named.conf − configuration file for **named**
named.conf
named.conf is the configuration file for named.
For complete documentation about the configuration statements, please refer to the Configuration Reference section in the BIND 9 Administrator Reference Manual.
Statements are enclosed in braces and terminated with a semi−colon. Clauses in the statements are also semi−colon terminated. The usual comment styles are supported:
C style: /* */
C++ style: // to end of line
Unix style: # to end of line
acl <string> { <address_match_element>; ... }; // may occur multiple times controls { inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ] [ read−only <boolean> ]; // may occur multiple times unix <quoted_string> perm <integer> owner <integer> group <integer> [ keys { <string>; ... } ] [ read−only <boolean> ]; // may occur multiple times }; // may occur multiple times dlz <string> { database <string>; search <boolean>; }; // may occur multiple times dnssec−policy <string> { dnskey−ttl <duration>; keys { ( csk | ksk | zsk ) [ ( key−directory ) ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... }; max−zone−ttl <duration>; nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt−length <integer> ]; parent−ds−ttl <duration>; parent−propagation−delay <duration>; parent−registration−delay <duration>; // obsolete publish−safety <duration>; purge−keys <duration>; retire−safety <duration>; signatures−refresh <duration>; signatures−validity <duration>; signatures−validity−dnskey <duration>; zone−propagation−delay <duration>; }; // may occur multiple times dyndb <string> <quoted_string> { <unspecified−text> }; // may occur multiple times http <string> { endpoints { <quoted_string>; ... }; listener−clients <integer>; streams−per−connection <integer>; }; // may occur multiple times key <string> { algorithm <string>; secret <string>; }; // may occur multiple times logging { category <string> { <string>; ... }; // may occur multiple times channel <string> { buffered <boolean>; file <quoted_string> [ versions ( unlimited | <integer> ) ] [ size <size> ] [ suffix ( increment | timestamp ) ]; null; print−category <boolean>; print−severity <boolean>; print−time ( iso8601 | iso8601−utc | local | <boolean> ); severity <log_severity>; stderr; syslog [ <syslog_facility> ]; }; // may occur multiple times }; managed−keys { <string> ( static−key | initial−key | static−ds | initial−ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated options { allow−new−zones <boolean>; allow−notify { <address_match_element>; ... }; allow−query { <address_match_element>; ... }; allow−query−cache { <address_match_element>; ... }; allow−query−cache−on { <address_match_element>; ... }; allow−query−on { <address_match_element>; ... }; allow−recursion { <address_match_element>; ... }; allow−recursion−on { <address_match_element>; ... }; allow−transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... }; allow−update { <address_match_element>; ... }; allow−update−forwarding { <address_match_element>; ... }; also−notify [ port <integer> ] { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; alt−transfer−source ( <ipv4_address> | * ) ; // deprecated alt−transfer−source−v6 ( <ipv6_address> | * ) ; // deprecated answer−cookie <boolean>; attach−cache <string>; auth−nxdomain <boolean>; auto−dnssec ( allow | maintain | off ); // deprecated automatic−interface−scan <boolean>; avoid−v4−udp−ports { <portrange>; ... }; // deprecated avoid−v6−udp−ports { <portrange>; ... }; // deprecated bindkeys−file <quoted_string>; blackhole { <address_match_element>; ... }; catalog−zones { zone <string> [ default−primaries [ port <integer> ] { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone−directory <quoted_string> ] [ in−memory <boolean> ] [ min−update−interval <duration> ]; ... }; check−dup−records ( fail | warn | ignore ); check−integrity <boolean>; check−mx ( fail | warn | ignore ); check−mx−cname ( fail | warn | ignore ); check−names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times check−sibling <boolean>; check−spf ( warn | ignore ); check−srv−cname ( fail | warn | ignore ); check−wildcard <boolean>; clients−per−query <integer>; cookie−algorithm ( aes | siphash24 ); cookie−secret <string>; // may occur multiple times coresize ( default | unlimited | <sizeval> ); // deprecated datasize ( default | unlimited | <sizeval> ); // deprecated deny−answer−addresses { <address_match_element>; ... } [ except−from { <string>; ... } ]; deny−answer−aliases { <string>; ... } [ except−from { <string>; ... } ]; dialup ( notify | notify−passive | passive | refresh | <boolean> ); // deprecated directory <quoted_string>; disable−algorithms <string> { <string>; ... }; // may occur multiple times disable−ds−digests <string> { <string>; ... }; // may occur multiple times disable−empty−zone <string>; // may occur multiple times dns64 <netprefix> { break−dnssec <boolean>; clients { <address_match_element>; ... }; exclude { <address_match_element>; ... }; mapped { <address_match_element>; ... }; recursive−only <boolean>; suffix <ipv6_address>; }; // may occur multiple times dns64−contact <string>; dns64−server <string>; dnskey−sig−validity <integer>; dnsrps−enable <boolean>; // not configured dnsrps−options { <unspecified−text> }; // not configured dnssec−accept−expired <boolean>; dnssec−dnskey−kskonly <boolean>; dnssec−loadkeys−interval <integer>; dnssec−must−be−secure <string> <boolean>; // may occur multiple times, deprecated dnssec−policy <string>; dnssec−secure−to−insecure <boolean>; dnssec−update−mode ( maintain | no−resign ); dnssec−validation ( yes | no | auto ); dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured dnstap−identity ( <quoted_string> | none | hostname ); // not configured dnstap−output ( file | unix ) <quoted_string> [ size ( unlimited | <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( increment | timestamp ) ]; // not configured dnstap−version ( <quoted_string> | none ); // not configured dscp <integer>; // obsolete dual−stack−servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... }; dump−file <quoted_string>; edns−udp−size <integer>; empty−contact <string>; empty−server <string>; empty−zones−enable <boolean>; fetch−quota−params <integer> <fixedpoint> <fixedpoint> <fixedpoint>; fetches−per−server <integer> [ ( drop | fail ) ]; fetches−per−zone <integer> [ ( drop | fail ) ]; files ( default | unlimited | <sizeval> ); // deprecated flush−zones−on−shutdown <boolean>; forward ( first | only ); forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... }; fstrm−set−buffer−hint <integer>; // not configured fstrm−set−flush−timeout <integer>; // not configured fstrm−set−input−queue−size <integer>; // not configured fstrm−set−output−notify−threshold <integer>; // not configured fstrm−set−output−queue−model ( mpsc | spsc ); // not configured fstrm−set−output−queue−size <integer>; // not configured fstrm−set−reopen−interval <duration>; // not configured geoip−directory ( <quoted_string> | none ); glue−cache <boolean>; // deprecated heartbeat−interval <integer>; // deprecated hostname ( <quoted_string> | none ); http−listener−clients <integer>; http−port <integer>; http−streams−per−connection <integer>; https−port <integer>; interface−interval <duration>; ipv4only−contact <string>; ipv4only−enable <boolean>; ipv4only−server <string>; ixfr−from−differences ( primary | master | secondary | slave | <boolean> ); keep−response−order { <address_match_element>; ... }; key−directory <quoted_string>; lame−ttl <duration>; listen−on [ port <integer> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times listen−on−v6 [ port <integer> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times lmdb−mapsize <sizeval>; lock−file ( <quoted_string> | none ); managed−keys−directory <quoted_string>; masterfile−format ( raw | text ); masterfile−style ( full | relative ); match−mapped−addresses <boolean>; max−cache−size ( default | unlimited | <sizeval> | <percentage> ); max−cache−ttl <duration>; max−clients−per−query <integer>; max−ixfr−ratio ( unlimited | <percentage> ); max−journal−size ( default | unlimited | <sizeval> ); max−ncache−ttl <duration>; max−records <integer>; max−recursion−depth <integer>; max−recursion−queries <integer>; max−refresh−time <integer>; max−retry−time <integer>; max−rsa−exponent−size <integer>; max−stale−ttl <duration>; max−transfer−idle−in <integer>; max−transfer−idle−out <integer>; max−transfer−time−in <integer>; max−transfer−time−out <integer>; max−udp−size <integer>; max−zone−ttl ( unlimited | <duration> ); memstatistics <boolean>; memstatistics−file <quoted_string>; message−compression <boolean>; min−cache−ttl <duration>; min−ncache−ttl <duration>; min−refresh−time <integer>; min−retry−time <integer>; minimal−any <boolean>; minimal−responses ( no−auth | no−auth−recursive | <boolean> ); multi−master <boolean>; new−zones−directory <quoted_string>; no−case−compress { <address_match_element>; ... }; nocookie−udp−size <integer>; notify ( explicit | master−only | primary−only | <boolean> ); notify−delay <integer>; notify−rate <integer>; notify−source ( <ipv4_address> | * ) ; notify−source−v6 ( <ipv6_address> | * ) ; notify−to−soa <boolean>; nsec3−test−zone <boolean>; // test only nta−lifetime <duration>; nta−recheck <duration>; nxdomain−redirect <string>; parental−source ( <ipv4_address> | * ) ; parental−source−v6 ( <ipv6_address> | * ) ; pid−file ( <quoted_string> | none ); port <integer>; preferred−glue <string>; prefetch <integer> [ <integer> ]; provide−ixfr <boolean>; qname−minimization ( strict | relaxed | disabled | off ); query−source [ address ] ( <ipv4_address> | * ); query−source−v6 [ address ] ( <ipv6_address> | * ); querylog <boolean>; random−device ( <quoted_string> | none ); // obsolete rate−limit { all−per−second <integer>; errors−per−second <integer>; exempt−clients { <address_match_element>; ... }; ipv4−prefix−length <integer>; ipv6−prefix−length <integer>; log−only <boolean>; max−table−size <integer>; min−table−size <integer>; nodata−per−second <integer>; nxdomains−per−second <integer>; qps−scale <integer>; referrals−per−second <integer>; responses−per−second <integer>; slip <integer>; window <integer>; }; recursing−file <quoted_string>; recursion <boolean>; recursive−clients <integer>; request−expire <boolean>; request−ixfr <boolean>; request−nsid <boolean>; require−server−cookie <boolean>; reserved−sockets <integer>; // deprecated resolver−nonbackoff−tries <integer>; resolver−query−timeout <integer>; resolver−retry−interval <integer>; response−padding { <address_match_element>; ... } block−size <integer>; response−policy { zone <string> [ add−soa <boolean> ] [ log <boolean> ] [ max−policy−ttl <duration> ] [ min−update−interval <duration> ] [ policy ( cname | disabled | drop | given | no−op | nodata | nxdomain | passthru | tcp−only <quoted_string> ) ] [ recursive−only <boolean> ] [ nsip−enable <boolean> ] [ nsdname−enable <boolean> ]; ... } [ add−soa <boolean> ] [ break−dnssec <boolean> ] [ max−policy−ttl <duration> ] [ min−update−interval <duration> ] [ min−ns−dots <integer> ] [ nsip−wait−recurse <boolean> ] [ nsdname−wait−recurse <boolean> ] [ qname−wait−recurse <boolean> ] [ recursive−only <boolean> ] [ nsip−enable <boolean> ] [ nsdname−enable <boolean> ] [ dnsrps−enable <boolean> ] [ dnsrps−options { <unspecified−text> } ]; reuseport <boolean>; root−delegation−only [ exclude { <string>; ... } ]; // deprecated root−key−sentinel <boolean>; rrset−order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... }; secroots−file <quoted_string>; send−cookie <boolean>; serial−query−rate <integer>; serial−update−method ( date | increment | unixtime ); server−id ( <quoted_string> | none | hostname ); servfail−ttl <duration>; session−keyalg <string>; session−keyfile ( <quoted_string> | none ); session−keyname <string>; sig−signing−nodes <integer>; sig−signing−signatures <integer>; sig−signing−type <integer>; sig−validity−interval <integer> [ <integer> ]; sortlist { <address_match_element>; ... }; stacksize ( default | unlimited | <sizeval> ); // deprecated stale−answer−client−timeout ( disabled | off | <integer> ); stale−answer−enable <boolean>; stale−answer−ttl <duration>; stale−cache−enable <boolean>; stale−refresh−time <duration>; startup−notify−rate <integer>; statistics−file <quoted_string>; suppress−initial−notify <boolean>; // obsolete synth−from−dnssec <boolean>; tcp−advertised−timeout <integer>; tcp−clients <integer>; tcp−idle−timeout <integer>; tcp−initial−timeout <integer>; tcp−keepalive−timeout <integer>; tcp−listen−queue <integer>; tcp−receive−buffer <integer>; tcp−send−buffer <integer>; tkey−dhkey <quoted_string> <integer>; // deprecated tkey−domain <quoted_string>; tkey−gssapi−credential <quoted_string>; tkey−gssapi−keytab <quoted_string>; tls−port <integer>; transfer−format ( many−answers | one−answer ); transfer−message−size <integer>; transfer−source ( <ipv4_address> | * ) ; transfer−source−v6 ( <ipv6_address> | * ) ; transfers−in <integer>; transfers−out <integer>; transfers−per−ns <integer>; trust−anchor−telemetry <boolean>; // experimental try−tcp−refresh <boolean>; udp−receive−buffer <integer>; udp−send−buffer <integer>; update−check−ksk <boolean>; update−quota <integer>; use−alt−transfer−source <boolean>; // deprecated use−v4−udp−ports { <portrange>; ... }; // deprecated use−v6−udp−ports { <portrange>; ... }; // deprecated v6−bias <integer>; validate−except { <string>; ... }; version ( <quoted_string> | none ); zero−no−soa−ttl <boolean>; zero−no−soa−ttl−cache <boolean>; zone−statistics ( full | terse | none | <boolean> ); }; parental−agents <string> [ port <integer> ] { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times plugin ( query ) <string> [ { <unspecified−text> } ]; // may occur multiple times primaries <string> [ port <integer> ] { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times server <netprefix> { bogus <boolean>; edns <boolean>; edns−udp−size <integer>; edns−version <integer>; keys <server_key>; max−udp−size <integer>; notify−source ( <ipv4_address> | * ) ; notify−source−v6 ( <ipv6_address> | * ) ; padding <integer>; provide−ixfr <boolean>; query−source [ address ] ( <ipv4_address> | * ); query−source−v6 [ address ] ( <ipv6_address> | * ); request−expire <boolean>; request−ixfr <boolean>; request−nsid <boolean>; send−cookie <boolean>; tcp−keepalive <boolean>; tcp−only <boolean>; transfer−format ( many−answers | one−answer ); transfer−source ( <ipv4_address> | * ) ; transfer−source−v6 ( <ipv6_address> | * ) ; transfers <integer>; }; // may occur multiple times statistics−channels { inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] [ allow { <address_match_element>; ... } ]; // may occur multiple times }; // may occur multiple times tls <string> { ca−file <quoted_string>; cert−file <quoted_string>; ciphers <string>; dhparam−file <quoted_string>; key−file <quoted_string>; prefer−server−ciphers <boolean>; protocols { <string>; ... }; remote−hostname <quoted_string>; session−tickets <boolean>; }; // may occur multiple times trust−anchors { <string> ( static−key | initial−key | static−ds | initial−ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times trusted−keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated view <string> [ <class> ] { allow−new−zones <boolean>; allow−notify { <address_match_element>; ... }; allow−query { <address_match_element>; ... }; allow−query−cache { <address_match_element>; ... }; allow−query−cache−on { <address_match_element>; ... }; allow−query−on { <address_match_element>; ... }; allow−recursion { <address_match_element>; ... }; allow−recursion−on { <address_match_element>; ... }; allow−transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... }; allow−update { <address_match_element>; ... }; allow−update−forwarding { <address_match_element>; ... }; also−notify [ port <integer> ] { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; alt−transfer−source ( <ipv4_address> | * ) ; // deprecated alt−transfer−source−v6 ( <ipv6_address> | * ) ; // deprecated attach−cache <string>; auth−nxdomain <boolean>; auto−dnssec ( allow | maintain | off ); // deprecated catalog−zones { zone <string> [ default−primaries [ port <integer> ] { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone−directory <quoted_string> ] [ in−memory <boolean> ] [ min−update−interval <duration> ]; ... }; check−dup−records ( fail | warn | ignore ); check−integrity <boolean>; check−mx ( fail | warn | ignore ); check−mx−cname ( fail | warn | ignore ); check−names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times check−sibling <boolean>; check−spf ( warn | ignore ); check−srv−cname ( fail | warn | ignore ); check−wildcard <boolean>; clients−per−query <integer>; deny−answer−addresses { <address_match_element>; ... } [ except−from { <string>; ... } ]; deny−answer−aliases { <string>; ... } [ except−from { <string>; ... } ]; dialup ( notify | notify−passive | passive | refresh | <boolean> ); // deprecated disable−algorithms <string> { <string>; ... }; // may occur multiple times disable−ds−digests <string> { <string>; ... }; // may occur multiple times disable−empty−zone <string>; // may occur multiple times dlz <string> { database <string>; search <boolean>; }; // may occur multiple times dns64 <netprefix> { break−dnssec <boolean>; clients { <address_match_element>; ... }; exclude { <address_match_element>; ... }; mapped { <address_match_element>; ... }; recursive−only <boolean>; suffix <ipv6_address>; }; // may occur multiple times dns64−contact <string>; dns64−server <string>; dnskey−sig−validity <integer>; dnsrps−enable <boolean>; // not configured dnsrps−options { <unspecified−text> }; // not configured dnssec−accept−expired <boolean>; dnssec−dnskey−kskonly <boolean>; dnssec−loadkeys−interval <integer>; dnssec−must−be−secure <string> <boolean>; // may occur multiple times, deprecated dnssec−policy <string>; dnssec−secure−to−insecure <boolean>; dnssec−update−mode ( maintain | no−resign ); dnssec−validation ( yes | no | auto ); dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured dual−stack−servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... }; dyndb <string> <quoted_string> { <unspecified−text> }; // may occur multiple times edns−udp−size <integer>; empty−contact <string>; empty−server <string>; empty−zones−enable <boolean>; fetch−quota−params <integer> <fixedpoint> <fixedpoint> <fixedpoint>; fetches−per−server <integer> [ ( drop | fail ) ]; fetches−per−zone <integer> [ ( drop | fail ) ]; forward ( first | only ); forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... }; glue−cache <boolean>; // deprecated ipv4only−contact <string>; ipv4only−enable <boolean>; ipv4only−server <string>; ixfr−from−differences ( primary | master | secondary | slave | <boolean> ); key <string> { algorithm <string>; secret <string>; }; // may occur multiple times key−directory <quoted_string>; lame−ttl <duration>; lmdb−mapsize <sizeval>; managed−keys { <string> ( static−key | initial−key | static−ds | initial−ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated masterfile−format ( raw | text ); masterfile−style ( full | relative ); match−clients { <address_match_element>; ... }; match−destinations { <address_match_element>; ... }; match−recursive−only <boolean>; max−cache−size ( default | unlimited | <sizeval> | <percentage> ); max−cache−ttl <duration>; max−clients−per−query <integer>; max−ixfr−ratio ( unlimited | <percentage> ); max−journal−size ( default | unlimited | <sizeval> ); max−ncache−ttl <duration>; max−records <integer>; max−recursion−depth <integer>; max−recursion−queries <integer>; max−refresh−time <integer>; max−retry−time <integer>; max−stale−ttl <duration>; max−transfer−idle−in <integer>; max−transfer−idle−out <integer>; max−transfer−time−in <integer>; max−transfer−time−out <integer>; max−udp−size <integer>; max−zone−ttl ( unlimited | <duration> ); message−compression <boolean>; min−cache−ttl <duration>; min−ncache−ttl <duration>; min−refresh−time <integer>; min−retry−time <integer>; minimal−any <boolean>; minimal−responses ( no−auth | no−auth−recursive | <boolean> ); multi−master <boolean>; new−zones−directory <quoted_string>; no−case−compress { <address_match_element>; ... }; nocookie−udp−size <integer>; notify ( explicit | master−only | primary−only | <boolean> ); notify−delay <integer>; notify−source ( <ipv4_address> | * ) ; notify−source−v6 ( <ipv6_address> | * ) ; notify−to−soa <boolean>; nsec3−test−zone <boolean>; // test only nta−lifetime <duration>; nta−recheck <duration>; nxdomain−redirect <string>; parental−source ( <ipv4_address> | * ) ; parental−source−v6 ( <ipv6_address> | * ) ; plugin ( query ) <string> [ { <unspecified−text> } ]; // may occur multiple times preferred−glue <string>; prefetch <integer> [ <integer> ]; provide−ixfr <boolean>; qname−minimization ( strict | relaxed | disabled | off ); query−source [ address ] ( <ipv4_address> | * ); query−source−v6 [ address ] ( <ipv6_address> | * ); rate−limit { all−per−second <integer>; errors−per−second <integer>; exempt−clients { <address_match_element>; ... }; ipv4−prefix−length <integer>; ipv6−prefix−length <integer>; log−only <boolean>; max−table−size <integer>; min−table−size <integer>; nodata−per−second <integer>; nxdomains−per−second <integer>; qps−scale <integer>; referrals−per−second <integer>; responses−per−second <integer>; slip <integer>; window <integer>; }; recursion <boolean>; request−expire <boolean>; request−ixfr <boolean>; request−nsid <boolean>; require−server−cookie <boolean>; resolver−nonbackoff−tries <integer>; resolver−query−timeout <integer>; resolver−retry−interval <integer>; response−padding { <address_match_element>; ... } block−size <integer>; response−policy { zone <string> [ add−soa <boolean> ] [ log <boolean> ] [ max−policy−ttl <duration> ] [ min−update−interval <duration> ] [ policy ( cname | disabled | drop | given | no−op | nodata | nxdomain | passthru | tcp−only <quoted_string> ) ] [ recursive−only <boolean> ] [ nsip−enable <boolean> ] [ nsdname−enable <boolean> ]; ... } [ add−soa <boolean> ] [ break−dnssec <boolean> ] [ max−policy−ttl <duration> ] [ min−update−interval <duration> ] [ min−ns−dots <integer> ] [ nsip−wait−recurse <boolean> ] [ nsdname−wait−recurse <boolean> ] [ qname−wait−recurse <boolean> ] [ recursive−only <boolean> ] [ nsip−enable <boolean> ] [ nsdname−enable <boolean> ] [ dnsrps−enable <boolean> ] [ dnsrps−options { <unspecified−text> } ]; root−delegation−only [ exclude { <string>; ... } ]; // deprecated root−key−sentinel <boolean>; rrset−order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... }; send−cookie <boolean>; serial−update−method ( date | increment | unixtime ); server <netprefix> { bogus <boolean>; edns <boolean>; edns−udp−size <integer>; edns−version <integer>; keys <server_key>; max−udp−size <integer>; notify−source ( <ipv4_address> | * ) ; notify−source−v6 ( <ipv6_address> | * ) ; padding <integer>; provide−ixfr <boolean>; query−source [ address ] ( <ipv4_address> | * ); query−source−v6 [ address ] ( <ipv6_address> | * ); request−expire <boolean>; request−ixfr <boolean>; request−nsid <boolean>; send−cookie <boolean>; tcp−keepalive <boolean>; tcp−only <boolean>; transfer−format ( many−answers | one−answer ); transfer−source ( <ipv4_address> | * ) ; transfer−source−v6 ( <ipv6_address> | * ) ; transfers <integer>; }; // may occur multiple times servfail−ttl <duration>; sig−signing−nodes <integer>; sig−signing−signatures <integer>; sig−signing−type <integer>; sig−validity−interval <integer> [ <integer> ]; sortlist { <address_match_element>; ... }; stale−answer−client−timeout ( disabled | off | <integer> ); stale−answer−enable <boolean>; stale−answer−ttl <duration>; stale−cache−enable <boolean>; stale−refresh−time <duration>; suppress−initial−notify <boolean>; // obsolete synth−from−dnssec <boolean>; transfer−format ( many−answers | one−answer ); transfer−source ( <ipv4_address> | * ) ; transfer−source−v6 ( <ipv6_address> | * ) ; trust−anchor−telemetry <boolean>; // experimental trust−anchors { <string> ( static−key | initial−key | static−ds | initial−ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times trusted−keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated try−tcp−refresh <boolean>; update−check−ksk <boolean>; use−alt−transfer−source <boolean>; // deprecated v6−bias <integer>; validate−except { <string>; ... }; zero−no−soa−ttl <boolean>; zero−no−soa−ttl−cache <boolean>; zone−statistics ( full | terse | none | <boolean> ); }; // may occur multiple times
Any of these zone statements can also be set inside the view statement.
zone <string> [ <class> ] { type primary; allow−query { <address_match_element>; ... }; allow−query−on { <address_match_element>; ... }; allow−transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... }; allow−update { <address_match_element>; ... }; also−notify [ port <integer> ] { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; alt−transfer−source ( <ipv4_address> | * ) ; // deprecated alt−transfer−source−v6 ( <ipv6_address> | * ) ; // deprecated auto−dnssec ( allow | maintain | off ); // deprecated check−dup−records ( fail | warn | ignore ); check−integrity <boolean>; check−mx ( fail | warn | ignore ); check−mx−cname ( fail | warn | ignore ); check−names ( fail | warn | ignore ); check−sibling <boolean>; check−spf ( warn | ignore ); check−srv−cname ( fail | warn | ignore ); check−wildcard <boolean>; database <string>; dialup ( notify | notify−passive | passive | refresh | <boolean> ); // deprecated dlz <string>; dnskey−sig−validity <integer>; dnssec−dnskey−kskonly <boolean>; dnssec−loadkeys−interval <integer>; dnssec−policy <string>; dnssec−secure−to−insecure <boolean>; dnssec−update−mode ( maintain | no−resign ); file <quoted_string>; forward ( first | only ); forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... }; inline−signing <boolean>; ixfr−from−differences <boolean>; journal <quoted_string>; key−directory <quoted_string>; masterfile−format ( raw | text ); masterfile−style ( full | relative ); max−ixfr−ratio ( unlimited | <percentage> ); max−journal−size ( default | unlimited | <sizeval> ); max−records <integer>; max−transfer−idle−out <integer>; max−transfer−time−out <integer>; max−zone−ttl ( unlimited | <duration> ); notify ( explicit | master−only | primary−only | <boolean> ); notify−delay <integer>; notify−source ( <ipv4_address> | * ) ; notify−source−v6 ( <ipv6_address> | * ) ; notify−to−soa <boolean>; nsec3−test−zone <boolean>; // test only parental−agents [ port <integer> ] { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; parental−source ( <ipv4_address> | * ) ; parental−source−v6 ( <ipv6_address> | * ) ; serial−update−method ( date | increment | unixtime ); sig−signing−nodes <integer>; sig−signing−signatures <integer>; sig−signing−type <integer>; sig−validity−interval <integer> [ <integer> ]; update−check−ksk <boolean>; update−policy ( local | { ( deny | grant ) <string> ( 6to4−self | external | krb5−self | krb5−selfsub | krb5−subdomain | krb5−subdomain−self−rhs | ms−self | ms−selfsub | ms−subdomain | ms−subdomain−self−rhs | name | self | selfsub | selfwild | subdomain | tcp−self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... } ); zero−no−soa−ttl <boolean>; zone−statistics ( full | terse | none | <boolean> ); }; zone <string> [ <class> ] { type secondary; allow−notify { <address_match_element>; ... }; allow−query { <address_match_element>; ... }; allow−query−on { <address_match_element>; ... }; allow−transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... }; allow−update−forwarding { <address_match_element>; ... }; also−notify [ port <integer> ] { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; alt−transfer−source ( <ipv4_address> | * ) ; // deprecated alt−transfer−source−v6 ( <ipv6_address> | * ) ; // deprecated auto−dnssec ( allow | maintain | off ); // deprecated check−names ( fail | warn | ignore ); database <string>; dialup ( notify | notify−passive | passive | refresh | <boolean> ); // deprecated dlz <string>; dnskey−sig−validity <integer>; dnssec−dnskey−kskonly <boolean>; dnssec−loadkeys−interval <integer>; dnssec−policy <string>; dnssec−update−mode ( maintain | no−resign ); file <quoted_string>; forward ( first | only ); forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... }; inline−signing <boolean>; ixfr−from−differences <boolean>; journal <quoted_string>; key−directory <quoted_string>; masterfile−format ( raw | text ); masterfile−style ( full | relative ); max−ixfr−ratio ( unlimited | <percentage> ); max−journal−size ( default | unlimited | <sizeval> ); max−records <integer>; max−refresh−time <integer>; max−retry−time <integer>; max−transfer−idle−in <integer>; max−transfer−idle−out <integer>; max−transfer−time−in <integer>; max−transfer−time−out <integer>; min−refresh−time <integer>; min−retry−time <integer>; multi−master <boolean>; notify ( explicit | master−only | primary−only | <boolean> ); notify−delay <integer>; notify−source ( <ipv4_address> | * ) ; notify−source−v6 ( <ipv6_address> | * ) ; notify−to−soa <boolean>; nsec3−test−zone <boolean>; // test only parental−agents [ port <integer> ] { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; parental−source ( <ipv4_address> | * ) ; parental−source−v6 ( <ipv6_address> | * ) ; primaries [ port <integer> ] { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; request−expire <boolean>; request−ixfr <boolean>; sig−signing−nodes <integer>; sig−signing−signatures <integer>; sig−signing−type <integer>; sig−validity−interval <integer> [ <integer> ]; transfer−source ( <ipv4_address> | * ) ; transfer−source−v6 ( <ipv6_address> | * ) ; try−tcp−refresh <boolean>; update−check−ksk <boolean>; use−alt−transfer−source <boolean>; // deprecated zero−no−soa−ttl <boolean>; zone−statistics ( full | terse | none | <boolean> ); }; zone <string> [ <class> ] { type mirror; allow−notify { <address_match_element>; ... }; allow−query { <address_match_element>; ... }; allow−query−on { <address_match_element>; ... }; allow−transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... }; allow−update−forwarding { <address_match_element>; ... }; also−notify [ port <integer> ] { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; alt−transfer−source ( <ipv4_address> | * ) ; // deprecated alt−transfer−source−v6 ( <ipv6_address> | * ) ; // deprecated check−names ( fail | warn | ignore ); database <string>; file <quoted_string>; ixfr−from−differences <boolean>; journal <quoted_string>; masterfile−format ( raw | text ); masterfile−style ( full | relative ); max−ixfr−ratio ( unlimited | <percentage> ); max−journal−size ( default | unlimited | <sizeval> ); max−records <integer>; max−refresh−time <integer>; max−retry−time <integer>; max−transfer−idle−in <integer>; max−transfer−idle−out <integer>; max−transfer−time−in <integer>; max−transfer−time−out <integer>; min−refresh−time <integer>; min−retry−time <integer>; multi−master <boolean>; notify ( explicit | master−only | primary−only | <boolean> ); notify−delay <integer>; notify−source ( <ipv4_address> | * ) ; notify−source−v6 ( <ipv6_address> | * ) ; primaries [ port <integer> ] { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; request−expire <boolean>; request−ixfr <boolean>; transfer−source ( <ipv4_address> | * ) ; transfer−source−v6 ( <ipv6_address> | * ) ; try−tcp−refresh <boolean>; use−alt−transfer−source <boolean>; // deprecated zero−no−soa−ttl <boolean>; zone−statistics ( full | terse | none | <boolean> ); }; zone <string> [ <class> ] { type forward; delegation−only <boolean>; // deprecated forward ( first | only ); forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... }; }; zone <string> [ <class> ] { type hint; check−names ( fail | warn | ignore ); delegation−only <boolean>; // deprecated file <quoted_string>; }; zone <string> [ <class> ] { type redirect; allow−query { <address_match_element>; ... }; allow−query−on { <address_match_element>; ... }; dlz <string>; file <quoted_string>; masterfile−format ( raw | text ); masterfile−style ( full | relative ); max−records <integer>; max−zone−ttl ( unlimited | <duration> ); primaries [ port <integer> ] { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; zone−statistics ( full | terse | none | <boolean> ); }; zone <string> [ <class> ] { type static−stub; allow−query { <address_match_element>; ... }; allow−query−on { <address_match_element>; ... }; forward ( first | only ); forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... }; max−records <integer>; server−addresses { ( <ipv4_address> | <ipv6_address> ); ... }; server−names { <string>; ... }; zone−statistics ( full | terse | none | <boolean> ); }; zone <string> [ <class> ] { type stub; allow−query { <address_match_element>; ... }; allow−query−on { <address_match_element>; ... }; check−names ( fail | warn | ignore ); database <string>; delegation−only <boolean>; // deprecated dialup ( notify | notify−passive | passive | refresh | <boolean> ); // deprecated file <quoted_string>; forward ( first | only ); forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... }; masterfile−format ( raw | text ); masterfile−style ( full | relative ); max−records <integer>; max−refresh−time <integer>; max−retry−time <integer>; max−transfer−idle−in <integer>; max−transfer−time−in <integer>; min−refresh−time <integer>; min−retry−time <integer>; multi−master <boolean>; primaries [ port <integer> ] { ( <remote−servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; transfer−source ( <ipv4_address> | * ) ; transfer−source−v6 ( <ipv6_address> | * ) ; use−alt−transfer−source <boolean>; // deprecated zone−statistics ( full | terse | none | <boolean> ); }; zone <string> [ <class> ] { type delegation−only; }; zone <string> [ <class> ] { in−view <string>; };
/etc/bind/named.conf
named(8), named−checkconf(8), rndc(8), rndc−confgen(8), tsig−keygen(8), BIND 9 Administrator Reference Manual.
Internet Systems Consortium
2023, Internet Systems Consortium