masterfile-format</strong></span> for all zones,
+ but can be overridden on a per-zone or per-view basis
+ by including a <span><strong class="command">masterfile-format</strong></span>
+ statement within the <span><strong class="command">zone</strong></span> or
+ <span><strong class="command">view</strong></span> block in the configuration
+ file.
+ </p></dd>
+<dt>
+<span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
+</dt>
+<dd>
+<p>These set the
+ initial value (minimum) and maximum number of recursive
+ simultanious clients for any given query
+ (&lt;qname,qtype,qclass&gt;) that the server will accept
+ before dropping additional clients. named will attempt to
+ self tune this value and changes will be logged. The
+ default values are 10 and 100.
+ </p>
+<p>
+ This value should reflect how many queries come in for
+ a given name in the time it takes to resolve that name.
+ If the number of queries exceed this value, named will
+ assume that it is dealing with a non-responsive zone
+ and will drop additional queries. If it gets a response
+ after dropping queries, it will raise the estimate. The
+ estimate will then be lowered in 20 minutes if it has
+ remained unchanged.
+ </p>
+<p>
+ If <span><strong class="command">clients-per-query</strong></span> is set to zero,
+ then there is no limit on the number of clients per query
+ and no queries will be dropped.
+ </p>
+<p>
+ If <span><strong class="command">max-clients-per-query</strong></span> is set to zero,
+ then there is no upper bound other than imposed by
+ <span><strong class="command">recursive-clients</strong></span>.
+ </p>
+</dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="builtin"></a>Built-in server information zones</h4></div></div></div>
-<p>The server provides some helpful diagnostic information
-through a number of built-in zones under the
-pseudo-top-level-domain <code class="literal">bind</code> in the
-<span><strong class="command">CHAOS</strong></span> class. These zones are part of a
-built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called &#8220;<span><strong class="command">view</strong></span> Statement Grammar&#8221;</a>) of class
-<span><strong class="command">CHAOS</strong></span> which is separate from the default view of
-class <span><strong class="command">IN</strong></span>; therefore, any global server options
-such as <span><strong class="command">allow-query</strong></span> do not apply the these zones.
-If you feel the need to disable these zones, use the options
-below, or hide the built-in <span><strong class="command">CHAOS</strong></span> view by
-defining an explicit view of class <span><strong class="command">CHAOS</strong></span>
-that matches all clients.</p>
+<p>
+ The server provides some helpful diagnostic information
+ through a number of built-in zones under the
+ pseudo-top-level-domain <code class="literal">bind</code> in the
+ <span><strong class="command">CHAOS</strong></span> class. These zones are part
+ of a
+ built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called &#8220;<span><strong class="command">view</strong></span> Statement Grammar&#8221;</a>) of
+ class
+ <span><strong class="command">CHAOS</strong></span> which is separate from the
+ default view of
+ class <span><strong class="command">IN</strong></span>; therefore, any global
+ server options
+ such as <span><strong class="command">allow-query</strong></span> do not apply
+ the these zones.
+ If you feel the need to disable these zones, use the options
+ below, or hide the built-in <span><strong class="command">CHAOS</strong></span>
+ view by
+ defining an explicit view of class <span><strong class="command">CHAOS</strong></span>
+ that matches all clients.
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">version</strong></span></span></dt>
-<dd><p>The version the server should report
-via a query of the name <code class="literal">version.bind</code>
-with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
-The default is the real version number of this server.
-Specifying <span><strong class="command">version none</strong></span>
-disables processing of the queries.</p></dd>
+<dd><p>
+ The version the server should report
+ via a query of the name <code class="literal">version.bind</code>
+ with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
+ The default is the real version number of this server.
+ Specifying <span><strong class="command">version none</strong></span>
+ disables processing of the queries.
+ </p></dd>
<dt><span class="term"><span><strong class="command">hostname</strong></span></span></dt>
-<dd><p>The hostname the server should report via a query of
-the name <code class="filename">hostname.bind</code>
-with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
-This defaults to the hostname of the machine hosting the name server as
-found by the gethostname() function. The primary purpose of such queries is to
-identify which of a group of anycast servers is actually
-answering your queries. Specifying <span><strong class="command">hostname none;</strong></span>
-disables processing of the queries.</p></dd>
+<dd><p>
+ The hostname the server should report via a query of
+ the name <code class="filename">hostname.bind</code>
+ with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
+ This defaults to the hostname of the machine hosting the
+ name server as
+ found by the gethostname() function. The primary purpose of such queries
+ is to
+ identify which of a group of anycast servers is actually
+ answering your queries. Specifying <span><strong class="command">hostname none;</strong></span>
+ disables processing of the queries.
+ </p></dd>
<dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt>
-<dd><p>The ID of the server should report via a query of
-the name <code class="filename">ID.SERVER</code>
-with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
-The primary purpose of such queries is to
-identify which of a group of anycast servers is actually
-answering your queries. Specifying <span><strong class="command">server-id none;</strong></span>
-disables processing of the queries.
-Specifying <span><strong class="command">server-id hostname;</strong></span> will cause named to
-use the hostname as found by the gethostname() function.
-The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
-</p></dd>
+<dd><p>
+ The ID of the server should report via a query of
+ the name <code class="filename">ID.SERVER</code>
+ with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
+ The primary purpose of such queries is to
+ identify which of a group of anycast servers is actually
+ answering your queries. Specifying <span><strong class="command">server-id none;</strong></span>
+ disables processing of the queries.
+ Specifying <span><strong class="command">server-id hostname;</strong></span> will cause named to
+ use the hostname as found by the gethostname() function.
+ The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="statsfile"></a>The Statistics File</h4></div></div></div>
-<p>The statistics file generated by <acronym class="acronym">BIND</acronym> 9
-is similar, but not identical, to that
-generated by <acronym class="acronym">BIND</acronym> 8.
-</p>
-<p>The statistics dump begins with a line, like:</p>
-<p>
- <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span>
- </p>
-<p>The numberr in parentheses is a standard
-Unix-style timestamp, measured as seconds since January 1, 1970. Following
-that line are a series of lines containing a counter type, the value of the
-counter, optionally a zone name, and optionally a view name.
-The lines without view and zone listed are global statistics for the entire server.
-Lines with a zone and view name for the given view and zone (the view name is
-omitted for the default view).
-</p>
+<a name="empty"></a>Built-in Empty Zones</h4></div></div></div>
<p>
-The statistics dump ends with the line where the
-number is identical to the number in the beginning line; for example:
-</p>
+ Named has some built-in empty zones (SOA and NS records only).
+ These are for zones that should normally be answered locally
+ and which queries should not be sent to the Internet's root
+ servers. The offical servers which cover these namespaces
+ return NXDOMAIN responses to these queries. In particular,
+ these cover the reverse namespace for addresses from RFC 1918 and
+ RFC 3330. They also include the reverse namespace for IPv6 local
+ address (locally assigned), IPv6 link local addresses, the IPv6
+ loopback address and the IPv6 unknown addresss.
+ </p>
+<p>
+ Named will attempt to determine if a built in zone already exists
+ or is active (covered by a forward-only forwarding declaration)
+ and will not not create a empty zone in that case.
+ </p>
+<p>
+ The current list of empty zones is:
+ </p>
+<div class="itemizedlist"><ul type="disc">
+<li>10.IN-ADDR.ARPA</li>
+<li>127.IN-ADDR.ARPA</li>
+<li>254.169.IN-ADDR.ARPA</li>
+<li>16.172.IN-ADDR.ARPA</li>
+<li>17.172.IN-ADDR.ARPA</li>
+<li>18.172.IN-ADDR.ARPA</li>
+<li>19.172.IN-ADDR.ARPA</li>
+<li>20.172.IN-ADDR.ARPA</li>
+<li>21.172.IN-ADDR.ARPA</li>
+<li>22.172.IN-ADDR.ARPA</li>
+<li>23.172.IN-ADDR.ARPA</li>
+<li>24.172.IN-ADDR.ARPA</li>
+<li>25.172.IN-ADDR.ARPA</li>
+<li>26.172.IN-ADDR.ARPA</li>
+<li>27.172.IN-ADDR.ARPA</li>
+<li>28.172.IN-ADDR.ARPA</li>
+<li>29.172.IN-ADDR.ARPA</li>
+<li>30.172.IN-ADDR.ARPA</li>
+<li>31.172.IN-ADDR.ARPA</li>
+<li>168.192.IN-ADDR.ARPA</li>
+<li>2.0.192.IN-ADDR.ARPA</li>
+<li>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
+<li>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
+<li>D.F.IP6.ARPA</li>
+<li>8.E.F.IP6.ARPA</li>
+<li>9.E.F.IP6.ARPA</li>
+<li>A.E.F.IP6.ARPA</li>
+<li>B.E.F.IP6.ARPA</li>
+</ul></div>
+<p>
+ </p>
<p>
-<span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>
+ Empty zones are settable at the view level and only apply to
+ views of class IN. Disabled empty zones are only inherited
+ from options if there are no disabled empty zones specified
+ at the view level. To override the options list of disabled
+ zones, you can disable the root zone at the view level, for example:
</p>
-<p>The following statistics counters are maintained:</p>
+<pre class="programlisting">
+ disable-empty-zone ".";
+</pre>
+<p>
+ </p>
+<p>
+ If you are using the address ranges covered here, you should
+ already have reverse zones covering the addresses you use.
+ In practice this appears to not be the case with many queries
+ being made to the infrustructure servers for names in these
+ spaces. So many in fact that sacrificial servers were needed
+ to be deployed to channel the query load away from the
+ infrustructure servers.
+ </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+ The real parent servers for these zones should disable all
+ empty zone under the parent zone they serve. For the real
+ root servers, this is all built in empty zones. This will
+ enable them to return referrals to deeper in the tree.
+ </div>
+<div class="variablelist"><dl>
+<dt><span class="term"><span><strong class="command">empty-server</strong></span></span></dt>
+<dd><p>
+ Specify what server name will appear in the returned
+ SOA record for empty zones. If none is specified, then
+ the zone's name will be used.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">empty-contact</strong></span></span></dt>
+<dd><p>
+ Specify what contact name will appear in the returned
+ SOA record for empty zones. If none is specified, then
+ "." will be used.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">empty-zones-enable</strong></span></span></dt>
+<dd><p>
+ Enable or disable all empty zones. By default they
+ are enabled.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">disable-empty-zone</strong></span></span></dt>
+<dd><p>
+ Disable individual empty zones. By default none are
+ disabled. This option can be specified multiple times.
+ </p></dd>
+</dl></div>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="statsfile"></a>The Statistics File</h4></div></div></div>
+<p>
+ The statistics file generated by <acronym class="acronym">BIND</acronym> 9
+ is similar, but not identical, to that
+ generated by <acronym class="acronym">BIND</acronym> 8.
+ </p>
+<p>
+ The statistics dump begins with a line, like:
+ </p>
+<p>
+ <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span>
+ </p>
+<p>
+ The number in parentheses is a standard
+ Unix-style timestamp, measured as seconds since January 1, 1970.
+ Following
+ that line are a series of lines containing a counter type, the
+ value of the
+ counter, optionally a zone name, and optionally a view name.
+ The lines without view and zone listed are global statistics for
+ the entire server.
+ Lines with a zone and view name for the given view and zone (the
+ view name is
+ omitted for the default view).
+ </p>
+<p>
+ The statistics dump ends with the line where the
+ number is identical to the number in the beginning line; for example:
+ </p>
+<p>
+ <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>
+ </p>
+<p>
+ The following statistics counters are maintained:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -2521,148 +4162,378 @@ number is identical to the number in the beginning line; for example:
</colgroup>
<tbody>
<tr>
-<td><p><span><strong class="command">success</strong></span></p></td>
-<td><p>The number of
-successful queries made to the server or zone. A successful query
-is defined as query which returns a NOERROR response with at least
-one answer RR.</p></td>
+<td>
+ <p><span><strong class="command">success</strong></span></p>
+ </td>
+<td>
+ <p>
+ The number of
+ successful queries made to the server or zone. A
+ successful query
+ is defined as query which returns a NOERROR response
+ with at least
+ one answer RR.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">referral</strong></span></p></td>
-<td><p>The number of queries which resulted
-in referral responses.</p></td>
+<td>
+ <p><span><strong class="command">referral</strong></span></p>
+ </td>
+<td>
+ <p>
+ The number of queries which resulted
+ in referral responses.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">nxrrset</strong></span></p></td>
-<td><p>The number of queries which resulted in
-NOERROR responses with no data.</p></td>
+<td>
+ <p><span><strong class="command">nxrrset</strong></span></p>
+ </td>
+<td>
+ <p>
+ The number of queries which resulted in
+ NOERROR responses with no data.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">nxdomain</strong></span></p></td>
-<td><p>The number
-of queries which resulted in NXDOMAIN responses.</p></td>
+<td>
+ <p><span><strong class="command">nxdomain</strong></span></p>
+ </td>
+<td>
+ <p>
+ The number
+ of queries which resulted in NXDOMAIN responses.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">failure</strong></span></p></td>
-<td><p>The number of queries which resulted in a
-failure response other than those above.</p></td>
+<td>
+ <p><span><strong class="command">failure</strong></span></p>
+ </td>
+<td>
+ <p>
+ The number of queries which resulted in a
+ failure response other than those above.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">recursion</strong></span></p></td>
-<td><p>The number of queries which caused the server
-to perform recursion in order to find the final answer.</p></td>
+<td>
+ <p><span><strong class="command">recursion</strong></span></p>
+ </td>
+<td>
+ <p>
+ The number of queries which caused the server
+ to perform recursion in order to find the final answer.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
<p>
-Each query received by the server will cause exactly one of
-<span><strong class="command">success</strong></span>,
-<span><strong class="command">referral</strong></span>,
-<span><strong class="command">nxrrset</strong></span>,
-<span><strong class="command">nxdomain</strong></span>, or
-<span><strong class="command">failure</strong></span>
-to be incremented, and may additionally cause the
-<span><strong class="command">recursion</strong></span> counter to be incremented.
-</p>
+ Each query received by the server will cause exactly one of
+ <span><strong class="command">success</strong></span>,
+ <span><strong class="command">referral</strong></span>,
+ <span><strong class="command">nxrrset</strong></span>,
+ <span><strong class="command">nxdomain</strong></span>, or
+ <span><strong class="command">failure</strong></span>
+ to be incremented, and may additionally cause the
+ <span><strong class="command">recursion</strong></span> counter to be
+ incremented.
+ </p>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="acache"></a>Additional Section Caching</h4></div></div></div>
+<p>
+ The additional section cache, also called <span><strong class="command">acache</strong></span>,
+ is an internal cache to improve the response performance of BIND 9.
+ When additional section caching is enabled, BIND 9 will
+ cache an internal short-cut to the additional section content for
+ each answer RR.
+ Note that <span><strong class="command">acache</strong></span> is an internal caching
+ mechanism of BIND 9, and is not related to the DNS caching
+ server function.
+ </p>
+<p>
+ Additional section caching does not change the
+ response content (except the RRsets ordering of the additional
+ section, see below), but can improve the response performance
+ significantly.
+ It is particularly effective when BIND 9 acts as an authoritative
+ server for a zone that has many delegations with many glue RRs.
+ </p>
+<p>
+ In order to obtain the maximum performance improvement
+ from additional section caching, setting
+ <span><strong class="command">additional-from-cache</strong></span>
+ to <span><strong class="command">no</strong></span> is recommended, since the current
+ implementation of <span><strong class="command">acache</strong></span>
+ does not short-cut of additional section information from the
+ DNS cache data.
+ </p>
+<p>
+ One obvious disadvantage of <span><strong class="command">acache</strong></span> is
+ that it requires much more
+ memory for the internal cached data.
+ Thus, if the response performance does not matter and memory
+ consumption is much more critical, the
+ <span><strong class="command">acache</strong></span> mechanism can be
+ disabled by setting <span><strong class="command">acache-enable</strong></span> to
+ <span><strong class="command">no</strong></span>.
+ It is also possible to specify the upper limit of memory
+ consumption
+ for acache by using <span><strong class="command">max-acache-size</strong></span>.
+ </p>
+<p>
+ Additional section caching also has a minor effect on the
+ RRset ordering in the additional section.
+ Without <span><strong class="command">acache</strong></span>,
+ <span><strong class="command">cyclic</strong></span> order is effective for the additional
+ section as well as the answer and authority sections.
+ However, additional section caching fixes the ordering when it
+ first caches an RRset for the additional section, and the same
+ ordering will be kept in succeeding responses, regardless of the
+ setting of <span><strong class="command">rrset-order</strong></span>.
+ The effect of this should be minor, however, since an
+ RRset in the additional section
+ typically only contains a small number of RRs (and in many cases
+ it only contains a single RR), in which case the
+ ordering does not matter much.
+ </p>
+<p>
+ The following is a summary of options related to
+ <span><strong class="command">acache</strong></span>.
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><span><strong class="command">acache-enable</strong></span></span></dt>
+<dd><p>
+ If <span><strong class="command">yes</strong></span>, additional section caching is
+ enabled. The default value is <span><strong class="command">no</strong></span>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
+<dd><p>
+ The server will remove stale cache entries, based on an LRU
+ based
+ algorithm, every <span><strong class="command">acache-cleaning-interval</strong></span> minutes.
+ The default is 60 minutes.
+ If set to 0, no periodic cleaning will occur.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">max-acache-size</strong></span></span></dt>
+<dd><p>
+ The maximum amount of memory in bytes to use for the server's acache.
+ When the amount of data in the acache reaches this limit,
+ the server
+ will clean more aggressively so that the limit is not
+ exceeded.
+ In a server with multiple views, the limit applies
+ separately to the
+ acache of each view.
+ The default is <code class="literal">unlimited</code>,
+ meaning that
+ entries are purged from the acache only at the
+ periodic cleaning time.
+ </p></dd>
+</dl></div>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">server <em class="replaceable"><code>ip_addr</code></em> {
+<pre class="programlisting">server <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
[<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> edns <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
+ [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
+ [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> transfers <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; ]</span>]
[<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
+ [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
+ [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
+ [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
+ [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
};
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">server</strong></span> statement defines characteristics
-to be associated with a remote name server.</p>
-<p>
-The <span><strong class="command">server</strong></span> statement can occur at the top level of the
-configuration file or inside a <span><strong class="command">view</strong></span> statement.
-If a <span><strong class="command">view</strong></span> statement contains
-one or more <span><strong class="command">server</strong></span> statements, only those
-apply to the view and any top-level ones are ignored.
-If a view contains no <span><strong class="command">server</strong></span> statements,
-any top-level <span><strong class="command">server</strong></span> statements are used as
-defaults.
-</p>
-<p>If you discover that a remote server is giving out bad data,
-marking it as bogus will prevent further queries to it. The default
-value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.</p>
-<p>The <span><strong class="command">provide-ixfr</strong></span> clause determines whether
-the local server, acting as master, will respond with an incremental
-zone transfer when the given remote server, a slave, requests it.
-If set to <span><strong class="command">yes</strong></span>, incremental transfer will be provided
-whenever possible. If set to <span><strong class="command">no</strong></span>, all transfers
-to the remote server will be non-incremental. If not set, the value
-of the <span><strong class="command">provide-ixfr</strong></span> option in the view or
-global options block is used as a default.</p>
-<p>The <span><strong class="command">request-ixfr</strong></span> clause determines whether
-the local server, acting as a slave, will request incremental zone
-transfers from the given remote server, a master. If not set, the
-value of the <span><strong class="command">request-ixfr</strong></span> option in the view or
-global options block is used as a default.</p>
-<p>IXFR requests to servers that do not support IXFR will automatically
-fall back to AXFR. Therefore, there is no need to manually list
-which servers support IXFR and which ones do not; the global default
-of <span><strong class="command">yes</strong></span> should always work.
-The purpose of the <span><strong class="command">provide-ixfr</strong></span> and
-<span><strong class="command">request-ixfr</strong></span> clauses is
-to make it possible to disable the use of IXFR even when both master
-and slave claim to support it, for example if one of the servers
-is buggy and crashes or corrupts data when IXFR is used.</p>
-<p>The <span><strong class="command">edns</strong></span> clause determines whether the local server
-will attempt to use EDNS when communicating with the remote server. The
-default is <span><strong class="command">yes</strong></span>.</p>
-<p>The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
-uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
-as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
-more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
-8.x, and patched versions of <acronym class="acronym">BIND</acronym> 4.9.5. You can specify which method
-to use for a server with the <span><strong class="command">transfer-format</strong></span> option.
-If <span><strong class="command">transfer-format</strong></span> is not specified, the <span><strong class="command">transfer-format</strong></span> specified
-by the <span><strong class="command">options</strong></span> statement will be used.</p>
-<p><span><strong class="command">transfers</strong></span> is used to limit the number of
-concurrent inbound zone transfers from the specified server. If
-no <span><strong class="command">transfers</strong></span> clause is specified, the limit is
-set according to the <span><strong class="command">transfers-per-ns</strong></span> option.</p>
-<p>The <span><strong class="command">keys</strong></span> clause identifies a
-<span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
-to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
-when talking to the remote server.
-When a request is sent to the remote server, a request signature
-will be generated using the key specified here and appended to the
-message. A request originating from the remote server is not required
-to be signed by this key.</p>
-<p>Although the grammar of the <span><strong class="command">keys</strong></span> clause
-allows for multiple keys, only a single key per server is currently
-supported.</p>
-<p>The <span><strong class="command">transfer-source</strong></span> and
-<span><strong class="command">transfer-source-v6</strong></span> clauses specify the IPv4 and IPv6 source
-address to be used for zone transfer with the remote server, respectively.
-For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can
-be specified.
-Similarly, for an IPv6 remote server, only
-<span><strong class="command">transfer-source-v6</strong></span> can be specified.
-For more details, see the description of
-<span><strong class="command">transfer-source</strong></span> and
-<span><strong class="command">transfer-source-v6</strong></span> in
-<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p>
+<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
+ Usage</h3></div></div></div>
+<p>
+ The <span><strong class="command">server</strong></span> statement defines
+ characteristics
+ to be associated with a remote name server. If a prefix length is
+ specified, then a range of servers is covered. Only the most
+ specific
+ server clause applies regardless of the order in
+ <code class="filename">named.conf</code>.
+ </p>
+<p>
+ The <span><strong class="command">server</strong></span> statement can occur at
+ the top level of the
+ configuration file or inside a <span><strong class="command">view</strong></span>
+ statement.
+ If a <span><strong class="command">view</strong></span> statement contains
+ one or more <span><strong class="command">server</strong></span> statements, only
+ those
+ apply to the view and any top-level ones are ignored.
+ If a view contains no <span><strong class="command">server</strong></span>
+ statements,
+ any top-level <span><strong class="command">server</strong></span> statements are
+ used as
+ defaults.
+ </p>
+<p>
+ If you discover that a remote server is giving out bad data,
+ marking it as bogus will prevent further queries to it. The
+ default
+ value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
+ </p>
+<p>
+ The <span><strong class="command">provide-ixfr</strong></span> clause determines
+ whether
+ the local server, acting as master, will respond with an
+ incremental
+ zone transfer when the given remote server, a slave, requests it.
+ If set to <span><strong class="command">yes</strong></span>, incremental transfer
+ will be provided
+ whenever possible. If set to <span><strong class="command">no</strong></span>,
+ all transfers
+ to the remote server will be non-incremental. If not set, the
+ value
+ of the <span><strong class="command">provide-ixfr</strong></span> option in the
+ view or
+ global options block is used as a default.
+ </p>
+<p>
+ The <span><strong class="command">request-ixfr</strong></span> clause determines
+ whether
+ the local server, acting as a slave, will request incremental zone
+ transfers from the given remote server, a master. If not set, the
+ value of the <span><strong class="command">request-ixfr</strong></span> option in
+ the view or
+ global options block is used as a default.
+ </p>
+<p>
+ IXFR requests to servers that do not support IXFR will
+ automatically
+ fall back to AXFR. Therefore, there is no need to manually list
+ which servers support IXFR and which ones do not; the global
+ default
+ of <span><strong class="command">yes</strong></span> should always work.
+ The purpose of the <span><strong class="command">provide-ixfr</strong></span> and
+ <span><strong class="command">request-ixfr</strong></span> clauses is
+ to make it possible to disable the use of IXFR even when both
+ master
+ and slave claim to support it, for example if one of the servers
+ is buggy and crashes or corrupts data when IXFR is used.
+ </p>
+<p>
+ The <span><strong class="command">edns</strong></span> clause determines whether
+ the local server will attempt to use EDNS when communicating
+ with the remote server. The default is <span><strong class="command">yes</strong></span>.
+ </p>
+<p>
+ The <span><strong class="command">edns-udp-size</strong></span> option sets the EDNS UDP size
+ that is advertised by named when querying the remote server.
+ Valid values are 512 to 4096 bytes (values outside this range will be
+ silently adjusted). This option is useful when you wish to
+ advertises a different value to this server than the value you
+ advertise globally, for example, when there is a firewall at the
+ remote site that is blocking large replies.
+ </p>
+<p>
+ The <span><strong class="command">max-udp-size</strong></span> option sets the
+ maximum EDNS UDP message size named will send. Valid
+ values are 512 to 4096 bytes (values outside this range will
+ be silently adjusted). This option is useful when you
+ know that there is a firewall that is blocking large
+ replies from named.
+ </p>
+<p>
+ The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
+ uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
+ as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
+ more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
+ 8.x, and patched versions of <acronym class="acronym">BIND</acronym>
+ 4.9.5. You can specify which method
+ to use for a server with the <span><strong class="command">transfer-format</strong></span> option.
+ If <span><strong class="command">transfer-format</strong></span> is not
+ specified, the <span><strong class="command">transfer-format</strong></span>
+ specified
+ by the <span><strong class="command">options</strong></span> statement will be
+ used.
+ </p>
+<p><span><strong class="command">transfers</strong></span>
+ is used to limit the number of concurrent inbound zone
+ transfers from the specified server. If no
+ <span><strong class="command">transfers</strong></span> clause is specified, the
+ limit is set according to the
+ <span><strong class="command">transfers-per-ns</strong></span> option.
+ </p>
+<p>
+ The <span><strong class="command">keys</strong></span> clause identifies a
+ <span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
+ to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
+ when talking to the remote server.
+ When a request is sent to the remote server, a request signature
+ will be generated using the key specified here and appended to the
+ message. A request originating from the remote server is not
+ required
+ to be signed by this key.
+ </p>
+<p>
+ Although the grammar of the <span><strong class="command">keys</strong></span>
+ clause
+ allows for multiple keys, only a single key per server is
+ currently
+ supported.
+ </p>
+<p>
+ The <span><strong class="command">transfer-source</strong></span> and
+ <span><strong class="command">transfer-source-v6</strong></span> clauses specify
+ the IPv4 and IPv6 source
+ address to be used for zone transfer with the remote server,
+ respectively.
+ For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can
+ be specified.
+ Similarly, for an IPv6 remote server, only
+ <span><strong class="command">transfer-source-v6</strong></span> can be
+ specified.
+ For more details, see the description of
+ <span><strong class="command">transfer-source</strong></span> and
+ <span><strong class="command">transfer-source-v6</strong></span> in
+ <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p>
+<p>
+ The <span><strong class="command">notify-source</strong></span> and
+ <span><strong class="command">notify-source-v6</strong></span> clauses specify the
+ IPv4 and IPv6 source address to be used for notify
+ messages sent to remote servers, respectively. For an
+ IPv4 remote server, only <span><strong class="command">notify-source</strong></span>
+ can be specified. Similarly, for an IPv6 remote server,
+ only <span><strong class="command">notify-source-v6</strong></span> can be specified.
+ </p>
+<p>
+ The <span><strong class="command">query-source</strong></span> and
+ <span><strong class="command">query-source-v6</strong></span> clauses specify the
+ IPv4 and IPv6 source address to be used for queries
+ sent to remote servers, respectively. For an IPv4
+ remote server, only <span><strong class="command">query-source</strong></span> can
+ be specified. Similarly, for an IPv6 remote server,
+ only <span><strong class="command">query-source-v6</strong></span> can be specified.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2586290"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2585018"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting">trusted-keys {
<em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
@@ -2671,41 +4542,41 @@ For more details, see the description of
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2586338"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
- and Usage</h3></div></div></div>
-<p>
- The <span><strong class="command">trusted-keys</strong></span> statement defines
- DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>. A security root is defined when the
- public key for a non-authoritative zone is known, but
- cannot be securely obtained through DNS, either because
- it is the DNS root zone or because its parent zone is
- unsigned. Once a key has been configured as a trusted
- key, it is treated as if it had been validated and
- proven secure. The resolver attempts DNSSEC validation
- on all DNS data in subdomains of a security root.
- </p>
-<p>
- All keys (and corresponding zones) listed in
- <span><strong class="command">trusted-keys</strong></span> are deemed to exist regardless
- of what parent zones say. Similarly for all keys listed in
- <span><strong class="command">trusted-keys</strong></span> only those keys are
- used to validate the DNSKEY RRset. The parent's DS RRset
- will not be used.
- </p>
-<p>
- The <span><strong class="command">trusted-keys</strong></span> statement can contain
- multiple key entries, each consisting of the key's
- domain name, flags, protocol, algorithm, and the Base-64
- representation of the key data.
- </p>
+<a name="id2585136"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
+ and Usage</h3></div></div></div>
+<p>
+ The <span><strong class="command">trusted-keys</strong></span> statement defines
+ DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>. A security root is defined when the
+ public key for a non-authoritative zone is known, but
+ cannot be securely obtained through DNS, either because
+ it is the DNS root zone or because its parent zone is
+ unsigned. Once a key has been configured as a trusted
+ key, it is treated as if it had been validated and
+ proven secure. The resolver attempts DNSSEC validation
+ on all DNS data in subdomains of a security root.
+ </p>
+<p>
+ All keys (and corresponding zones) listed in
+ <span><strong class="command">trusted-keys</strong></span> are deemed to exist regardless
+ of what parent zones say. Similarly for all keys listed in
+ <span><strong class="command">trusted-keys</strong></span> only those keys are
+ used to validate the DNSKEY RRset. The parent's DS RRset
+ will not be used.
+ </p>
+<p>
+ The <span><strong class="command">trusted-keys</strong></span> statement can contain
+ multiple key entries, each consisting of the key's
+ domain name, flags, protocol, algorithm, and the Base-64
+ representation of the key data.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">view <em class="replaceable"><code>view_name</code></em>
+<pre class="programlisting">view <em class="replaceable"><code>view_name</code></em>
[<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
- match-clients { <em class="replaceable"><code>address_match_list</code></em> } ;
- match-destinations { <em class="replaceable"><code>address_match_list</code></em> } ;
+ match-clients { <em class="replaceable"><code>address_match_list</code></em> };
+ match-destinations { <em class="replaceable"><code>address_match_list</code></em> };
match-recursive-only <em class="replaceable"><code>yes_or_no</code></em> ;
[<span class="optional"> <em class="replaceable"><code>view_option</code></em>; ...</span>]
[<span class="optional"> <em class="replaceable"><code>zone_statement</code></em>; ...</span>]
@@ -2714,53 +4585,91 @@ For more details, see the description of
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2586420"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">view</strong></span> statement is a powerful new feature
-of <acronym class="acronym">BIND</acronym> 9 that lets a name server answer a DNS query differently
-depending on who is asking. It is particularly useful for implementing
-split DNS setups without having to run multiple servers.</p>
-<p>Each <span><strong class="command">view</strong></span> statement defines a view of the
-DNS namespace that will be seen by a subset of clients. A client matches
-a view if its source IP address matches the
-<code class="varname">address_match_list</code> of the view's
-<span><strong class="command">match-clients</strong></span> clause and its destination IP address matches
-the <code class="varname">address_match_list</code> of the view's
-<span><strong class="command">match-destinations</strong></span> clause. If not specified, both
-<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
-default to matching all addresses. In addition to checking IP addresses
-<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
-can also take <span><strong class="command">keys</strong></span> which provide an mechanism for the
-client to select the view. A view can also be specified
-as <span><strong class="command">match-recursive-only</strong></span>, which means that only recursive
-requests from matching clients will match that view.
-The order of the <span><strong class="command">view</strong></span> statements is significant &#8212;
-a client request will be resolved in the context of the first
-<span><strong class="command">view</strong></span> that it matches.</p>
-<p>Zones defined within a <span><strong class="command">view</strong></span> statement will
-be only be accessible to clients that match the <span><strong class="command">view</strong></span>.
- By defining a zone of the same name in multiple views, different
-zone data can be given to different clients, for example, "internal"
-and "external" clients in a split DNS setup.</p>
-<p>Many of the options given in the <span><strong class="command">options</strong></span> statement
-can also be used within a <span><strong class="command">view</strong></span> statement, and then
-apply only when resolving queries with that view. When no view-specific
-value is given, the value in the <span><strong class="command">options</strong></span> statement
-is used as a default. Also, zone options can have default values specified
-in the <span><strong class="command">view</strong></span> statement; these view-specific defaults
-take precedence over those in the <span><strong class="command">options</strong></span> statement.</p>
-<p>Views are class specific. If no class is given, class IN
-is assumed. Note that all non-IN views must contain a hint zone,
-since only the IN class has compiled-in default hints.</p>
-<p>If there are no <span><strong class="command">view</strong></span> statements in the config
-file, a default view that matches any client is automatically created
-in class IN. Any <span><strong class="command">zone</strong></span> statements specified on
-the top level of the configuration file are considered to be part of
-this default view, and the <span><strong class="command">options</strong></span> statement will
-apply to the default view. If any explicit <span><strong class="command">view</strong></span>
-statements are present, all <span><strong class="command">zone</strong></span> statements must
-occur inside <span><strong class="command">view</strong></span> statements.</p>
-<p>Here is an example of a typical split DNS setup implemented
-using <span><strong class="command">view</strong></span> statements:</p>
+<a name="id2585216"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
+<p>
+ The <span><strong class="command">view</strong></span> statement is a powerful
+ feature
+ of <acronym class="acronym">BIND</acronym> 9 that lets a name server
+ answer a DNS query differently
+ depending on who is asking. It is particularly useful for
+ implementing
+ split DNS setups without having to run multiple servers.
+ </p>
+<p>
+ Each <span><strong class="command">view</strong></span> statement defines a view
+ of the
+ DNS namespace that will be seen by a subset of clients. A client
+ matches
+ a view if its source IP address matches the
+ <code class="varname">address_match_list</code> of the view's
+ <span><strong class="command">match-clients</strong></span> clause and its
+ destination IP address matches
+ the <code class="varname">address_match_list</code> of the
+ view's
+ <span><strong class="command">match-destinations</strong></span> clause. If not
+ specified, both
+ <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
+ default to matching all addresses. In addition to checking IP
+ addresses
+ <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
+ can also take <span><strong class="command">keys</strong></span> which provide an
+ mechanism for the
+ client to select the view. A view can also be specified
+ as <span><strong class="command">match-recursive-only</strong></span>, which
+ means that only recursive
+ requests from matching clients will match that view.
+ The order of the <span><strong class="command">view</strong></span> statements is
+ significant &#8212;
+ a client request will be resolved in the context of the first
+ <span><strong class="command">view</strong></span> that it matches.
+ </p>
+<p>
+ Zones defined within a <span><strong class="command">view</strong></span>
+ statement will
+ be only be accessible to clients that match the <span><strong class="command">view</strong></span>.
+ By defining a zone of the same name in multiple views, different
+ zone data can be given to different clients, for example,
+ "internal"
+ and "external" clients in a split DNS setup.
+ </p>
+<p>
+ Many of the options given in the <span><strong class="command">options</strong></span> statement
+ can also be used within a <span><strong class="command">view</strong></span>
+ statement, and then
+ apply only when resolving queries with that view. When no
+ view-specific
+ value is given, the value in the <span><strong class="command">options</strong></span> statement
+ is used as a default. Also, zone options can have default values
+ specified
+ in the <span><strong class="command">view</strong></span> statement; these
+ view-specific defaults
+ take precedence over those in the <span><strong class="command">options</strong></span> statement.
+ </p>
+<p>
+ Views are class specific. If no class is given, class IN
+ is assumed. Note that all non-IN views must contain a hint zone,
+ since only the IN class has compiled-in default hints.
+ </p>
+<p>
+ If there are no <span><strong class="command">view</strong></span> statements in
+ the config
+ file, a default view that matches any client is automatically
+ created
+ in class IN. Any <span><strong class="command">zone</strong></span> statements
+ specified on
+ the top level of the configuration file are considered to be part
+ of
+ this default view, and the <span><strong class="command">options</strong></span>
+ statement will
+ apply to the default view. If any explicit <span><strong class="command">view</strong></span>
+ statements are present, all <span><strong class="command">zone</strong></span>
+ statements must
+ occur inside <span><strong class="command">view</strong></span> statements.
+ </p>
+<p>
+ Here is an example of a typical split DNS setup implemented
+ using <span><strong class="command">view</strong></span> statements:
+ </p>
<pre class="programlisting">view "internal" {
// This should match our internal networks.
match-clients { 10.0.0.0/8; };
@@ -2795,17 +4704,22 @@ view "external" {
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="zone_statement_grammar"></a><span><strong class="command">zone</strong></span>
-Statement Grammar</h3></div></div></div>
-<pre class="programlisting">zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
+ Statement Grammar</h3></div></div></div>
+<pre class="programlisting">zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type master;
- [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
- [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
- [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
- [<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] } ; </span>]
+ [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
+ [<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
+ [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+ [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
[<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
+ [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
+ [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
@@ -2814,7 +4728,7 @@ Statement Grammar</h3></div></div></div>
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> ; </span>]
+ [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
@@ -2826,30 +4740,34 @@ Statement Grammar</h3></div></div></div>
[<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
+ [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
};
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
+zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type slave;
- [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
- [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
- [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
- [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
+ [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+ [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
[<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
+ [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
+ [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] } ; </span>]
+ [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> ; </span>]
+ [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
@@ -2865,25 +4783,27 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
[<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
+ [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
};
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
+zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type hint;
- [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
+ file <em class="replaceable"><code>string</code></em> ;
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; // Not Implemented. </span>]
};
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
+zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type stub;
- [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
+ [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
[<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
+ [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] } ; </span>]
+ [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
@@ -2893,7 +4813,6 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
@@ -2902,24 +4821,25 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
[<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
};
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
+zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type forward;
[<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
};
-zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
+zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
type delegation-only;
};
+
</pre>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2587635"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2586586"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2587641"></a>Zone Types</h4></div></div></div>
+<a name="id2586594"></a>Zone Types</h4></div></div></div>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -2927,324 +4847,587 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
</colgroup>
<tbody>
<tr>
-<td><p><code class="varname">master</code></p></td>
-<td><p>The server has a master copy of the data
-for the zone and will be able to provide authoritative answers for
-it.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">slave</code></p></td>
-<td><p>A slave zone is a replica of a master
-zone. The <span><strong class="command">masters</strong></span> list specifies one or more IP addresses
-of master servers that the slave contacts to update its copy of the zone.
-Masters list elements can also be names of other masters lists.
-By default, transfers are made from port 53 on the servers; this can
-be changed for all servers by specifying a port number before the
-list of IP addresses, or on a per-server basis after the IP address.
-Authentication to the master can also be done with per-server TSIG keys.
-If a file is specified, then the
-replica will be written to this file whenever the zone is changed,
-and reloaded from this file on a server restart. Use of a file is
-recommended, since it often speeds server startup and eliminates
-a needless waste of bandwidth. Note that for large numbers (in the
-tens or hundreds of thousands) of zones per server, it is best to
-use a two-level naming scheme for zone file names. For example,
-a slave server for the zone <code class="literal">example.com</code> might place
-the zone contents into a file called
-<code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
-just the first two letters of the zone name. (Most operating systems
-behave very slowly if you put 100 000 files into
-a single directory.)</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">stub</code></p></td>
-<td>
-<p>A stub zone is similar to a slave zone,
-except that it replicates only the NS records of a master zone instead
-of the entire zone. Stub zones are not a standard part of the DNS;
-they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation.
-</p>
+<td>
+ <p>
+ <code class="varname">master</code>
+ </p>
+ </td>
+<td>
+ <p>
+ The server has a master copy of the data
+ for the zone and will be able to provide authoritative
+ answers for
+ it.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ <code class="varname">slave</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A slave zone is a replica of a master
+ zone. The <span><strong class="command">masters</strong></span> list
+ specifies one or more IP addresses
+ of master servers that the slave contacts to update
+ its copy of the zone.
+ Masters list elements can also be names of other
+ masters lists.
+ By default, transfers are made from port 53 on the
+ servers; this can
+ be changed for all servers by specifying a port number
+ before the
+ list of IP addresses, or on a per-server basis after
+ the IP address.
+ Authentication to the master can also be done with
+ per-server TSIG keys.
+ If a file is specified, then the
+ replica will be written to this file whenever the zone
+ is changed,
+ and reloaded from this file on a server restart. Use
+ of a file is
+ recommended, since it often speeds server startup and
+ eliminates
+ a needless waste of bandwidth. Note that for large
+ numbers (in the
+ tens or hundreds of thousands) of zones per server, it
+ is best to
+ use a two-level naming scheme for zone file names. For
+ example,
+ a slave server for the zone <code class="literal">example.com</code> might place
+ the zone contents into a file called
+ <code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
+ just the first two letters of the zone name. (Most
+ operating systems
+ behave very slowly if you put 100 000 files into
+ a single directory.)
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ <code class="varname">stub</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A stub zone is similar to a slave zone,
+ except that it replicates only the NS records of a
+ master zone instead
+ of the entire zone. Stub zones are not a standard part
+ of the DNS;
+ they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation.
+ </p>
-<p>Stub zones can be used to eliminate the need for glue NS record
-in a parent zone at the expense of maintaining a stub zone entry and
-a set of name server addresses in <code class="filename">named.conf</code>.
-This usage is not recommended for new configurations, and BIND 9
-supports it only in a limited way.
-In <acronym class="acronym">BIND</acronym> 4/8, zone transfers of a parent zone
-included the NS records from stub children of that zone. This meant
-that, in some cases, users could get away with configuring child stubs
-only in the master server for the parent zone. <acronym class="acronym">BIND</acronym>
-9 never mixes together zone data from different zones in this
-way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent
-zone has child stub zones configured, all the slave servers for the
-parent zone also need to have the same child stub zones
-configured.</p>
+ <p>
+ Stub zones can be used to eliminate the need for glue
+ NS record
+ in a parent zone at the expense of maintaining a stub
+ zone entry and
+ a set of name server addresses in <code class="filename">named.conf</code>.
+ This usage is not recommended for new configurations,
+ and BIND 9
+ supports it only in a limited way.
+ In <acronym class="acronym">BIND</acronym> 4/8, zone
+ transfers of a parent zone
+ included the NS records from stub children of that
+ zone. This meant
+ that, in some cases, users could get away with
+ configuring child stubs
+ only in the master server for the parent zone. <acronym class="acronym">BIND</acronym>
+ 9 never mixes together zone data from different zones
+ in this
+ way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent
+ zone has child stub zones configured, all the slave
+ servers for the
+ parent zone also need to have the same child stub
+ zones
+ configured.
+ </p>
-<p>Stub zones can also be used as a way of forcing the resolution
-of a given domain to use a particular set of authoritative servers.
-For example, the caching name servers on a private network using
-RFC1918 addressing may be configured with stub zones for
-<code class="literal">10.in-addr.arpa</code>
-to use a set of internal name servers as the authoritative
-servers for that domain.</p>
-</td>
+ <p>
+ Stub zones can also be used as a way of forcing the
+ resolution
+ of a given domain to use a particular set of
+ authoritative servers.
+ For example, the caching name servers on a private
+ network using
+ RFC1918 addressing may be configured with stub zones
+ for
+ <code class="literal">10.in-addr.arpa</code>
+ to use a set of internal name servers as the
+ authoritative
+ servers for that domain.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">forward</code></p></td>
-<td>
-<p>A "forward zone" is a way to configure
-forwarding on a per-domain basis. A <span><strong class="command">zone</strong></span> statement
-of type <span><strong class="command">forward</strong></span> can contain a <span><strong class="command">forward</strong></span> and/or <span><strong class="command">forwarders</strong></span> statement,
-which will apply to queries within the domain given by the zone
-name. If no <span><strong class="command">forwarders</strong></span> statement is present or
-an empty list for <span><strong class="command">forwarders</strong></span> is given, then no
-forwarding will be done for the domain, canceling the effects of
-any forwarders in the <span><strong class="command">options</strong></span> statement. Thus
-if you want to use this type of zone to change the behavior of the
-global <span><strong class="command">forward</strong></span> option (that is, "forward first"
-to, then "forward only", or vice versa, but want to use the same
-servers as set globally) you need to re-specify the global forwarders.</p>
-</td>
+<td>
+ <p>
+ <code class="varname">forward</code>
+ </p>
+ </td>
+<td>
+ <p>
+ A "forward zone" is a way to configure
+ forwarding on a per-domain basis. A <span><strong class="command">zone</strong></span> statement
+ of type <span><strong class="command">forward</strong></span> can
+ contain a <span><strong class="command">forward</strong></span>
+ and/or <span><strong class="command">forwarders</strong></span>
+ statement,
+ which will apply to queries within the domain given by
+ the zone
+ name. If no <span><strong class="command">forwarders</strong></span>
+ statement is present or
+ an empty list for <span><strong class="command">forwarders</strong></span> is given, then no
+ forwarding will be done for the domain, canceling the
+ effects of
+ any forwarders in the <span><strong class="command">options</strong></span> statement. Thus
+ if you want to use this type of zone to change the
+ behavior of the
+ global <span><strong class="command">forward</strong></span> option
+ (that is, "forward first"
+ to, then "forward only", or vice versa, but want to
+ use the same
+ servers as set globally) you need to re-specify the
+ global forwarders.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">hint</code></p></td>
-<td><p>The initial set of root name servers is
-specified using a "hint zone". When the server starts up, it uses
-the root hints to find a root name server and get the most recent
-list of root name servers. If no hint zone is specified for class
-IN, the server uses a compiled-in default set of root servers hints.
-Classes other than IN have no built-in defaults hints.</p></td>
+<td>
+ <p>
+ <code class="varname">hint</code>
+ </p>
+ </td>
+<td>
+ <p>
+ The initial set of root name servers is
+ specified using a "hint zone". When the server starts
+ up, it uses
+ the root hints to find a root name server and get the
+ most recent
+ list of root name servers. If no hint zone is
+ specified for class
+ IN, the server uses a compiled-in default set of root
+ servers hints.
+ Classes other than IN have no built-in defaults hints.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">delegation-only</code></p></td>
<td>
-<p>This is used to enforce the delegation-only
-status of infrastructure zones (e.g. COM, NET, ORG). Any answer that
-is received without an explicit or implicit delegation in the authority
-section will be treated as NXDOMAIN. This does not apply to the zone
-apex. This should not be applied to leaf zones.</p>
-<p><code class="varname">delegation-only</code> has no effect on answers received
-from forwarders.</p>
-</td>
+ <p>
+ <code class="varname">delegation-only</code>
+ </p>
+ </td>
+<td>
+ <p>
+ This is used to enforce the delegation-only
+ status of infrastructure zones (e.g. COM, NET, ORG).
+ Any answer that
+ is received without an explicit or implicit delegation
+ in the authority
+ section will be treated as NXDOMAIN. This does not
+ apply to the zone
+ apex. This should not be applied to leaf zones.
+ </p>
+ <p>
+ <code class="varname">delegation-only</code> has no
+ effect on answers received
+ from forwarders.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2588084"></a>Class</h4></div></div></div>
-<p>The zone's name may optionally be followed by a class. If
-a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
-is assumed. This is correct for the vast majority of cases.</p>
-<p>The <code class="literal">hesiod</code> class is
-named for an information service from MIT's Project Athena. It is
-used to share information about various systems databases, such
-as users, groups, printers and so on. The keyword
-<code class="literal">HS</code> is
-a synonym for hesiod.</p>
-<p>Another MIT development is CHAOSnet, a LAN protocol created
-in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.</p>
+<a name="id2587013"></a>Class</h4></div></div></div>
+<p>
+ The zone's name may optionally be followed by a class. If
+ a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
+ is assumed. This is correct for the vast majority of cases.
+ </p>
+<p>
+ The <code class="literal">hesiod</code> class is
+ named for an information service from MIT's Project Athena. It
+ is
+ used to share information about various systems databases, such
+ as users, groups, printers and so on. The keyword
+ <code class="literal">HS</code> is
+ a synonym for hesiod.
+ </p>
+<p>
+ Another MIT development is CHAOSnet, a LAN protocol created
+ in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
+ </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2588115"></a>Zone Options</h4></div></div></div>
+<a name="id2587046"></a>Zone Options</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
-<dd><p>See the description of <span><strong class="command">allow-transfer</strong></span>
-in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of <span><strong class="command">allow-transfer</strong></span>
+ in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-submit Dynamic DNS updates for master zones. The default is to deny
-updates from all hosts. Note that allowing updates based
-on the requestor's IP address is insecure; see
-<a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for details.
-</p></dd>
+<dd><p>
+ See the description of <span><strong class="command">allow-update</strong></span>
+ in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">update-policy</strong></span></span></dt>
-<dd><p>Specifies a "Simple Secure Update" policy. See
-<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.</p></dd>
+<dd><p>
+ Specifies a "Simple Secure Update" policy. See
+ <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
-<dd><p>See the description of <span><strong class="command">allow-update-forwarding</strong></span>
-in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of <span><strong class="command">allow-update-forwarding</strong></span>
+ in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
-<dd><p>Only meaningful if <span><strong class="command">notify</strong></span> is
-active for this zone. The set of machines that will receive a
-<code class="literal">DNS NOTIFY</code> message
-for this zone is made up of all the listed name servers (other than
-the primary master) for the zone plus any IP addresses specified
-with <span><strong class="command">also-notify</strong></span>. A port may be specified
-with each <span><strong class="command">also-notify</strong></span> address to send the notify
-messages to a port other than the default of 53.
-<span><strong class="command">also-notify</strong></span> is not meaningful for stub zones.
-The default is the empty list.</p></dd>
+<dd><p>
+ Only meaningful if <span><strong class="command">notify</strong></span>
+ is
+ active for this zone. The set of machines that will
+ receive a
+ <code class="literal">DNS NOTIFY</code> message
+ for this zone is made up of all the listed name servers
+ (other than
+ the primary master) for the zone plus any IP addresses
+ specified
+ with <span><strong class="command">also-notify</strong></span>. A port
+ may be specified
+ with each <span><strong class="command">also-notify</strong></span>
+ address to send the notify
+ messages to a port other than the default of 53.
+ <span><strong class="command">also-notify</strong></span> is not
+ meaningful for stub zones.
+ The default is the empty list.
+ </p></dd>
<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
<dd><p>
-This option is used to restrict the character set and syntax of
-certain domain names in master files and/or DNS responses received from the
-network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
-zones the default is <span><strong class="command">warn</strong></span>.
-</p></dd>
+ This option is used to restrict the character set and
+ syntax of
+ certain domain names in master files and/or DNS responses
+ received from the
+ network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
+ zones the default is <span><strong class="command">warn</strong></span>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
+<dd><p>
+ See the description of
+ <span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">database</strong></span></span></dt>
<dd>
-<p>Specify the type of database to be used for storing the
-zone data. The string following the <span><strong class="command">database</strong></span> keyword
-is interpreted as a list of whitespace-delimited words. The first word
-identifies the database type, and any subsequent words are passed
-as arguments to the database to be interpreted in a way specific
-to the database type.</p>
-<p>The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's native in-memory
-red-black-tree database. This database does not take arguments.</p>
-<p>Other values are possible if additional database drivers
-have been linked into the server. Some sample drivers are included
-with the distribution but none are linked in by default.</p>
+<p>
+ Specify the type of database to be used for storing the
+ zone data. The string following the <span><strong class="command">database</strong></span> keyword
+ is interpreted as a list of whitespace-delimited words.
+ The first word
+ identifies the database type, and any subsequent words are
+ passed
+ as arguments to the database to be interpreted in a way
+ specific
+ to the database type.
+ </p>
+<p>
+ The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's
+ native in-memory
+ red-black-tree database. This database does not take
+ arguments.
+ </p>
+<p>
+ Other values are possible if additional database drivers
+ have been linked into the server. Some sample drivers are
+ included
+ with the distribution but none are linked in by default.
+ </p>
</dd>
<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">delegation-only</strong></span></span></dt>
-<dd><p>The flag only applies to hint and stub zones. If set
-to <strong class="userinput"><code>yes</code></strong>, then the zone will also be treated as if it
-is also a delegation-only type zone.
-</p></dd>
+<dd><p>
+ The flag only applies to hint and stub zones. If set
+ to <strong class="userinput"><code>yes</code></strong>, then the zone will also be
+ treated as if it
+ is also a delegation-only type zone.
+ </p></dd>
<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
-<dd><p>Only meaningful if the zone has a forwarders
-list. The <span><strong class="command">only</strong></span> value causes the lookup to fail
-after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
-allow a normal lookup to be tried.</p></dd>
+<dd><p>
+ Only meaningful if the zone has a forwarders
+ list. The <span><strong class="command">only</strong></span> value causes
+ the lookup to fail
+ after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
+ allow a normal lookup to be tried.
+ </p></dd>
<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
-<dd><p>Used to override the list of global forwarders.
-If it is not specified in a zone of type <span><strong class="command">forward</strong></span>,
-no forwarding is done for the zone and the global options are not used.</p></dd>
+<dd><p>
+ Used to override the list of global forwarders.
+ If it is not specified in a zone of type <span><strong class="command">forward</strong></span>,
+ no forwarding is done for the zone and the global options are
+ not used.
+ </p></dd>
<dt><span class="term"><span><strong class="command">ixfr-base</strong></span></span></dt>
-<dd><p>Was used in <acronym class="acronym">BIND</acronym> 8 to specify the name
-of the transaction log (journal) file for dynamic update and IXFR.
-<acronym class="acronym">BIND</acronym> 9 ignores the option and constructs the name of the journal
-file by appending "<code class="filename">.jnl</code>" to the name of the
-zone file.</p></dd>
+<dd><p>
+ Was used in <acronym class="acronym">BIND</acronym> 8 to
+ specify the name
+ of the transaction log (journal) file for dynamic update
+ and IXFR.
+ <acronym class="acronym">BIND</acronym> 9 ignores the option
+ and constructs the name of the journal
+ file by appending "<code class="filename">.jnl</code>"
+ to the name of the
+ zone file.
+ </p></dd>
<dt><span class="term"><span><strong class="command">ixfr-tmp-file</strong></span></span></dt>
-<dd><p>Was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
-Ignored in <acronym class="acronym">BIND</acronym> 9.</p></dd>
+<dd><p>
+ Was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
+ Ignored in <acronym class="acronym">BIND</acronym> 9.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">journal</strong></span></span></dt>
+<dd><p>
+ Allow the default journal's file name to be overridden.
+ The default is the zone's file with "<code class="filename">.jnl</code>" appended.
+ This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt>
-<dd><p>In <acronym class="acronym">BIND</acronym> 8, this option was intended for specifying
-a public zone key for verification of signatures in DNSSEC signed
-zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
-on load and ignores the option.</p></dd>
+<dd><p>
+ In <acronym class="acronym">BIND</acronym> 8, this option was
+ intended for specifying
+ a public zone key for verification of signatures in DNSSEC
+ signed
+ zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
+ on load and ignores the option.
+ </p></dd>
<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, the server will keep statistical
-information for this zone, which can be dumped to the
-<span><strong class="command">statistics-file</strong></span> defined in the server options.</p></dd>
+<dd><p>
+ If <strong class="userinput"><code>yes</code></strong>, the server will keep
+ statistical
+ information for this zone, which can be dumped to the
+ <span><strong class="command">statistics-file</strong></span> defined in
+ the server options.
+ </p></dd>
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>
-</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
+ </p></dd>
<dt>
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
</dt>
<dd><p>
-See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-</p></dd>
+ See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and Usage&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of
+ <span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
+ Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and
+ Usage&#8221;</a>.
+ </p></dd>
<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">multi-master</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.</p></dd>
+<dd><p>
+ See the description of <span><strong class="command">multi-master</strong></span> in
+ <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+ </p></dd>
+<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
+<dd><p>
+ See the description of <span><strong class="command">masterfile-format</strong></span>
+ in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+ </p></dd>
</dl></div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
-<p><acronym class="acronym">BIND</acronym> 9 supports two alternative methods of granting clients
-the right to perform dynamic updates to a zone,
-configured by the <span><strong class="command">allow-update</strong></span> and
-<span><strong class="command">update-policy</strong></span> option, respectively.</p>
-<p>The <span><strong class="command">allow-update</strong></span> clause works the same
-way as in previous versions of <acronym class="acronym">BIND</acronym>. It grants given clients the
-permission to update any record of any name in the zone.</p>
-<p>The <span><strong class="command">update-policy</strong></span> clause is new in <acronym class="acronym">BIND</acronym>
-9 and allows more fine-grained control over what updates are allowed.
-A set of rules is specified, where each rule either grants or denies
-permissions for one or more names to be updated by one or more identities.
- If the dynamic update request message is signed (that is, it includes
-either a TSIG or SIG(0) record), the identity of the signer can
-be determined.</p>
-<p>Rules are specified in the <span><strong class="command">update-policy</strong></span> zone
-option, and are only meaningful for master zones. When the <span><strong class="command">update-policy</strong></span> statement
-is present, it is a configuration error for the <span><strong class="command">allow-update</strong></span> statement
-to be present. The <span><strong class="command">update-policy</strong></span> statement only
-examines the signer of a message; the source address is not relevant.</p>
-<p>This is how a rule definition looks:</p>
+<p>
+ <acronym class="acronym">BIND</acronym> 9 supports two alternative
+ methods of granting clients
+ the right to perform dynamic updates to a zone,
+ configured by the <span><strong class="command">allow-update</strong></span>
+ and
+ <span><strong class="command">update-policy</strong></span> option,
+ respectively.
+ </p>
+<p>
+ The <span><strong class="command">allow-update</strong></span> clause works the
+ same
+ way as in previous versions of <acronym class="acronym">BIND</acronym>. It grants given clients the
+ permission to update any record of any name in the zone.
+ </p>
+<p>
+ The <span><strong class="command">update-policy</strong></span> clause is new
+ in <acronym class="acronym">BIND</acronym>
+ 9 and allows more fine-grained control over what updates are
+ allowed.
+ A set of rules is specified, where each rule either grants or
+ denies
+ permissions for one or more names to be updated by one or more
+ identities.
+ If the dynamic update request message is signed (that is, it
+ includes
+ either a TSIG or SIG(0) record), the identity of the signer can
+ be determined.
+ </p>
+<p>
+ Rules are specified in the <span><strong class="command">update-policy</strong></span> zone
+ option, and are only meaningful for master zones. When the <span><strong class="command">update-policy</strong></span> statement
+ is present, it is a configuration error for the <span><strong class="command">allow-update</strong></span> statement
+ to be present. The <span><strong class="command">update-policy</strong></span>
+ statement only
+ examines the signer of a message; the source address is not
+ relevant.
+ </p>
+<p>
+ This is how a rule definition looks:
+ </p>
<pre class="programlisting">
( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> <em class="replaceable"><code>name</code></em> [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
</pre>
-<p>Each rule grants or denies privileges. Once a message has
-successfully matched a rule, the operation is immediately granted
-or denied and no further rules are examined. A rule is matched
-when the signer matches the identity field, the name matches the
-name field in accordance with the nametype field, and the type matches
-the types specified in the type field.</p>
-<p>The identity field specifies a name or a wildcard name. Normally, this
-is the name of the TSIG or SIG(0) key used to sign the update request. When a
-TKEY exchange has been used to create a shared secret, the identity of the
-shared secret is the same as the identity of the key used to authenticate the
-TKEY exchange. When the <em class="replaceable"><code>identity</code></em> field specifies a
-wildcard name, it is subject to DNS wildcard expansion, so the rule will apply
-to multiple identities. The <em class="replaceable"><code>identity</code></em> field must
-contain a fully qualified domain name.</p>
-<p>The <em class="replaceable"><code>nametype</code></em> field has 4 values:
-<code class="varname">name</code>, <code class="varname">subdomain</code>,
-<code class="varname">wildcard</code>, and <code class="varname">self</code>.
-</p>
+<p>
+ Each rule grants or denies privileges. Once a message has
+ successfully matched a rule, the operation is immediately
+ granted
+ or denied and no further rules are examined. A rule is matched
+ when the signer matches the identity field, the name matches the
+ name field in accordance with the nametype field, and the type
+ matches
+ the types specified in the type field.
+ </p>
+<p>
+ The identity field specifies a name or a wildcard name.
+ Normally, this
+ is the name of the TSIG or SIG(0) key used to sign the update
+ request. When a
+ TKEY exchange has been used to create a shared secret, the
+ identity of the
+ shared secret is the same as the identity of the key used to
+ authenticate the
+ TKEY exchange. When the <em class="replaceable"><code>identity</code></em> field specifies a
+ wildcard name, it is subject to DNS wildcard expansion, so the
+ rule will apply
+ to multiple identities. The <em class="replaceable"><code>identity</code></em> field must
+ contain a fully qualified domain name.
+ </p>
+<p>
+ The <em class="replaceable"><code>nametype</code></em> field has 6
+ values:
+ <code class="varname">name</code>, <code class="varname">subdomain</code>,
+ <code class="varname">wildcard</code>, <code class="varname">self</code>,
+ <code class="varname">selfsub</code>, and <code class="varname">selfwild</code>.
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -3252,69 +5435,151 @@ contain a fully qualified domain name.</p>
</colgroup>
<tbody>
<tr>
-<td><p><code class="varname">name</code></p></td>
-<td><p>Exact-match semantics. This rule matches when the
-name being updated is identical to the contents of the
-<em class="replaceable"><code>name</code></em> field.</p></td>
+<td>
+ <p>
+ <code class="varname">name</code>
+ </p>
+ </td>
+<td>
+ <p>
+ Exact-match semantics. This rule matches
+ when the name being updated is identical
+ to the contents of the
+ <em class="replaceable"><code>name</code></em> field.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ <code class="varname">subdomain</code>
+ </p>
+ </td>
+<td>
+ <p>
+ This rule matches when the name being updated
+ is a subdomain of, or identical to, the
+ contents of the <em class="replaceable"><code>name</code></em>
+ field.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ <code class="varname">wildcard</code>
+ </p>
+ </td>
+<td>
+ <p>
+ The <em class="replaceable"><code>name</code></em> field
+ is subject to DNS wildcard expansion, and
+ this rule matches when the name being updated
+ name is a valid expansion of the wildcard.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">subdomain</code></p></td>
-<td><p>This rule matches when the name being updated
-is a subdomain of, or identical to, the contents of the
-<em class="replaceable"><code>name</code></em> field.</p></td>
+<td>
+ <p>
+ <code class="varname">self</code>
+ </p>
+ </td>
+<td>
+ <p>
+ This rule matches when the name being updated
+ matches the contents of the
+ <em class="replaceable"><code>identity</code></em> field.
+ The <em class="replaceable"><code>name</code></em> field
+ is ignored, but should be the same as the
+ <em class="replaceable"><code>identity</code></em> field.
+ The <code class="varname">self</code> nametype is
+ most useful when allowing using one key per
+ name to update, where the key has the same
+ name as the name to be updated. The
+ <em class="replaceable"><code>identity</code></em> would
+ be specified as <code class="constant">*</code> (an asterisk) in
+ this case.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">wildcard</code></p></td>
-<td><p>The <em class="replaceable"><code>name</code></em> field is
-subject to DNS wildcard expansion, and this rule matches when the name
-being updated name is a valid expansion of the wildcard.</p></td>
+<td>
+ <p>
+ <code class="varname">selfsub</code>
+ </p>
+ </td>
+<td>
+ <p>
+ This rule is similar to <code class="varname">self</code>
+ except that subdomains of <code class="varname">self</code>
+ can also be updated.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="varname">self</code></p></td>
-<td><p>This rule matches when the name being updated
-matches the contents of the <em class="replaceable"><code>identity</code></em> field.
-The <em class="replaceable"><code>name</code></em> field is ignored, but should be
-the same as the <em class="replaceable"><code>identity</code></em> field. The
-<code class="varname">self</code> nametype is most useful when allowing using
-one key per name to update, where the key has the same name as the name
-to be updated. The <em class="replaceable"><code>identity</code></em> would be
-specified as <code class="constant">*</code> in this case.</p></td>
+<td>
+ <p>
+ <code class="varname">selfwild</code>
+ </p>
+ </td>
+<td>
+ <p>
+ This rule is similar to <code class="varname">self</code>
+ except that only subdomains of
+ <code class="varname">self</code> can be updated.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>In all cases, the <em class="replaceable"><code>name</code></em> field must
-specify a fully qualified domain name.</p>
-<p>If no types are explicitly specified, this rule matches all types except
-SIG, NS, SOA, and NXT. Types may be specified by name, including
-"ANY" (ANY matches all types except NXT, which can never be updated).
-Note that when an attempt is made to delete all records associated with a
-name, the rules are checked for each existing record type.
-</p>
+<p>
+ In all cases, the <em class="replaceable"><code>name</code></em>
+ field must
+ specify a fully qualified domain name.
+ </p>
+<p>
+ If no types are explicitly specified, this rule matches all
+ types except
+ RRSIG, NS, SOA, and NSEC. Types may be specified by name, including
+ "ANY" (ANY matches all types except NSEC, which can never be
+ updated).
+ Note that when an attempt is made to delete all records
+ associated with a
+ name, the rules are checked for each existing record type.
+ </p>
</div>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2589173"></a>Zone File</h2></div></div></div>
+<a name="id2588846"></a>Zone File</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
-<p>This section, largely borrowed from RFC 1034, describes the
-concept of a Resource Record (RR) and explains when each is used.
-Since the publication of RFC 1034, several new RRs have been identified
-and implemented in the DNS. These are also included.</p>
+<p>
+ This section, largely borrowed from RFC 1034, describes the
+ concept of a Resource Record (RR) and explains when each is used.
+ Since the publication of RFC 1034, several new RRs have been
+ identified
+ and implemented in the DNS. These are also included.
+ </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2589191"></a>Resource Records</h4></div></div></div>
-<p>A domain name identifies a node. Each node has a set of
- resource information, which may be empty. The set of resource
- information associated with a particular name is composed of
- separate RRs. The order of RRs in a set is not significant and
- need not be preserved by name servers, resolvers, or other
- parts of the DNS. However, sorting of multiple RRs is
- permitted for optimization purposes, for example, to specify
- that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>.</p>
-<p>The components of a Resource Record are:</p>
+<a name="id2588865"></a>Resource Records</h4></div></div></div>
+<p>
+ A domain name identifies a node. Each node has a set of
+ resource information, which may be empty. The set of resource
+ information associated with a particular name is composed of
+ separate RRs. The order of RRs in a set is not significant and
+ need not be preserved by name servers, resolvers, or other
+ parts of the DNS. However, sorting of multiple RRs is
+ permitted for optimization purposes, for example, to specify
+ that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>.
+ </p>
+<p>
+ The components of a Resource Record are:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -3322,34 +5587,78 @@ and implemented in the DNS. These are also included.</p>
</colgroup>
<tbody>
<tr>
-<td><p>owner name</p></td>
-<td><p>the domain name where the RR is found.</p></td>
+<td>
+ <p>
+ owner name
+ </p>
+ </td>
+<td>
+ <p>
+ The domain name where the RR is found.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>type</p></td>
-<td><p>an encoded 16-bit value that specifies
-the type of the resource record.</p></td>
+<td>
+ <p>
+ type
+ </p>
+ </td>
+<td>
+ <p>
+ An encoded 16-bit value that specifies
+ the type of the resource record.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>TTL</p></td>
-<td><p>the time-to-live of the RR. This field
-is a 32-bit integer in units of seconds, and is primarily used by
-resolvers when they cache RRs. The TTL describes how long a RR can
-be cached before it should be discarded.</p></td>
+<td>
+ <p>
+ TTL
+ </p>
+ </td>
+<td>
+ <p>
+ The time-to-live of the RR. This field
+ is a 32-bit integer in units of seconds, and is
+ primarily used by
+ resolvers when they cache RRs. The TTL describes how
+ long a RR can
+ be cached before it should be discarded.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>class</p></td>
-<td><p>an encoded 16-bit value that identifies
-a protocol family or instance of a protocol.</p></td>
+<td>
+ <p>
+ class
+ </p>
+ </td>
+<td>
+ <p>
+ An encoded 16-bit value that identifies
+ a protocol family or instance of a protocol.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>RDATA</p></td>
-<td><p>the resource data. The format of the
-data is type (and sometimes class) specific.</p></td>
+<td>
+ <p>
+ RDATA
+ </p>
+ </td>
+<td>
+ <p>
+ The resource data. The format of the
+ data is type (and sometimes class) specific.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>The following are <span class="emphasis"><em>types</em></span> of valid RRs:</p>
+<p>
+ The following are <span class="emphasis"><em>types</em></span> of valid RRs:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -3357,160 +5666,463 @@ data is type (and sometimes class) specific.</p></td>
</colgroup>
<tbody>
<tr>
-<td><p>A</p></td>
-<td><p>a host address. In the IN class, this is a
-32-bit IP address. Described in RFC 1035.</p></td>
+<td>
+ <p>
+ A
+ </p>
+ </td>
+<td>
+ <p>
+ A host address. In the IN class, this is a
+ 32-bit IP address. Described in RFC 1035.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>AAAA</p></td>
-<td><p>IPv6 address. Described in RFC 1886.</p></td>
+<td>
+ <p>
+ AAAA
+ </p>
+ </td>
+<td>
+ <p>
+ IPv6 address. Described in RFC 1886.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>A6</p></td>
-<td><p>IPv6 address. This can be a partial
-address (a suffix) and an indirection to the name where the rest of the
-address (the prefix) can be found. Experimental. Described in RFC 2874.</p></td>
+<td>
+ <p>
+ A6
+ </p>
+ </td>
+<td>
+ <p>
+ IPv6 address. This can be a partial
+ address (a suffix) and an indirection to the name
+ where the rest of the
+ address (the prefix) can be found. Experimental.
+ Described in RFC 2874.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>AFSDB</p></td>
-<td><p>location of AFS database servers.
-Experimental. Described in RFC 1183.</p></td>
+<td>
+ <p>
+ AFSDB
+ </p>
+ </td>
+<td>
+ <p>
+ Location of AFS database servers.
+ Experimental. Described in RFC 1183.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>APL</p></td>
-<td><p>address prefix list. Experimental.
-Described in RFC 3123.</p></td>
+<td>
+ <p>
+ APL
+ </p>
+ </td>
+<td>
+ <p>
+ Address prefix list. Experimental.
+ Described in RFC 3123.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>CERT</p></td>
-<td><p>holds a digital certificate.
-Described in RFC 2538.</p></td>
+<td>
+ <p>
+ CERT
+ </p>
+ </td>
+<td>
+ <p>
+ Holds a digital certificate.
+ Described in RFC 2538.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>CNAME</p></td>
-<td><p>identifies the canonical name of an alias.
-Described in RFC 1035.</p></td>
+<td>
+ <p>
+ CNAME
+ </p>
+ </td>
+<td>
+ <p>
+ Identifies the canonical name of an alias.
+ Described in RFC 1035.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>DNAME</p></td>
-<td><p>Replaces the domain name specified with
-another name to be looked up, effectively aliasing an entire
-subtree of the domain name space rather than a single record
-as in the case of the CNAME RR.
-Described in RFC 2672.</p></td>
+<td>
+ <p>
+ DNAME
+ </p>
+ </td>
+<td>
+ <p>
+ Replaces the domain name specified with
+ another name to be looked up, effectively aliasing an
+ entire
+ subtree of the domain name space rather than a single
+ record
+ as in the case of the CNAME RR.
+ Described in RFC 2672.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>GPOS</p></td>
-<td><p>Specifies the global position. Superseded by LOC.</p></td>
+<td>
+ <p>
+ DNSKEY
+ </p>
+ </td>
+<td>
+ <p>
+ Stores a public key associated with a signed
+ DNS zone. Described in RFC 4034.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>HINFO</p></td>
-<td><p>identifies the CPU and OS used by a host.
-Described in RFC 1035.</p></td>
+<td>
+ <p>
+ DS
+ </p>
+ </td>
+<td>
+ <p>
+ Stores the hash of a public key associated with a
+ signed DNS zone. Described in RFC 4034.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>ISDN</p></td>
-<td><p>representation of ISDN addresses.
-Experimental. Described in RFC 1183.</p></td>
+<td>
+ <p>
+ GPOS
+ </p>
+ </td>
+<td>
+ <p>
+ Specifies the global position. Superseded by LOC.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>KEY</p></td>
-<td><p>stores a public key associated with a
-DNS name. Described in RFC 2535.</p></td>
+<td>
+ <p>
+ HINFO
+ </p>
+ </td>
+<td>
+ <p>
+ Identifies the CPU and OS used by a host.
+ Described in RFC 1035.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>KX</p></td>
-<td><p>identifies a key exchanger for this
-DNS name. Described in RFC 2230.</p></td>
+<td>
+ <p>
+ ISDN
+ </p>
+ </td>
+<td>
+ <p>
+ Representation of ISDN addresses.
+ Experimental. Described in RFC 1183.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>LOC</p></td>
-<td><p>for storing GPS info. Described in RFC 1876.
-Experimental.</p></td>
+<td>
+ <p>
+ KEY
+ </p>
+ </td>
+<td>
+ <p>
+ Stores a public key associated with a
+ DNS name. Used in original DNSSEC; replaced
+ by DNSKEY in DNSSECbis, but still used with
+ SIG(0). Described in RFCs 2535 and 2931.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>MX</p></td>
-<td><p>identifies a mail exchange for the domain.
-A 16-bit preference value (lower is better)
-followed by the host name of the mail exchange.
-Described in RFC 974, RFC 1035.</p></td>
+<td>
+ <p>
+ KX
+ </p>
+ </td>
+<td>
+ <p>
+ Identifies a key exchanger for this
+ DNS name. Described in RFC 2230.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>NAPTR</p></td>
-<td><p>name authority pointer. Described in RFC 2915.</p></td>
+<td>
+ <p>
+ LOC
+ </p>
+ </td>
+<td>
+ <p>
+ For storing GPS info. Described in RFC 1876.
+ Experimental.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>NSAP</p></td>
-<td><p>a network service access point.
-Described in RFC 1706.</p></td>
+<td>
+ <p>
+ MX
+ </p>
+ </td>
+<td>
+ <p>
+ Identifies a mail exchange for the domain with
+ a 16-bit preference value (lower is better)
+ followed by the host name of the mail exchange.
+ Described in RFC 974, RFC 1035.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>NS</p></td>
-<td><p>the authoritative name server for the
-domain. Described in RFC 1035.</p></td>
+<td>
+ <p>
+ NAPTR
+ </p>
+ </td>
+<td>
+ <p>
+ Name authority pointer. Described in RFC 2915.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>NXT</p></td>
-<td><p>used in DNSSEC to securely indicate that
-RRs with an owner name in a certain name interval do not exist in
-a zone and indicate what RR types are present for an existing name.
-Described in RFC 2535.</p></td>
+<td>
+ <p>
+ NSAP
+ </p>
+ </td>
+<td>
+ <p>
+ A network service access point.
+ Described in RFC 1706.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>PTR</p></td>
-<td><p>a pointer to another part of the domain
-name space. Described in RFC 1035.</p></td>
+<td>
+ <p>
+ NS
+ </p>
+ </td>
+<td>
+ <p>
+ The authoritative name server for the
+ domain. Described in RFC 1035.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>PX</p></td>
-<td><p>provides mappings between RFC 822 and X.400
-addresses. Described in RFC 2163.</p></td>
+<td>
+ <p>
+ NSEC
+ </p>
+ </td>
+<td>
+ <p>
+ Used in DNSSECbis to securely indicate that
+ RRs with an owner name in a certain name interval do
+ not exist in
+ a zone and indicate what RR types are present for an
+ existing name.
+ Described in RFC 4034.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>RP</p></td>
-<td><p>information on persons responsible
-for the domain. Experimental. Described in RFC 1183.</p></td>
+<td>
+ <p>
+ NXT
+ </p>
+ </td>
+<td>
+ <p>
+ Used in DNSSEC to securely indicate that
+ RRs with an owner name in a certain name interval do
+ not exist in
+ a zone and indicate what RR types are present for an
+ existing name.
+ Used in original DNSSEC; replaced by NSEC in
+ DNSSECbis.
+ Described in RFC 2535.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>RT</p></td>
-<td><p>route-through binding for hosts that
-do not have their own direct wide area network addresses.
-Experimental. Described in RFC 1183.</p></td>
+<td>
+ <p>
+ PTR
+ </p>
+ </td>
+<td>
+ <p>
+ A pointer to another part of the domain
+ name space. Described in RFC 1035.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>SIG</p></td>
-<td><p>("signature") contains data authenticated
-in the secure DNS. Described in RFC 2535.</p></td>
+<td>
+ <p>
+ PX
+ </p>
+ </td>
+<td>
+ <p>
+ Provides mappings between RFC 822 and X.400
+ addresses. Described in RFC 2163.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>SOA</p></td>
-<td><p>identifies the start of a zone of authority.
-Described in RFC 1035.</p></td>
+<td>
+ <p>
+ RP
+ </p>
+ </td>
+<td>
+ <p>
+ Information on persons responsible
+ for the domain. Experimental. Described in RFC 1183.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>SRV</p></td>
-<td><p>information about well known network
-services (replaces WKS). Described in RFC 2782.</p></td>
+<td>
+ <p>
+ RRSIG
+ </p>
+ </td>
+<td>
+ <p>
+ Contains DNSSECbis signature data. Described
+ in RFC 4034.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>TXT</p></td>
-<td><p>text records. Described in RFC 1035.</p></td>
+<td>
+ <p>
+ RT
+ </p>
+ </td>
+<td>
+ <p>
+ Route-through binding for hosts that
+ do not have their own direct wide area network
+ addresses.
+ Experimental. Described in RFC 1183.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>WKS</p></td>
-<td><p>information about which well known
-network services, such as SMTP, that a domain supports. Historical.
-</p></td>
+<td>
+ <p>
+ SIG
+ </p>
+ </td>
+<td>
+ <p>
+ Contains DNSSEC signature data. Used in
+ original DNSSEC; replaced by RRSIG in
+ DNSSECbis, but still used for SIG(0).
+ Described in RFCs 2535 and 2931.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>X25</p></td>
-<td><p>representation of X.25 network addresses.
-Experimental. Described in RFC 1183.</p></td>
+<td>
+ <p>
+ SOA
+ </p>
+ </td>
+<td>
+ <p>
+ Identifies the start of a zone of authority.
+ Described in RFC 1035.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ SRV
+ </p>
+ </td>
+<td>
+ <p>
+ Information about well known network
+ services (replaces WKS). Described in RFC 2782.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ TXT
+ </p>
+ </td>
+<td>
+ <p>
+ Text records. Described in RFC 1035.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ WKS
+ </p>
+ </td>
+<td>
+ <p>
+ Information about which well known
+ network services, such as SMTP, that a domain
+ supports. Historical.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p>
+ X25
+ </p>
+ </td>
+<td>
+ <p>
+ Representation of X.25 network addresses.
+ Experimental. Described in RFC 1183.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>The following <span class="emphasis"><em>classes</em></span> of resource records
-are currently valid in the DNS:</p>
+<p>
+ The following <span class="emphasis"><em>classes</em></span> of resource records
+ are currently valid in the DNS:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -3518,72 +6130,131 @@ are currently valid in the DNS:</p>
</colgroup>
<tbody>
<tr>
-<td><p>IN</p></td>
-<td><p>The Internet.</p></td>
+<td>
+ <p>
+ IN
+ </p>
+ </td>
+<td>
+ <p>
+ The Internet.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>CH</p></td>
-<td><p>
-CHAOSnet, a LAN protocol created at MIT in the mid-1970s.
-Rarely used for its historical purpose, but reused for BIND's
-built-in server information zones, e.g.,
-<code class="literal">version.bind</code>.
-</p></td>
+<td>
+ <p>
+ CH
+ </p>
+ </td>
+<td>
+ <p>
+ CHAOSnet, a LAN protocol created at MIT in the
+ mid-1970s.
+ Rarely used for its historical purpose, but reused for
+ BIND's
+ built-in server information zones, e.g.,
+ <code class="literal">version.bind</code>.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>HS</p></td>
-<td><p>
-Hesiod, an information service
-developed by MIT's Project Athena. It is used to share information
-about various systems databases, such as users, groups, printers
-and so on.
-</p></td>
+<td>
+ <p>
+ HS
+ </p>
+ </td>
+<td>
+ <p>
+ Hesiod, an information service
+ developed by MIT's Project Athena. It is used to share
+ information
+ about various systems databases, such as users,
+ groups, printers
+ and so on.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>The owner name is often implicit, rather than forming an integral
-part of the RR. For example, many name servers internally form tree
-or hash structures for the name space, and chain RRs off nodes.
- The remaining RR parts are the fixed header (type, class, TTL)
-which is consistent for all RRs, and a variable part (RDATA) that
-fits the needs of the resource being described.</p>
-<p>The meaning of the TTL field is a time limit on how long an
-RR can be kept in a cache. This limit does not apply to authoritative
-data in zones; it is also timed out, but by the refreshing policies
-for the zone. The TTL is assigned by the administrator for the
-zone where the data originates. While short TTLs can be used to
-minimize caching, and a zero TTL prohibits caching, the realities
-of Internet performance suggest that these times should be on the
-order of days for the typical host. If a change can be anticipated,
-the TTL can be reduced prior to the change to minimize inconsistency
-during the change, and then increased back to its former value following
-the change.</p>
-<p>The data in the RDATA section of RRs is carried as a combination
-of binary strings and domain names. The domain names are frequently
-used as "pointers" to other data in the DNS.</p>
+<p>
+ The owner name is often implicit, rather than forming an
+ integral
+ part of the RR. For example, many name servers internally form
+ tree
+ or hash structures for the name space, and chain RRs off nodes.
+ The remaining RR parts are the fixed header (type, class, TTL)
+ which is consistent for all RRs, and a variable part (RDATA)
+ that
+ fits the needs of the resource being described.
+ </p>
+<p>
+ The meaning of the TTL field is a time limit on how long an
+ RR can be kept in a cache. This limit does not apply to
+ authoritative
+ data in zones; it is also timed out, but by the refreshing
+ policies
+ for the zone. The TTL is assigned by the administrator for the
+ zone where the data originates. While short TTLs can be used to
+ minimize caching, and a zero TTL prohibits caching, the
+ realities
+ of Internet performance suggest that these times should be on
+ the
+ order of days for the typical host. If a change can be
+ anticipated,
+ the TTL can be reduced prior to the change to minimize
+ inconsistency
+ during the change, and then increased back to its former value
+ following
+ the change.
+ </p>
+<p>
+ The data in the RDATA section of RRs is carried as a combination
+ of binary strings and domain names. The domain names are
+ frequently
+ used as "pointers" to other data in the DNS.
+ </p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2590180"></a>Textual expression of RRs</h4></div></div></div>
-<p>RRs are represented in binary form in the packets of the DNS
-protocol, and are usually represented in highly encoded form when
-stored in a name server or resolver. In the examples provided in
-RFC 1034, a style similar to that used in master files was employed
-in order to show the contents of RRs. In this format, most RRs
-are shown on a single line, although continuation lines are possible
-using parentheses.</p>
-<p>The start of the line gives the owner of the RR. If a line
-begins with a blank, then the owner is assumed to be the same as
-that of the previous RR. Blank lines are often included for readability.</p>
-<p>Following the owner, we list the TTL, type, and class of the
-RR. Class and type use the mnemonics defined above, and TTL is
-an integer before the type field. In order to avoid ambiguity in
-parsing, type and class mnemonics are disjoint, TTLs are integers,
-and the type mnemonic is always last. The IN class and TTL values
-are often omitted from examples in the interests of clarity.</p>
-<p>The resource data or RDATA section of the RR are given using
-knowledge of the typical representation for the data.</p>
-<p>For example, we might show the RRs carried in a message as:</p>
+<a name="id2590279"></a>Textual expression of RRs</h4></div></div></div>
+<p>
+ RRs are represented in binary form in the packets of the DNS
+ protocol, and are usually represented in highly encoded form
+ when
+ stored in a name server or resolver. In the examples provided
+ in
+ RFC 1034, a style similar to that used in master files was
+ employed
+ in order to show the contents of RRs. In this format, most RRs
+ are shown on a single line, although continuation lines are
+ possible
+ using parentheses.
+ </p>
+<p>
+ The start of the line gives the owner of the RR. If a line
+ begins with a blank, then the owner is assumed to be the same as
+ that of the previous RR. Blank lines are often included for
+ readability.
+ </p>
+<p>
+ Following the owner, we list the TTL, type, and class of the
+ RR. Class and type use the mnemonics defined above, and TTL is
+ an integer before the type field. In order to avoid ambiguity
+ in
+ parsing, type and class mnemonics are disjoint, TTLs are
+ integers,
+ and the type mnemonic is always last. The IN class and TTL
+ values
+ are often omitted from examples in the interests of clarity.
+ </p>
+<p>
+ The resource data or RDATA section of the RR are given using
+ knowledge of the typical representation for the data.
+ </p>
+<p>
+ For example, we might show the RRs carried in a message as:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -3592,43 +6263,116 @@ knowledge of the typical representation for the data.</p>
</colgroup>
<tbody>
<tr>
-<td><p><code class="literal">ISI.EDU.</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10 VENERA.ISI.EDU.</code></p></td>
+<td>
+ <p>
+ <code class="literal">ISI.EDU.</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">MX</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10 VENERA.ISI.EDU.</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10 VAXA.ISI.EDU</code></p></td>
+<td>
+ <p></p>
+ </td>
+<td>
+ <p>
+ <code class="literal">MX</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10 VAXA.ISI.EDU</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="literal">VENERA.ISI.EDU</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">128.9.0.32</code></p></td>
+<td>
+ <p>
+ <code class="literal">VENERA.ISI.EDU</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">A</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">128.9.0.32</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.1.0.52</code></p></td>
+<td>
+ <p></p>
+ </td>
+<td>
+ <p>
+ <code class="literal">A</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10.1.0.52</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="literal">VAXA.ISI.EDU</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.2.0.27</code></p></td>
+<td>
+ <p>
+ <code class="literal">VAXA.ISI.EDU</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">A</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10.2.0.27</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">128.9.0.33</code></p></td>
+<td>
+ <p></p>
+ </td>
+<td>
+ <p>
+ <code class="literal">A</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">128.9.0.33</code>
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>The MX RRs have an RDATA section which consists of a 16-bit
-number followed by a domain name. The address RRs use a standard
-IP address format to contain a 32-bit internet address.</p>
-<p>The above example shows six RRs, with two RRs at each of three
-domain names.</p>
-<p>Similarly we might see:</p>
+<p>
+ The MX RRs have an RDATA section which consists of a 16-bit
+ number followed by a domain name. The address RRs use a
+ standard
+ IP address format to contain a 32-bit internet address.
+ </p>
+<p>
+ The above example shows six RRs, with two RRs at each of three
+ domain names.
+ </p>
+<p>
+ Similarly we might see:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -3637,45 +6381,83 @@ domain names.</p>
</colgroup>
<tbody>
<tr>
-<td><p><code class="literal">XX.LCS.MIT.EDU. IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.44</code></p></td>
+<td>
+ <p>
+ <code class="literal">XX.LCS.MIT.EDU.</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">IN A</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10.0.0.44</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="literal">CH</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">MIT.EDU. 2420</code></p></td>
+<td> </td>
+<td>
+ <p>
+ <code class="literal">CH A</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">MIT.EDU. 2420</code>
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>This example shows two addresses for <code class="literal">XX.LCS.MIT.EDU</code>,
-each of a different class.</p>
+<p>
+ This example shows two addresses for
+ <code class="literal">XX.LCS.MIT.EDU</code>, each of a different class.
+ </p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2590605"></a>Discussion of MX Records</h3></div></div></div>
-<p>As described above, domain servers store information as a
-series of resource records, each of which contains a particular
-piece of information about a given domain name (which is usually,
-but not always, a host). The simplest way to think of a RR is as
-a typed pair of data, a domain name matched with a relevant datum,
-and stored with some additional type information to help systems
-determine when the RR is relevant.</p>
-<p>MX records are used to control delivery of email. The data
-specified in the record is a priority and a domain name. The priority
-controls the order in which email delivery is attempted, with the
-lowest number first. If two priorities are the same, a server is
-chosen randomly. If no servers at a given priority are responding,
-the mail transport agent will fall back to the next largest priority.
-Priority numbers do not have any absolute meaning &#8212; they are relevant
-only respective to other MX records for that domain name. The domain
-name given is the machine to which the mail will be delivered. It <span class="emphasis"><em>must</em></span> have
-an associated A record &#8212; CNAME is not sufficient.</p>
-<p>For a given domain, if there is both a CNAME record and an
-MX record, the MX record is in error, and will be ignored. Instead,
-the mail will be delivered to the server specified in the MX record
-pointed to by the CNAME.</p>
+<a name="id2590800"></a>Discussion of MX Records</h3></div></div></div>
+<p>
+ As described above, domain servers store information as a
+ series of resource records, each of which contains a particular
+ piece of information about a given domain name (which is usually,
+ but not always, a host). The simplest way to think of a RR is as
+ a typed pair of data, a domain name matched with a relevant datum,
+ and stored with some additional type information to help systems
+ determine when the RR is relevant.
+ </p>
+<p>
+ MX records are used to control delivery of email. The data
+ specified in the record is a priority and a domain name. The
+ priority
+ controls the order in which email delivery is attempted, with the
+ lowest number first. If two priorities are the same, a server is
+ chosen randomly. If no servers at a given priority are responding,
+ the mail transport agent will fall back to the next largest
+ priority.
+ Priority numbers do not have any absolute meaning &#8212; they are
+ relevant
+ only respective to other MX records for that domain name. The
+ domain
+ name given is the machine to which the mail will be delivered.
+ It <span class="emphasis"><em>must</em></span> have an associated address record
+ (A or AAAA) &#8212; CNAME is not sufficient.
+ </p>
+<p>
+ For a given domain, if there is both a CNAME record and an
+ MX record, the MX record is in error, and will be ignored.
+ Instead,
+ the mail will be delivered to the server specified in the MX
+ record
+ pointed to by the CNAME.
+ </p>
+<p>
+ For example:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -3686,56 +6468,152 @@ pointed to by the CNAME.</p>
</colgroup>
<tbody>
<tr>
-<td><p><code class="literal">example.com.</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10</code></p></td>
-<td><p><code class="literal">mail.example.com.</code></p></td>
+<td>
+ <p>
+ <code class="literal">example.com.</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">IN</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">MX</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">mail.example.com.</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10</code></p></td>
-<td><p><code class="literal">mail2.example.com.</code></p></td>
+<td>
+ <p></p>
+ </td>
+<td>
+ <p>
+ <code class="literal">IN</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">MX</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">mail2.example.com.</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">20</code></p></td>
-<td><p><code class="literal">mail.backup.org.</code></p></td>
+<td>
+ <p></p>
+ </td>
+<td>
+ <p>
+ <code class="literal">IN</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">MX</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">20</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">mail.backup.org.</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="literal">mail.example.com.</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.1</code></p></td>
-<td><p></p></td>
+<td>
+ <p>
+ <code class="literal">mail.example.com.</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">IN</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">A</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10.0.0.1</code>
+ </p>
+ </td>
+<td>
+ <p></p>
+ </td>
</tr>
<tr>
-<td><p><code class="literal">mail2.example.com.</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.2</code></p></td>
-<td><p></p></td>
+<td>
+ <p>
+ <code class="literal">mail2.example.com.</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">IN</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">A</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">10.0.0.2</code>
+ </p>
+ </td>
+<td>
+ <p></p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>For example:</p>
-<p>Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
-<code class="literal">mail2.example.com</code> (in
-any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
-be attempted.</p>
+<p>
+ Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
+ <code class="literal">mail2.example.com</code> (in
+ any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
+ be attempted.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div>
-<p>The time-to-live of the RR field is a 32-bit integer represented
-in units of seconds, and is primarily used by resolvers when they
-cache RRs. The TTL describes how long a RR can be cached before it
-should be discarded. The following three types of TTL are currently
-used in a zone file.</p>
+<p>
+ The time-to-live of the RR field is a 32-bit integer represented
+ in units of seconds, and is primarily used by resolvers when they
+ cache RRs. The TTL describes how long a RR can be cached before it
+ should be discarded. The following three types of TTL are
+ currently
+ used in a zone file.
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -3743,46 +6621,79 @@ used in a zone file.</p>
</colgroup>
<tbody>
<tr>
-<td><p>SOA</p></td>
<td>
-<p>The last field in the SOA is the negative
-caching TTL. This controls how long other servers will cache no-such-domain
-(NXDOMAIN) responses from you.</p>
-<p>The maximum time for
-negative caching is 3 hours (3h).</p>
-</td>
+ <p>
+ SOA
+ </p>
+ </td>
+<td>
+ <p>
+ The last field in the SOA is the negative
+ caching TTL. This controls how long other servers will
+ cache no-such-domain
+ (NXDOMAIN) responses from you.
+ </p>
+ <p>
+ The maximum time for
+ negative caching is 3 hours (3h).
+ </p>
+ </td>
</tr>
<tr>
-<td><p>$TTL</p></td>
-<td><p>The $TTL directive at the top of the
-zone file (before the SOA) gives a default TTL for every RR without
-a specific TTL set.</p></td>
+<td>
+ <p>
+ $TTL
+ </p>
+ </td>
+<td>
+ <p>
+ The $TTL directive at the top of the
+ zone file (before the SOA) gives a default TTL for every
+ RR without
+ a specific TTL set.
+ </p>
+ </td>
</tr>
<tr>
-<td><p>RR TTLs</p></td>
-<td><p>Each RR can have a TTL as the second
-field in the RR, which will control how long other servers can cache
-the it.</p></td>
+<td>
+ <p>
+ RR TTLs
+ </p>
+ </td>
+<td>
+ <p>
+ Each RR can have a TTL as the second
+ field in the RR, which will control how long other
+ servers can cache
+ the it.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>All of these TTLs default to units of seconds, though units
-can be explicitly specified, for example, <code class="literal">1h30m</code>. </p>
+<p>
+ All of these TTLs default to units of seconds, though units
+ can be explicitly specified, for example, <code class="literal">1h30m</code>.
+ </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2591102"></a>Inverse Mapping in IPv4</h3></div></div></div>
-<p>Reverse name resolution (that is, translation from IP address
-to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
-and PTR records. Entries in the in-addr.arpa domain are made in
-least-to-most significant order, read left to right. This is the
-opposite order to the way IP addresses are usually written. Thus,
-a machine with an IP address of 10.1.2.3 would have a corresponding
-in-addr.arpa name of
-3.2.1.10.in-addr.arpa. This name should have a PTR resource record
-whose data field is the name of the machine or, optionally, multiple
-PTR records if the machine has more than one name. For example,
-in the [<span class="optional">example.com</span>] domain:</p>
+<a name="id2591419"></a>Inverse Mapping in IPv4</h3></div></div></div>
+<p>
+ Reverse name resolution (that is, translation from IP address
+ to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
+ and PTR records. Entries in the in-addr.arpa domain are made in
+ least-to-most significant order, read left to right. This is the
+ opposite order to the way IP addresses are usually written. Thus,
+ a machine with an IP address of 10.1.2.3 would have a
+ corresponding
+ in-addr.arpa name of
+ 3.2.1.10.in-addr.arpa. This name should have a PTR resource record
+ whose data field is the name of the machine or, optionally,
+ multiple
+ PTR records if the machine has more than one name. For example,
+ in the [<span class="optional">example.com</span>] domain:
+ </p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
@@ -3790,95 +6701,167 @@ in the [<span class="optional">example.com</span>] domain:</p>
</colgroup>
<tbody>
<tr>
-<td><p><code class="literal">$ORIGIN</code></p></td>
-<td><p><code class="literal">2.1.10.in-addr.arpa</code></p></td>
+<td>
+ <p>
+ <code class="literal">$ORIGIN</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">2.1.10.in-addr.arpa</code>
+ </p>
+ </td>
</tr>
<tr>
-<td><p><code class="literal">3</code></p></td>
-<td><p><code class="literal">IN PTR foo.example.com.</code></p></td>
+<td>
+ <p>
+ <code class="literal">3</code>
+ </p>
+ </td>
+<td>
+ <p>
+ <code class="literal">IN PTR foo.example.com.</code>
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
-<p>The <span><strong class="command">$ORIGIN</strong></span> lines in the examples
-are for providing context to the examples only-they do not necessarily
-appear in the actual usage. They are only used here to indicate
-that the example is relative to the listed origin.</p>
+<p>
+ The <span><strong class="command">$ORIGIN</strong></span> lines in the examples
+ are for providing context to the examples only-they do not
+ necessarily
+ appear in the actual usage. They are only used here to indicate
+ that the example is relative to the listed origin.
+ </p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2591208"></a>Other Zone File Directives</h3></div></div></div>
-<p>The Master File Format was initially defined in RFC 1035 and
-has subsequently been extended. While the Master File Format itself
-is class independent all records in a Master File must be of the same
-class.</p>
-<p>Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
-and <span><strong class="command">$TTL.</strong></span></p>
+<a name="id2591546"></a>Other Zone File Directives</h3></div></div></div>
+<p>
+ The Master File Format was initially defined in RFC 1035 and
+ has subsequently been extended. While the Master File Format
+ itself
+ is class independent all records in a Master File must be of the
+ same
+ class.
+ </p>
+<p>
+ Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
+ and <span><strong class="command">$TTL.</strong></span>
+ </p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2591227"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
-<p>Syntax: <span><strong class="command">$ORIGIN
-</strong></span><em class="replaceable"><code>domain-name</code></em> [<span class="optional"> <em class="replaceable"><code>comment</code></em></span>]</p>
-<p><span><strong class="command">$ORIGIN</strong></span> sets the domain name that will
-be appended to any unqualified records. When a zone is first read
-in there is an implicit <span><strong class="command">$ORIGIN</strong></span> &lt;<code class="varname">zone-name</code>&gt;<span><strong class="command">.</strong></span> The
-current <span><strong class="command">$ORIGIN</strong></span> is appended to the domain specified
-in the <span><strong class="command">$ORIGIN</strong></span> argument if it is not absolute.</p>
-<pre class="programlisting">$ORIGIN example.com.
-WWW CNAME MAIN-SERVER</pre>
-<p>is equivalent to</p>
-<pre class="programlisting">WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</pre>
+<a name="id2591569"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
+<p>
+ Syntax: <span><strong class="command">$ORIGIN</strong></span>
+ <em class="replaceable"><code>domain-name</code></em>
+ [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
+ </p>
+<p><span><strong class="command">$ORIGIN</strong></span>
+ sets the domain name that will be appended to any
+ unqualified records. When a zone is first read in there
+ is an implicit <span><strong class="command">$ORIGIN</strong></span>
+ &lt;<code class="varname">zone-name</code>&gt;<span><strong class="command">.</strong></span>
+ The current <span><strong class="command">$ORIGIN</strong></span> is appended to
+ the domain specified in the <span><strong class="command">$ORIGIN</strong></span>
+ argument if it is not absolute.
+ </p>
+<pre class="programlisting">
+$ORIGIN example.com.
+WWW CNAME MAIN-SERVER
+</pre>
+<p>
+ is equivalent to
+ </p>
+<pre class="programlisting">
+WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
+</pre>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2591283"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
-<p>Syntax: <span><strong class="command">$INCLUDE</strong></span>
-<em class="replaceable"><code>filename</code></em> [<span class="optional">
-<em class="replaceable"><code>origin</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]</p>
-<p>Read and process the file <code class="filename">filename</code> as
-if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
-specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set
-to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is
-used.</p>
-<p>The origin and the current domain name
-revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
-the file has been read.</p>
+<a name="id2591629"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
+<p>
+ Syntax: <span><strong class="command">$INCLUDE</strong></span>
+ <em class="replaceable"><code>filename</code></em>
+ [<span class="optional">
+<em class="replaceable"><code>origin</code></em> </span>]
+ [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]
+ </p>
+<p>
+ Read and process the file <code class="filename">filename</code> as
+ if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
+ specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set
+ to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is
+ used.
+ </p>
+<p>
+ The origin and the current domain name
+ revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
+ the file has been read.
+ </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
-RFC 1035 specifies that the current origin should be restored after
-an <span><strong class="command">$INCLUDE</strong></span>, but it is silent on whether the current
-domain name should also be restored. BIND 9 restores both of them.
-This could be construed as a deviation from RFC 1035, a feature, or both.
-</p>
+ RFC 1035 specifies that the current origin should be restored
+ after
+ an <span><strong class="command">$INCLUDE</strong></span>, but it is silent
+ on whether the current
+ domain name should also be restored. BIND 9 restores both of
+ them.
+ This could be construed as a deviation from RFC 1035, a
+ feature, or both.
+ </p>
</div>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
-<a name="id2591346"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
-<p>Syntax: <span><strong class="command">$TTL</strong></span>
-<em class="replaceable"><code>default-ttl</code></em> [<span class="optional">
-<em class="replaceable"><code>comment</code></em> </span>]</p>
-<p>Set the default Time To Live (TTL) for subsequent records
-with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.</p>
-<p><span><strong class="command">$TTL</strong></span> is defined in RFC 2308.</p>
+<a name="id2591767"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
+<p>
+ Syntax: <span><strong class="command">$TTL</strong></span>
+ <em class="replaceable"><code>default-ttl</code></em>
+ [<span class="optional">
+<em class="replaceable"><code>comment</code></em> </span>]
+ </p>
+<p>
+ Set the default Time To Live (TTL) for subsequent records
+ with undefined TTLs. Valid TTLs are of the range 0-2147483647
+ seconds.
+ </p>
+<p><span><strong class="command">$TTL</strong></span>
+ is defined in RFC 2308.
+ </p>
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
-<a name="id2591377"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
-<p>Syntax: <span><strong class="command">$GENERATE</strong></span> <em class="replaceable"><code>range</code></em> <em class="replaceable"><code>lhs</code></em> [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>] [<span class="optional"><em class="replaceable"><code>class</code></em></span>] <em class="replaceable"><code>type</code></em> <em class="replaceable"><code>rhs</code></em> [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]</p>
-<p><span><strong class="command">$GENERATE</strong></span> is used to create a series of
-resource records that only differ from each other by an iterator. <span><strong class="command">$GENERATE</strong></span> can
-be used to easily generate the sets of records required to support
-sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA
-delegation.</p>
+<a name="id2591803"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
+<p>
+ Syntax: <span><strong class="command">$GENERATE</strong></span>
+ <em class="replaceable"><code>range</code></em>
+ <em class="replaceable"><code>lhs</code></em>
+ [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>]
+ [<span class="optional"><em class="replaceable"><code>class</code></em></span>]
+ <em class="replaceable"><code>type</code></em>
+ <em class="replaceable"><code>rhs</code></em>
+ [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
+ </p>
+<p><span><strong class="command">$GENERATE</strong></span>
+ is used to create a series of resource records that only
+ differ from each other by an
+ iterator. <span><strong class="command">$GENERATE</strong></span> can be used to
+ easily generate the sets of records required to support
+ sub /24 reverse delegations described in RFC 2317:
+ Classless IN-ADDR.ARPA delegation.
+ </p>
<pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA.
$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
$GENERATE 1-127 $ CNAME $.0</pre>
-<p>is equivalent to</p>
+<p>
+ is equivalent to
+ </p>
<pre class="programlisting">0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
@@ -3893,72 +6876,168 @@ $GENERATE 1-127 $ CNAME $.0</pre>
</colgroup>
<tbody>
<tr>
-<td><p><span><strong class="command">range</strong></span></p></td>
-<td><p>This can be one of two forms: start-stop
-or start-stop/step. If the first form is used, then step is set to
- 1. All of start, stop and step must be positive.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">lhs</strong></span></p></td>
-<td>
-<p><span><strong class="command">lhs</strong></span> describes the
-owner name of the resource records to be created. Any single
-<span><strong class="command">$</strong></span> (dollar sign) symbols
-within the <span><strong class="command">lhs</strong></span> side are replaced by the iterator
-value.
-To get a $ in the output you need to escape the <span><strong class="command">$</strong></span>
-using a backslash <span><strong class="command">\</strong></span>,
-e.g. <span><strong class="command">\$</strong></span>. The <span><strong class="command">$</strong></span> may optionally be followed
-by modifiers which change the offset from the iterator, field width and base.
-Modifiers are introduced by a <span><strong class="command">{</strong></span> immediately following the
-<span><strong class="command">$</strong></span> as <span><strong class="command">${offset[,width[,base]]}</strong></span>.
-For example, <span><strong class="command">${-20,3,d}</strong></span> which subtracts 20 from the current value,
-prints the result as a decimal in a zero-padded field of width 3. Available
-output forms are decimal (<span><strong class="command">d</strong></span>), octal (<span><strong class="command">o</strong></span>)
-and hexadecimal (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span> for uppercase).
-The default modifier is <span><strong class="command">${0,0,d}</strong></span>.
-If the <span><strong class="command">lhs</strong></span> is not
-absolute, the current <span><strong class="command">$ORIGIN</strong></span> is appended to
-the name.</p>
-<p>For compatibility with earlier versions, <span><strong class="command">$$</strong></span> is still
-recognized as indicating a literal $ in the output.</p>
-</td>
+<td>
+ <p><span><strong class="command">range</strong></span></p>
+ </td>
+<td>
+ <p>
+ This can be one of two forms: start-stop
+ or start-stop/step. If the first form is used, then step
+ is set to
+ 1. All of start, stop and step must be positive.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">ttl</strong></span></p></td>
<td>
-<p>Specifies the
- ttl of the generated records. If not specified this will be
- inherited using the normal ttl inheritance rules.</p>
- <p><span><strong class="command">class</strong></span> and <span><strong class="command">ttl</strong></span> can be
- entered in either order.</p>
-</td>
+ <p><span><strong class="command">lhs</strong></span></p>
+ </td>
+<td>
+ <p><span><strong class="command">lhs</strong></span>
+ describes the owner name of the resource records
+ to be created. Any single <span><strong class="command">$</strong></span>
+ (dollar sign)
+ symbols within the <span><strong class="command">lhs</strong></span> side
+ are replaced by the iterator value.
+
+ To get a $ in the output you need to escape the
+ <span><strong class="command">$</strong></span> using a backslash
+ <span><strong class="command">\</strong></span>,
+ e.g. <span><strong class="command">\$</strong></span>. The
+ <span><strong class="command">$</strong></span> may optionally be followed
+ by modifiers which change the offset from the
+ iterator, field width and base.
+
+ Modifiers are introduced by a
+ <span><strong class="command">{</strong></span> immediately following the
+ <span><strong class="command">$</strong></span> as
+ <span><strong class="command">${offset[,width[,base]]}</strong></span>.
+ For example, <span><strong class="command">${-20,3,d}</strong></span>
+ subtracts 20 from the current value, prints the
+ result as a decimal in a zero-padded field of
+ width 3.
+
+ Available output forms are decimal
+ (<span><strong class="command">d</strong></span>), octal
+ (<span><strong class="command">o</strong></span>) and hexadecimal
+ (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span>
+ for uppercase). The default modifier is
+ <span><strong class="command">${0,0,d}</strong></span>. If the
+ <span><strong class="command">lhs</strong></span> is not absolute, the
+ current <span><strong class="command">$ORIGIN</strong></span> is appended
+ to the name.
+ </p>
+ <p>
+ For compatibility with earlier versions, <span><strong class="command">$$</strong></span> is still
+ recognized as indicating a literal $ in the output.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">class</strong></span></p></td>
<td>
-<p>Specifies the
- class of the generated records. This must match the zone class if
- it is specified.</p>
- <p><span><strong class="command">class</strong></span> and <span><strong class="command">ttl</strong></span> can be
- entered in either order.</p>
-</td>
+ <p><span><strong class="command">ttl</strong></span></p>
+ </td>
+<td>
+ <p>
+ Specifies the time-to-live of the generated records. If
+ not specified this will be inherited using the
+ normal ttl inheritance rules.
+ </p>
+ <p><span><strong class="command">class</strong></span>
+ and <span><strong class="command">ttl</strong></span> can be
+ entered in either order.
+ </p>
+ </td>
+</tr>
+<tr>
+<td>
+ <p><span><strong class="command">class</strong></span></p>
+ </td>
+<td>
+ <p>
+ Specifies the class of the generated records.
+ This must match the zone class if it is
+ specified.
+ </p>
+ <p><span><strong class="command">class</strong></span>
+ and <span><strong class="command">ttl</strong></span> can be
+ entered in either order.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">type</strong></span></p></td>
-<td><p>At present the only supported types are
-PTR, CNAME, DNAME, A, AAAA and NS.</p></td>
+<td>
+ <p><span><strong class="command">type</strong></span></p>
+ </td>
+<td>
+ <p>
+ At present the only supported types are
+ PTR, CNAME, DNAME, A, AAAA and NS.
+ </p>
+ </td>
</tr>
<tr>
-<td><p><span><strong class="command">rhs</strong></span></p></td>
-<td><p>A domain name. It is processed
-similarly to lhs.</p></td>
+<td>
+ <p><span><strong class="command">rhs</strong></span></p>
+ </td>
+<td>
+ <p>
+ A domain name. It is processed
+ similarly to lhs.
+ </p>
+ </td>
</tr>
</tbody>
</table></div>
-<p>The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
-and not part of the standard zone file format.</p>
-<p>BIND 8 does not support the optional TTL and CLASS fields.</p>
+<p>
+ The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
+ and not part of the standard zone file format.
+ </p>
+<p>
+ BIND 8 does not support the optional TTL and CLASS fields.
+ </p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="zonefile_format"></a>Additional File Formats</h3></div></div></div>
+<p>
+ In addition to the standard textual format, BIND 9
+ supports the ability to read or dump to zone files in
+ other formats. The <code class="constant">raw</code> format is
+ currently available as an additional format. It is a
+ binary format representing BIND 9's internal data
+ structure directly, thereby remarkably improving the
+ loading time.
+ </p>
+<p>
+ For a primary server, a zone file in the
+ <code class="constant">raw</code> format is expected to be
+ generated from a textual zone file by the
+ <span><strong class="command">named-compilezone</strong></span> command. For a
+ secondary server or for a dynamic zone, it is automatically
+ generated (if this format is specified by the
+ <span><strong class="command">masterfile-format</strong></span> option) when
+ <span><strong class="command">named</strong></span> dumps the zone contents after
+ zone transfer or when applying prior updates.
+ </p>
+<p>
+ If a zone file in a binary format needs manual modification,
+ it first must be converted to a textual form by the
+ <span><strong class="command">named-compilezone</strong></span> command. All
+ necessary modification should go to the text file, which
+ should then be converted to the binary form by the
+ <span><strong class="command">named-compilezone</strong></span> command again.
+ </p>
+<p>
+ Although the <code class="constant">raw</code> format uses the
+ network byte order and avoids architecture-dependent
+ data alignment so that it is as much portable as
+ possible, it is primarily expected to be used inside
+ the same single system. In order to export a zone
+ file in the <code class="constant">raw</code> format or make a
+ portable backup of the file, it is recommended to
+ convert the file to the standard textual representation.
+ </p>
</div>
</div>
</div>
OpenPOWER on IntegriCloud