<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574283">Comment Syntax</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574937"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575127"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575418"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575504"><span><strong class="command">include</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575527"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575550"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575709"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575835"><span><strong class="command">logging</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577834"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577908"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578040"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578084"><span><strong class="command">masters</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578099"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589395"><span><strong class="command">statistics-channels</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589534"><span><strong class="command">trusted-keys</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589581"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590007"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591558"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2595030">Zone File</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597260">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597876">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598003">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598276"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
[<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> filter-aaaa-on-v4 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
[<span class="optional"> filter-aaaa { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> dns64 <em class="replaceable"><code>IPv6-prefix</code></em> {
    [<span class="optional"> clients { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> mapped { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> exclude { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
    [<span class="optional"> suffix <em class="replaceable"><code>IPv6-address</code></em>; </span>]
    [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em>; </span>]
    [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em>; </span>]
}; </span>]
[<span class="optional"> dns64-server <em class="replaceable"><code>name</code></em> </span>]
[<span class="optional"> dns64-contact <em class="replaceable"><code>name</code></em> </span>]
[<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
[<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
<span><strong class="command">named-xfer</strong></span> program is needed;
its functionality is built into the name server.
<dt><span class="term"><span><strong class="command">tkey-gssapi-keytab</strong></span></span></dt>
The KRB5 keytab file to use for GSS-TSIG updates. If
this option is set and <span><strong class="command">tkey-gssapi-credential</strong></span> is not
set, then updates will be allowed with any key
matching a principal in the specified keytab.
<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
The security credential with which the server should
authenticate keys requested by the GSS-TSIG protocol.
Currently only Kerberos 5 authentication is available
and the credential is a Kerberos principal which the
server can acquire through the default system key
file, normally <code class="filename">/etc/krb5.keytab</code>.
The keytab file location can be overridden using the
<span><strong class="command">tkey-gssapi-keytab</strong></span> option. Normally this principal is
of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span> must
also be set if a specific keytab is not set with
<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
<span><strong class="command">managed-keys</strong></span> statement, or
<span><strong class="command">dnssec-lookaside</strong></span> must be active.
<dt><span class="term"><span><strong class="command">dns64</strong></span></span></dt>
This directive instructs <span><strong class="command">named</strong></span> to
return mapped IPv4 addresses to AAAA queries when
there are no AAAA records. It is intended to be
used in conjunction with a NAT64. Each
<span><strong class="command">dns64</strong></span> defines one DNS64 prefix.
Multiple DNS64 prefixes can be defined.

Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
64 and 96 as per RFC 6052.

Additionally a reverse IP6.ARPA zone will be created for
the prefix to provide a mapping from the IP6.ARPA names
to the corresponding IN-ADDR.ARPA names using synthesized
CNAMEs. <span><strong class="command">dns64-server</strong></span> and
<span><strong class="command">dns64-contact</strong></span> can be used to specify
the name of the server and contact for the zones. These
are settable at the view / options level. These are
not settable on a per-prefix basis.

Each <span><strong class="command">dns64</strong></span> supports an optional
<span><strong class="command">clients</strong></span> ACL that determines which
clients are affected by this directive. If not defined,
it defaults to <strong class="userinput"><code>any;</code></strong>.

Each <span><strong class="command">dns64</strong></span> supports an optional
<span><strong class="command">mapped</strong></span> ACL that selects which
IPv4 addresses are to be mapped in the corresponding
A RRset. If not defined it defaults to
<strong class="userinput"><code>any;</code></strong>.

Normally, DNS64 won't apply to a domain name that
owns one or more AAAA records; these records will
simply be returned. The optional
<span><strong class="command">exclude</strong></span> ACL allows specification
of a list of IPv6 addresses that will be ignored
if they appear in a domain name's AAAA records, and
DNS64 will be applied to any A records the domain
name owns. If not defined, <span><strong class="command">exclude</strong></span>

An optional <span><strong class="command">suffix</strong></span> can also
be defined to set the bits trailing the mapped
IPv4 address bits. By default these bits are
set to <strong class="userinput"><code>::</code></strong>. The bits
matching the prefix and mapped IPv4 address

If <span><strong class="command">recursive-only</strong></span> is set to
<span><strong class="command">yes</strong></span> the DNS64 synthesis will
only happen for recursive queries. The default
is <span><strong class="command">no</strong></span>.

If <span><strong class="command">break-dnssec</strong></span> is set to
<span><strong class="command">yes</strong></span> the DNS64 synthesis will
happen even if the result, if validated, would
cause a DNSSEC validation failure. If this option
is set to <span><strong class="command">no</strong></span> (the default), the DO bit
is set on the incoming query, and there are RRSIGs on
the applicable records, then synthesis will not happen.

<pre class="programlisting">
acl rfc1918 { 10/8; 192.168/16; 172.16/12; };

dns64 64:FF9B::/96 {
        mapped { !rfc1918; any; };
        exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
};
</pre>
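The synthesis and ACL behaviour described above, worked through in Python as an added example (not BIND's own code): RFC 6052 embedding for each permitted prefix length, plus the mapped and exclude lists evaluated with named's first-match rule. All addresses are constructed samples, and the rfc1918 acl is written with full CIDR notation because Python's ipaddress module does not accept the short "10/8" form.

```python
"""Added example, not BIND's own code: DNS64 AAAA synthesis as the dns64
block above describes it.  Prefix layouts follow RFC 6052 (lengths 32,
40, 48, 56, 64 and 96); clients/mapped/exclude are evaluated with
named's address-match-list rule (first matching element decides, a
"!" element rejects).  Every address and ACL name below is a
constructed sample; the acl uses the page's rfc1918 blocks written out
in full because ipaddress does not accept the short "10/8" form."""
import ipaddress

VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def synthesize_aaaa(prefix, ipv4, suffix="::"):
    """Embed ipv4 in the DNS64 prefix (RFC 6052 section 2.2).

    Octet 8 (bits 64..71, the reserved "u" octet) must stay zero, so for
    prefix lengths below 64 the IPv4 octets are written around it.  Octets
    after the embedded address are taken from suffix (named's default ::).
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError("unsupported DNS64 prefix length %d" % net.prefixlen)
    out = bytearray(net.network_address.packed)
    sfx = ipaddress.IPv6Address(suffix).packed
    pos = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:            # never overwrite the u octet
            pos += 1
        out[pos] = octet
        pos += 1
    for i in range(pos, 16):    # trailing bits come from the suffix
        out[i] = 0 if i == 8 else sfx[i]
    return str(ipaddress.IPv6Address(bytes(out)))


def acl_matches(acl, address, named_acls=None):
    """Evaluate a named address_match_list for one address.

    The first element that matches decides: a plain element accepts, a
    "!" element rejects.  Elements may be "any", "none", a CIDR block or
    the name of another acl.  No match at all counts as a rejection.
    """
    named_acls = named_acls or {}
    addr = ipaddress.ip_address(address)
    for element in acl:
        negate = element.startswith("!")
        element = element.lstrip("!").strip()
        if element == "any":
            hit = True
        elif element == "none":
            hit = False
        elif element in named_acls:
            hit = acl_matches(named_acls[element], address, named_acls)
        else:
            net = ipaddress.ip_network(element, strict=False)
            hit = addr.version == net.version and addr in net
        if hit:
            return not negate
    return False


def dns64_response(cfg, client, a_rrset, aaaa_rrset, named_acls=None):
    """Return (aaaa_list, synthesized) for an AAAA query from client.

    Existing AAAA records win unless every one of them is on the exclude
    list; synthesis then covers the A records that pass the mapped ACL.
    (Simplification: a partly excluded AAAA RRset is returned unchanged.)
    """
    if not acl_matches(cfg.get("clients", ["any"]), client, named_acls):
        return list(aaaa_rrset), False
    if any(not acl_matches(cfg.get("exclude", []), a, named_acls)
           for a in aaaa_rrset):
        return list(aaaa_rrset), False
    mapped = [a for a in a_rrset
              if acl_matches(cfg.get("mapped", ["any"]), a, named_acls)]
    synth = [synthesize_aaaa(cfg["prefix"], a, cfg.get("suffix", "::"))
             for a in mapped]
    return synth, bool(synth)


# The page's configuration, transcribed into Python structures.
NAMED_ACLS = {"rfc1918": ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]}
DNS64_CFG = {
    "prefix": "64:FF9B::/96",
    "mapped": ["!rfc1918", "any"],
    "exclude": ["64:FF9B::/96", "::ffff:0000:0000/96"],
}

if __name__ == "__main__":
    for a_rrset, aaaa_rrset in ([["192.0.2.33"], []],
                                [["10.0.0.1"], []],
                                [["192.0.2.33"], ["2001:db8::1"]]):
        print(a_rrset, aaaa_rrset, "->",
              dns64_response(DNS64_CFG, "192.0.2.10", a_rrset, aaaa_rrset, NAMED_ACLS))
```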
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
Enable DNSSEC validation in <span><strong class="command">named</strong></span>.
Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
set to <strong class="userinput"><code>yes</code></strong> to be effective.
If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation
is disabled. If set to <strong class="userinput"><code>auto</code></strong>,
DNSSEC validation is enabled, and a default
trust-anchor for the DNS root zone is used. If set to
<strong class="userinput"><code>yes</code></strong>, DNSSEC validation is enabled,
but a trust anchor must be manually configured using
a <span><strong class="command">trusted-keys</strong></span> or
<span><strong class="command">managed-keys</strong></span> statement. The default
is <strong class="userinput"><code>yes</code></strong>.
<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
hour). The maximum value is 28 days (40320 minutes).
<dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt>
Slave servers will periodically query master
servers to find out if zone serial numbers have
changed. Each such query uses a minute amount of
the slave server's network bandwidth. To limit
the amount of bandwidth used, BIND 9 limits the
rate at which queries are sent. The value of the
<span><strong class="command">serial-query-rate</strong></span> option, an
integer, is the maximum number of queries sent
per second. The default is 20.

In addition to controlling the rate at which SOA refresh
queries are issued,
<span><strong class="command">serial-query-rate</strong></span> also controls
the rate at which NOTIFY messages are sent from
both master and slave zones.
<dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt>
In BIND 8, the <span><strong class="command">serial-queries</strong></span>
The current list of empty zones is:
<div class="itemizedlist"><ul type="disc">
<li>10.IN-ADDR.ARPA</li>
<li>16.172.IN-ADDR.ARPA</li>
<li>17.172.IN-ADDR.ARPA</li>
<li>18.172.IN-ADDR.ARPA</li>
<li>19.172.IN-ADDR.ARPA</li>
<li>20.172.IN-ADDR.ARPA</li>
<li>21.172.IN-ADDR.ARPA</li>
<li>22.172.IN-ADDR.ARPA</li>
<li>23.172.IN-ADDR.ARPA</li>
<li>24.172.IN-ADDR.ARPA</li>
<li>25.172.IN-ADDR.ARPA</li>
<li>26.172.IN-ADDR.ARPA</li>
<li>27.172.IN-ADDR.ARPA</li>
<li>28.172.IN-ADDR.ARPA</li>
<li>29.172.IN-ADDR.ARPA</li>
<li>30.172.IN-ADDR.ARPA</li>
<li>31.172.IN-ADDR.ARPA</li>
<li>168.192.IN-ADDR.ARPA</li>
<li>0.IN-ADDR.ARPA</li>
<li>127.IN-ADDR.ARPA</li>
<li>254.169.IN-ADDR.ARPA</li>
spuriously can break such applications.
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2588372"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div>
<acronym class="acronym">BIND</acronym> 9 includes an intentionally limited
mechanism to modify DNS responses for recursive requests
similar to email anti-spam DNS blacklists.
All response policy zones are named in the
<span><strong class="command">response-policy</strong></span> option for the view or among the
global options if there is no response-policy option for the view.

The rules encoded in a response policy zone (RPZ) are applied
only to responses to queries that ask for recursion (RD=1).
RPZs are normal DNS zones containing RRsets
that can be queried normally if allowed.
It is usually best to restrict those queries with something like
<span><strong class="command">allow-query { none; };</strong></span> or
<span><strong class="command">allow-query { 127.0.0.1; };</strong></span>.

There are four kinds of RPZ rewrite rules. QNAME rules are
applied to query names in requests and to targets of CNAME
records resolved in the process of generating the response.
The owner name of a QNAME rule is the query name relativized
The records in a rewrite rule are usually A, AAAA, or special
CNAMEs, but can be any type except DNAME.

IP rules are triggered by addresses in A and AAAA records.
All IP addresses in A or AAAA RRsets are tested and the rule
with the longest prefix is applied. Ties between rules with equal prefixes
are broken in favor of the first RPZ mentioned in the
<span><strong class="command">response-policy</strong></span> option.
The rule matching the smallest IP address is chosen among equal
prefix rules from a single RPZ.
IP rules are expressed in RRsets with owner names that are
subdomains of rpz-ip and encoding an IP address block, reversed
prefix.B.B.B.B with prefix between 1 and 32 and B between 1 and 255
encodes an IPv4 address.
IPv6 addresses are encoded with prefix.W.W.W.W.W.W.W.W or
prefix.WORDS.zz.WORDS. The words in the standard IPv6 text
representation are reversed, "::" is replaced with ".zz.",
and ":" becomes ".".

NSDNAME rules match names in NS RRsets for the response or a
parent. They are encoded as subdomains of rpz-nsdname relativized
to the RPZ origin name.

NSIP rules match IP addresses in A and AAAA RRsets for names of
responsible servers or the names that can be matched by NSDNAME
rules. They are encoded like IP rules except as subdomains of

Authority verification issues and variations in authority data in
the current version of <acronym class="acronym">BIND</acronym> 9 can cause
inconsistent results from NSIP and NSDNAME. So they are available
only when <acronym class="acronym">BIND</acronym> is built with the
<strong class="userinput"><code>--enable-rpz-nsip</code></strong> or
<strong class="userinput"><code>--enable-rpz-nsdname</code></strong> options
on the "configure" command line.

Four policies can be expressed.
The <span><strong class="command">NXDOMAIN</strong></span> policy causes a NXDOMAIN response
and is expressed with an RRset consisting of a single CNAME
whose target is the root domain (.).
<span><strong class="command">NODATA</strong></span> generates NODATA or ANCOUNT=1 regardless
It is expressed with a CNAME whose target is the wildcard
top-level domain (*.).
The <span><strong class="command">NO-OP</strong></span> policy does not change the response
and is used to "poke holes" in policies for larger CIDR blocks or in
zones named later in the <span><strong class="command">response-policy</strong></span> option.
The NO-OP policy is expressed by a CNAME with a target consisting
of the variable part of the owner name, such as "example.com." for
a QNAME rule or "128.1.0.0.127." for an IP rule.
The <span><strong class="command">CNAME</strong></span> policy is used to replace the RRsets
A and AAAA RRsets are most common and useful to capture
an evil domain in a walled garden, but any valid set of RRsets

All of the policies in an RPZ can be overridden with a
<span><strong class="command">policy</strong></span> clause.
<span><strong class="command">given</strong></span> says "do not override."
<span><strong class="command">no-op</strong></span> says "do nothing" regardless of the policy
<span><strong class="command">nxdomain</strong></span> causes all RPZ rules to generate
<span><strong class="command">nodata</strong></span> gives nodata.
<span><strong class="command">cname domain</strong></span> causes all RPZ rules to act as if
they consisted of a "cname domain" record.

For example, you might use this option statement
<pre class="programlisting">response-policy { zone "bl"; };</pre>
and this zone statement
<pre class="programlisting">zone "bl" {type master; file "example/bl"; allow-query {none;}; };</pre>
<pre class="programlisting">$TTL 1H
@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
nxdomain.domain.com CNAME .
nodata.domain.com CNAME *.
bad.domain.com A 10.0.0.1
ok.domain.com CNAME ok.domain.com.
*.badzone.domain.com CNAME garden.example.com.

; IP rules rewriting all answers for 127/8 except 127.0.0.1
8.0.0.0.127.ip CNAME .
32.1.0.0.127.ip CNAME 32.1.0.0.127.

; NSDNAME and NSIP rules
ns.domain.com.rpz-nsdname CNAME .
48.zz.2.2001.rpz-nsip CNAME .
</pre>
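The owner-name encoding, the policy expressed by a rule's CNAME target and the longest-prefix selection among IP rules, worked through in Python as an added example (not BIND's own code). The rules and addresses are constructed from the zone above, written with the rpz-ip suffix label the text uses; reading "smallest IP address" as the smallest network address is an interpretation, since the page does not define the tie-break further.

```python
"""Added example, not BIND's own code: encoding, decoding and matching of
the RPZ rules described above.  Owner names are written relative to the
RPZ origin, with the rpz-ip / rpz-nsip suffix label the text uses for IP
rules.  The rules and addresses below are constructed samples; the
"smallest IP address" tie-break is read here as the smallest network
address (an interpretation, the page does not define it further)."""
import ipaddress

RULE_SUFFIXES = ("rpz-ip", "rpz-nsip", "rpz-nsdname")


def ip_rule_owner(cidr, suffix="rpz-ip"):
    """Encode an address block as an IP-rule owner name.

    IPv4: prefix.B.B.B.B with the octets reversed.  IPv6: the words of
    the standard text form reversed, "::" written as ".zz." and ":" as ".".
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        labels = str(net.network_address).split(".")
    else:
        text = net.network_address.compressed
        text = text.replace("::", ".zz.").replace(":", ".")
        labels = [w for w in text.split(".") if w]
    return "%d.%s.%s" % (net.prefixlen, ".".join(reversed(labels)), suffix)


def ip_rule_block(owner):
    """Inverse of ip_rule_owner: the address block an owner name encodes."""
    labels = owner.rstrip(".").split(".")
    if labels[-1] not in ("rpz-ip", "rpz-nsip"):
        raise ValueError("not an IP or NSIP rule: " + owner)
    prefix, words = int(labels[0]), list(reversed(labels[1:-1]))
    if "zz" not in words and len(words) == 4:
        return ipaddress.ip_network("%s/%d" % (".".join(words), prefix), strict=False)
    text = ":".join(words)
    for pattern in (":zz:", ":zz", "zz:"):      # put the "::" back
        text = text.replace(pattern, "::")
    if text == "zz":
        text = "::"
    return ipaddress.ip_network("%s/%d" % (text, prefix), strict=False)


def rule_policy(owner, cname_target):
    """Name the policy a rule's CNAME target expresses.

    "." is NXDOMAIN, "*." is NODATA, the variable part of the owner name
    is NO-OP (a hole), and anything else is the CNAME (walled garden) policy.
    """
    if cname_target == ".":
        return "NXDOMAIN"
    if cname_target == "*.":
        return "NODATA"
    labels = owner.rstrip(".").split(".")
    if labels[-1] in RULE_SUFFIXES:
        labels = labels[:-1]
    if cname_target.rstrip(".") == ".".join(labels):
        return "NO-OP"
    return "CNAME"


def best_ip_rule(rules, addresses):
    """Choose the IP rule for the addresses of one A or AAAA RRset.

    Every address is tested; the longest prefix wins and, within this
    single RPZ, equal prefixes are broken towards the smaller network.
    Returns (owner, target, policy) or None when no rule matches.
    """
    best = None
    for owner, target in rules:
        net = ip_rule_block(owner)
        for address in addresses:
            addr = ipaddress.ip_address(address)
            if addr.version != net.version or addr not in net:
                continue
            key = (-net.prefixlen, int(net.network_address))
            if best is None or key < best[0]:
                best = (key, owner, target)
    if best is None:
        return None
    return best[1], best[2], rule_policy(best[1], best[2])


# The IP rules of the example zone above, with the rpz-ip suffix label.
EXAMPLE_IP_RULES = [
    ("8.0.0.0.127.rpz-ip", "."),               # 127/8 -> NXDOMAIN
    ("32.1.0.0.127.rpz-ip", "32.1.0.0.127."),  # 127.0.0.1 -> hole (NO-OP)
]

if __name__ == "__main__":
    print(ip_rule_owner("2001:2::/48", "rpz-nsip"))
    for rrset in (["127.0.0.1"], ["10.0.0.1", "127.5.5.5"], ["192.0.2.1"]):
        print(rrset, "->", best_ip_rule(EXAMPLE_IP_RULES, rrset))
```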
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<code class="varname">static-stub</code>
A static-stub zone is similar to a stub zone
with the following exceptions:
the zone data is statically configured, rather
than transferred from a master server;
when recursion is necessary for a query that
matches a static-stub zone, the locally
configured data (nameserver names and glue addresses)
is always used even if different authoritative
information is cached.

Zone data is configured via the
<span><strong class="command">server-addresses</strong></span> and
<span><strong class="command">server-names</strong></span> zone options.

The zone data is maintained in the form of NS
and (if necessary) glue A or AAAA RRs
internally, which can be seen by dumping zone
databases with <span><strong class="command">rndc dumpdb -all</strong></span>.
The configured RRs are considered local configuration
parameters rather than public data.
Non-recursive queries (i.e., those with the RD
bit off) to a static-stub zone are therefore
prohibited and will be answered with REFUSED.

Since the data is statically configured, no
zone maintenance action takes place for a static-stub
For example, there is no periodic refresh
attempt, and an incoming notify message
will be rejected with an rcode of NOTAUTH.

Each static-stub zone is configured with
internally generated NS and (if necessary)
<code class="varname">forward</code>
<span><strong class="command">statistics-file</strong></span> defined in
the server options.
<dt><span class="term"><span><strong class="command">server-addresses</strong></span></span></dt>
Only meaningful for static-stub zones.
This is a list of IP addresses to which queries
should be sent in recursive resolution for the
A non-empty list for this option will internally
configure the apex NS RR with associated glue A or
For example, if "example.com" is configured as a
static-stub zone with 192.0.2.1 and 2001:db8::1234
in a <span><strong class="command">server-addresses</strong></span> option,
the following RRs will be internally configured.
<pre class="programlisting">example.com. NS example.com.
example.com. A 192.0.2.1
example.com. AAAA 2001:db8::1234</pre>
These records are internally used to resolve
names under the static-stub zone.
For instance, if the server receives a query for
"www.example.com" with the RD bit on, the server
will initiate recursive resolution and send
queries to 192.0.2.1 and/or 2001:db8::1234.
<dt><span class="term"><span><strong class="command">server-names</strong></span></span></dt>
Only meaningful for static-stub zones.
This is a list of domain names of nameservers that
act as authoritative servers of the static-stub
These names will be resolved to IP addresses when
<span><strong class="command">named</strong></span> needs to send queries to
To make this supplemental resolution successful,
these names must not be a subdomain of the origin
name of the static-stub zone.
That is, when "example.net" is the origin of a
static-stub zone, "ns.example" and
"master.example.com" can be specified in the
<span><strong class="command">server-names</strong></span> option, but
"ns.example.net" cannot, and will be rejected by
the configuration parser.

A non-empty list for this option will internally
configure the apex NS RR with the specified names.
For example, if "example.com" is configured as a
static-stub zone with "ns1.example.net" and
in a <span><strong class="command">server-names</strong></span> option,
the following RRs will be internally configured.
<pre class="programlisting">example.com. NS ns1.example.net.
example.com. NS ns2.example.net.</pre>
These records are internally used to resolve
names under the static-stub zone.
For instance, if the server receives a query for
"www.example.com" with the RD bit on, the server
will initiate recursive resolution,
resolve "ns1.example.net" and/or
"ns2.example.net" to IP addresses, and then send
queries to (one or more of) these addresses.
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
See the description of
<code class="varname">ms-self</code>
This rule takes a Windows machine principal
(machine$@REALM) for machine in REALM and
converts it to machine.realm allowing the machine
to update machine.realm. The REALM to be matched
is specified in the <em class="replaceable"><code>identity</code></em>
<code class="varname">ms-subdomain</code>
This rule takes a Windows machine principal
(machine$@REALM) for machine in REALM and
converts it to machine.realm allowing the machine
to update subdomains of machine.realm. The REALM
to be matched is specified in the
<em class="replaceable"><code>identity</code></em> field.
<code class="varname">krb5-self</code>
This rule takes a Kerberos machine principal
(host/machine@REALM) for machine in REALM and
converts it to machine.realm allowing the machine
to update machine.realm. The REALM to be matched
is specified in the <em class="replaceable"><code>identity</code></em>
<code class="varname">krb5-subdomain</code>
This rule takes a Kerberos machine principal
(host/machine@REALM) for machine in REALM and
converts it to machine.realm allowing the machine
to update subdomains of machine.realm. The REALM
to be matched is specified in the
<em class="replaceable"><code>identity</code></em> field.
<code class="varname">tcp-self</code>
<code class="varname">external</code>
This rule allows <span><strong class="command">named</strong></span>
to defer the decision of whether to allow a
given update to an external daemon.

The method of communicating with the daemon is
specified in the <em class="replaceable"><code>identity</code></em>
field, the format of which is
"<code class="constant">local:</code><em class="replaceable"><code>path</code></em>",
where <em class="replaceable"><code>path</code></em> is the location
of a UNIX-domain socket. (Currently, "local" is the
only supported mechanism.)

Requests to the external daemon are sent over the
UNIX-domain socket as datagrams with the following
<pre class="programlisting">
Protocol version number (4 bytes, network byte order, currently 1)
Request length (4 bytes, network byte order)
Signer (null-terminated string)
Name (null-terminated string)
TCP source address (null-terminated string)
Rdata type (null-terminated string)
Key (null-terminated string)
TKEY token length (4 bytes, network byte order)
TKEY token (remainder of packet)</pre>
The daemon replies with a four-byte value in
network byte order, containing either 0 or 1; 0
indicates that the specified update is not
permitted, and 1 indicates that it is.
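The request and reply format above, as an added example in Python (not BIND's own code): an encoder for the datagram, a decoder that rejects anything malformed, and the daemon-side decision that turns a parse failure into a refusal. The page does not say what the Request length field covers, so this example assumes it counts the whole datagram including the two leading 4-byte fields; the sample request and the allow/deny rule are constructed.

```python
"""Added example, not BIND's own code: an encoder and a defensive decoder
for the datagram format the "external" update-policy rule sends to its
daemon, plus the four-byte reply.  Assumption (the text above does not
say): the Request length field counts the whole datagram, both leading
4-byte fields included.  The sample request and the allow/deny rule used
here are constructed."""
import struct

PROTOCOL_VERSION = 1
STRING_FIELDS = ("signer", "name", "tcp_source", "rdtype", "key")


def encode_request(signer, name, tcp_source, rdtype, key, tkey_token=b""):
    """Build one request datagram in the documented field order."""
    body = b"".join(s.encode("ascii") + b"\0"
                    for s in (signer, name, tcp_source, rdtype, key))
    body += struct.pack("!I", len(tkey_token)) + tkey_token
    length = 8 + len(body)                      # assumption: total length
    return struct.pack("!II", PROTOCOL_VERSION, length) + body


def decode_request(datagram):
    """Parse a datagram, rejecting anything malformed with ValueError."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than its fixed header")
    version, length = struct.unpack("!II", datagram[:8])
    if version != PROTOCOL_VERSION:
        raise ValueError("unsupported protocol version %d" % version)
    if length != len(datagram):
        raise ValueError("length field %d != datagram size %d"
                         % (length, len(datagram)))
    fields, pos = {}, 8
    for field in STRING_FIELDS:
        end = datagram.find(b"\0", pos)
        if end < 0:
            raise ValueError("unterminated %s field" % field)
        fields[field] = datagram[pos:end].decode("ascii")
        pos = end + 1
    if len(datagram) - pos < 4:
        raise ValueError("missing TKEY token length")
    (token_len,) = struct.unpack("!I", datagram[pos:pos + 4])
    pos += 4
    if token_len != len(datagram) - pos:
        raise ValueError("TKEY token length does not match remainder")
    fields["tkey_token"] = datagram[pos:]
    return fields


def encode_reply(allowed):
    """Four bytes, network order: 1 permits the update, 0 refuses it."""
    return struct.pack("!I", 1 if allowed else 0)


def self_only_policy(req):
    """Constructed decision rule: a signer may change only the name equal
    to its own key name, and only address records."""
    return (req["signer"].lower() == req["name"].lower()
            and req["rdtype"].upper() in ("A", "AAAA"))


def handle_datagram(datagram, policy=self_only_policy):
    """What the daemon does per request: any parse failure is a denial,
    so a truncated or inconsistent packet can never permit an update."""
    try:
        req = decode_request(datagram)
    except ValueError:          # UnicodeDecodeError is a ValueError too
        return encode_reply(False)
    return encode_reply(policy(req))


if __name__ == "__main__":
    sample = encode_request("host1.example.com.", "host1.example.com.",
                            "192.0.2.7", "A", "host1.example.com.", b"\x01\x02")
    print(decode_request(sample))
    print(handle_datagram(sample), handle_datagram(sample[:-1]))
```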
In all cases, the <em class="replaceable"><code>name</code></em>
field must specify a fully-qualified domain name.
If no types are explicitly specified, this rule matches