~ubuntu-branches/ubuntu/raring/bind9/raring


Viewing changes to doc/arm/Bv9ARM.ch06.html

  • Committer: Package Import Robot
  • Author(s): LaMont Jones
  • Date: 2012-01-19 12:30:31 UTC
  • mfrom: (1.9.1) (26.1.6 sid)
  • Revision ID: package-import@ubuntu.com-20120119123031-0j2wlg66ll5ogpz2
Tags: 1:9.8.1.dfsg.P1-1~build1
precise upload

14
14
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15
15
 - PERFORMANCE OF THIS SOFTWARE.
16
16
-->
17
 
<!-- $Id: Bv9ARM.ch06.html,v 1.249.4.13 2011-01-31 02:10:39 tbox Exp $ -->
 
17
<!-- $Id: Bv9ARM.ch06.html,v 1.275.8.10 2011-08-03 02:35:13 tbox Exp $ -->
18
18
<html>
19
19
<head>
20
20
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
48
48
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
49
49
<dd><dl>
50
50
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
51
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574270">Comment Syntax</a></span></dt>
 
51
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574283">Comment Syntax</a></span></dt>
52
52
</dl></dd>
53
53
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
54
54
<dd><dl>
55
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574924"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
 
55
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574937"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
56
56
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
57
57
          Usage</a></span></dt>
58
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575114"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
 
58
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575127"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
59
59
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
60
60
          Usage</a></span></dt>
61
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575405"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
62
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575422"><span><strong class="command">include</strong></span> Statement Definition and
63
 
          Usage</a></span></dt>
64
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575446"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
65
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575469"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
66
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575560"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
67
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575754"><span><strong class="command">logging</strong></span> Statement Definition and
68
 
          Usage</a></span></dt>
69
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577821"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
70
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577963"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
71
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578027"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
72
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578071"><span><strong class="command">masters</strong></span> Statement Definition and
73
 
          Usage</a></span></dt>
74
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578086"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
 
61
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575418"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
 
62
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575504"><span><strong class="command">include</strong></span> Statement Definition and
 
63
          Usage</a></span></dt>
 
64
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575527"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
 
65
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575550"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
 
66
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575709"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
 
67
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575835"><span><strong class="command">logging</strong></span> Statement Definition and
 
68
          Usage</a></span></dt>
 
69
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577834"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
 
70
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577908"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
 
71
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578040"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
 
72
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578084"><span><strong class="command">masters</strong></span> Statement Definition and
 
73
          Usage</a></span></dt>
 
74
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578099"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
75
75
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
76
76
          Usage</a></span></dt>
77
77
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
78
78
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
79
79
            Usage</a></span></dt>
80
80
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
81
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588542"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
 
81
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589395"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
82
82
            Usage</a></span></dt>
83
83
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
84
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588750"><span><strong class="command">trusted-keys</strong></span> Statement Definition
 
84
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589534"><span><strong class="command">trusted-keys</strong></span> Statement Definition
85
85
            and Usage</a></span></dt>
86
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588797"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
 
86
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589581"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
87
87
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
88
88
            and Usage</a></span></dt>
89
89
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
90
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589360"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
 
90
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590007"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
91
91
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
92
92
            Statement Grammar</a></span></dt>
93
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590796"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
 
93
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591558"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
94
94
</dl></dd>
95
 
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2593688">Zone File</a></span></dt>
 
95
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2595030">Zone File</a></span></dt>
96
96
<dd><dl>
97
97
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
98
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2595782">Discussion of MX Records</a></span></dt>
 
98
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597260">Discussion of MX Records</a></span></dt>
99
99
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
100
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596534">Inverse Mapping in IPv4</a></span></dt>
101
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596661">Other Zone File Directives</a></span></dt>
102
 
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2596934"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
 
100
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597876">Inverse Mapping in IPv4</a></span></dt>
 
101
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598003">Other Zone File Directives</a></span></dt>
 
102
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598276"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
103
103
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
104
104
</dl></dd>
105
105
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
477
477
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
478
478
<div class="sect3" lang="en">
479
479
<div class="titlepage"><div><div><h4 class="title">
480
 
<a name="id2574037"></a>Syntax</h4></div></div></div>
 
480
<a name="id2574050"></a>Syntax</h4></div></div></div>
481
481
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
482
482
  [<span class="optional"> address_match_list_element; ... </span>]
483
483
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
486
486
</div>
487
487
<div class="sect3" lang="en">
488
488
<div class="titlepage"><div><div><h4 class="title">
489
 
<a name="id2574065"></a>Definition and Usage</h4></div></div></div>
 
489
<a name="id2574077"></a>Definition and Usage</h4></div></div></div>
490
490
<p>
491
491
            Address match lists are primarily used to determine access
492
492
            control for various server operations. They are also used in
570
570
</div>
571
571
<div class="sect2" lang="en">
572
572
<div class="titlepage"><div><div><h3 class="title">
573
 
<a name="id2574270"></a>Comment Syntax</h3></div></div></div>
 
573
<a name="id2574283"></a>Comment Syntax</h3></div></div></div>
574
574
<p>
575
575
          The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
576
576
          comments to appear
580
580
        </p>
581
581
<div class="sect3" lang="en">
582
582
<div class="titlepage"><div><div><h4 class="title">
583
 
<a name="id2574285"></a>Syntax</h4></div></div></div>
 
583
<a name="id2574298"></a>Syntax</h4></div></div></div>
584
584
<p>
585
585
            </p>
586
586
<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
596
596
</div>
597
597
<div class="sect3" lang="en">
598
598
<div class="titlepage"><div><div><h4 class="title">
599
 
<a name="id2574315"></a>Definition and Usage</h4></div></div></div>
 
599
<a name="id2574328"></a>Definition and Usage</h4></div></div></div>
600
600
<p>
601
601
            Comments may appear anywhere that whitespace may appear in
602
602
            a <acronym class="acronym">BIND</acronym> configuration file.
848
848
      </p>
849
849
<div class="sect2" lang="en">
850
850
<div class="titlepage"><div><div><h3 class="title">
851
 
<a name="id2574924"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
 
851
<a name="id2574937"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
852
852
<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
853
853
    address_match_list
854
854
};
930
930
</div>
931
931
<div class="sect2" lang="en">
932
932
<div class="titlepage"><div><div><h3 class="title">
933
 
<a name="id2575114"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
 
933
<a name="id2575127"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
934
934
<pre class="programlisting"><span><strong class="command">controls</strong></span> {
935
935
   [ inet ( ip_addr | * ) [ port ip_port ]
936
936
                allow { <em class="replaceable"><code> address_match_list </code></em> }
1054
1054
</div>
1055
1055
<div class="sect2" lang="en">
1056
1056
<div class="titlepage"><div><div><h3 class="title">
1057
 
<a name="id2575405"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
 
1057
<a name="id2575418"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
1058
1058
<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
1059
1059
</div>
1060
1060
<div class="sect2" lang="en">
1061
1061
<div class="titlepage"><div><div><h3 class="title">
1062
 
<a name="id2575422"></a><span><strong class="command">include</strong></span> Statement Definition and
 
1062
<a name="id2575504"></a><span><strong class="command">include</strong></span> Statement Definition and
1063
1063
          Usage</h3></div></div></div>
1064
1064
<p>
1065
1065
          The <span><strong class="command">include</strong></span> statement inserts the
1074
1074
</div>
1075
1075
<div class="sect2" lang="en">
1076
1076
<div class="titlepage"><div><div><h3 class="title">
1077
 
<a name="id2575446"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
 
1077
<a name="id2575527"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
1078
1078
<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
1079
1079
    algorithm <em class="replaceable"><code>string</code></em>;
1080
1080
    secret <em class="replaceable"><code>string</code></em>;
1083
1083
</div>
1084
1084
<div class="sect2" lang="en">
1085
1085
<div class="titlepage"><div><div><h3 class="title">
1086
 
<a name="id2575469"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
 
1086
<a name="id2575550"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
1087
1087
<p>
1088
1088
          The <span><strong class="command">key</strong></span> statement defines a shared
1089
1089
          secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
1130
1130
</div>
1131
1131
<div class="sect2" lang="en">
1132
1132
<div class="titlepage"><div><div><h3 class="title">
1133
 
<a name="id2575560"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
 
1133
<a name="id2575709"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
1134
1134
<pre class="programlisting"><span><strong class="command">logging</strong></span> {
1135
1135
   [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
1136
1136
     ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
1154
1154
</div>
1155
1155
<div class="sect2" lang="en">
1156
1156
<div class="titlepage"><div><div><h3 class="title">
1157
 
<a name="id2575754"></a><span><strong class="command">logging</strong></span> Statement Definition and
 
1157
<a name="id2575835"></a><span><strong class="command">logging</strong></span> Statement Definition and
1158
1158
          Usage</h3></div></div></div>
1159
1159
<p>
1160
1160
          The <span><strong class="command">logging</strong></span> statement configures a
1188
1188
        </p>
1189
1189
<div class="sect3" lang="en">
1190
1190
<div class="titlepage"><div><div><h4 class="title">
1191
 
<a name="id2575875"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
 
1191
<a name="id2575888"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
1192
1192
<p>
1193
1193
            All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
1194
1194
            you can make as many of them as you want.
1753
1753
</div>
1754
1754
<div class="sect3" lang="en">
1755
1755
<div class="titlepage"><div><div><h4 class="title">
1756
 
<a name="id2577234"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
 
1756
<a name="id2577315"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
1757
1757
<p>
1758
1758
            The <span><strong class="command">query-errors</strong></span> category is
1759
1759
            specifically intended for debugging purposes: To identify
1981
1981
</div>
1982
1982
<div class="sect2" lang="en">
1983
1983
<div class="titlepage"><div><div><h3 class="title">
1984
 
<a name="id2577821"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
 
1984
<a name="id2577834"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
1985
1985
<p>
1986
1986
           This is the grammar of the <span><strong class="command">lwres</strong></span>
1987
1987
          statement in the <code class="filename">named.conf</code> file:
1997
1997
</div>
1998
1998
<div class="sect2" lang="en">
1999
1999
<div class="titlepage"><div><div><h3 class="title">
2000
 
<a name="id2577963"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
 
2000
<a name="id2577908"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
2001
2001
<p>
2002
2002
          The <span><strong class="command">lwres</strong></span> statement configures the
2003
2003
          name
2048
2048
</div>
2049
2049
<div class="sect2" lang="en">
2050
2050
<div class="titlepage"><div><div><h3 class="title">
2051
 
<a name="id2578027"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
 
2051
<a name="id2578040"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
2052
2052
<pre class="programlisting">
2053
2053
<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | 
2054
2054
      <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
2056
2056
</div>
2057
2057
<div class="sect2" lang="en">
2058
2058
<div class="titlepage"><div><div><h3 class="title">
2059
 
<a name="id2578071"></a><span><strong class="command">masters</strong></span> Statement Definition and
 
2059
<a name="id2578084"></a><span><strong class="command">masters</strong></span> Statement Definition and
2060
2060
          Usage</h3></div></div></div>
2061
2061
<p><span><strong class="command">masters</strong></span>
2062
2062
          lists allow for a common set of masters to be easily used by
2065
2065
</div>
2066
2066
<div class="sect2" lang="en">
2067
2067
<div class="titlepage"><div><div><h3 class="title">
2068
 
<a name="id2578086"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
 
2068
<a name="id2578099"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
2069
2069
<p>
2070
2070
          This is the grammar of the <span><strong class="command">options</strong></span>
2071
2071
          statement in the <code class="filename">named.conf</code> file:
2079
2079
    [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
2080
2080
    [<span class="optional"> managed-keys-directory <em class="replaceable"><code>path_name</code></em>; </span>]
2081
2081
    [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
 
2082
    [<span class="optional"> tkey-gssapi-keytab <em class="replaceable"><code>path_name</code></em>; </span>]
2082
2083
    [<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
2083
2084
    [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
2084
2085
    [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
2109
2110
    [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2110
2111
    [<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
2111
2112
    [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2112
 
    [<span class="optional"> dnssec-validation <em class="replaceable"><code>yes_or_no</code></em>; </span>]
 
2113
    [<span class="optional"> dnssec-validation (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">auto</code>); </span>]
2113
2114
    [<span class="optional"> dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> | 
2114
2115
                        <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>]
2115
2116
    [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
2226
2227
    [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2227
2228
    [<span class="optional"> filter-aaaa-on-v4 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
2228
2229
    [<span class="optional"> filter-aaaa { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 
2230
    [<span class="optional"> dns64 <em class="replaceable"><code>IPv6-prefix</code></em> {
 
2231
        [<span class="optional"> clients { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 
2232
        [<span class="optional"> mapped { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 
2233
        [<span class="optional"> exclude { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 
2234
        [<span class="optional"> suffix IPv6-address; </span>]
 
2235
        [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em>; </span>]
 
2236
        [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em>; </span>]
 
2237
    }; </span>];
 
2238
    [<span class="optional"> dns64-server <em class="replaceable"><code>name</code></em> </span>]
 
2239
    [<span class="optional"> dns64-contact <em class="replaceable"><code>name</code></em> </span>]
2229
2240
    [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
2230
2241
    [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
2231
2242
    [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
2245
2256
    [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
2246
2257
    [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2247
2258
    [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 
2259
    [<span class="optional"> resolver-query-timeout <em class="replaceable"><code>number</code></em> ; </span>]
2248
2260
    [<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
2249
2261
    [<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
 
2262
    [<span class="optional"> response-policy { <em class="replaceable"><code>zone_name</code></em> [<span class="optional"> policy <em class="replaceable"><code>given</code></em> | <em class="replaceable"><code>no-op</code></em> | <em class="replaceable"><code>nxdomain</code></em> | <em class="replaceable"><code>nodata</code></em> | <em class="replaceable"><code>cname domain</code></em> </span>] ; } ; </span>]
2250
2263
};
2251
2264
</pre>
2252
2265
</div>
2392
2405
                <span><strong class="command">named-xfer</strong></span> program is needed;
2393
2406
                its functionality is built into the name server.
2394
2407
              </p></dd>
 
2408
<dt><span class="term"><span><strong class="command">tkey-gssapi-keytab</strong></span></span></dt>
 
2409
<dd><p>
 
2410
                The KRB5 keytab file to use for GSS-TSIG updates. If
 
2411
                this option is set and tkey-gssapi-credential is not
 
2412
                set, then updates will be allowed with any key
 
2413
                matching a principal in the specified keytab.
 
2414
              </p></dd>
2395
2415
<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
2396
2416
<dd><p>
2397
2417
                The security credential with which the server should
2398
2418
                authenticate keys requested by the GSS-TSIG protocol.
2399
2419
                Currently only Kerberos 5 authentication is available
2400
 
                and the credential is a Kerberos principal which
2401
 
                the server can acquire through the default system
2402
 
                key file, normally <code class="filename">/etc/krb5.keytab</code>.
2403
 
                Normally this principal is of the form
2404
 
                "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
2405
 
                To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span>
2406
 
                must also be set.
 
2420
                and the credential is a Kerberos principal which the
 
2421
                server can acquire through the default system key
 
2422
                file, normally <code class="filename">/etc/krb5.keytab</code>.
 
2423
                The location keytab file can be overridden using the
 
2424
                tkey-gssapi-keytab option. Normally this principal is
 
2425
                of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
 
2426
                To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span> must
 
2427
                also be set if a specific keytab is not set with
 
2428
                tkey-gssapi-keytab.
2407
2429
              </p></dd>
2408
2430
<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
2409
2431
<dd><p>
2420
2442
                should be the server's domain name, or an otherwise
2421
2443
                non-existent subdomain like
2422
2444
                "_tkey.<code class="varname">domainname</code>".  If you are
2423
 
                using GSS-TSIG, this variable must be defined.
 
2445
                using GSS-TSIG, this variable must be defined, unless
 
2446
                you specify a specific keytab using tkey-gssapi-keytab.
2424
2447
              </p></dd>
2425
2448
<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
2426
2449
<dd><p>
2485
2508
                The pathname of a file to override the built-in trusted
2486
2509
                keys provided by <span><strong class="command">named</strong></span>.
2487
2510
                See the discussion of <span><strong class="command">dnssec-lookaside</strong></span>
2488
 
                for details.  If not specified, the default is
 
2511
                and <span><strong class="command">dnssec-validation</strong></span> for details. 
 
2512
                If not specified, the default is
2489
2513
                <code class="filename">/etc/bind.keys</code>.
2490
2514
              </p></dd>
2491
2515
<dt><span class="term"><span><strong class="command">secroots-file</strong></span></span></dt>
2640
2664
              </p>
2641
2665
<p>
2642
2666
                The default DLV key is stored in the file
2643
 
                <code class="filename">bind.keys</code>, which
2644
 
                <span><strong class="command">named</strong></span> loads at startup if
2645
 
                <span><strong class="command">dnssec-lookaside</strong></span> is set to
2646
 
                <code class="constant">auto</code>.  A copy of that file is
 
2667
                <code class="filename">bind.keys</code>;
 
2668
                <span><strong class="command">named</strong></span> will load that key at
 
2669
                startup if <span><strong class="command">dnssec-lookaside</strong></span> is set to
 
2670
                <code class="constant">auto</code>.  A copy of the file is
2647
2671
                installed along with <acronym class="acronym">BIND</acronym> 9, and is
2648
2672
                current as of the release date.  If the DLV key expires, a
2649
2673
                new copy of <code class="filename">bind.keys</code> can be downloaded
2657
2681
                to be recompiled with a new key when the DLV key expires.)
2658
2682
              </p>
2659
2683
<p>
2660
 
                NOTE: Using <code class="filename">bind.keys</code> to store
2661
 
                locally-configured keys is possible, but not
2662
 
                recommended, as the file will be overwritten whenever
2663
 
                <acronym class="acronym">BIND</acronym> 9 is re-installed or upgraded.
 
2684
                NOTE: <span><strong class="command">named</strong></span> only loads certain specific
 
2685
                keys from <code class="filename">bind.keys</code>:  those for the
 
2686
                DLV zone and for the DNS root zone.  The file cannot be
 
2687
                used to store keys for other zones.
2664
2688
              </p>
2665
2689
</dd>
2666
2690
<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
2675
2699
                <span><strong class="command">managed-keys</strong></span> statement, or
2676
2700
                <span><strong class="command">dnssec-lookaside</strong></span> must be active.
2677
2701
              </p></dd>
 
2702
<dt><span class="term"><span><strong class="command">dns64</strong></span></span></dt>
 
2703
<dd>
 
2704
<p>
 
2705
                This directive instructs <span><strong class="command">named</strong></span> to
 
2706
                return mapped IPv4 addresses to AAAA queries when
 
2707
                there are no AAAA records.  It is intended to be
 
2708
                used in conjunction with a NAT64.  Each
 
2709
                <span><strong class="command">dns64</strong></span> defines one DNS64 prefix.
 
2710
                Multiple DNS64 prefixes can be defined.
 
2711
              </p>
 
2712
<p>
 
2713
                Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
 
2714
                64 and 96 as per RFC 6052.
 
2715
              </p>
 
2716
<p>
 
2717
                Additionally a reverse IP6.ARPA zone will be created for
 
2718
                the prefix to provide a mapping from the IP6.ARPA names
 
2719
                to the corresponding IN-ADDR.ARPA names using synthesized
 
2720
                CNAMEs.  <span><strong class="command">dns64-server</strong></span> and
 
2721
                <span><strong class="command">dns64-contact</strong></span> can be used to specify
 
2722
                the name of the server and contact for the zones. These
 
2723
                are settable at the view / options level.  These are
 
2724
                not settable on a per-prefix basis.
 
2725
              </p>
 
2726
<p>
 
2727
                Each <span><strong class="command">dns64</strong></span> supports an optional
 
2728
                <span><strong class="command">clients</strong></span> ACL that determines which
 
2729
                clients are affected by this directive.  If not defined,
 
2730
                it defaults to <strong class="userinput"><code>any;</code></strong>.
 
2731
              </p>
 
2732
<p>
 
2733
                Each <span><strong class="command">dns64</strong></span> supports an optional
 
2734
                <span><strong class="command">mapped</strong></span> ACL that selects which
 
2735
                IPv4 addresses are to be mapped in the corresponding    
 
2736
                A RRset.  If not defined it defaults to
 
2737
                <strong class="userinput"><code>any;</code></strong>.
 
2738
              </p>
 
2739
<p>
 
2740
                Normally, DNS64 won't apply to a domain name that
 
2741
                owns one or more AAAA records; these records will
 
2742
                simply be returned.  The optional
 
2743
                <span><strong class="command">exclude</strong></span> ACL allows specification
 
2744
                of a list of IPv6 addresses that will be ignored
 
2745
                if they appear in a domain name's AAAA records, and
 
2746
                DNS64 will be applied to any A records the domain
 
2747
                name owns.  If not defined, <span><strong class="command">exclude</strong></span>
 
2748
                defaults to none.
 
2749
              </p>
 
2750
<p>
 
2751
                A optional <span><strong class="command">suffix</strong></span> can also
 
2752
                be defined to set the bits trailing the mapped
 
2753
                IPv4 address bits.  By default these bits are
 
2754
                set to <strong class="userinput"><code>::</code></strong>.  The bits
 
2755
                matching the prefix and mapped IPv4 address
 
2756
                must be zero.
 
2757
              </p>
 
2758
<p>
 
2759
                If <span><strong class="command">recursive-only</strong></span> is set to
 
2760
                <span><strong class="command">yes</strong></span> the DNS64 synthesis will
 
2761
                only happen for recursive queries.  The default
 
2762
                is <span><strong class="command">no</strong></span>.
 
2763
              </p>
 
2764
<p>
 
2765
                If <span><strong class="command">break-dnssec</strong></span> is set to
 
2766
                <span><strong class="command">yes</strong></span> the DNS64 synthesis will
 
2767
                happen even if the result, if validated, would
 
2768
                cause a DNSSEC validation failure.  If this option
 
2769
                is set to <span><strong class="command">no</strong></span> (the default), the DO
 
2770
                is set on the incoming query, and there are RRSIGs on
 
2771
                the applicable records, then synthesis will not happen.
 
2772
              </p>
 
2773
<pre class="programlisting">
 
2774
        acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
 
2775
 
 
2776
        dns64 64:FF9B::/96 {
 
2777
                clients { any; };
 
2778
                mapped { !rfc1918; any; };
 
2779
                exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
 
2780
                suffix ::;
 
2781
        };
 
2782
</pre>
 
2783
</dd>
2678
2784
</dl></div>
2679
2785
<div class="sect3" lang="en">
2680
2786
<div class="titlepage"><div><div><h4 class="title">
3340
3446
                  Enable DNSSEC validation in <span><strong class="command">named</strong></span>.
3341
3447
                  Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
3342
3448
                  set to <strong class="userinput"><code>yes</code></strong> to be effective.
3343
 
                  The default is <strong class="userinput"><code>yes</code></strong>.
 
3449
                  If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation
 
3450
                  is disabled.  If set to <strong class="userinput"><code>auto</code></strong>,
 
3451
                  DNSSEC validation is enabled, and a default
 
3452
                  trust-anchor for the DNS root zone is used.  If set to
 
3453
                  <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is enabled,
 
3454
                  but a trust anchor must be manually configured using
 
3455
                  a <span><strong class="command">trusted-keys</strong></span> or
 
3456
                  <span><strong class="command">managed-keys</strong></span> statement.  The default
 
3457
                  is <strong class="userinput"><code>yes</code></strong>.
3344
3458
                </p></dd>
3345
3459
<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
3346
3460
<dd><p>
3401
3515
                  values are <span><strong class="command">fail</strong></span> and
3402
3516
                  <span><strong class="command">ignore</strong></span>.
3403
3517
                </p></dd>
3404
 
<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
3405
 
<dd><p>
3406
 
                  Check whether the MX record appears to refer to a IP address.
3407
 
                  The default is to <span><strong class="command">warn</strong></span>.  Other possible
3408
 
                  values are <span><strong class="command">fail</strong></span> and
3409
 
                  <span><strong class="command">ignore</strong></span>.
3410
 
                </p></dd>
3411
3518
<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
3412
3519
<dd><p>
3413
3520
                  This option is used to check for non-terminal wildcards.
3542
3649
</div>
3543
3650
<div class="sect3" lang="en">
3544
3651
<div class="titlepage"><div><div><h4 class="title">
3545
 
<a name="id2583270"></a>Forwarding</h4></div></div></div>
 
3652
<a name="id2583636"></a>Forwarding</h4></div></div></div>
3546
3653
<p>
3547
3654
            The forwarding facility can be used to create a large site-wide
3548
3655
            cache on a few servers, reducing traffic over links to external
3586
3693
</div>
3587
3694
<div class="sect3" lang="en">
3588
3695
<div class="titlepage"><div><div><h4 class="title">
3589
 
<a name="id2583329"></a>Dual-stack Servers</h4></div></div></div>
 
3696
<a name="id2583763"></a>Dual-stack Servers</h4></div></div></div>
3590
3697
<p>
3591
3698
            Dual-stack servers are used as servers of last resort to work
3592
3699
            around
3785
3892
                  <span><strong class="command">filter-aaaa-on-v4</strong></span>
3786
3893
                  is applies.  The default is <strong class="userinput"><code>any</code></strong>.
3787
3894
                </p></dd>
 
3895
<dt><span class="term"><span><strong class="command">resolver-query-timeout</strong></span></span></dt>
 
3896
<dd><p>
 
3897
                  The amount of time the resolver will spend attempting
 
3898
                  to resolve a recursive query before failing.  The
 
3899
                  default is <code class="literal">10</code> and the maximum is
 
3900
                  <code class="literal">30</code>.  Setting it to <code class="literal">0</code>
 
3901
                  will result in the default being used.
 
3902
                </p></dd>
3788
3903
</dl></div>
3789
3904
</div>
3790
3905
<div class="sect3" lang="en">
3791
3906
<div class="titlepage"><div><div><h4 class="title">
3792
 
<a name="id2583856"></a>Interfaces</h4></div></div></div>
 
3907
<a name="id2584382"></a>Interfaces</h4></div></div></div>
3793
3908
<p>
3794
3909
            The interfaces and ports that the server will answer queries
3795
3910
            from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
4063
4178
                  hour).  The maximum value is 28 days (40320 minutes).
4064
4179
                </p></dd>
4065
4180
<dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt>
4066
 
<dd><p>
4067
 
                  Slave servers will periodically query master servers
4068
 
                  to find out if zone serial numbers have changed. Each such
4069
 
                  query uses
4070
 
                  a minute amount of the slave server's network bandwidth.  To
4071
 
                  limit the
4072
 
                  amount of bandwidth used, BIND 9 limits the rate at which
4073
 
                  queries are
4074
 
                  sent.  The value of the <span><strong class="command">serial-query-rate</strong></span> option,
4075
 
                  an integer, is the maximum number of queries sent per
4076
 
                  second.
4077
 
                  The default is 20.
4078
 
                </p></dd>
 
4181
<dd>
 
4182
<p>
 
4183
                  Slave servers will periodically query master
 
4184
                  servers to find out if zone serial numbers have
 
4185
                  changed. Each such query uses a minute amount of
 
4186
                  the slave server's network bandwidth.  To limit
 
4187
                  the amount of bandwidth used, BIND 9 limits the
 
4188
                  rate at which queries are sent.  The value of the
 
4189
                  <span><strong class="command">serial-query-rate</strong></span> option, an
 
4190
                  integer, is the maximum number of queries sent
 
4191
                  per second.  The default is 20.
 
4192
                </p>
 
4193
<p>
 
4194
                  In addition to controlling the rate SOA refresh
 
4195
                  queries are issued at
 
4196
                  <span><strong class="command">serial-query-rate</strong></span> also controls
 
4197
                  the rate at which NOTIFY messages are sent from
 
4198
                  both master and slave zones.
 
4199
                </p>
 
4200
</dd>
4079
4201
<dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt>
4080
4202
<dd><p>
4081
4203
                  In BIND 8, the <span><strong class="command">serial-queries</strong></span>
4241
4363
</div>
4242
4364
<div class="sect3" lang="en">
4243
4365
<div class="titlepage"><div><div><h4 class="title">
4244
 
<a name="id2585059"></a>UDP Port Lists</h4></div></div></div>
 
4366
<a name="id2585456"></a>UDP Port Lists</h4></div></div></div>
4245
4367
<p>
4246
4368
            <span><strong class="command">use-v4-udp-ports</strong></span>,
4247
4369
            <span><strong class="command">avoid-v4-udp-ports</strong></span>,
4283
4405
</div>
4284
4406
<div class="sect3" lang="en">
4285
4407
<div class="titlepage"><div><div><h4 class="title">
4286
 
<a name="id2585118"></a>Operating System Resource Limits</h4></div></div></div>
 
4408
<a name="id2585584"></a>Operating System Resource Limits</h4></div></div></div>
4287
4409
<p>
4288
4410
            The server's usage of many system resources can be limited.
4289
4411
            Scaled values are allowed when specifying resource limits.  For
4445
4567
</div>
4446
4568
<div class="sect3" lang="en">
4447
4569
<div class="titlepage"><div><div><h4 class="title">
4448
 
<a name="id2585473"></a>Periodic Task Intervals</h4></div></div></div>
 
4570
<a name="id2585869"></a>Periodic Task Intervals</h4></div></div></div>
4449
4571
<div class="variablelist"><dl>
4450
4572
<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
4451
4573
<dd><p>
4910
5032
<p>
4911
5033
                  Sets the advertised EDNS UDP buffer size in bytes
4912
5034
                  to control the size of packets received.
4913
 
                  Valid values are 1024 to 4096 (values outside this range
 
5035
                  Valid values are 512 to 4096 (values outside this range
4914
5036
                  will be silently adjusted).  The default value
4915
5037
                  is 4096.  The usual reason for setting
4916
5038
                  <span><strong class="command">edns-udp-size</strong></span> to a non-default
5005
5127
                </p>
5006
5128
</dd>
5007
5129
<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt>
5008
 
<dd><p>
 
5130
<dd>
 
5131
<p>
5009
5132
                  The delay, in seconds, between sending sets of notify
5010
5133
                  messages for a zone.  The default is five (5) seconds.
5011
 
                </p></dd>
 
5134
                </p>
 
5135
<p>
 
5136
                  The overall rate that NOTIFY messages are sent for all
 
5137
                  zones is controlled by <span><strong class="command">serial-query-rate</strong></span>.
 
5138
                </p>
 
5139
</dd>
5012
5140
</dl></div>
5013
5141
</div>
5014
5142
<div class="sect3" lang="en">
5096
5224
            The current list of empty zones is:
5097
5225
            </p>
5098
5226
<div class="itemizedlist"><ul type="disc">
 
5227
<li>10.IN-ADDR.ARPA</li>
 
5228
<li>16.172.IN-ADDR.ARPA</li>
 
5229
<li>17.172.IN-ADDR.ARPA</li>
 
5230
<li>18.172.IN-ADDR.ARPA</li>
 
5231
<li>19.172.IN-ADDR.ARPA</li>
 
5232
<li>20.172.IN-ADDR.ARPA</li>
 
5233
<li>21.172.IN-ADDR.ARPA</li>
 
5234
<li>22.172.IN-ADDR.ARPA</li>
 
5235
<li>23.172.IN-ADDR.ARPA</li>
 
5236
<li>24.172.IN-ADDR.ARPA</li>
 
5237
<li>25.172.IN-ADDR.ARPA</li>
 
5238
<li>26.172.IN-ADDR.ARPA</li>
 
5239
<li>27.172.IN-ADDR.ARPA</li>
 
5240
<li>28.172.IN-ADDR.ARPA</li>
 
5241
<li>29.172.IN-ADDR.ARPA</li>
 
5242
<li>30.172.IN-ADDR.ARPA</li>
 
5243
<li>31.172.IN-ADDR.ARPA</li>
 
5244
<li>168.192.IN-ADDR.ARPA</li>
5099
5245
<li>0.IN-ADDR.ARPA</li>
5100
5246
<li>127.IN-ADDR.ARPA</li>
5101
5247
<li>254.169.IN-ADDR.ARPA</li>
5260
5406
</div>
5261
5407
<div class="sect3" lang="en">
5262
5408
<div class="titlepage"><div><div><h4 class="title">
5263
 
<a name="id2587722"></a>Content Filtering</h4></div></div></div>
 
5409
<a name="id2588113"></a>Content Filtering</h4></div></div></div>
5264
5410
<p>
5265
5411
            <acronym class="acronym">BIND</acronym> 9 provides the ability to filter
5266
5412
            out DNS responses from external DNS servers containing
5381
5527
            spuriously can break such applications.
5382
5528
          </p>
5383
5529
</div>
 
5530
<div class="sect3" lang="en">
 
5531
<div class="titlepage"><div><div><h4 class="title">
 
5532
<a name="id2588372"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div>
 
5533
<p>
 
5534
            <acronym class="acronym">BIND</acronym> 9 includes an intentionally limited
 
5535
            mechanism to modify DNS responses for recursive requests
 
5536
            similar to email anti-spam DNS blacklists.
 
5537
            All response policy zones are named in the
 
5538
            <span><strong class="command">response-policy</strong></span> option for the view or among the
 
5539
            global options if there is no response-policy option for the view.
 
5540
          </p>
 
5541
<p>
 
5542
            The rules encoded in a response policy zone (RPZ) are applied
 
5543
            only to responses to queries that ask for recursion (RD=1).
 
5544
            RPZs are normal DNS zones containing RRsets
 
5545
            that can be queried normally if allowed.
 
5546
            It is usually best to restrict those queries with something like
 
5547
            <span><strong class="command">allow-query {none; };</strong></span> or
 
5548
            <span><strong class="command">allow-query { 127.0.0.1; };</strong></span>.
 
5549
          </p>
 
5550
<p>
 
5551
            There are four kinds of RPZ rewrite rules.  QNAME rules are
 
5552
            applied to query names in requests and to targets of CNAME
 
5553
            records resolved in the process of generating the response.
 
5554
            The owner name of a QNAME rule is the query name relativized
 
5555
            to the RPZ.
 
5556
            The records in a rewrite rule are usually A, AAAA, or special
 
5557
            CNAMEs, but can be any type except DNAME.
 
5558
          </p>
 
5559
<p>
 
5560
            IP rules are triggered by addresses in A and AAAA records.
 
5561
            All IP addresses in A or AAAA RRsets are tested and the rule
 
5562
            longest prefix is applied.  Ties between rules with equal prefixes
 
5563
            are broken in favor of the first RPZ mentioned in the
 
5564
            response-policy option.
 
5565
            The rule matching the smallest IP address is chosen among equal
 
5566
            prefix rules from a single RPZ.
 
5567
            IP rules are expressed in RRsets with owner names that are
 
5568
            subdomains of rpz-ip and encoding an IP address block, reversed
 
5569
            as in IN-ARPA.
 
5570
            prefix.B.B.B.B with prefix between 1 and 32 and B between 1 and 255
 
5571
            encodes an IPv4 address.
 
5572
            IPv6 addresses are encoded by with prefix.W.W.W.W.W.W.W.W or
 
5573
            prefix.WORDS.zz.WORDS.  The words in the standard IPv6 text
 
5574
            representation are reversed, "::" is replaced with ".zz.",
 
5575
            and ":" becomes ".".
 
5576
          </p>
 
5577
<p>
 
5578
            NSDNAME rules match names in NS RRsets for the response or a
 
5579
            parent.  They are encoded as subdomains of rpz-nsdomain relativized
 
5580
            to the RPZ origin name.
 
5581
          </p>
 
5582
<p>
 
5583
            NSIP rules match IP addresses in A and AAAA RRsets for names of
 
5584
            responsible servers or the names that can be matched by NSDNAME
 
5585
            rules.  The are encoded like IP rules except as subdomains of
 
5586
            rpz-nsip.
 
5587
          </p>
 
5588
<p>
 
5589
            Authority verification issues and variations in authority data in
 
5590
            the current version of <acronym class="acronym">BIND</acronym> 9 can cause
 
5591
            inconsistent results from NSIP and NSDNAME.  So they are available
 
5592
            only when <acronym class="acronym">BIND</acronym> is built with the
 
5593
            <strong class="userinput"><code>--enable-rpz-nsip</code></strong> or
 
5594
            <strong class="userinput"><code>--enable-rpz-nsdname</code></strong> options
 
5595
            on the "configure" command line.
 
5596
          </p>
 
5597
<p>
 
5598
            Four policies can be expressed.
 
5599
            The <span><strong class="command">NXDOMAIN</strong></span> policy causes a NXDOMAIN response
 
5600
            and is expressed with an RRset consisting of a single CNAME
 
5601
            whose target is the root domain (.).
 
5602
            <span><strong class="command">NODATA</strong></span> generates NODATA or ANCOUNT=1 regardless
 
5603
            of query type.
 
5604
            It is expressed with a CNAME whose target is the wildcard
 
5605
            top-level domain (*.).
 
5606
            The <span><strong class="command">NO-OP</strong></span> policy does not change the response
 
5607
            and is used to "poke holes" in policies for larger CIDR blocks or in
 
5608
            zones named later in the <span><strong class="command">response-policy</strong></span> option.
 
5609
            The NO-OP policy is expressed by a CNAME with a target consisting
 
5610
            of the variable part of the owner name, such as "example.com." for
 
5611
            a QNAME rule or "128.1.0.0.127." for an IP rule.
 
5612
            The <span><strong class="command">CNAME</strong></span> policy is used to replace the RRsets
 
5613
            of response.
 
5614
            A and AAAA RRsets are most common and useful to capture
 
5615
            an evil domain in a walled garden, but any valid set of RRsets
 
5616
            is possible.
 
5617
          </p>
 
5618
<p>
 
5619
            All of the policies in an RPZ can be overridden with a
 
5620
            <span><strong class="command">policy</strong></span> clause.
 
5621
            <span><strong class="command">given</strong></span> says "do not override."
 
5622
            <span><strong class="command">no-op</strong></span> says "do nothing" regardless of the policy
 
5623
            in RPZ records.
 
5624
            <span><strong class="command">nxdomain</strong></span> causes all RPZ rules to generate
 
5625
            NXDOMAIN results.
 
5626
            <span><strong class="command">nodata</strong></span> gives nodata.
 
5627
            <span><strong class="command">cname domain</strong></span> causes all RPZ rules to act as if
 
5628
            the consisted of a "cname domain" record.
 
5629
          </p>
 
5630
<p>
 
5631
            For example, you might use this option statement
 
5632
          </p>
 
5633
<pre class="programlisting">response-policy { zone "bl"; };</pre>
 
5634
<p>
 
5635
            and this zone statement
 
5636
          </p>
 
5637
<pre class="programlisting">zone "bl" {type master; file "example/bl"; allow-query {none;}; };</pre>
 
5638
<p>
 
5639
            with this zone file
 
5640
          </p>
 
5641
<pre class="programlisting">$TTL 1H
 
5642
@                   SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
 
5643
 
 
5644
; QNAME rules
 
5645
nxdomain.domain.com         CNAME   .
 
5646
nodata.domain.com           CNAME   *.
 
5647
bad.domain.com              A       10.0.0.1
 
5648
                            AAAA    2001:2::1
 
5649
ok.domain.com               CNAME   ok.domain.com.
 
5650
*.badzone.domain.com        CNAME   garden.example.com.
 
5651
 
 
5652
; IP rules rewriting all answers for 127/8 except 127.0.0.1
 
5653
8.0.0.0.127.ip              CNAME   .
 
5654
32.1.0.0.127.ip             CNAME   32.1.0.0.127.
 
5655
 
 
5656
; NSDNAME and NSIP rules
 
5657
ns.domain.com.rpz-nsdname   CNAME   .
 
5658
48.zz.2.2001.rpz-nsip       CNAME   .
 
5659
</pre>
 
5660
</div>
5384
5661
</div>
5385
5662
<div class="sect2" lang="en">
5386
5663
<div class="titlepage"><div><div><h3 class="title">
5590
5867
</div>
5591
5868
<div class="sect2" lang="en">
5592
5869
<div class="titlepage"><div><div><h3 class="title">
5593
 
<a name="id2588542"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
 
5870
<a name="id2589395"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
5594
5871
            Usage</h3></div></div></div>
5595
5872
<p>
5596
5873
          The <span><strong class="command">statistics-channels</strong></span> statement
5650
5927
</div>
5651
5928
<div class="sect2" lang="en">
5652
5929
<div class="titlepage"><div><div><h3 class="title">
5653
 
<a name="id2588750"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
 
5930
<a name="id2589534"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
5654
5931
            and Usage</h3></div></div></div>
5655
5932
<p>
5656
5933
            The <span><strong class="command">trusted-keys</strong></span> statement defines
5690
5967
</div>
5691
5968
<div class="sect2" lang="en">
5692
5969
<div class="titlepage"><div><div><h3 class="title">
5693
 
<a name="id2588797"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
 
5970
<a name="id2589581"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
5694
5971
<pre class="programlisting"><span><strong class="command">managed-keys</strong></span> {
5695
5972
    <em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
5696
5973
    [<span class="optional"> <em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
5825
6102
</div>
5826
6103
<div class="sect2" lang="en">
5827
6104
<div class="titlepage"><div><div><h3 class="title">
5828
 
<a name="id2589360"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
 
6105
<a name="id2590007"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
5829
6106
<p>
5830
6107
            The <span><strong class="command">view</strong></span> statement is a powerful
5831
6108
            feature
5991
6268
    [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
5992
6269
    [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
5993
6270
    [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
5994
 
    [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">create</code>|<code class="constant">off</code>; </span>]
 
6271
    [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
5995
6272
    [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
5996
6273
};
5997
6274
 
6003
6280
    [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
6004
6281
    [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
6005
6282
    [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
 
6283
    [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
6006
6284
    [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
6007
6285
    [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
6008
6286
    [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
6091
6369
};
6092
6370
 
6093
6371
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
 
6372
    type static-stub;
 
6373
    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
 
6374
    [<span class="optional"> server-addresses { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> ; ... </span>] }; </span>]
 
6375
    [<span class="optional"> server-names { [<span class="optional"> <em class="replaceable"><code>namelist</code></em> </span>] }; </span>]  
 
6376
    [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
 
6377
};
 
6378
 
 
6379
zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
6094
6380
    type forward;
6095
6381
    [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
6096
6382
    [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
6105
6391
</div>
6106
6392
<div class="sect2" lang="en">
6107
6393
<div class="titlepage"><div><div><h3 class="title">
6108
 
<a name="id2590796"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
 
6394
<a name="id2591558"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
6109
6395
<div class="sect3" lang="en">
6110
6396
<div class="titlepage"><div><div><h4 class="title">
6111
 
<a name="id2590804"></a>Zone Types</h4></div></div></div>
 
6397
<a name="id2591565"></a>Zone Types</h4></div></div></div>
6112
6398
<div class="informaltable"><table border="1">
6113
6399
<colgroup>
6114
6400
<col>
6237
6523
<tr>
6238
6524
<td>
6239
6525
                      <p>
 
6526
                        <code class="varname">static-stub</code>
 
6527
                      </p>
 
6528
                    </td>
 
6529
<td>
 
6530
                      <p>
 
6531
                        A static-stub zone is similar to a stub zone
 
6532
                        with the following exceptions:
 
6533
                        the zone data is statically configured, rather
 
6534
                        than transferred from a master server;
 
6535
                        when recursion is necessary for a query that
 
6536
                        matches a static-stub zone, the locally
 
6537
                        configured data (nameserver names and glue addresses)
 
6538
                        is always used even if different authoritative
 
6539
                        information is cached.
 
6540
                      </p>
 
6541
                      <p>
 
6542
                        Zone data is configured via the
 
6543
                        <span><strong class="command">server-addresses</strong></span> and
 
6544
                        <span><strong class="command">server-names</strong></span> zone options.
 
6545
                      </p>
 
6546
                      <p>
 
6547
                        The zone data is maintained in the form of NS
 
6548
                        and (if necessary) glue A or AAAA RRs
 
6549
                        internally, which can be seen by dumping zone
 
6550
                        databases by <span><strong class="command">rndc dumpdb -all</strong></span>.
 
6551
                        The configured RRs are considered local configuration
 
6552
                        parameters rather than public data.
 
6553
                        Non recursive queries (i.e., those with the RD
 
6554
                        bit off) to a static-stub zone are therefore
 
6555
                        prohibited and will be responded with REFUSED.
 
6556
                      </p>
 
6557
                      <p>
 
6558
                        Since the data is statically configured, no
 
6559
                        zone maintenance action takes place for a static-stub
 
6560
                        zone.
 
6561
                        For example, there is no periodic refresh
 
6562
                        attempt, and an incoming notify message
 
6563
                        will be rejected with an rcode of NOTAUTH.
 
6564
                      </p>
 
6565
                      <p>
 
6566
                        Each static-stub zone is configured with
 
6567
                        internally generated NS and (if necessary)
 
6568
                        glue A or AAAA RRs 
 
6569
                      </p>
 
6570
                    </td>
 
6571
</tr>
 
6572
<tr>
 
6573
<td>
 
6574
                      <p>
6240
6575
                        <code class="varname">forward</code>
6241
6576
                      </p>
6242
6577
                    </td>
6319
6654
</div>
6320
6655
<div class="sect3" lang="en">
6321
6656
<div class="titlepage"><div><div><h4 class="title">
6322
 
<a name="id2591232"></a>Class</h4></div></div></div>
 
6657
<a name="id2592179"></a>Class</h4></div></div></div>
6323
6658
<p>
6324
6659
              The zone's name may optionally be followed by a class. If
6325
6660
              a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
6341
6676
</div>
6342
6677
<div class="sect3" lang="en">
6343
6678
<div class="titlepage"><div><div><h4 class="title">
6344
 
<a name="id2591265"></a>Zone Options</h4></div></div></div>
 
6679
<a name="id2592212"></a>Zone Options</h4></div></div></div>
6345
6680
<div class="variablelist"><dl>
6346
6681
<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
6347
6682
<dd><p>
6586
6921
                    <span><strong class="command">statistics-file</strong></span> defined in
6587
6922
                    the server options.
6588
6923
                  </p></dd>
 
6924
<dt><span class="term"><span><strong class="command">server-addresses</strong></span></span></dt>
 
6925
<dd>
 
6926
<p>
 
6927
                    Only meaningful for static-stub zones.
 
6928
                    This is a list of IP addresses to which queries
 
6929
                    should be sent in recursive resolution for the
 
6930
                    zone.
 
6931
                    A non empty list for this option will internally
 
6932
                    configure the apex NS RR with associated glue A or
 
6933
                    AAAA RRs.
 
6934
                  </p>
 
6935
<p>
 
6936
                    For example, if "example.com" is configured as a
 
6937
                    static-stub zone with 192.0.2.1 and 2001:db8::1234
 
6938
                    in a <span><strong class="command">server-addresses</strong></span> option,
 
6939
                    the following RRs will be internally configured.
 
6940
                  </p>
 
6941
<pre class="programlisting">example.com. NS example.com.
 
6942
example.com. A 192.0.2.1
 
6943
example.com. AAAA 2001:db8::1234</pre>
 
6944
<p>
 
6945
                    These records are internally used to resolve
 
6946
                    names under the static-stub zone.
 
6947
                    For instance, if the server receives a query for
 
6948
                    "www.example.com" with the RD bit on, the server
 
6949
                    will initiate recursive resolution and send
 
6950
                    queries to 192.0.2.1 and/or 2001:db8::1234.
 
6951
                  </p>
 
6952
</dd>
 
6953
<dt><span class="term"><span><strong class="command">server-names</strong></span></span></dt>
 
6954
<dd>
 
6955
<p>
 
6956
                    Only meaningful for static-stub zones.
 
6957
                    This is a list of domain names of nameservers that
 
6958
                    act as authoritative servers of the static-stub
 
6959
                    zone.
 
6960
                    These names will be resolved to IP addresses when
 
6961
                    <span><strong class="command">named</strong></span> needs to send queries to
 
6962
                    these servers.
 
6963
                    To make this supplemental resolution successful,
 
6964
                    these names must not be a subdomain of the origin
 
6965
                    name of static-stub zone.
 
6966
                    That is, when "example.net" is the origin of a
 
6967
                    static-stub zone, "ns.example" and
 
6968
                    "master.example.com" can be specified in the
 
6969
                    <span><strong class="command">server-names</strong></span> option, but
 
6970
                    "ns.example.net" cannot, and will be rejected by
 
6971
                    the configuration parser.
 
6972
                  </p>
 
6973
<p>
 
6974
                    A non empty list for this option will internally
 
6975
                    configure the apex NS RR with the specified names.
 
6976
                    For example, if "example.com" is configured as a
 
6977
                    static-stub zone with "ns1.example.net" and
 
6978
                    "ns2.example.net"
 
6979
                    in a <span><strong class="command">server-names</strong></span> option,
 
6980
                    the following RRs will be internally configured.
 
6981
                  </p>
 
6982
<pre class="programlisting">example.com. NS ns1.example.net.
 
6983
example.com. NS ns2.example.net.
 
6984
</pre>
 
6985
<p>
 
6986
                    These records are internally used to resolve
 
6987
                    names under the static-stub zone.
 
6988
                    For instance, if the server receives a query for
 
6989
                    "www.example.com" with the RD bit on, the server
 
6990
                    initiate recursive resolution,
 
6991
                    resolve "ns1.example.net" and/or
 
6992
                    "ns2.example.net" to IP addresses, and then send
 
6993
                    queries to (one or more of) these addresses.
 
6994
                  </p>
 
6995
</dd>
6589
6996
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
6590
6997
<dd><p>
6591
6998
                    See the description of
6668
7075
<p>
6669
7076
                    Zones configured for dynamic DNS may also use this
6670
7077
                    option to allow varying levels of automatic DNSSEC key
6671
 
                    management. There are four possible settings:
 
7078
                    management. There are three possible settings:
6672
7079
                  </p>
6673
7080
<p>
6674
7081
                    <span><strong class="command">auto-dnssec allow;</strong></span> permits
6680
7087
                    <span><strong class="command">auto-dnssec maintain;</strong></span> includes the
6681
7088
                    above, but also automatically adjusts the zone's DNSSEC
6682
7089
                    keys on schedule, according to the keys' timing metadata
6683
 
                    (see ??? and
 
7090
                    (see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
6684
7091
                    <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>).  The command
6685
7092
                    <span><strong class="command">rndc sign
6686
7093
                    <em class="replaceable"><code>zonename</code></em></strong></span> causes
6692
7099
                    <span><strong class="command">named</strong></span> to load keys from the key
6693
7100
                    repository and schedule key maintenance events to occur
6694
7101
                    in the future, but it does not sign the full zone
6695
 
                    immediately.
 
7102
                    immediately.  Note: once keys have been loaded for a
 
7103
                    zone the first time, the repository will be searched
 
7104
                    for changes periodically, regardless of whether
 
7105
                    <span><strong class="command">rndc loadkeys</strong></span> is used.  The recheck
 
7106
                    interval is hard-coded to
 
7107
                    one hour.
6696
7108
                  </p>
6697
7109
<p>
6698
7110
                    <span><strong class="command">auto-dnssec create;</strong></span> includes the
6824
7236
              contain a fully-qualified domain name.
6825
7237
            </p>
6826
7238
<p>
 
7239
              For nametypes <code class="varname">krb5-self</code>,
 
7240
              <code class="varname">ms-self</code>, <code class="varname">krb5-subdomain</code>,
 
7241
              and <code class="varname">ms-subdomain</code> the
 
7242
              <em class="replaceable"><code>identity</code></em> field specifies
 
7243
              the Windows or Kerberos realm of the machine belongs to.
 
7244
            </p>
 
7245
<p>
6827
7246
              The <em class="replaceable"><code>nametype</code></em> field has 13
6828
7247
              values:
6829
7248
              <code class="varname">name</code>, <code class="varname">subdomain</code>,
6833
7252
              <code class="varname">krb5-subdomain</code>,
6834
7253
              <code class="varname">ms-subdomain</code>,
6835
7254
              <code class="varname">tcp-self</code>, <code class="varname">6to4-self</code>,
6836
 
              and <code class="varname">zonesub</code>.
 
7255
              <code class="varname">zonesub</code>, and <code class="varname">external</code>.
6837
7256
            </p>
6838
7257
<div class="informaltable"><table border="1">
6839
7258
<colgroup>
6964
7383
<tr>
6965
7384
<td>
6966
7385
                      <p>
 
7386
                        <code class="varname">ms-self</code>
 
7387
                      </p>
 
7388
                    </td>
 
7389
<td>
 
7390
                      <p>
 
7391
                        This rule takes a Windows machine principal
 
7392
                        (machine$@REALM) for machine in REALM and
 
7393
                        and converts it machine.realm allowing the machine 
 
7394
                        to update machine.realm.  The REALM to be matched
 
7395
                        is specified in the <font color="red">&lt;replacable&gt;identity&lt;/replacable&gt;</font>
 
7396
                        field.
 
7397
                      </p>
 
7398
                    </td>
 
7399
</tr>
 
7400
<tr>
 
7401
<td>
 
7402
                      <p>
 
7403
                        <code class="varname">ms-subdomain</code>
 
7404
                      </p>
 
7405
                    </td>
 
7406
<td>
 
7407
                      <p>
 
7408
                        This rule takes a Windows machine principal 
 
7409
                        (machine$@REALM) for machine in REALM and
 
7410
                        converts it to machine.realm allowing the machine
 
7411
                        to update subdomains of machine.realm.  The REALM
 
7412
                        to be matched is specified in the
 
7413
                        <font color="red">&lt;replacable&gt;identity&lt;/replacable&gt;</font> field.
 
7414
                      </p>
 
7415
                    </td>
 
7416
</tr>
 
7417
<tr>
 
7418
<td>
 
7419
                      <p>
 
7420
                        <code class="varname">krb5-self</code>
 
7421
                      </p>
 
7422
                    </td>
 
7423
<td>
 
7424
                      <p>
 
7425
                        This rule takes a Kerberos machine principal
 
7426
                        (host/machine@REALM) for machine in REALM and
 
7427
                        and converts it machine.realm allowing the machine 
 
7428
                        to update machine.realm.  The REALM to be matched
 
7429
                        is specified in the <font color="red">&lt;replacable&gt;identity&lt;/replacable&gt;</font>
 
7430
                        field.
 
7431
                      </p>
 
7432
                    </td>
 
7433
</tr>
 
7434
<tr>
 
7435
<td>
 
7436
                      <p>
 
7437
                        <code class="varname">krb5-subdomain</code>
 
7438
                      </p>
 
7439
                    </td>
 
7440
<td>
 
7441
                      <p>
 
7442
                        This rule takes a Kerberos machine principal 
 
7443
                        (host/machine@REALM) for machine in REALM and
 
7444
                        converts it to machine.realm allowing the machine
 
7445
                        to update subdomains of machine.realm.  The REALM
 
7446
                        to be matched is specified in the
 
7447
                        <font color="red">&lt;replacable&gt;identity&lt;/replacable&gt;</font> field.
 
7448
                      </p>
 
7449
                    </td>
 
7450
</tr>
 
7451
<tr>
 
7452
<td>
 
7453
                      <p>
6967
7454
                        <code class="varname">tcp-self</code>
6968
7455
                      </p>
6969
7456
                    </td>
7002
7489
                      </div>
7003
7490
                    </td>
7004
7491
</tr>
 
7492
<tr>
 
7493
<td>
 
7494
                      <p>
 
7495
                        <code class="varname">external</code>
 
7496
                      </p>
 
7497
                    </td>
 
7498
<td>
 
7499
                      <p>
 
7500
                        This rule allows <span><strong class="command">named</strong></span>
 
7501
                        to defer the decision of whether to allow a
 
7502
                        given update to an external daemon.
 
7503
                      </p>
 
7504
                      <p>
 
7505
                        The method of communicating with the daemon is
 
7506
                        specified in the <em class="replaceable"><code>identity</code></em>
 
7507
                        field, the format of which is
 
7508
                        "<code class="constant">local:</code><em class="replaceable"><code>path</code></em>",
 
7509
                        where <em class="replaceable"><code>path</code></em> is the location
 
7510
                        of a UNIX-domain socket.  (Currently, "local" is the
 
7511
                        only supported mechanism.)
 
7512
                      </p>
 
7513
                      <p>
 
7514
                        Requests to the external daemon are sent over the
 
7515
                        UNIX-domain socket as datagrams with the following
 
7516
                        format:
 
7517
                      </p>
 
7518
                      <pre class="programlisting">
 
7519
   Protocol version number (4 bytes, network byte order, currently 1)
 
7520
   Request length (4 bytes, network byte order)
 
7521
   Signer (null-terminated string)
 
7522
   Name (null-terminated string)
 
7523
   TCP source address (null-terminated string)
 
7524
   Rdata type (null-terminated string)
 
7525
   Key (null-terminated string)
 
7526
   TKEY token length (4 bytes, network byte order)
 
7527
   TKEY token (remainder of packet)</pre>
 
7528
                      <p>
 
7529
                        The daemon replies with a four-byte value in
 
7530
                        network byte order, containing either 0 or 1; 0
 
7531
                        indicates that the specified update is not
 
7532
                        permitted, and 1 indicates that it is.
 
7533
                      </p>
 
7534
                    </td>
 
7535
</tr>
7005
7536
</tbody>
7006
7537
</table></div>
7007
7538
<p>
7008
7539
              In all cases, the <em class="replaceable"><code>name</code></em>
7009
 
              field must
7010
 
              specify a fully-qualified domain name.
 
7540
              field must specify a fully-qualified domain name.
7011
7541
            </p>
7012
7542
<p>
7013
7543
              If no types are explicitly specified, this rule matches
7023
7553
</div>
7024
7554
<div class="sect1" lang="en">
7025
7555
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
7026
 
<a name="id2593688"></a>Zone File</h2></div></div></div>
 
7556
<a name="id2595030"></a>Zone File</h2></div></div></div>
7027
7557
<div class="sect2" lang="en">
7028
7558
<div class="titlepage"><div><div><h3 class="title">
7029
7559
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
7036
7566
          </p>
7037
7567
<div class="sect3" lang="en">
7038
7568
<div class="titlepage"><div><div><h4 class="title">
7039
 
<a name="id2593706"></a>Resource Records</h4></div></div></div>
 
7569
<a name="id2595048"></a>Resource Records</h4></div></div></div>
7040
7570
<p>
7041
7571
              A domain name identifies a node.  Each node has a set of
7042
7572
              resource information, which may be empty.  The set of resource
7773
8303
</div>
7774
8304
<div class="sect3" lang="en">
7775
8305
<div class="titlepage"><div><div><h4 class="title">
7776
 
<a name="id2595193"></a>Textual expression of RRs</h4></div></div></div>
 
8306
<a name="id2596603"></a>Textual expression of RRs</h4></div></div></div>
7777
8307
<p>
7778
8308
              RRs are represented in binary form in the packets of the DNS
7779
8309
              protocol, and are usually represented in highly encoded form
7976
8506
</div>
7977
8507
<div class="sect2" lang="en">
7978
8508
<div class="titlepage"><div><div><h3 class="title">
7979
 
<a name="id2595782"></a>Discussion of MX Records</h3></div></div></div>
 
8509
<a name="id2597260"></a>Discussion of MX Records</h3></div></div></div>
7980
8510
<p>
7981
8511
            As described above, domain servers store information as a
7982
8512
            series of resource records, each of which contains a particular
8232
8762
</div>
8233
8763
<div class="sect2" lang="en">
8234
8764
<div class="titlepage"><div><div><h3 class="title">
8235
 
<a name="id2596534"></a>Inverse Mapping in IPv4</h3></div></div></div>
 
8765
<a name="id2597876"></a>Inverse Mapping in IPv4</h3></div></div></div>
8236
8766
<p>
8237
8767
            Reverse name resolution (that is, translation from IP address
8238
8768
            to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
8293
8823
</div>
8294
8824
<div class="sect2" lang="en">
8295
8825
<div class="titlepage"><div><div><h3 class="title">
8296
 
<a name="id2596661"></a>Other Zone File Directives</h3></div></div></div>
 
8826
<a name="id2598003"></a>Other Zone File Directives</h3></div></div></div>
8297
8827
<p>
8298
8828
            The Master File Format was initially defined in RFC 1035 and
8299
8829
            has subsequently been extended. While the Master File Format
8308
8838
          </p>
8309
8839
<div class="sect3" lang="en">
8310
8840
<div class="titlepage"><div><div><h4 class="title">
8311
 
<a name="id2596683"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
 
8841
<a name="id2598093"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
8312
8842
<p>
8313
8843
              When used in the label (or name) field, the asperand or
8314
8844
              at-sign (@) symbol represents the current origin.
8319
8849
</div>
8320
8850
<div class="sect3" lang="en">
8321
8851
<div class="titlepage"><div><div><h4 class="title">
8322
 
<a name="id2596699"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
 
8852
<a name="id2598109"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
8323
8853
<p>
8324
8854
              Syntax: <span><strong class="command">$ORIGIN</strong></span>
8325
8855
              <em class="replaceable"><code>domain-name</code></em>
8348
8878
</div>
8349
8879
<div class="sect3" lang="en">
8350
8880
<div class="titlepage"><div><div><h4 class="title">
8351
 
<a name="id2596760"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
 
8881
<a name="id2598170"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
8352
8882
<p>
8353
8883
              Syntax: <span><strong class="command">$INCLUDE</strong></span>
8354
8884
              <em class="replaceable"><code>filename</code></em>
8384
8914
</div>
8385
8915
<div class="sect3" lang="en">
8386
8916
<div class="titlepage"><div><div><h4 class="title">
8387
 
<a name="id2596829"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
 
8917
<a name="id2598240"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
8388
8918
<p>
8389
8919
              Syntax: <span><strong class="command">$TTL</strong></span>
8390
8920
              <em class="replaceable"><code>default-ttl</code></em>
8403
8933
</div>
8404
8934
<div class="sect2" lang="en">
8405
8935
<div class="titlepage"><div><div><h3 class="title">
8406
 
<a name="id2596934"></a><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
 
8936
<a name="id2598276"></a><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
8407
8937
<p>
8408
8938
            Syntax: <span><strong class="command">$GENERATE</strong></span>
8409
8939
            <em class="replaceable"><code>range</code></em>
8827
9357
          </p>
8828
9358
<div class="sect3" lang="en">
8829
9359
<div class="titlepage"><div><div><h4 class="title">
8830
 
<a name="id2597888"></a>Name Server Statistics Counters</h4></div></div></div>
 
9360
<a name="id2599229"></a>Name Server Statistics Counters</h4></div></div></div>
8831
9361
<div class="informaltable"><table border="1">
8832
9362
<colgroup>
8833
9363
<col>
9384
9914
</div>
9385
9915
<div class="sect3" lang="en">
9386
9916
<div class="titlepage"><div><div><h4 class="title">
9387
 
<a name="id2599429"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
 
9917
<a name="id2600702"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
9388
9918
<div class="informaltable"><table border="1">
9389
9919
<colgroup>
9390
9920
<col>
9538
10068
</div>
9539
10069
<div class="sect3" lang="en">
9540
10070
<div class="titlepage"><div><div><h4 class="title">
9541
 
<a name="id2599812"></a>Resolver Statistics Counters</h4></div></div></div>
 
10071
<a name="id2601154"></a>Resolver Statistics Counters</h4></div></div></div>
9542
10072
<div class="informaltable"><table border="1">
9543
10073
<colgroup>
9544
10074
<col>
9921
10451
</div>
9922
10452
<div class="sect3" lang="en">
9923
10453
<div class="titlepage"><div><div><h4 class="title">
9924
 
<a name="id2600902"></a>Socket I/O Statistics Counters</h4></div></div></div>
 
10454
<a name="id2602312"></a>Socket I/O Statistics Counters</h4></div></div></div>
9925
10455
<p>
9926
10456
              Socket I/O statistics counters are defined per socket
9927
10457
              types, which are
10076
10606
</div>
10077
10607
<div class="sect3" lang="en">
10078
10608
<div class="titlepage"><div><div><h4 class="title">
10079
 
<a name="id2601275"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
 
10609
<a name="id2602685"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
10080
10610
<p>
10081
10611
              Most statistics counters that were available
10082
10612
              in <span><strong class="command">BIND</strong></span> 8 are also supported in