diff options
Diffstat (limited to 'usr.sbin/named/OPTIONS')
| -rw-r--r-- | usr.sbin/named/OPTIONS | 411 |
1 files changed, 0 insertions, 411 deletions
diff --git a/usr.sbin/named/OPTIONS b/usr.sbin/named/OPTIONS deleted file mode 100644 index ccc5e27..0000000 --- a/usr.sbin/named/OPTIONS +++ /dev/null @@ -1,411 +0,0 @@ -OPTIONS - Original: Paul Vixie, 28Mar92 - Revised: $Id: OPTIONS,v 8.5 1995/12/29 21:08:13 vixie Exp $ - -Options available in this version of BIND are controlled by conf/options.h, -rather than by $(DEFS) in the Makefile. The options are: - -DEBUG (origin: U C Berkeley) - enables the -d command line option, and allows SIGUSR1 to increment -and SIGUSR2 to clear the internal variable "debug", which in turn controls -hundreds of fprintf()'s out to /usr/tmp/named.run. - you probably want this. it makes the binary bigger but not slower (or -at least not much slower), but SIGUSR[12] are the only way you'll track down -misconfigured name servers that hose you down with billions of bogus requests. - you may need this, it is on by default. - -ALLOW_T_UNSPEC (origin: MIT Project Athena) - enables the "unspec" RR type for ancient Athena software that does not -know about TXT RR's. - you probably do not care about this, it is off by default. - -ALLOW_UPDATES (origin: Mike Schwartz, University of Washington) - enables "dynamic updates", described in "doc/DynamicUpdate". this lets -you update named's in-memory database on the fly if you have the right client. -there is absolutely no security around this; if you enable it, anyone who can -reach your server can update your database. - this code doesn't compile any more and will be removed shortly. - -INVQ (origin: U C Berkeley, with #ifdef's by Paul Vixie) - enables "inverse queries", which in all of the internet only one -client ever uses: ancient nslookup. if you build named with INVQ defined, -you get the time-honored behaviour of supporting this whole class of queries -for no real purpose other than to waste a few hundred kilobytes of your -memory and about 3% of named's total CPU time. if you build with INVQ -undefined, old nslookups will not be able to reach your server in their -startup phase, and you will have to use the "server" command after it fails -over to some other server, or use "nslookup - 0" to get in from the shell. - you probably do not want this. - -DSTORAGE (origin: U C Berkeley, with #ifdef's by Paul Vixie) - enables a malloc-debugger that checks for overruns on both ends of -each allocated block of memory. used when debugging since C has no bounds -or type checking. - you probably do not want this, it is off by default. - -DMALLOC (origin: Paul Vixie of Digital) - enables a malloc-debugger that traces all allocated blocks of memory -such that SIGIOT's output (see STATS option) includes a list of all mallocs -in the program, how many times each has been called, how many blocks of memory -allocated by that malloc are not yet free, and how many bytes they use up. -under each one will be a list of each free/realloc that has deallocated a block -of that malloc's memory, and how many times it has done so. - this is extremely helpful for finding memory leaks. as such, you -probably do not want this unless you are debugging named. - you probably do not need this, it is off by default. - -XFRNETS (origin: Paul Vixie of Digital) - enables the "xfrnets" command in named.boot. this has the same -syntax as "forwarders" and "sortlist" -- that is, a list of dotted quads. -each one is a network (16.0.0.0 and 130.180.0.0 are examples) or a host. -if you put any xfrnets commands into your named.boot, then zone transfers -will only be honored if they come from inside one of the specified -networks. this is very useful if you want to keep people outside from -being able to trivially map your entire network, but it doesn't stop them -from iterating so it's more annoying than secure. - this feature was once called "tcplist" out of ignorance on my part, -but with advice from phil almquist i decided to rename it "xfrnets" and make -it only control zone transfers -- previously it controlled all TCP connections -which made certain TCP-only resolvers unable to use our servers. the "tcplist" -syntax still works; it is a synonym for "xfrnets". - it is also nice if you want to keep the outside world from making your -nameserver fork and swap trying to do unauthorized zone transfers. if you have -large zone files or use BIND for TXT records you will find this useful. - you probably want this, it is on by default. - -PID_FIX (origin: Don Lewis of Harris) - tells named that if it starts up but can't keep going because another -nameserver is already running (and sitting on the server port), it should -put the /etc/named.pid (/var/run/named.pid) file back the way it found it. - you probably want this, it is on by default. - -FWD_LOOP (origin: Don Lewis of Harris) - tells named that if you list any of your own IP addresses in a -"forwarders" command in your named.boot file, you should be scolded. - you probably want this, it is on by default. - -NO_GLUE (origin: Don Lewis of Harris, and Andrew Partan of UUNET) - tells named-xfer that incoming zone transfers should be checked -for "glue" that comes from a zone outside the zone being transfered, and -comment this garbage out in the zone file so that when named reads in the -zone file after named-xfer exits, the garbage will not be entered into the -memory-resident database. - also tells named that when it is performing an outgoing zone -transfer, it should not send any of these "glue" records. - you definitely want this, it is on by default. - -BOGUSNS (origin: Piet Beertema of EUNet) - enables the "bogusns" command in named.boot. this has the same -syntax as forwarders and sortlist. any NS RR's that come in whose addresses -are on the list of "bogusns" addresses will be ignored. this is the last -resort when someone is bogusly advertising themselves as a root server. - just in case, though you won't use it often. - you probably want this, it is on by default. - -QRYLOG (origin: Bryan Beecher of UMich) - enables "query logging", such that SIGWINCH toggles tracing of all -incoming queries. the trace is sent to syslog, and is huge, but when you -need this you will need it bad and it does not slow named down or make it -larger. - If you define QRYLOG you may also start up named in query logging -mode by using the -q flag. If you do so you will probably want to analyze -the logs produced, the dnsstats and lamers scrips (in the contrib/umich -and contrib/lamers directories) will do it for you. - you probably want this, it is on by default. - -LOGFAC (origin: various people) - If you start up named with the -q flag you will be logging -large amounts of data, and probably will not want them logged to the -default logging facility, which is LOG_DAEMON. You will want to -redefine LOGFAC, presumably to LOC_LOCALn (0 <= n <= 7). Remember to -modify /etc/syslog.conf appropriately. - This only works on a system with a modern syslogd. - as such, it is on by default. - -YPKLUDGE (origin: Piet Beertema of EUNet) - certain versions of NIS/YP are capable of using the DNS for names -that cannot be found in the YP servers. of these, certain versions can't -tell the difference between a dotted quad and a domain name, and they send -queries to the DNS for dotted quads as if they were domain names. if your -named does not do anything special with these queries, they will end up -getting forwarded to other servers, effectively hosing all of you down with -endless useless network traffic. YPKLUDGE enables some checking in named -that lets it catch these bogus queries and send back immediate errors. - If you run "ypserv -i" you definitely want this, as a malconfigured -NIS server can cause DNS "flood" queries otherwise. Trust me. - this is off by default. - -TRACEROOT (origin: pma@cnd.hp.com and Bryan Beecher of UMich) - enables some checking in named for bogus root nameservers. This -code has been in use at U-M for years, so it is pretty well tested, plus we -have never been burned by the "bogus root NS scares" that have plagued the -DNS off and on. - this feature people will very much want to use, it is on by default. - -LOCALDOM (origin: Berkeley) - if set, the "domain" directive is recognized in the named.boot file. -this causes us to retry queries with the specified domain appended to the -name if the first lookup fails. this is a very bad idea since a given name -server will often be used by clients in more than one domain -- a name server -should _not_ make any presumptions as to the "home domain" of a requestor. - you almost certainly do not want this, it is off by default. - -SLAVE_FORWARD (origin: pma@sdd.hp.com) - if set, "slave" servers behave in an arguably more-correct way. this -is an experimental addition to BIND 4.9 that causes slaves to time out queries -in 60/N seconds where N is the number of forwarders defined. previously a -query would time out almost immediately, which caused a lot of unnecessary -network traffic. - you probably want this, it is on by default. - -FORCED_RELOAD (origin: pma@sdd.hp.com) - if set, then when a HUP signal is received, all secondary zones are -scheduled for serial-number comparison with the primaries. this has the effect -that if you HUP your server, it will refresh any zones which have changed, -even if those zones' refresh times have not been reached. - you probably want this, it is on by default. - -WANT_PIDFILE (origin: berkeley, parameterized by arc@sgi) - if set, a file called named.pid will be created in /etc or /var/run -when the name server has started. this file can be used to send signals to -BIND, as in "kill -HUP `cat /etc/named.pid`". - unless you are only on an SGI (where killall(1M) makes the pid file -unnecessary); - you probably want this, it is on by default. - -DOTTED_SERIAL (origin: berkeley; parameterized by vixie) - if set, allows a somewhat arcane n.m syntax in the serial number -field of an SOA. this is officially deprecated for 4.9; you should use -straight integer values and find an encoding that does not depend on -scaled-integer pseudodecimals. i suggest YYYYMMDDnn where YYYY is the -four-digit year, MM is the two-digit month, DD is the two-digit day-of-month, -and nn is a daily version number in case you change your serial number more -than once in a day. this encoding will overflow in the year 4294 gregorian. - you almost certainly do not want this, but if you have old zone files -lying around and you don't want to think your way through converting their -serial numbers, this deprecated behaviour is available. - graciously, it is on by default. - -SENSIBLE_DOTS (origin: kagotani@cs.titech.ac.jp; parameterized by vixie) - if set, changes the semantics of an "n.m" serial number from - n*10^(3+int(0.9+log10(m))) + m -to - n*10000+m - if you are using DOTTED_SERIAL in spite of its deprecated status, -and you are interested in a more predictable and sensible interpretation of -dotted numbers, then you probably want this. - it is off by default. - -VALIDATE (origin: USC/ISI) - enables a validation procedure to provide some security in an -otherwise insecure environment. Any RRs are accepted from a server only if -the server is authoritative over that domain. We consider a server -authoritative (for validation purposes) for even the sub-domains that it has -delegated to others. RRs are validated against the data we have in cache -already. Invalid records are neither cached nor returned. - it is off by default because it is hopeless, and the code will all -be ripped out of BIND in the near future. - -NCACHE (origin: USC/ISI) - enables negative caching. We cache only authoritative NXDOMAIN or -authoritative NOERROR with zero RR count. Non-authoritative NXDOMAIN answers -now contain NS records in the authority section. Non-authoritative NOERROR -responses have no authority or additional records to differentiate them from -referrals. They are cached for NTTL secs (currently 10 minutes) and are timed -out when the ttl expires. - you probably want this, it is on by default. - -RESOLVSORT (origin: marka@syd.dms.csiro.au) - enable sorting of addresses returned by gethostbyname. Sorting order -is specified by address/netmask pairs. This enables a host to override the -sortlist specified in the nameserver. - you probably want this, it is on by default. - -STUBS (origin: marka@syd.dms.csiro.au) - enable transfer and loading of NS records only for a zone. -still experimental. it won't hurt to enable it, but it may not work perfectly -so using it could lead to some confusion. - you probably don't care, it is on by default. - -SUNSECURITY (origin: rossc@ucc.su.oz.au) - enable checking of PTR records in gethostbyaddr() to detect -spoofing. Forced on SunOS 4 shared library as rlogin etc. depend on this. - you should probably not set this by hand. - -SECURE_ZONES (origin: gshapiro@guest.wpi.edu) - enables support for secure zones. This restricts access to -information in the zone according to the information found in the -secure_zone TXT RR found in the zone. If none is found, the zone is -world-readable. For information on the format of the secure_zone TXT -RR, see the Name Server Operations Guide for BIND. - you probably want this, it is on by default. - -ROUND_ROBIN (origin: Marshall Rose of TPC.INT) - if set, causes the databuf list in a namebuf to be rotated by one -slot after each access to it. this has the effect that if multiple RR's -of a given type are present, they will be given in "round robin" order -instead of always being given in the same order. - you probably want this, it is on by default. - -ADDAUTH (origin: marka@syd.dms.csiro.au) - if set, cause NS and glue A records to be returned with authoritative -answers. this causes slightly larger replies but less DNS traffic overall. - unless you have Mac's with an older version of Mac/TCP; - you probably want this, it is on by default. - -RFC1535 (origin: paul@vix.com) - if set, the resolver's default "search" list will be just the entire -"domain" name rather than the sliding window it had before 4.9.2. this will -make the default search list shorter, so folks who are saying "domain a.b.c" -and relying on the implicit "search a.b.c a.b c" will miss "a.b" and "c". - this option is on for compatibility with RFC 1535. - you should NOT turn it off, it is on by default. - -GEN_AXFR (origin: mark@comp.vuw.ac.nz, tytso@ATHENA.MIT.EDU, gdmr@dcs.ed.ac.uk) - if set, allows specification of zones in classes other than "IN" in -the named.boot file. Allows an optional "/class" on the "primary" and -"secondary" directives. Also fixes zone transfers so only data in the class -requested is transfered. - you probably want this, it is on by default. - -DATUMREFCNT (origin: mark andrews) - you want this. it will not be optional in future releases. - -LAME_DELEGATION (origin: don lewis; reworked by bryan beecher and don lewis) - this will detect the condition where some other server has told you -that a given set of servers is authoritative for some domain, and at least -one of those "delegated" servers disagrees (i.e., answers non-authoritatively). - you probably want this, it is on by default. - -LAME_LOGGING (origin: don lewis) - enable logging of lame delegations and set the log level - you may want this, it is on by default. - -RETURNSOA (origin: mark andrews) - This allows negative caching to work. Without this, older -pre-4.9.3 nameservers will not accept -ve cached anwsers. We actually -store the SOA record from the authority section rather that what was -requested because it is the existence of the NXDOMAIN that matters not -the type of data. The zone of the SOA record is tagged to the end of -the SOA record to allow it to be reconstructed. - You probably DO NOT WANT THIS, it's experimental and dangerous. - it is off by default. - -CLEANCACHE (origin: mark andrews) - Bind consumes memory without bound without this option. This -patch allows bind to periodically remove any stale entries in the -cache. Bind's memory usage should stabilize after approximately 1 day of -operation, as most TTL's are <= 1 day. Without this option stale entries -are only removed when they are looked up. - You probably want this, it is on by default. - -PURGE_ZONE (origin: mark andrews) - Various junk below a zone tends to hang around and corrupt future -zone data if a zone grows deeper. PURGE_ZONE will remove all traces of or -data which could be part of zone before loading a new one. - You probably want this, it is on by default. - -STATS (origin: Paul Vixie) - Named's internal statistics can take a fair amount of memory and -if you aren't interested in looking at these numbers you should disable -the feature. Future versions may require this. - You probably want this, it is on by default. - -RENICE (origin: bp@deins.informatik.uni-dortmund.de) - if set, the process priority of the AXFR subprocesses is changed to -"normal". If you are planning to raise the priority of the main nameserver -process, you will use this. - You probably want this, it is on by default. - -GETSER_LOGGING (origin: Paul Vixie) - if set, errors that occur during the fetch of serial numbers for zone -transfer consideration will be syslog()'d. this can lead to a lot of logging, -but is very helpful if you don't know why a zone isn't transfering. - You may not want this, but it is on by default. - -SHORT_FNAMES (origin: pma@sdd.hp.com) - on systems whose file names can only be 14 characters long, the temp -files created by named-xfer need to be constructed somewhat differently. this -should probably become the default since it is harmless. - you probably don't care one way or the other, it is off by default. - -XSTATS (origin: Benoit.Grange@inria.fr) - if set, the name server keeps more STATS about requests -received, and logs to syslog total counters from time to time. If you -aren't interested in looking at these numbers you should disable the -feature. Requires STATS. - You may want this, it is on by default. - -BIND_NOTIFY (origin: paul@vix.com) - experimental at this time; an internet draft is circulating. this -option informs slaves ("secondary" servers in BIND's erroneous terminology) -instantly when the master (primary, or another slave) loads a new zone. it -works fine and seems to cause no problems with slaves that don't support it, -but it does not implement the current internet draft (it lacks some necessary -delays) and causes a lot of extra syslog traffic, especially at startup. if -you don't mind running code that will absolutely NOT be compatible with the -eventual standard when the RFC is released, go ahead and turn this on. - vendors should not enable this in versions shipped to customers. - You will want this when it becomes compliant, it is off by default. - -LOC_RR (origin: ckd@kei.com) - incorporates support for the LOC RR type, currently in the -internet-draft stage. - you don't want this yet, it is off by default. - -SORT_RESPONSE (legacy) - should responses be sorted in what the server considers an optimal -order for the client? this is on by default but it does very little good. - -## ++Copyright++ 1989 -## - -## Copyright (c) 1989 -## The Regents of the University of California. All rights reserved. -## -## Redistribution and use in source and binary forms, with or without -## modification, are permitted provided that the following conditions -## are met: -## 1. Redistributions of source code must retain the above copyright -## notice, this list of conditions and the following disclaimer. -## 2. Redistributions in binary form must reproduce the above copyright -## notice, this list of conditions and the following disclaimer in the -## documentation and/or other materials provided with the distribution. -## 3. All advertising materials mentioning features or use of this software -## must display the following acknowledgement: -## This product includes software developed by the University of -## California, Berkeley and its contributors. -## 4. Neither the name of the University nor the names of its contributors -## may be used to endorse or promote products derived from this software -## without specific prior written permission. -## -## THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND -## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -## ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE -## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -## SUCH DAMAGE. -## - -## Portions Copyright (c) 1993 by Digital Equipment Corporation. -## -## Permission to use, copy, modify, and distribute this software for any -## purpose with or without fee is hereby granted, provided that the above -## copyright notice and this permission notice appear in all copies, and that -## the name of Digital Equipment Corporation not be used in advertising or -## publicity pertaining to distribution of the document or software without -## specific, written prior permission. -## -## THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL -## WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES -## OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT -## CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL -## DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR -## PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS -## ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS -## SOFTWARE. -## - -## --Copyright-- |
