named.conf - configuration file for **named**


NAME

named.conf − configuration file for **named**

SYNOPSIS

named.conf

DESCRIPTION

named.conf is the configuration file for named.

For complete documentation about the configuration statements, please refer to the Configuration Reference section in the BIND 9 Administrator Reference Manual.

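Statements are enclosed in braces and terminated with a semicolon. Clauses within a statement are also terminated with a semicolon. Statement and option names in the grammar below are typed with an ASCII hyphen (-) in a real configuration file; a typographic minus sign (−) copied from this page is a different character and should be replaced before use. The usual comment styles are supported: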

C style: /* */

C++ style: // to end of line

Unix style: # to end of line

acl <string> { <address_match_element>; ... }; // may occur multiple times

controls {
     inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
     unix <quoted_string> perm <integer> owner <integer> group <integer> [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
}; // may occur multiple times

dlz <string> {
     database <string>;
     search <boolean>;
}; // may occur multiple times

dnssec-policy <string> {
     dnskey-ttl <duration>;
     keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
     max-zone-ttl <duration>;
     nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ];
     parent-ds-ttl <duration>;
     parent-propagation-delay <duration>;
     parent-registration-delay <duration>; // obsolete
     publish-safety <duration>;
     purge-keys <duration>;
     retire-safety <duration>;
     signatures-refresh <duration>;
     signatures-validity <duration>;
     signatures-validity-dnskey <duration>;
     zone-propagation-delay <duration>;
}; // may occur multiple times

dyndb <string> <quoted_string> { <unspecified−text> }; // may occur multiple times

http <string> {
     endpoints { <quoted_string>; ... };
     listener−clients <integer>;
     streams−per−connection <integer>;
}; // may occur multiple times

key <string> {
     algorithm <string>;
     secret <string>;
}; // may occur multiple times

logging {
     category <string> { <string>; ... }; // may occur multiple times
     channel <string> {
          buffered <boolean>;
          file <quoted_string> [ versions ( unlimited | <integer> ) ] [ size <size> ] [ suffix ( increment | timestamp ) ];
          null;
          print−category <boolean>;
          print−severity <boolean>;
          print−time ( iso8601 | iso8601−utc | local | <boolean> );
          severity <log_severity>;
          stderr;
          syslog [ <syslog_facility> ];
     }; // may occur multiple times
};

managed−keys { <string> ( static−key | initial−key | static−ds | initial−ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated

options {
     allow−new−zones <boolean>;
     allow−notify { <address_match_element>; ... };
     allow−query { <address_match_element>; ... };
     allow−query−cache { <address_match_element>; ... };
     allow−query−cache−on { <address_match_element>; ... };
     allow−query−on { <address_match_element>; ... };
     allow−recursion { <address_match_element>; ... };
     allow−recursion−on { <address_match_element>; ... };
     allow−transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
     allow−update { <address_match_element>; ... };
     allow−update−forwarding { <address_match_element>; ... };
     also−notify [ port <integer> ]  { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     alt−transfer−source ( <ipv4_address> | * ) ; // deprecated
     alt−transfer−source−v6 ( <ipv6_address> | * ) ; // deprecated
     answer−cookie <boolean>;
     attach−cache <string>;
     auth−nxdomain <boolean>;
     auto−dnssec ( allow | maintain | off ); // deprecated
     automatic−interface−scan <boolean>;
     avoid−v4−udp−ports { <portrange>; ... }; // deprecated
     avoid−v6−udp−ports { <portrange>; ... }; // deprecated
     bindkeys−file <quoted_string>;
     blackhole { <address_match_element>; ... };
     catalog−zones { zone <string> [ default−primaries [ port <integer> ]  { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone−directory <quoted_string> ] [ in−memory <boolean> ] [ min−update−interval <duration> ]; ... };
     check−dup−records ( fail | warn | ignore );
     check−integrity <boolean>;
     check−mx ( fail | warn | ignore );
     check−mx−cname ( fail | warn | ignore );
     check−names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
     check−sibling <boolean>;
     check−spf ( warn | ignore );
     check−srv−cname ( fail | warn | ignore );
     check−wildcard <boolean>;
     clients−per−query <integer>;
     cookie−algorithm ( aes | siphash24 );
     cookie−secret <string>; // may occur multiple times
     coresize ( default | unlimited | <sizeval> ); // deprecated
     datasize ( default | unlimited | <sizeval> ); // deprecated
     deny−answer−addresses { <address_match_element>; ... } [ except−from { <string>; ... } ];
     deny−answer−aliases { <string>; ... } [ except−from { <string>; ... } ];
     dialup ( notify | notify−passive | passive | refresh | <boolean> ); // deprecated
     directory <quoted_string>;
     disable−algorithms <string> { <string>; ... }; // may occur multiple times
     disable−ds−digests <string> { <string>; ... }; // may occur multiple times
     disable−empty−zone <string>; // may occur multiple times
     dns64 <netprefix> {
          break−dnssec <boolean>;
          clients { <address_match_element>; ... };
          exclude { <address_match_element>; ... };
          mapped { <address_match_element>; ... };
          recursive−only <boolean>;
          suffix <ipv6_address>;
     }; // may occur multiple times
     dns64−contact <string>;
     dns64−server <string>;
     dnskey−sig−validity <integer>;
     dnsrps−enable <boolean>; // not configured
     dnsrps−options { <unspecified−text> }; // not configured
     dnssec−accept−expired <boolean>;
     dnssec−dnskey−kskonly <boolean>;
     dnssec−loadkeys−interval <integer>;
     dnssec−must−be−secure <string> <boolean>; // may occur multiple times, deprecated
     dnssec−policy <string>;
     dnssec−secure−to−insecure <boolean>;
     dnssec−update−mode ( maintain | no−resign );
     dnssec−validation ( yes | no | auto );
     dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
     dnstap−identity ( <quoted_string> | none | hostname ); // not configured
     dnstap−output ( file | unix ) <quoted_string> [ size ( unlimited | <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( increment | timestamp ) ]; // not configured
     dnstap−version ( <quoted_string> | none ); // not configured
     dscp <integer>; // obsolete
     dual−stack−servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
     dump−file <quoted_string>;
     edns−udp−size <integer>;
     empty−contact <string>;
     empty−server <string>;
     empty−zones−enable <boolean>;
     fetch−quota−params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
     fetches−per−server <integer> [ ( drop | fail ) ];
     fetches−per−zone <integer> [ ( drop | fail ) ];
     files ( default | unlimited | <sizeval> ); // deprecated
     flush−zones−on−shutdown <boolean>;
     forward ( first | only );
     forwarders [ port <integer> ]  { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
     fstrm−set−buffer−hint <integer>; // not configured
     fstrm−set−flush−timeout <integer>; // not configured
     fstrm−set−input−queue−size <integer>; // not configured
     fstrm−set−output−notify−threshold <integer>; // not configured
     fstrm−set−output−queue−model ( mpsc | spsc ); // not configured
     fstrm−set−output−queue−size <integer>; // not configured
     fstrm−set−reopen−interval <duration>; // not configured
     geoip−directory ( <quoted_string> | none );
     glue−cache <boolean>; // deprecated
     heartbeat−interval <integer>; // deprecated
     hostname ( <quoted_string> | none );
     http−listener−clients <integer>;
     http−port <integer>;
     http−streams−per−connection <integer>;
     https−port <integer>;
     interface−interval <duration>;
     ipv4only−contact <string>;
     ipv4only−enable <boolean>;
     ipv4only−server <string>;
     ixfr−from−differences ( primary | master | secondary | slave | <boolean> );
     keep−response−order { <address_match_element>; ... };
     key−directory <quoted_string>;
     lame−ttl <duration>;
     listen−on [ port <integer> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
     listen−on−v6 [ port <integer> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
     lmdb−mapsize <sizeval>;
     lock−file ( <quoted_string> | none );
     managed−keys−directory <quoted_string>;
     masterfile−format ( raw | text );
     masterfile−style ( full | relative );
     match−mapped−addresses <boolean>;
     max−cache−size ( default | unlimited | <sizeval> | <percentage> );
     max−cache−ttl <duration>;
     max−clients−per−query <integer>;
     max−ixfr−ratio ( unlimited | <percentage> );
     max−journal−size ( default | unlimited | <sizeval> );
     max−ncache−ttl <duration>;
     max−records <integer>;
     max−recursion−depth <integer>;
     max−recursion−queries <integer>;
     max−refresh−time <integer>;
     max−retry−time <integer>;
     max−rsa−exponent−size <integer>;
     max−stale−ttl <duration>;
     max−transfer−idle−in <integer>;
     max−transfer−idle−out <integer>;
     max−transfer−time−in <integer>;
     max−transfer−time−out <integer>;
     max−udp−size <integer>;
     max−zone−ttl ( unlimited | <duration> );
     memstatistics <boolean>;
     memstatistics−file <quoted_string>;
     message−compression <boolean>;
     min−cache−ttl <duration>;
     min−ncache−ttl <duration>;
     min−refresh−time <integer>;
     min−retry−time <integer>;
     minimal−any <boolean>;
     minimal−responses ( no−auth | no−auth−recursive | <boolean> );
     multi−master <boolean>;
     new−zones−directory <quoted_string>;
     no−case−compress { <address_match_element>; ... };
     nocookie−udp−size <integer>;
     notify ( explicit | master−only | primary−only | <boolean> );
     notify−delay <integer>;
     notify−rate <integer>;
     notify−source ( <ipv4_address> | * ) ;
     notify−source−v6 ( <ipv6_address> | * ) ;
     notify−to−soa <boolean>;
     nsec3−test−zone <boolean>; // test only
     nta−lifetime <duration>;
     nta−recheck <duration>;
     nxdomain−redirect <string>;
     parental−source ( <ipv4_address> | * ) ;
     parental−source−v6 ( <ipv6_address> | * ) ;
     pid−file ( <quoted_string> | none );
     port <integer>;
     preferred−glue <string>;
     prefetch <integer> [ <integer> ];
     provide−ixfr <boolean>;
     qname−minimization ( strict | relaxed | disabled | off );
     query−source [ address ] ( <ipv4_address> | * );
     query−source−v6 [ address ] ( <ipv6_address> | * );
     querylog <boolean>;
     random−device ( <quoted_string> | none ); // obsolete
     rate−limit {
          all−per−second <integer>;
          errors−per−second <integer>;
          exempt−clients { <address_match_element>; ... };
          ipv4−prefix−length <integer>;
          ipv6−prefix−length <integer>;
          log−only <boolean>;
          max−table−size <integer>;
          min−table−size <integer>;
          nodata−per−second <integer>;
          nxdomains−per−second <integer>;
          qps−scale <integer>;
          referrals−per−second <integer>;
          responses−per−second <integer>;
          slip <integer>;
          window <integer>;
     };
     recursing−file <quoted_string>;
     recursion <boolean>;
     recursive−clients <integer>;
     request−expire <boolean>;
     request−ixfr <boolean>;
     request−nsid <boolean>;
     require−server−cookie <boolean>;
     reserved−sockets <integer>; // deprecated
     resolver−nonbackoff−tries <integer>;
     resolver−query−timeout <integer>;
     resolver−retry−interval <integer>;
     response−padding { <address_match_element>; ... } block−size <integer>;
     response−policy { zone <string> [ add−soa <boolean> ] [ log <boolean> ] [ max−policy−ttl <duration> ] [ min−update−interval <duration> ] [ policy ( cname | disabled | drop | given | no−op | nodata | nxdomain | passthru | tcp−only <quoted_string> ) ] [ recursive−only <boolean> ] [ nsip−enable <boolean> ] [ nsdname−enable <boolean> ]; ... } [ add−soa <boolean> ] [ break−dnssec <boolean> ] [ max−policy−ttl <duration> ] [ min−update−interval <duration> ] [ min−ns−dots <integer> ] [ nsip−wait−recurse <boolean> ] [ nsdname−wait−recurse <boolean> ] [ qname−wait−recurse <boolean> ] [ recursive−only <boolean> ] [ nsip−enable <boolean> ] [ nsdname−enable <boolean> ] [ dnsrps−enable <boolean> ] [ dnsrps−options { <unspecified−text> } ];
     reuseport <boolean>;
     root−delegation−only [ exclude { <string>; ... } ]; // deprecated
     root−key−sentinel <boolean>;
     rrset−order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
     secroots−file <quoted_string>;
     send−cookie <boolean>;
     serial−query−rate <integer>;
     serial−update−method ( date | increment | unixtime );
     server−id ( <quoted_string> | none | hostname );
     servfail−ttl <duration>;
     session−keyalg <string>;
     session−keyfile ( <quoted_string> | none );
     session−keyname <string>;
     sig−signing−nodes <integer>;
     sig−signing−signatures <integer>;
     sig−signing−type <integer>;
     sig−validity−interval <integer> [ <integer> ];
     sortlist { <address_match_element>; ... };
     stacksize ( default | unlimited | <sizeval> ); // deprecated
     stale−answer−client−timeout ( disabled | off | <integer> );
     stale−answer−enable <boolean>;
     stale−answer−ttl <duration>;
     stale−cache−enable <boolean>;
     stale−refresh−time <duration>;
     startup−notify−rate <integer>;
     statistics−file <quoted_string>;
     suppress−initial−notify <boolean>; // obsolete
     synth−from−dnssec <boolean>;
     tcp−advertised−timeout <integer>;
     tcp−clients <integer>;
     tcp−idle−timeout <integer>;
     tcp−initial−timeout <integer>;
     tcp−keepalive−timeout <integer>;
     tcp−listen−queue <integer>;
     tcp−receive−buffer <integer>;
     tcp−send−buffer <integer>;
     tkey−dhkey <quoted_string> <integer>; // deprecated
     tkey−domain <quoted_string>;
     tkey−gssapi−credential <quoted_string>;
     tkey−gssapi−keytab <quoted_string>;
     tls−port <integer>;
     transfer−format ( many−answers | one−answer );
     transfer−message−size <integer>;
     transfer−source ( <ipv4_address> | * ) ;
     transfer−source−v6 ( <ipv6_address> | * ) ;
     transfers−in <integer>;
     transfers−out <integer>;
     transfers−per−ns <integer>;
     trust−anchor−telemetry <boolean>; // experimental
     try−tcp−refresh <boolean>;
     udp−receive−buffer <integer>;
     udp−send−buffer <integer>;
     update−check−ksk <boolean>;
     update−quota <integer>;
     use−alt−transfer−source <boolean>; // deprecated
     use−v4−udp−ports { <portrange>; ... }; // deprecated
     use−v6−udp−ports { <portrange>; ... }; // deprecated
     v6−bias <integer>;
     validate−except { <string>; ... };
     version ( <quoted_string> | none );
     zero−no−soa−ttl <boolean>;
     zero−no−soa−ttl−cache <boolean>;
     zone−statistics ( full | terse | none | <boolean> );
};

parental−agents <string> [ port <integer> ]  { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times

plugin ( query ) <string> [ { <unspecified−text> } ]; // may occur multiple times

primaries <string> [ port <integer> ]  { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times

server <netprefix> {
     bogus <boolean>;
     edns <boolean>;
     edns−udp−size <integer>;
     edns−version <integer>;
     keys <server_key>;
     max−udp−size <integer>;
     notify−source ( <ipv4_address> | * ) ;
     notify−source−v6 ( <ipv6_address> | * ) ;
     padding <integer>;
     provide−ixfr <boolean>;
     query−source [ address ] ( <ipv4_address> | * );
     query−source−v6 [ address ] ( <ipv6_address> | * );
     request−expire <boolean>;
     request−ixfr <boolean>;
     request−nsid <boolean>;
     send−cookie <boolean>;
     tcp−keepalive <boolean>;
     tcp−only <boolean>;
     transfer−format ( many−answers | one−answer );
     transfer−source ( <ipv4_address> | * ) ;
     transfer−source−v6 ( <ipv6_address> | * ) ;
     transfers <integer>;
}; // may occur multiple times

statistics-channels {
     inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] [ allow { <address_match_element>; ... } ]; // may occur multiple times
}; // may occur multiple times

tls <string> {
     ca-file <quoted_string>;
     cert-file <quoted_string>;
     ciphers <string>;
     dhparam-file <quoted_string>;
     key-file <quoted_string>;
     prefer-server-ciphers <boolean>;
     protocols { <string>; ... };
     remote-hostname <quoted_string>;
     session-tickets <boolean>;
}; // may occur multiple times

trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times

trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated


view <string> [ <class> ] {
     allow−new−zones <boolean>;
     allow−notify { <address_match_element>; ... };
     allow−query { <address_match_element>; ... };
     allow−query−cache { <address_match_element>; ... };
     allow−query−cache−on { <address_match_element>; ... };
     allow−query−on { <address_match_element>; ... };
     allow−recursion { <address_match_element>; ... };
     allow−recursion−on { <address_match_element>; ... };
     allow−transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
     allow−update { <address_match_element>; ... };
     allow−update−forwarding { <address_match_element>; ... };
     also−notify [ port <integer> ]  { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     alt−transfer−source ( <ipv4_address> | * ) ; // deprecated
     alt−transfer−source−v6 ( <ipv6_address> | * ) ; // deprecated
     attach−cache <string>;
     auth−nxdomain <boolean>;
     auto−dnssec ( allow | maintain | off ); // deprecated
     catalog−zones { zone <string> [ default−primaries [ port <integer> ]  { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone−directory <quoted_string> ] [ in−memory <boolean> ] [ min−update−interval <duration> ]; ... };
     check−dup−records ( fail | warn | ignore );
     check−integrity <boolean>;
     check−mx ( fail | warn | ignore );
     check−mx−cname ( fail | warn | ignore );
     check−names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
     check−sibling <boolean>;
     check−spf ( warn | ignore );
     check−srv−cname ( fail | warn | ignore );
     check−wildcard <boolean>;
     clients−per−query <integer>;
     deny−answer−addresses { <address_match_element>; ... } [ except−from { <string>; ... } ];
     deny−answer−aliases { <string>; ... } [ except−from { <string>; ... } ];
     dialup ( notify | notify−passive | passive | refresh | <boolean> ); // deprecated
     disable−algorithms <string> { <string>; ... }; // may occur multiple times
     disable−ds−digests <string> { <string>; ... }; // may occur multiple times
     disable−empty−zone <string>; // may occur multiple times
     dlz <string> {
          database <string>;
          search <boolean>;
     }; // may occur multiple times
     dns64 <netprefix> {
          break−dnssec <boolean>;
          clients { <address_match_element>; ... };
          exclude { <address_match_element>; ... };
          mapped { <address_match_element>; ... };
          recursive−only <boolean>;
          suffix <ipv6_address>;
     }; // may occur multiple times
     dns64−contact <string>;
     dns64−server <string>;
     dnskey−sig−validity <integer>;
     dnsrps−enable <boolean>; // not configured
     dnsrps−options { <unspecified−text> }; // not configured
     dnssec−accept−expired <boolean>;
     dnssec−dnskey−kskonly <boolean>;
     dnssec−loadkeys−interval <integer>;
     dnssec−must−be−secure <string> <boolean>; // may occur multiple times, deprecated
     dnssec−policy <string>;
     dnssec−secure−to−insecure <boolean>;
     dnssec−update−mode ( maintain | no−resign );
     dnssec−validation ( yes | no | auto );
     dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
     dual−stack−servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
     dyndb <string> <quoted_string> { <unspecified−text> }; // may occur multiple times
     edns−udp−size <integer>;
     empty−contact <string>;
     empty−server <string>;
     empty−zones−enable <boolean>;
     fetch−quota−params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
     fetches−per−server <integer> [ ( drop | fail ) ];
     fetches−per−zone <integer> [ ( drop | fail ) ];
     forward ( first | only );
     forwarders [ port <integer> ]  { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
     glue−cache <boolean>; // deprecated
     ipv4only−contact <string>;
     ipv4only−enable <boolean>;
     ipv4only−server <string>;
     ixfr−from−differences ( primary | master | secondary | slave | <boolean> );
     key <string> {
          algorithm <string>;
          secret <string>;
     }; // may occur multiple times
     key−directory <quoted_string>;
     lame−ttl <duration>;
     lmdb−mapsize <sizeval>;
     managed−keys { <string> ( static−key | initial−key | static−ds | initial−ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
     masterfile−format ( raw | text );
     masterfile−style ( full | relative );
     match−clients { <address_match_element>; ... };
     match−destinations { <address_match_element>; ... };
     match−recursive−only <boolean>;
     max−cache−size ( default | unlimited | <sizeval> | <percentage> );
     max−cache−ttl <duration>;
     max−clients−per−query <integer>;
     max−ixfr−ratio ( unlimited | <percentage> );
     max−journal−size ( default | unlimited | <sizeval> );
     max−ncache−ttl <duration>;
     max−records <integer>;
     max−recursion−depth <integer>;
     max−recursion−queries <integer>;
     max−refresh−time <integer>;
     max−retry−time <integer>;
     max−stale−ttl <duration>;
     max−transfer−idle−in <integer>;
     max−transfer−idle−out <integer>;
     max−transfer−time−in <integer>;
     max−transfer−time−out <integer>;
     max−udp−size <integer>;
     max−zone−ttl ( unlimited | <duration> );
     message−compression <boolean>;
     min−cache−ttl <duration>;
     min−ncache−ttl <duration>;
     min−refresh−time <integer>;
     min−retry−time <integer>;
     minimal−any <boolean>;
     minimal−responses ( no−auth | no−auth−recursive | <boolean> );
     multi−master <boolean>;
     new−zones−directory <quoted_string>;
     no−case−compress { <address_match_element>; ... };
     nocookie−udp−size <integer>;
     notify ( explicit | master−only | primary−only | <boolean> );
     notify−delay <integer>;
     notify−source ( <ipv4_address> | * ) ;
     notify−source−v6 ( <ipv6_address> | * ) ;
     notify−to−soa <boolean>;
     nsec3−test−zone <boolean>; // test only
     nta−lifetime <duration>;
     nta−recheck <duration>;
     nxdomain−redirect <string>;
     parental−source ( <ipv4_address> | * ) ;
     parental−source−v6 ( <ipv6_address> | * ) ;
     plugin ( query ) <string> [ { <unspecified−text> } ]; // may occur multiple times
     preferred−glue <string>;
     prefetch <integer> [ <integer> ];
     provide−ixfr <boolean>;
     qname−minimization ( strict | relaxed | disabled | off );
     query−source [ address ] ( <ipv4_address> | * );
     query−source−v6 [ address ] ( <ipv6_address> | * );
     rate−limit {
          all−per−second <integer>;
          errors−per−second <integer>;
          exempt−clients { <address_match_element>; ... };
          ipv4−prefix−length <integer>;
          ipv6−prefix−length <integer>;
          log−only <boolean>;
          max−table−size <integer>;
          min−table−size <integer>;
          nodata−per−second <integer>;
          nxdomains−per−second <integer>;
          qps−scale <integer>;
          referrals−per−second <integer>;
          responses−per−second <integer>;
          slip <integer>;
          window <integer>;
     };
     recursion <boolean>;
     request−expire <boolean>;
     request−ixfr <boolean>;
     request−nsid <boolean>;
     require−server−cookie <boolean>;
     resolver−nonbackoff−tries <integer>;
     resolver−query−timeout <integer>;
     resolver−retry−interval <integer>;
     response−padding { <address_match_element>; ... } block−size <integer>;
     response−policy { zone <string> [ add−soa <boolean> ] [ log <boolean> ] [ max−policy−ttl <duration> ] [ min−update−interval <duration> ] [ policy ( cname | disabled | drop | given | no−op | nodata | nxdomain | passthru | tcp−only <quoted_string> ) ] [ recursive−only <boolean> ] [ nsip−enable <boolean> ] [ nsdname−enable <boolean> ]; ... } [ add−soa <boolean> ] [ break−dnssec <boolean> ] [ max−policy−ttl <duration> ] [ min−update−interval <duration> ] [ min−ns−dots <integer> ] [ nsip−wait−recurse <boolean> ] [ nsdname−wait−recurse <boolean> ] [ qname−wait−recurse <boolean> ] [ recursive−only <boolean> ] [ nsip−enable <boolean> ] [ nsdname−enable <boolean> ] [ dnsrps−enable <boolean> ] [ dnsrps−options { <unspecified−text> } ];
     root−delegation−only [ exclude { <string>; ... } ]; // deprecated
     root−key−sentinel <boolean>;
     rrset−order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
     send−cookie <boolean>;
     serial−update−method ( date | increment | unixtime );
     server <netprefix> {
          bogus <boolean>;
          edns <boolean>;
          edns−udp−size <integer>;
          edns−version <integer>;
          keys <server_key>;
          max−udp−size <integer>;
          notify−source ( <ipv4_address> | * ) ;
          notify−source−v6 ( <ipv6_address> | * ) ;
          padding <integer>;
          provide−ixfr <boolean>;
          query−source [ address ] ( <ipv4_address> | * );
          query−source−v6 [ address ] ( <ipv6_address> | * );
          request−expire <boolean>;
          request−ixfr <boolean>;
          request−nsid <boolean>;
          send−cookie <boolean>;
          tcp−keepalive <boolean>;
          tcp−only <boolean>;
          transfer−format ( many−answers | one−answer );
          transfer−source ( <ipv4_address> | * ) ;
          transfer−source−v6 ( <ipv6_address> | * ) ;
          transfers <integer>;
     }; // may occur multiple times
     servfail−ttl <duration>;
     sig−signing−nodes <integer>;
     sig−signing−signatures <integer>;
     sig−signing−type <integer>;
     sig−validity−interval <integer> [ <integer> ];
     sortlist { <address_match_element>; ... };
     stale−answer−client−timeout ( disabled | off | <integer> );
     stale−answer−enable <boolean>;
     stale−answer−ttl <duration>;
     stale−cache−enable <boolean>;
     stale−refresh−time <duration>;
     suppress−initial−notify <boolean>; // obsolete
     synth−from−dnssec <boolean>;
     transfer−format ( many−answers | one−answer );
     transfer−source ( <ipv4_address> | * ) ;
     transfer−source−v6 ( <ipv6_address> | * ) ;
     trust−anchor−telemetry <boolean>; // experimental
     trust−anchors { <string> ( static−key | initial−key | static−ds | initial−ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
     trusted−keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
     try−tcp−refresh <boolean>;
     update−check−ksk <boolean>;
     use−alt−transfer−source <boolean>; // deprecated
     v6−bias <integer>;
     validate−except { <string>; ... };
     zero−no−soa−ttl <boolean>;
     zero−no−soa−ttl−cache <boolean>;
     zone−statistics ( full | terse | none | <boolean> );
}; // may occur multiple times

Any of these zone statements can also be set inside the view statement.

zone <string> [ <class> ] {
     type primary;
     allow−query { <address_match_element>; ... };
     allow−query−on { <address_match_element>; ... };
     allow−transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
     allow−update { <address_match_element>; ... };
     also−notify [ port <integer> ]  { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     alt−transfer−source ( <ipv4_address> | * ) ; // deprecated
     alt−transfer−source−v6 ( <ipv6_address> | * ) ; // deprecated
     auto−dnssec ( allow | maintain | off ); // deprecated
     check−dup−records ( fail | warn | ignore );
     check−integrity <boolean>;
     check−mx ( fail | warn | ignore );
     check−mx−cname ( fail | warn | ignore );
     check−names ( fail | warn | ignore );
     check−sibling <boolean>;
     check−spf ( warn | ignore );
     check−srv−cname ( fail | warn | ignore );
     check−wildcard <boolean>;
     database <string>;
     dialup ( notify | notify−passive | passive | refresh | <boolean> ); // deprecated
     dlz <string>;
     dnskey−sig−validity <integer>;
     dnssec−dnskey−kskonly <boolean>;
     dnssec−loadkeys−interval <integer>;
     dnssec−policy <string>;
     dnssec−secure−to−insecure <boolean>;
     dnssec−update−mode ( maintain | no−resign );
     file <quoted_string>;
     forward ( first | only );
     forwarders [ port <integer> ]  { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
     inline−signing <boolean>;
     ixfr−from−differences <boolean>;
     journal <quoted_string>;
     key−directory <quoted_string>;
     masterfile−format ( raw | text );
     masterfile−style ( full | relative );
     max−ixfr−ratio ( unlimited | <percentage> );
     max−journal−size ( default | unlimited | <sizeval> );
     max−records <integer>;
     max−transfer−idle−out <integer>;
     max−transfer−time−out <integer>;
     max−zone−ttl ( unlimited | <duration> );
     notify ( explicit | master−only | primary−only | <boolean> );
     notify−delay <integer>;
     notify−source ( <ipv4_address> | * ) ;
     notify−source−v6 ( <ipv6_address> | * ) ;
     notify−to−soa <boolean>;
     nsec3−test−zone <boolean>; // test only
     parental−agents [ port <integer> ]  { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     parental−source ( <ipv4_address> | * ) ;
     parental−source−v6 ( <ipv6_address> | * ) ;
     serial−update−method ( date | increment | unixtime );
     sig−signing−nodes <integer>;
     sig−signing−signatures <integer>;
     sig−signing−type <integer>;
     sig−validity−interval <integer> [ <integer> ];
     update−check−ksk <boolean>;
     update−policy ( local | { ( deny | grant ) <string> ( 6to4−self | external | krb5−self | krb5−selfsub | krb5−subdomain | krb5−subdomain−self−rhs | ms−self | ms−selfsub | ms−subdomain | ms−subdomain−self−rhs | name | self | selfsub | selfwild | subdomain | tcp−self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... } );
     zero−no−soa−ttl <boolean>;
     zone−statistics ( full | terse | none | <boolean> );
};

zone <string> [ <class> ] {
     type secondary;
     allow−notify { <address_match_element>; ... };
     allow−query { <address_match_element>; ... };
     allow−query−on { <address_match_element>; ... };
     allow−transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
     allow−update−forwarding { <address_match_element>; ... };
     also−notify [ port <integer> ]  { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     alt−transfer−source ( <ipv4_address> | * ) ; // deprecated
     alt−transfer−source−v6 ( <ipv6_address> | * ) ; // deprecated
     auto−dnssec ( allow | maintain | off ); // deprecated
     check−names ( fail | warn | ignore );
     database <string>;
     dialup ( notify | notify−passive | passive | refresh | <boolean> ); // deprecated
     dlz <string>;
     dnskey−sig−validity <integer>;
     dnssec−dnskey−kskonly <boolean>;
     dnssec−loadkeys−interval <integer>;
     dnssec−policy <string>;
     dnssec−update−mode ( maintain | no−resign );
     file <quoted_string>;
     forward ( first | only );
     forwarders [ port <integer> ]  { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
     inline−signing <boolean>;
     ixfr−from−differences <boolean>;
     journal <quoted_string>;
     key−directory <quoted_string>;
     masterfile−format ( raw | text );
     masterfile−style ( full | relative );
     max−ixfr−ratio ( unlimited | <percentage> );
     max−journal−size ( default | unlimited | <sizeval> );
     max−records <integer>;
     max−refresh−time <integer>;
     max−retry−time <integer>;
     max−transfer−idle−in <integer>;
     max−transfer−idle−out <integer>;
     max−transfer−time−in <integer>;
     max−transfer−time−out <integer>;
     min−refresh−time <integer>;
     min−retry−time <integer>;
     multi−master <boolean>;
     notify ( explicit | master−only | primary−only | <boolean> );
     notify−delay <integer>;
     notify−source ( <ipv4_address> | * ) ;
     notify−source−v6 ( <ipv6_address> | * ) ;
     notify−to−soa <boolean>;
     nsec3−test−zone <boolean>; // test only
     parental−agents [ port <integer> ]  { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     parental−source ( <ipv4_address> | * ) ;
     parental−source−v6 ( <ipv6_address> | * ) ;
     primaries [ port <integer> ]  { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     request−expire <boolean>;
     request−ixfr <boolean>;
     sig−signing−nodes <integer>;
     sig−signing−signatures <integer>;
     sig−signing−type <integer>;
     sig−validity−interval <integer> [ <integer> ];
     transfer−source ( <ipv4_address> | * ) ;
     transfer−source−v6 ( <ipv6_address> | * ) ;
     try−tcp−refresh <boolean>;
     update−check−ksk <boolean>;
     use−alt−transfer−source <boolean>; // deprecated
     zero−no−soa−ttl <boolean>;
     zone−statistics ( full | terse | none | <boolean> );
};

zone <string> [ <class> ] {
     type mirror;
     allow−notify { <address_match_element>; ... };
     allow−query { <address_match_element>; ... };
     allow−query−on { <address_match_element>; ... };
     allow−transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
     allow−update−forwarding { <address_match_element>; ... };
     also−notify [ port <integer> ]  { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     alt−transfer−source ( <ipv4_address> | * ) ; // deprecated
     alt−transfer−source−v6 ( <ipv6_address> | * ) ; // deprecated
     check−names ( fail | warn | ignore );
     database <string>;
     file <quoted_string>;
     ixfr−from−differences <boolean>;
     journal <quoted_string>;
     masterfile−format ( raw | text );
     masterfile−style ( full | relative );
     max−ixfr−ratio ( unlimited | <percentage> );
     max−journal−size ( default | unlimited | <sizeval> );
     max−records <integer>;
     max−refresh−time <integer>;
     max−retry−time <integer>;
     max−transfer−idle−in <integer>;
     max−transfer−idle−out <integer>;
     max−transfer−time−in <integer>;
     max−transfer−time−out <integer>;
     min−refresh−time <integer>;
     min−retry−time <integer>;
     multi−master <boolean>;
     notify ( explicit | master−only | primary−only | <boolean> );
     notify−delay <integer>;
     notify−source ( <ipv4_address> | * ) ;
     notify−source−v6 ( <ipv6_address> | * ) ;
     primaries [ port <integer> ]  { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     request−expire <boolean>;
     request−ixfr <boolean>;
     transfer−source ( <ipv4_address> | * ) ;
     transfer−source−v6 ( <ipv6_address> | * ) ;
     try−tcp−refresh <boolean>;
     use−alt−transfer−source <boolean>; // deprecated
     zero−no−soa−ttl <boolean>;
     zone−statistics ( full | terse | none | <boolean> );
};

zone <string> [ <class> ] {
     type forward;
     delegation−only <boolean>; // deprecated
     forward ( first | only );
     forwarders [ port <integer> ]  { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
};

zone <string> [ <class> ] {
     type hint;
     check−names ( fail | warn | ignore );
     delegation−only <boolean>; // deprecated
     file <quoted_string>;
};

zone <string> [ <class> ] {
     type redirect;
     allow−query { <address_match_element>; ... };
     allow−query−on { <address_match_element>; ... };
     dlz <string>;
     file <quoted_string>;
     masterfile−format ( raw | text );
     masterfile−style ( full | relative );
     max−records <integer>;
     max−zone−ttl ( unlimited | <duration> );
     primaries [ port <integer> ]  { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     zone−statistics ( full | terse | none | <boolean> );
};

zone <string> [ <class> ] {
     type static−stub;
     allow−query { <address_match_element>; ... };
     allow−query−on { <address_match_element>; ... };
     forward ( first | only );
     forwarders [ port <integer> ]  { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
     max−records <integer>;
     server−addresses { ( <ipv4_address> | <ipv6_address> ); ... };
     server−names { <string>; ... };
     zone−statistics ( full | terse | none | <boolean> );
};

zone <string> [ <class> ] {
     type stub;
     allow−query { <address_match_element>; ... };
     allow−query−on { <address_match_element>; ... };
     check−names ( fail | warn | ignore );
     database <string>;
     delegation−only <boolean>; // deprecated
     dialup ( notify | notify−passive | passive | refresh | <boolean> ); // deprecated
     file <quoted_string>;
     forward ( first | only );
     forwarders [ port <integer> ]  { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
     masterfile−format ( raw | text );
     masterfile−style ( full | relative );
     max−records <integer>;
     max−refresh−time <integer>;
     max−retry−time <integer>;
     max−transfer−idle−in <integer>;
     max−transfer−time−in <integer>;
     min−refresh−time <integer>;
     min−retry−time <integer>;
     multi−master <boolean>;
     primaries [ port <integer> ]  { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     transfer−source ( <ipv4_address> | * ) ;
     transfer−source−v6 ( <ipv6_address> | * ) ;
     use−alt−transfer−source <boolean>; // deprecated
     zone−statistics ( full | terse | none | <boolean> );
};

zone <string> [ <class> ] {
     type delegation−only;
};


zone <string> [ <class> ] {
     in−view <string>;
};

FILES

/etc/bind/named.conf

SEE ALSO

named(8), named-checkconf(8), rndc(8), rndc-confgen(8), tsig-keygen(8), BIND 9 Administrator Reference Manual.

AUTHOR

Internet Systems Consortium

COPYRIGHT

2023, Internet Systems Consortium

