1<!--
2 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
3 - Copyright (C) 2000-2003 Internet Software Consortium.
4 -
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
8 -
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
16-->
17<html>
18<head>
19<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
20<title>Chapter�6.�BIND 9 Configuration Reference</title>
21<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
22<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
23<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
24<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter�5.�The BIND 9 Lightweight Resolver">
25<link rel="next" href="Bv9ARM.ch07.html" title="Chapter�7.�BIND 9 Security Considerations">
26</head>
27<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
28<div class="navheader">
29<table width="100%" summary="Navigation header">
30<tr><th colspan="3" align="center">Chapter�6.�<acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr>
31<tr>
32<td width="20%" align="left">
33<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a>�</td>
34<th width="60%" align="center">�</th>
35<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
36</td>
37</tr>
38</table>
39<hr>
40</div>
41<div class="chapter">
42<div class="titlepage"><div><div><h1 class="title">
43<a name="Bv9ARM.ch06"></a>Chapter�6.�<acronym class="acronym">BIND</acronym> 9 Configuration Reference</h1></div></div></div>
44<div class="toc">
45<p><b>Table of Contents</b></p>
46<dl class="toc">
47<dt><span class="section"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
48<dd><dl>
49<dt><span class="section"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
50<dt><span class="section"><a href="Bv9ARM.ch06.html#comment_syntax">Comment Syntax</a></span></dt>
51</dl></dd>
52<dt><span class="section"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
53<dd><dl>
54<dt><span class="section"><a href="Bv9ARM.ch06.html#acl_grammar"><span class="command"><strong>acl</strong></span> Statement Grammar</a></span></dt>
55<dt><span class="section"><a href="Bv9ARM.ch06.html#acl"><span class="command"><strong>acl</strong></span> Statement Definition and
56          Usage</a></span></dt>
57<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_grammar"><span class="command"><strong>controls</strong></span> Statement Grammar</a></span></dt>
58<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span class="command"><strong>controls</strong></span> Statement Definition and
59          Usage</a></span></dt>
60<dt><span class="section"><a href="Bv9ARM.ch06.html#include_grammar"><span class="command"><strong>include</strong></span> Statement Grammar</a></span></dt>
61<dt><span class="section"><a href="Bv9ARM.ch06.html#include_statement"><span class="command"><strong>include</strong></span> Statement Definition and Usage</a></span></dt>
62<dt><span class="section"><a href="Bv9ARM.ch06.html#key_grammar"><span class="command"><strong>key</strong></span> Statement Grammar</a></span></dt>
63<dt><span class="section"><a href="Bv9ARM.ch06.html#key_statement"><span class="command"><strong>key</strong></span> Statement Definition and Usage</a></span></dt>
64<dt><span class="section"><a href="Bv9ARM.ch06.html#logging_grammar"><span class="command"><strong>logging</strong></span> Statement Grammar</a></span></dt>
65<dt><span class="section"><a href="Bv9ARM.ch06.html#logging_statement"><span class="command"><strong>logging</strong></span> Statement Definition and Usage</a></span></dt>
66<dt><span class="section"><a href="Bv9ARM.ch06.html#lwres_grammar"><span class="command"><strong>lwres</strong></span> Statement Grammar</a></span></dt>
67<dt><span class="section"><a href="Bv9ARM.ch06.html#lwres_statement"><span class="command"><strong>lwres</strong></span> Statement Definition and Usage</a></span></dt>
68<dt><span class="section"><a href="Bv9ARM.ch06.html#masters_grammar"><span class="command"><strong>masters</strong></span> Statement Grammar</a></span></dt>
69<dt><span class="section"><a href="Bv9ARM.ch06.html#masters_statement"><span class="command"><strong>masters</strong></span> Statement Definition and
70          Usage</a></span></dt>
71<dt><span class="section"><a href="Bv9ARM.ch06.html#options_grammar"><span class="command"><strong>options</strong></span> Statement Grammar</a></span></dt>
72<dt><span class="section"><a href="Bv9ARM.ch06.html#options"><span class="command"><strong>options</strong></span> Statement Definition and
73          Usage</a></span></dt>
74<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span class="command"><strong>server</strong></span> Statement Grammar</a></span></dt>
75<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span class="command"><strong>server</strong></span> Statement Definition and
76            Usage</a></span></dt>
77<dt><span class="section"><a href="Bv9ARM.ch06.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
78<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
79            Usage</a></span></dt>
80<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted-keys"><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</a></span></dt>
81<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted_keys"><span class="command"><strong>trusted-keys</strong></span> Statement Definition
82            and Usage</a></span></dt>
83<dt><span class="section"><a href="Bv9ARM.ch06.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
84<dt><span class="section"><a href="Bv9ARM.ch06.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
85            and Usage</a></span></dt>
86<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span class="command"><strong>view</strong></span> Statement Grammar</a></span></dt>
87<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement"><span class="command"><strong>view</strong></span> Statement Definition and Usage</a></span></dt>
88<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span class="command"><strong>zone</strong></span>
89            Statement Grammar</a></span></dt>
90<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement"><span class="command"><strong>zone</strong></span> Statement Definition and Usage</a></span></dt>
91</dl></dd>
92<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_file">Zone File</a></span></dt>
93<dd><dl>
94<dt><span class="section"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
95<dt><span class="section"><a href="Bv9ARM.ch06.html#mx_records">Discussion of MX Records</a></span></dt>
96<dt><span class="section"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
97<dt><span class="section"><a href="Bv9ARM.ch06.html#ipv4_reverse">Inverse Mapping in IPv4</a></span></dt>
98<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_directives">Other Zone File Directives</a></span></dt>
99<dt><span class="section"><a href="Bv9ARM.ch06.html#generate_directive"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span class="command"><strong>$GENERATE</strong></span> Directive</a></span></dt>
100<dt><span class="section"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
101</dl></dd>
102<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
103<dd><dl>
104<dt><span class="section"><a href="Bv9ARM.ch06.html#statsfile">The Statistics File</a></span></dt>
105<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt>
106</dl></dd>
107</dl>
108</div>
109<p>
110      <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
111      to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
112      areas
113      of configuration, such as views. <acronym class="acronym">BIND</acronym>
114      8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
115      9, although more complex configurations should be reviewed to check
116      if they can be more efficiently implemented using the new features
117      found in <acronym class="acronym">BIND</acronym> 9.
118    </p>
119<p>
120      <acronym class="acronym">BIND</acronym> 4 configuration files can be
121      converted to the new format
122      using the shell script
123      <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
124    </p>
125<div class="section">
126<div class="titlepage"><div><div><h2 class="title" style="clear: both">
127<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
128<p>
129        Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
130        file documentation:
131      </p>
132<div class="informaltable"><table border="1">
133<colgroup>
134<col width="1.855in" class="1">
135<col width="3.770in" class="2">
136</colgroup>
137<tbody>
138<tr>
139<td>
140                <p>
141                  <code class="varname">acl_name</code>
142                </p>
143              </td>
144<td>
145                <p>
146                  The name of an <code class="varname">address_match_list</code> as
147                  defined by the <span class="command"><strong>acl</strong></span> statement.
148                </p>
149              </td>
150</tr>
151<tr>
152<td>
153                <p>
154                  <code class="varname">address_match_list</code>
155                </p>
156              </td>
157<td>
158                <p>
159                  A list of one or more
160                  <code class="varname">ip_addr</code>,
161                  <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
162                  or <code class="varname">acl_name</code> elements, see
163                  <a class="xref" href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.
164                </p>
165              </td>
166</tr>
167<tr>
168<td>
169                <p>
170                  <code class="varname">masters_list</code>
171                </p>
172              </td>
173<td>
174                <p>
175                  A named list of one or more <code class="varname">ip_addr</code>
176                  with optional <code class="varname">key_id</code> and/or
177                  <code class="varname">ip_port</code>.
178                  A <code class="varname">masters_list</code> may include other
179                  <code class="varname">masters_lists</code>.
180                </p>
181              </td>
182</tr>
183<tr>
184<td>
185                <p>
186                  <code class="varname">domain_name</code>
187                </p>
188              </td>
189<td>
190                <p>
191                  A quoted string which will be used as
192                  a DNS name, for example "<code class="literal">my.test.domain</code>".
193                </p>
194              </td>
195</tr>
196<tr>
197<td>
198                <p>
199                  <code class="varname">namelist</code>
200                </p>
201              </td>
202<td>
203                <p>
204                  A list of one or more <code class="varname">domain_name</code>
205                  elements.
206                </p>
207              </td>
208</tr>
209<tr>
210<td>
211                <p>
212                  <code class="varname">dotted_decimal</code>
213                </p>
214              </td>
215<td>
216                <p>
217                  One to four integers valued 0 through
218                  255 separated by dots (`.'), such as <span class="command"><strong>123</strong></span>,
219                  <span class="command"><strong>45.67</strong></span> or <span class="command"><strong>89.123.45.67</strong></span>.
220                </p>
221              </td>
222</tr>
223<tr>
224<td>
225                <p>
226                  <code class="varname">ip4_addr</code>
227                </p>
228              </td>
229<td>
230                <p>
231                  An IPv4 address with exactly four elements
232                  in <code class="varname">dotted_decimal</code> notation.
233                </p>
234              </td>
235</tr>
236<tr>
237<td>
238                <p>
239                  <code class="varname">ip6_addr</code>
240                </p>
241              </td>
242<td>
243                <p>
244                  An IPv6 address, such as <span class="command"><strong>2001:db8::1234</strong></span>.
245                  IPv6 scoped addresses that have ambiguity on their
246                  scope zones must be disambiguated by an appropriate
247                  zone ID with the percent character (`%') as
248                  delimiter.  It is strongly recommended to use
249                  string zone names rather than numeric identifiers,
250                  in order to be robust against system configuration
251                  changes.  However, since there is no standard
252                  mapping for such names and identifier values,
253                  currently only interface names as link identifiers
254                  are supported, assuming one-to-one mapping between
255                  interfaces and links.  For example, a link-local
256                  address <span class="command"><strong>fe80::1</strong></span> on the link
257                  attached to the interface <span class="command"><strong>ne0</strong></span>
258                  can be specified as <span class="command"><strong>fe80::1%ne0</strong></span>.
259                  Note that on most systems link-local addresses
260                  always have the ambiguity, and need to be
261                  disambiguated.
262                </p>
263              </td>
264</tr>
265<tr>
266<td>
267                <p>
268                  <code class="varname">ip_addr</code>
269                </p>
270              </td>
271<td>
272                <p>
273                  An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
274                </p>
275              </td>
276</tr>
277<tr>
278<td>
279                <p>
280                  <code class="varname">ip_port</code>
281                </p>
282              </td>
283<td>
284                <p>
285                  An IP port <code class="varname">number</code>.
286                  The <code class="varname">number</code> is limited to 0
287                  through 65535, with values
288                  below 1024 typically restricted to use by processes running
289                  as root.
290                  In some cases, an asterisk (`*') character can be used as a
291                  placeholder to
292                  select a random high-numbered port.
293                </p>
294              </td>
295</tr>
296<tr>
297<td>
298                <p>
299                  <code class="varname">ip_prefix</code>
300                </p>
301              </td>
302<td>
303                <p>
304                  An IP network specified as an <code class="varname">ip_addr</code>,
305                  followed by a slash (`/') and then the number of bits in the
306                  netmask.
307                  Trailing zeros in a <code class="varname">ip_addr</code>
308                  may omitted.
309                  For example, <span class="command"><strong>127/8</strong></span> is the
310                  network <span class="command"><strong>127.0.0.0</strong></span> with
311                  netmask <span class="command"><strong>255.0.0.0</strong></span> and <span class="command"><strong>1.2.3.0/28</strong></span> is
312                  network <span class="command"><strong>1.2.3.0</strong></span> with netmask <span class="command"><strong>255.255.255.240</strong></span>.
313                </p>
314                <p>
315                  When specifying a prefix involving a IPv6 scoped address
316                  the scope may be omitted.  In that case the prefix will
317                  match packets from any scope.
318                </p>
319              </td>
320</tr>
321<tr>
322<td>
323                <p>
324                  <code class="varname">key_id</code>
325                </p>
326              </td>
327<td>
328                <p>
329                  A <code class="varname">domain_name</code> representing
330                  the name of a shared key, to be used for transaction
331                  security.
332                </p>
333              </td>
334</tr>
335<tr>
336<td>
337                <p>
338                  <code class="varname">key_list</code>
339                </p>
340              </td>
341<td>
342                <p>
343                  A list of one or more
344                  <code class="varname">key_id</code>s,
345                  separated by semicolons and ending with a semicolon.
346                </p>
347              </td>
348</tr>
349<tr>
350<td>
351                <p>
352                  <code class="varname">number</code>
353                </p>
354              </td>
355<td>
356                <p>
357                  A non-negative 32-bit integer
358                  (i.e., a number between 0 and 4294967295, inclusive).
359                  Its acceptable value might further
360                  be limited by the context in which it is used.
361                </p>
362              </td>
363</tr>
364<tr>
365<td>
366                <p>
367                  <code class="varname">path_name</code>
368                </p>
369              </td>
370<td>
371                <p>
372                  A quoted string which will be used as
373                  a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
374                </p>
375              </td>
376</tr>
377<tr>
378<td>
379                <p>
380                  <code class="varname">port_list</code>
381                </p>
382              </td>
383<td>
384                <p>
385                  A list of an <code class="varname">ip_port</code> or a port
386                  range.
387                  A port range is specified in the form of
388                  <strong class="userinput"><code>range</code></strong> followed by
389                  two <code class="varname">ip_port</code>s,
390                  <code class="varname">port_low</code> and
391                  <code class="varname">port_high</code>, which represents
392                  port numbers from <code class="varname">port_low</code> through
393                  <code class="varname">port_high</code>, inclusive.
394                  <code class="varname">port_low</code> must not be larger than
395                  <code class="varname">port_high</code>.
396                  For example,
397                  <strong class="userinput"><code>range 1024 65535</code></strong> represents
398                  ports from 1024 through 65535.
399                  In either case an asterisk (`*') character is not
400                  allowed as a valid <code class="varname">ip_port</code>.
401                </p>
402              </td>
403</tr>
404<tr>
405<td>
406                <p>
407                  <code class="varname">size_spec</code>
408                </p>
409              </td>
410<td>
411                <p>
412                  A 64-bit unsigned integer, or the keywords
413                  <strong class="userinput"><code>unlimited</code></strong> or
414                  <strong class="userinput"><code>default</code></strong>.
415                </p>
416                <p>
417                  Integers may take values
418                  0 &lt;= value &lt;= 18446744073709551615, though
419                  certain parameters
420                  (such as <span class="command"><strong>max-journal-size</strong></span>) may
421                  use a more limited range within these extremes.
422                  In most cases, setting a value to 0 does not
423                  literally mean zero; it means "undefined" or
424                  "as big as possible", depending on the context.
425                  See the explanations of particular parameters
426                  that use <code class="varname">size_spec</code>
427                  for details on how they interpret its use.
428                </p>
429                <p>
430                  Numeric values can optionally be followed by a
431                  scaling factor:
432                  <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
433                  for kilobytes,
434                  <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
435                  for megabytes, and
436                  <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong>
437                  for gigabytes, which scale by 1024, 1024*1024, and
438                  1024*1024*1024 respectively.
439                </p>
440                <p>
441                  <code class="varname">unlimited</code> generally means
442                  "as big as possible", though in certain contexts,
443                  (including <code class="option">max-cache-size</code>), it may
444                  mean the largest possible 32-bit unsigned integer
445                  (0xffffffff); this distinction can be important when
446                  dealing with larger quantities.
447                  <code class="varname">unlimited</code> is usually the best way
448                  to safely set a very large number.
449                </p>
450                <p>
451                  <code class="varname">default</code>
452                  uses the limit that was in force when the server was started.
453                </p>
454              </td>
455</tr>
456<tr>
457<td>
458                <p>
459                  <code class="varname">yes_or_no</code>
460                </p>
461              </td>
462<td>
463                <p>
464                  Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
465                  The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
466                  also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
467                  and <strong class="userinput"><code>0</code></strong>.
468                </p>
469              </td>
470</tr>
471<tr>
472<td>
473                <p>
474                  <code class="varname">dialup_option</code>
475                </p>
476              </td>
477<td>
478                <p>
479                  One of <strong class="userinput"><code>yes</code></strong>,
480                  <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
481                  <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
482                  <strong class="userinput"><code>passive</code></strong>.
483                  When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
484                  <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
485                  are restricted to slave and stub zones.
486                </p>
487              </td>
488</tr>
489</tbody>
490</table></div>
491<div class="section">
492<div class="titlepage"><div><div><h3 class="title">
493<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
494<div class="section">
495<div class="titlepage"><div><div><h4 class="title">
496<a name="id-1.7.4.4.2"></a>Syntax</h4></div></div></div>
497<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
498  [<span class="optional"> address_match_list_element; ... </span>]
499<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
500   key key_id | acl_name | { address_match_list } )
501</pre>
502</div>
503<div class="section">
504<div class="titlepage"><div><div><h4 class="title">
505<a name="id-1.7.4.4.3"></a>Definition and Usage</h4></div></div></div>
506<p>
507            Address match lists are primarily used to determine access
508            control for various server operations. They are also used in
509            the <span class="command"><strong>listen-on</strong></span> and <span class="command"><strong>sortlist</strong></span>
510            statements. The elements which constitute an address match
511            list can be any of the following:
512          </p>
513<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
514<li class="listitem">an IP address (IPv4 or IPv6)</li>
515<li class="listitem">an IP prefix (in `/' notation)</li>
516<li class="listitem">
517                a key ID, as defined by the <span class="command"><strong>key</strong></span>
518                statement
519              </li>
520<li class="listitem">the name of an address match list defined with
521                the <span class="command"><strong>acl</strong></span> statement
522              </li>
523<li class="listitem">a nested address match list enclosed in braces</li>
524</ul></div>
525<p>
526            Elements can be negated with a leading exclamation mark (`!'),
527            and the match list names "any", "none", "localhost", and
528            "localnets" are predefined. More information on those names
529            can be found in the description of the acl statement.
530          </p>
531<p>
532            The addition of the key clause made the name of this syntactic
533            element something of a misnomer, since security keys can be used
534            to validate access without regard to a host or network address.
535            Nonetheless, the term "address match list" is still used
536            throughout the documentation.
537          </p>
538<p>
539            When a given IP address or prefix is compared to an address
540            match list, the comparison takes place in approximately O(1)
541            time.  However, key comparisons require that the list of keys
542            be traversed until a matching key is found, and therefore may
543            be somewhat slower.
544          </p>
545<p>
546            The interpretation of a match depends on whether the list is being
547            used for access control, defining <span class="command"><strong>listen-on</strong></span> ports, or in a
548            <span class="command"><strong>sortlist</strong></span>, and whether the element was negated.
549          </p>
550<p>
551            When used as an access control list, a non-negated match
552            allows access and a negated match denies access. If
553            there is no match, access is denied. The clauses
554            <span class="command"><strong>allow-notify</strong></span>,
555            <span class="command"><strong>allow-recursion</strong></span>,
556            <span class="command"><strong>allow-recursion-on</strong></span>,
557            <span class="command"><strong>allow-query</strong></span>,
558            <span class="command"><strong>allow-query-on</strong></span>,
559            <span class="command"><strong>allow-query-cache</strong></span>,
560            <span class="command"><strong>allow-query-cache-on</strong></span>,
561            <span class="command"><strong>allow-transfer</strong></span>,
562            <span class="command"><strong>allow-update</strong></span>,
563            <span class="command"><strong>allow-update-forwarding</strong></span>, and
564            <span class="command"><strong>blackhole</strong></span> all use address match
565            lists.  Similarly, the <span class="command"><strong>listen-on</strong></span> option will cause the
566            server to refuse queries on any of the machine's
567            addresses which do not match the list.
568          </p>
569<p>
570            Order of insertion is significant.  If more than one element
571            in an ACL is found to match a given IP address or prefix,
572            preference will be given to the one that came
573            <span class="emphasis"><em>first</em></span> in the ACL definition.
574            Because of this first-match behavior, an element that
575            defines a subset of another element in the list should
576            come before the broader element, regardless of whether
577            either is negated. For example, in
578            <span class="command"><strong>1.2.3/24; ! 1.2.3.13;</strong></span>
579            the 1.2.3.13 element is completely useless because the
580            algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
581            element.  Using <span class="command"><strong>! 1.2.3.13; 1.2.3/24</strong></span> fixes
582            that problem by having 1.2.3.13 blocked by the negation, but
583            all other 1.2.3.* hosts fall through.
584          </p>
585</div>
586</div>
587<div class="section">
588<div class="titlepage"><div><div><h3 class="title">
589<a name="comment_syntax"></a>Comment Syntax</h3></div></div></div>
590<p>
591          The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
592          comments to appear
593          anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
594          file. To appeal to programmers of all kinds, they can be written
595          in the C, C++, or shell/perl style.
596        </p>
597<div class="section">
598<div class="titlepage"><div><div><h4 class="title">
599<a name="id-1.7.4.5.3"></a>Syntax</h4></div></div></div>
600<p>
601            </p>
602<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
603<p>
604            </p>
605<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
606<p>
607            </p>
608<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
609# and perl</pre>
610<p>
611          </p>
612</div>
613<div class="section">
614<div class="titlepage"><div><div><h4 class="title">
615<a name="id-1.7.4.5.4"></a>Definition and Usage</h4></div></div></div>
616<p>
617            Comments may appear anywhere that whitespace may appear in
618            a <acronym class="acronym">BIND</acronym> configuration file.
619          </p>
620<p>
621            C-style comments start with the two characters /* (slash,
622            star) and end with */ (star, slash). Because they are completely
623            delimited with these characters, they can be used to comment only
624            a portion of a line or to span multiple lines.
625          </p>
626<p>
627            C-style comments cannot be nested. For example, the following
628            is not valid because the entire comment ends with the first */:
629          </p>
630<p>
631
632</p>
633<pre class="programlisting">/* This is the start of a comment.
634   This is still part of the comment.
635/* This is an incorrect attempt at nesting a comment. */
636   This is no longer in any comment. */
637</pre>
638<p>
639
640          </p>
641<p>
642            C++-style comments start with the two characters // (slash,
643            slash) and continue to the end of the physical line. They cannot
644            be continued across multiple physical lines; to have one logical
645            comment span multiple lines, each line must use the // pair.
646            For example:
647          </p>
648<p>
649
650</p>
651<pre class="programlisting">// This is the start of a comment.  The next line
652// is a new comment, even though it is logically
653// part of the previous comment.
654</pre>
655<p>
656
657          </p>
658<p>
659            Shell-style (or perl-style, if you prefer) comments start
660            with the character <code class="literal">#</code> (number sign)
661            and continue to the end of the
662            physical line, as in C++ comments.
663            For example:
664          </p>
665<p>
666
667</p>
668<pre class="programlisting"># This is the start of a comment.  The next line
669# is a new comment, even though it is logically
670# part of the previous comment.
671</pre>
672<p>
673
674          </p>
675<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
676<h3 class="title">Warning</h3>
677<p>
678              You cannot use the semicolon (`;') character
679              to start a comment such as you would in a zone file. The
680              semicolon indicates the end of a configuration
681              statement.
682            </p>
683</div>
684</div>
685</div>
686</div>
687<div class="section">
688<div class="titlepage"><div><div><h2 class="title" style="clear: both">
689<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
690<p>
691        A <acronym class="acronym">BIND</acronym> 9 configuration consists of
692        statements and comments.
693        Statements end with a semicolon. Statements and comments are the
694        only elements that can appear without enclosing braces. Many
695        statements contain a block of sub-statements, which are also
696        terminated with a semicolon.
697      </p>
698<p>
699        The following statements are supported:
700      </p>
701<div class="informaltable"><table border="1">
702<colgroup>
703<col width="1.336in" class="1">
704<col width="3.778in" class="2">
705</colgroup>
706<tbody>
707<tr>
708<td>
709                <p><span class="command"><strong>acl</strong></span></p>
710              </td>
711<td>
712                <p>
713                  defines a named IP address
714                  matching list, for access control and other uses.
715                </p>
716              </td>
717</tr>
718<tr>
719<td>
720                <p><span class="command"><strong>controls</strong></span></p>
721              </td>
722<td>
723                <p>
724                  declares control channels to be used
725                  by the <span class="command"><strong>rndc</strong></span> utility.
726                </p>
727              </td>
728</tr>
729<tr>
730<td>
731                <p><span class="command"><strong>include</strong></span></p>
732              </td>
733<td>
734                <p>
735                  includes a file.
736                </p>
737              </td>
738</tr>
739<tr>
740<td>
741                <p><span class="command"><strong>key</strong></span></p>
742              </td>
743<td>
744                <p>
745                  specifies key information for use in
746                  authentication and authorization using TSIG.
747                </p>
748              </td>
749</tr>
750<tr>
751<td>
752                <p><span class="command"><strong>logging</strong></span></p>
753              </td>
754<td>
755                <p>
756                  specifies what the server logs, and where
757                  the log messages are sent.
758                </p>
759              </td>
760</tr>
761<tr>
762<td>
763                <p><span class="command"><strong>lwres</strong></span></p>
764              </td>
765<td>
766                <p>
767                  configures <span class="command"><strong>named</strong></span> to
768                  also act as a light-weight resolver daemon (<span class="command"><strong>lwresd</strong></span>).
769                </p>
770              </td>
771</tr>
772<tr>
773<td>
774                <p><span class="command"><strong>masters</strong></span></p>
775              </td>
776<td>
777                <p>
778                  defines a named masters list for
779                  inclusion in stub and slave zones'
780                  <span class="command"><strong>masters</strong></span> or
781                  <span class="command"><strong>also-notify</strong></span> lists.
782                </p>
783              </td>
784</tr>
785<tr>
786<td>
787                <p><span class="command"><strong>options</strong></span></p>
788              </td>
789<td>
790                <p>
791                  controls global server configuration
792                  options and sets defaults for other statements.
793                </p>
794              </td>
795</tr>
796<tr>
797<td>
798                <p><span class="command"><strong>server</strong></span></p>
799              </td>
800<td>
801                <p>
802                  sets certain configuration options on
803                  a per-server basis.
804                </p>
805              </td>
806</tr>
807<tr>
808<td>
809                <p><span class="command"><strong>statistics-channels</strong></span></p>
810              </td>
811<td>
812                <p>
813                  declares communication channels to get access to
814                  <span class="command"><strong>named</strong></span> statistics.
815                </p>
816              </td>
817</tr>
818<tr>
819<td>
820                <p><span class="command"><strong>trusted-keys</strong></span></p>
821              </td>
822<td>
823                <p>
824                  defines trusted DNSSEC keys.
825                </p>
826              </td>
827</tr>
828<tr>
829<td>
830                <p><span class="command"><strong>managed-keys</strong></span></p>
831              </td>
832<td>
833                <p>
834                  lists DNSSEC keys to be kept up to date
835                  using RFC 5011 trust anchor maintenance.
836                </p>
837              </td>
838</tr>
839<tr>
840<td>
841                <p><span class="command"><strong>view</strong></span></p>
842              </td>
843<td>
844                <p>
845                  defines a view.
846                </p>
847              </td>
848</tr>
849<tr>
850<td>
851                <p><span class="command"><strong>zone</strong></span></p>
852              </td>
853<td>
854                <p>
855                  defines a zone.
856                </p>
857              </td>
858</tr>
859</tbody>
860</table></div>
861<p>
862        The <span class="command"><strong>logging</strong></span> and
863        <span class="command"><strong>options</strong></span> statements may only occur once
864        per
865        configuration.
866      </p>
867<div class="section">
868<div class="titlepage"><div><div><h3 class="title">
869<a name="acl_grammar"></a><span class="command"><strong>acl</strong></span> Statement Grammar</h3></div></div></div>
870<pre class="programlisting"><span class="command"><strong>acl</strong></span> acl-name {
871    address_match_list
872};
873</pre>
874</div>
875<div class="section">
876<div class="titlepage"><div><div><h3 class="title">
877<a name="acl"></a><span class="command"><strong>acl</strong></span> Statement Definition and
878          Usage</h3></div></div></div>
879<p>
880          The <span class="command"><strong>acl</strong></span> statement assigns a symbolic
881          name to an address match list. It gets its name from a primary
882          use of address match lists: Access Control Lists (ACLs).
883        </p>
884<p>
885          The following ACLs are built-in:
886        </p>
887<div class="informaltable"><table border="1">
888<colgroup>
889<col width="1.130in" class="1">
890<col width="4.000in" class="2">
891</colgroup>
892<tbody>
893<tr>
894<td>
895                  <p><span class="command"><strong>any</strong></span></p>
896                </td>
897<td>
898                  <p>
899                    Matches all hosts.
900                  </p>
901                </td>
902</tr>
903<tr>
904<td>
905                  <p><span class="command"><strong>none</strong></span></p>
906                </td>
907<td>
908                  <p>
909                    Matches no hosts.
910                  </p>
911                </td>
912</tr>
913<tr>
914<td>
915                  <p><span class="command"><strong>localhost</strong></span></p>
916                </td>
917<td>
918                  <p>
919                    Matches the IPv4 and IPv6 addresses of all network
920                    interfaces on the system.  When addresses are
921                    added or removed, the <span class="command"><strong>localhost</strong></span>
922                    ACL element is updated to reflect the changes.
923                  </p>
924                </td>
925</tr>
926<tr>
927<td>
928                  <p><span class="command"><strong>localnets</strong></span></p>
929                </td>
930<td>
931                  <p>
932                    Matches any host on an IPv4 or IPv6 network
933                    for which the system has an interface.
934                    When addresses are added or removed,
935                    the <span class="command"><strong>localnets</strong></span>
936                    ACL element is updated to reflect the changes.
937                    Some systems do not provide a way to determine the prefix
938                    lengths of
939                    local IPv6 addresses.
940                    In such a case, <span class="command"><strong>localnets</strong></span>
941                    only matches the local
942                    IPv6 addresses, just like <span class="command"><strong>localhost</strong></span>.
943                  </p>
944                </td>
945</tr>
946</tbody>
947</table></div>
948</div>
949<div class="section">
950<div class="titlepage"><div><div><h3 class="title">
951<a name="controls_grammar"></a><span class="command"><strong>controls</strong></span> Statement Grammar</h3></div></div></div>
952<pre class="programlisting"><span class="command"><strong>controls</strong></span> {
953   [ inet ( ip_addr | * ) [ port ip_port ]
954                allow { <em class="replaceable"><code> address_match_list </code></em> }
955                keys { <em class="replaceable"><code>key_list</code></em> }; ]
956   [ inet ...; ]
957   [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
958     keys { <em class="replaceable"><code>key_list</code></em> }; ]
959   [ unix ...; ]
960};
961</pre>
962</div>
963<div class="section">
964<div class="titlepage"><div><div><h3 class="title">
965<a name="controls_statement_definition_and_usage"></a><span class="command"><strong>controls</strong></span> Statement Definition and
966          Usage</h3></div></div></div>
967<p>
968          The <span class="command"><strong>controls</strong></span> statement declares control
969          channels to be used by system administrators to control the
970          operation of the name server. These control channels are
971          used by the <span class="command"><strong>rndc</strong></span> utility to send
972          commands to and retrieve non-DNS results from a name server.
973        </p>
974<p>
975          An <span class="command"><strong>inet</strong></span> control channel is a TCP socket
976          listening at the specified <span class="command"><strong>ip_port</strong></span> on the
977          specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6
978          address.  An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
979          interpreted as the IPv4 wildcard address; connections will be
980          accepted on any of the system's IPv4 addresses.
981          To listen on the IPv6 wildcard address,
982          use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>.
983          If you will only use <span class="command"><strong>rndc</strong></span> on the local host,
984          using the loopback address (<code class="literal">127.0.0.1</code>
985          or <code class="literal">::1</code>) is recommended for maximum security.
986        </p>
987<p>
988          If no port is specified, port 953 is used. The asterisk
989          "<code class="literal">*</code>" cannot be used for <span class="command"><strong>ip_port</strong></span>.
990        </p>
991<p>
992          The ability to issue commands over the control channel is
993          restricted by the <span class="command"><strong>allow</strong></span> and
994          <span class="command"><strong>keys</strong></span> clauses.
995          Connections to the control channel are permitted based on the
996          <span class="command"><strong>address_match_list</strong></span>.  This is for simple
997          IP address based filtering only; any <span class="command"><strong>key_id</strong></span>
998          elements of the <span class="command"><strong>address_match_list</strong></span>
999          are ignored.
1000        </p>
1001<p>
1002          A <span class="command"><strong>unix</strong></span> control channel is a UNIX domain
1003          socket listening at the specified path in the file system.
1004          Access to the socket is specified by the <span class="command"><strong>perm</strong></span>,
1005          <span class="command"><strong>owner</strong></span> and <span class="command"><strong>group</strong></span> clauses.
1006          Note on some platforms (SunOS and Solaris) the permissions
1007          (<span class="command"><strong>perm</strong></span>) are applied to the parent directory
1008          as the permissions on the socket itself are ignored.
1009        </p>
1010<p>
1011          The primary authorization mechanism of the command
1012          channel is the <span class="command"><strong>key_list</strong></span>, which
1013          contains a list of <span class="command"><strong>key_id</strong></span>s.
1014          Each <span class="command"><strong>key_id</strong></span> in the <span class="command"><strong>key_list</strong></span>
1015          is authorized to execute commands over the control channel.
1016          See <a class="xref" href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a class="xref" href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called &#8220;Administrative Tools&#8221;</a>)
1017          for information about configuring keys in <span class="command"><strong>rndc</strong></span>.
1018        </p>
1019<p>
1020          If no <span class="command"><strong>controls</strong></span> statement is present,
1021          <span class="command"><strong>named</strong></span> will set up a default
1022          control channel listening on the loopback address 127.0.0.1
1023          and its IPv6 counterpart ::1.
1024          In this case, and also when the <span class="command"><strong>controls</strong></span> statement
1025          is present but does not have a <span class="command"><strong>keys</strong></span> clause,
1026          <span class="command"><strong>named</strong></span> will attempt to load the command channel key
1027          from the file <code class="filename">rndc.key</code> in
1028          <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
1029          was specified as when <acronym class="acronym">BIND</acronym> was built).
1030          To create a <code class="filename">rndc.key</code> file, run
1031          <strong class="userinput"><code>rndc-confgen -a</code></strong>.
1032        </p>
1033<p>
1034          The <code class="filename">rndc.key</code> feature was created to
1035          ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
1036          which did not have digital signatures on its command channel
1037          messages and thus did not have a <span class="command"><strong>keys</strong></span> clause.
1038
1039          It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
1040          configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
1041          and still have <span class="command"><strong>rndc</strong></span> work the same way
1042          <span class="command"><strong>ndc</strong></span> worked in BIND 8, simply by executing the
1043          command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
1044          installed.
1045        </p>
1046<p>
1047          Since the <code class="filename">rndc.key</code> feature
1048          is only intended to allow the backward-compatible usage of
1049          <acronym class="acronym">BIND</acronym> 8 configuration files, this
1050          feature does not
1051          have a high degree of configurability.  You cannot easily change
1052          the key name or the size of the secret, so you should make a
1053          <code class="filename">rndc.conf</code> with your own key if you
1054          wish to change
1055          those things.  The <code class="filename">rndc.key</code> file
1056          also has its
1057          permissions set such that only the owner of the file (the user that
1058          <span class="command"><strong>named</strong></span> is running as) can access it.
1059          If you
1060          desire greater flexibility in allowing other users to access
1061          <span class="command"><strong>rndc</strong></span> commands, then you need to create
1062          a
1063          <code class="filename">rndc.conf</code> file and make it group
1064          readable by a group
1065          that contains the users who should have access.
1066        </p>
1067<p>
1068          To disable the command channel, use an empty
1069          <span class="command"><strong>controls</strong></span> statement:
1070          <span class="command"><strong>controls { };</strong></span>.
1071        </p>
1072</div>
1073<div class="section">
1074<div class="titlepage"><div><div><h3 class="title">
1075<a name="include_grammar"></a><span class="command"><strong>include</strong></span> Statement Grammar</h3></div></div></div>
1076<pre class="programlisting"><span class="command"><strong>include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
1077</div>
1078<div class="section">
1079<div class="titlepage"><div><div><h3 class="title">
1080<a name="include_statement"></a><span class="command"><strong>include</strong></span> Statement Definition and Usage</h3></div></div></div>
1081<p>
1082          The <span class="command"><strong>include</strong></span> statement inserts the
1083          specified file at the point where the <span class="command"><strong>include</strong></span>
1084          statement is encountered. The <span class="command"><strong>include</strong></span>
1085                statement facilitates the administration of configuration
1086          files
1087          by permitting the reading or writing of some things but not
1088          others. For example, the statement could include private keys
1089          that are readable only by the name server.
1090        </p>
1091</div>
1092<div class="section">
1093<div class="titlepage"><div><div><h3 class="title">
1094<a name="key_grammar"></a><span class="command"><strong>key</strong></span> Statement Grammar</h3></div></div></div>
1095<pre class="programlisting"><span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_id</code></em> {
1096    algorithm <em class="replaceable"><code>algorithm_id</code></em>;
1097    secret <em class="replaceable"><code>secret_string</code></em>;
1098};
1099</pre>
1100</div>
1101<div class="section">
1102<div class="titlepage"><div><div><h3 class="title">
1103<a name="key_statement"></a><span class="command"><strong>key</strong></span> Statement Definition and Usage</h3></div></div></div>
1104<p>
1105          The <span class="command"><strong>key</strong></span> statement defines a shared
1106          secret key for use with TSIG (see <a class="xref" href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
1107          or the command channel
1108          (see <a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span class="command"><strong>controls</strong></span> Statement Definition and
1109          Usage&#8221;</a>).
1110        </p>
1111<p>
1112          The <span class="command"><strong>key</strong></span> statement can occur at the
1113          top level
1114          of the configuration file or inside a <span class="command"><strong>view</strong></span>
1115          statement.  Keys defined in top-level <span class="command"><strong>key</strong></span>
1116          statements can be used in all views.  Keys intended for use in
1117          a <span class="command"><strong>controls</strong></span> statement
1118          (see <a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span class="command"><strong>controls</strong></span> Statement Definition and
1119          Usage&#8221;</a>)
1120          must be defined at the top level.
1121        </p>
1122<p>
1123          The <em class="replaceable"><code>key_id</code></em>, also known as the
1124          key name, is a domain name uniquely identifying the key. It can
1125          be used in a <span class="command"><strong>server</strong></span>
1126          statement to cause requests sent to that
1127          server to be signed with this key, or in address match lists to
1128          verify that incoming requests have been signed with a key
1129          matching this name, algorithm, and secret.
1130        </p>
1131<p>
1132          The <em class="replaceable"><code>algorithm_id</code></em> is a string
1133          that specifies a security/authentication algorithm.  Named
1134          supports <code class="literal">hmac-md5</code>,
1135          <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
1136          <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
1137          and <code class="literal">hmac-sha512</code> TSIG authentication.
1138          Truncated hashes are supported by appending the minimum
1139          number of required bits preceded by a dash, e.g.
1140          <code class="literal">hmac-sha1-80</code>.  The
1141          <em class="replaceable"><code>secret_string</code></em> is the secret
1142          to be used by the algorithm, and is treated as a base-64
1143          encoded string.
1144        </p>
1145</div>
1146<div class="section">
1147<div class="titlepage"><div><div><h3 class="title">
1148<a name="logging_grammar"></a><span class="command"><strong>logging</strong></span> Statement Grammar</h3></div></div></div>
1149<pre class="programlisting"><span class="command"><strong>logging</strong></span> {
1150   [ <span class="command"><strong>channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
1151     ( <span class="command"><strong>file</strong></span> <em class="replaceable"><code>path_name</code></em>
1152         [ <span class="command"><strong>versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span class="command"><strong>unlimited</strong></span> ) ]
1153         [ <span class="command"><strong>size</strong></span> <em class="replaceable"><code>size_spec</code></em> ]
1154       | <span class="command"><strong>syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
1155       | <span class="command"><strong>stderr</strong></span>
1156       | <span class="command"><strong>null</strong></span> );
1157     [ <span class="command"><strong>severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
1158                 <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
1159     [ <span class="command"><strong>print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
1160     [ <span class="command"><strong>print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
1161     [ <span class="command"><strong>print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
1162   }; ]
1163   [ <span class="command"><strong>category</strong></span> <em class="replaceable"><code>category_name</code></em> {
1164     <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
1165   }; ]
1166   ...
1167};
1168</pre>
1169</div>
1170<div class="section">
1171<div class="titlepage"><div><div><h3 class="title">
1172<a name="logging_statement"></a><span class="command"><strong>logging</strong></span> Statement Definition and Usage</h3></div></div></div>
1173<p>
1174          The <span class="command"><strong>logging</strong></span> statement configures a
1175          wide
1176          variety of logging options for the name server. Its <span class="command"><strong>channel</strong></span> phrase
1177          associates output methods, format options and severity levels with
1178          a name that can then be used with the <span class="command"><strong>category</strong></span> phrase
1179          to select how various classes of messages are logged.
1180        </p>
1181<p>
1182          Only one <span class="command"><strong>logging</strong></span> statement is used to
1183          define
1184          as many channels and categories as are wanted. If there is no <span class="command"><strong>logging</strong></span> statement,
1185          the logging configuration will be:
1186        </p>
1187<pre class="programlisting">logging {
1188     category default { default_syslog; default_debug; };
1189     category unmatched { null; };
1190};
1191</pre>
1192<p>
1193          In <acronym class="acronym">BIND</acronym> 9, the logging configuration
1194          is only established when
1195          the entire configuration file has been parsed.  In <acronym class="acronym">BIND</acronym> 8, it was
1196          established as soon as the <span class="command"><strong>logging</strong></span>
1197          statement
1198          was parsed. When the server is starting up, all logging messages
1199          regarding syntax errors in the configuration file go to the default
1200          channels, or to standard error if the "<code class="option">-g</code>" option
1201          was specified.
1202        </p>
1203<div class="section">
1204<div class="titlepage"><div><div><h4 class="title">
1205<a name="channel"></a>The <span class="command"><strong>channel</strong></span> Phrase</h4></div></div></div>
1206<p>
1207            All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
1208            you can make as many of them as you want.
1209          </p>
1210<p>
1211            Every channel definition must include a destination clause that
1212            says whether messages selected for the channel go to a file, to a
1213            particular syslog facility, to the standard error stream, or are
1214            discarded. It can optionally also limit the message severity level
1215            that will be accepted by the channel (the default is
1216            <span class="command"><strong>info</strong></span>), and whether to include a
1217            <span class="command"><strong>named</strong></span>-generated time stamp, the
1218            category name
1219            and/or severity level (the default is not to include any).
1220          </p>
1221<p>
1222            The <span class="command"><strong>null</strong></span> destination clause
1223            causes all messages sent to the channel to be discarded;
1224            in that case, other options for the channel are meaningless.
1225          </p>
1226<p>
1227            The <span class="command"><strong>file</strong></span> destination clause directs
1228            the channel
1229            to a disk file.  It can include limitations
1230            both on how large the file is allowed to become, and how many
1231            versions
1232            of the file will be saved each time the file is opened.
1233          </p>
1234<p>
1235            If you use the <span class="command"><strong>versions</strong></span> log file
1236            option, then
1237            <span class="command"><strong>named</strong></span> will retain that many backup
1238            versions of the file by
1239            renaming them when opening.  For example, if you choose to keep
1240            three old versions
1241            of the file <code class="filename">lamers.log</code>, then just
1242            before it is opened
1243            <code class="filename">lamers.log.1</code> is renamed to
1244            <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
1245            to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
1246            renamed to <code class="filename">lamers.log.0</code>.
1247            You can say <span class="command"><strong>versions unlimited</strong></span> to
1248            not limit
1249            the number of versions.
1250            If a <span class="command"><strong>size</strong></span> option is associated with
1251            the log file,
1252            then renaming is only done when the file being opened exceeds the
1253            indicated size.  No backup versions are kept by default; any
1254            existing
1255            log file is simply appended.
1256          </p>
1257<p>
1258            The <span class="command"><strong>size</strong></span> option for files is used
1259            to limit log
1260            growth. If the file ever exceeds the size, then <span class="command"><strong>named</strong></span> will
1261            stop writing to the file unless it has a <span class="command"><strong>versions</strong></span> option
1262            associated with it.  If backup versions are kept, the files are
1263            rolled as
1264            described above and a new one begun.  If there is no
1265            <span class="command"><strong>versions</strong></span> option, no more data will
1266            be written to the log
1267            until some out-of-band mechanism removes or truncates the log to
1268            less than the
1269            maximum size.  The default behavior is not to limit the size of
1270            the
1271            file.
1272          </p>
1273<p>
1274            Example usage of the <span class="command"><strong>size</strong></span> and
1275            <span class="command"><strong>versions</strong></span> options:
1276          </p>
1277<pre class="programlisting">channel an_example_channel {
1278    file "example.log" versions 3 size 20m;
1279    print-time yes;
1280    print-category yes;
1281};
1282</pre>
1283<p>
1284            The <span class="command"><strong>syslog</strong></span> destination clause
1285            directs the
1286            channel to the system log.  Its argument is a
1287            syslog facility as described in the <span class="command"><strong>syslog</strong></span> man
1288            page. Known facilities are <span class="command"><strong>kern</strong></span>, <span class="command"><strong>user</strong></span>,
1289            <span class="command"><strong>mail</strong></span>, <span class="command"><strong>daemon</strong></span>, <span class="command"><strong>auth</strong></span>,
1290            <span class="command"><strong>syslog</strong></span>, <span class="command"><strong>lpr</strong></span>, <span class="command"><strong>news</strong></span>,
1291            <span class="command"><strong>uucp</strong></span>, <span class="command"><strong>cron</strong></span>, <span class="command"><strong>authpriv</strong></span>,
1292            <span class="command"><strong>ftp</strong></span>, <span class="command"><strong>local0</strong></span>, <span class="command"><strong>local1</strong></span>,
1293            <span class="command"><strong>local2</strong></span>, <span class="command"><strong>local3</strong></span>, <span class="command"><strong>local4</strong></span>,
1294            <span class="command"><strong>local5</strong></span>, <span class="command"><strong>local6</strong></span> and
1295            <span class="command"><strong>local7</strong></span>, however not all facilities
1296            are supported on
1297            all operating systems.
1298            How <span class="command"><strong>syslog</strong></span> will handle messages
1299            sent to
1300            this facility is described in the <span class="command"><strong>syslog.conf</strong></span> man
1301            page. If you have a system which uses a very old version of <span class="command"><strong>syslog</strong></span> that
1302            only uses two arguments to the <span class="command"><strong>openlog()</strong></span> function,
1303            then this clause is silently ignored.
1304          </p>
1305<p>
1306            On Windows machines syslog messages are directed to the EventViewer.
1307          </p>
1308<p>
1309            The <span class="command"><strong>severity</strong></span> clause works like <span class="command"><strong>syslog</strong></span>'s
1310            "priorities", except that they can also be used if you are writing
1311            straight to a file rather than using <span class="command"><strong>syslog</strong></span>.
1312            Messages which are not at least of the severity level given will
1313            not be selected for the channel; messages of higher severity
1314            levels
1315            will be accepted.
1316          </p>
1317<p>
1318            If you are using <span class="command"><strong>syslog</strong></span>, then the <span class="command"><strong>syslog.conf</strong></span> priorities
1319            will also determine what eventually passes through. For example,
1320            defining a channel facility and severity as <span class="command"><strong>daemon</strong></span> and <span class="command"><strong>debug</strong></span> but
1321            only logging <span class="command"><strong>daemon.warning</strong></span> via <span class="command"><strong>syslog.conf</strong></span> will
1322            cause messages of severity <span class="command"><strong>info</strong></span> and
1323            <span class="command"><strong>notice</strong></span> to
1324            be dropped. If the situation were reversed, with <span class="command"><strong>named</strong></span> writing
1325            messages of only <span class="command"><strong>warning</strong></span> or higher,
1326            then <span class="command"><strong>syslogd</strong></span> would
1327            print all messages it received from the channel.
1328          </p>
1329<p>
1330            The <span class="command"><strong>stderr</strong></span> destination clause
1331            directs the
1332            channel to the server's standard error stream.  This is intended
1333            for
1334            use when the server is running as a foreground process, for
1335            example
1336            when debugging a configuration.
1337          </p>
1338<p>
1339            The server can supply extensive debugging information when
1340            it is in debugging mode. If the server's global debug level is
1341            greater
1342            than zero, then debugging mode will be active. The global debug
1343            level is set either by starting the <span class="command"><strong>named</strong></span> server
1344            with the <code class="option">-d</code> flag followed by a positive integer,
1345            or by running <span class="command"><strong>rndc trace</strong></span>.
1346            The global debug level
1347            can be set to zero, and debugging mode turned off, by running <span class="command"><strong>rndc
1348notrace</strong></span>. All debugging messages in the server have a debug
1349            level, and higher debug levels give more detailed output. Channels
1350            that specify a specific debug severity, for example:
1351          </p>
1352<pre class="programlisting">channel specific_debug_level {
1353    file "foo";
1354    severity debug 3;
1355};
1356</pre>
1357<p>
1358            will get debugging output of level 3 or less any time the
1359            server is in debugging mode, regardless of the global debugging
1360            level. Channels with <span class="command"><strong>dynamic</strong></span>
1361            severity use the
1362            server's global debug level to determine what messages to print.
1363          </p>
1364<p>
1365            If <span class="command"><strong>print-time</strong></span> has been turned on,
1366            then
1367            the date and time will be logged. <span class="command"><strong>print-time</strong></span> may
1368            be specified for a <span class="command"><strong>syslog</strong></span> channel,
1369            but is usually
1370            pointless since <span class="command"><strong>syslog</strong></span> also logs
1371            the date and
1372            time. If <span class="command"><strong>print-category</strong></span> is
1373            requested, then the
1374            category of the message will be logged as well. Finally, if <span class="command"><strong>print-severity</strong></span> is
1375            on, then the severity level of the message will be logged. The <span class="command"><strong>print-</strong></span> options may
1376            be used in any combination, and will always be printed in the
1377            following
1378            order: time, category, severity. Here is an example where all
1379            three <span class="command"><strong>print-</strong></span> options
1380            are on:
1381          </p>
1382<p>
1383            <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
1384          </p>
1385<p>
1386            There are four predefined channels that are used for
1387            <span class="command"><strong>named</strong></span>'s default logging as follows.
1388            How they are
1389            used is described in <a class="xref" href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called &#8220;The <span class="command"><strong>category</strong></span> Phrase&#8221;</a>.
1390          </p>
1391<pre class="programlisting">channel default_syslog {
1392    // send to syslog's daemon facility
1393    syslog daemon;
1394    // only send priority info and higher
1395    severity info;
1396
1397channel default_debug {
1398    // write to named.run in the working directory
1399    // Note: stderr is used instead of "named.run" if
1400    // the server is started with the '-f' option.
1401    file "named.run";
1402    // log at the server's current debug level
1403    severity dynamic;
1404};
1405
1406channel default_stderr {
1407    // writes to stderr
1408    stderr;
1409    // only send priority info and higher
1410    severity info;
1411};
1412
1413channel null {
1414   // toss anything sent to this channel
1415   null;
1416};
1417</pre>
1418<p>
1419            The <span class="command"><strong>default_debug</strong></span> channel has the
1420            special
1421            property that it only produces output when the server's debug
1422            level is
1423            nonzero.  It normally writes to a file called <code class="filename">named.run</code>
1424            in the server's working directory.
1425          </p>
1426<p>
1427            For security reasons, when the "<code class="option">-u</code>"
1428            command line option is used, the <code class="filename">named.run</code> file
1429            is created only after <span class="command"><strong>named</strong></span> has
1430            changed to the
1431            new UID, and any debug output generated while <span class="command"><strong>named</strong></span> is
1432            starting up and still running as root is discarded.  If you need
1433            to capture this output, you must run the server with the "<code class="option">-g</code>"
1434            option and redirect standard error to a file.
1435          </p>
1436<p>
1437            Once a channel is defined, it cannot be redefined. Thus you
1438            cannot alter the built-in channels directly, but you can modify
1439            the default logging by pointing categories at channels you have
1440            defined.
1441          </p>
1442</div>
1443<div class="section">
1444<div class="titlepage"><div><div><h4 class="title">
1445<a name="the_category_phrase"></a>The <span class="command"><strong>category</strong></span> Phrase</h4></div></div></div>
1446<p>
1447            There are many categories, so you can send the logs you want
1448            to see wherever you want, without seeing logs you don't want. If
1449            you don't specify a list of channels for a category, then log
1450            messages
1451            in that category will be sent to the <span class="command"><strong>default</strong></span> category
1452            instead. If you don't specify a default category, the following
1453            "default default" is used:
1454          </p>
1455<pre class="programlisting">category default { default_syslog; default_debug; };
1456</pre>
1457<p>
1458            As an example, let's say you want to log security events to
1459            a file, but you also want keep the default logging behavior. You'd
1460            specify the following:
1461          </p>
1462<pre class="programlisting">channel my_security_channel {
1463    file "my_security_file";
1464    severity info;
1465};
1466category security {
1467    my_security_channel;
1468    default_syslog;
1469    default_debug;
1470};</pre>
1471<p>
1472            To discard all messages in a category, specify the <span class="command"><strong>null</strong></span> channel:
1473          </p>
1474<pre class="programlisting">category xfer-out { null; };
1475category notify { null; };
1476</pre>
1477<p>
1478            Following are the available categories and brief descriptions
1479            of the types of log information they contain. More
1480            categories may be added in future <acronym class="acronym">BIND</acronym> releases.
1481          </p>
1482<div class="informaltable"><table border="1">
1483<colgroup>
1484<col width="1.150in" class="1">
1485<col width="3.350in" class="2">
1486</colgroup>
1487<tbody>
1488<tr>
1489<td>
1490	  <p><span class="command"><strong>client</strong></span></p>
1491	</td>
1492<td>
1493	  <p>
1494	    Processing of client requests.
1495	  </p>
1496	</td>
1497</tr>
1498<tr>
1499<td>
1500	  <p><span class="command"><strong>cname</strong></span></p>
1501	</td>
1502<td>
1503	  <p>
1504	    Logs nameservers that are skipped due to them being
1505	    a CNAME rather than A / AAAA records.
1506	  </p>
1507	</td>
1508</tr>
1509<tr>
1510<td>
1511	  <p><span class="command"><strong>config</strong></span></p>
1512	</td>
1513<td>
1514	  <p>
1515	    Configuration file parsing and processing.
1516	  </p>
1517	</td>
1518</tr>
1519<tr>
1520<td>
1521	  <p><span class="command"><strong>database</strong></span></p>
1522	</td>
1523<td>
1524	  <p>
1525	    Messages relating to the databases used
1526	    internally by the name server to store zone and cache
1527	    data.
1528	  </p>
1529	</td>
1530</tr>
1531<tr>
1532<td>
1533	  <p><span class="command"><strong>default</strong></span></p>
1534	</td>
1535<td>
1536	  <p>
1537	    The default category defines the logging
1538	    options for those categories where no specific
1539	    configuration has been
1540	    defined.
1541	  </p>
1542	</td>
1543</tr>
1544<tr>
1545<td>
1546	  <p><span class="command"><strong>delegation-only</strong></span></p>
1547	</td>
1548<td>
1549	  <p>
1550	    Delegation only.  Logs queries that have been
1551	    forced to NXDOMAIN as the result of a
1552	    delegation-only zone or a
1553	    <span class="command"><strong>delegation-only</strong></span> in a
1554	    forward, hint or stub zone declaration.
1555	  </p>
1556	</td>
1557</tr>
1558<tr>
1559<td>
1560	  <p><span class="command"><strong>dispatch</strong></span></p>
1561	</td>
1562<td>
1563	  <p>
1564	    Dispatching of incoming packets to the
1565	    server modules where they are to be processed.
1566	  </p>
1567	</td>
1568</tr>
1569<tr>
1570<td>
1571	  <p><span class="command"><strong>dnssec</strong></span></p>
1572	</td>
1573<td>
1574	  <p>
1575	    DNSSEC and TSIG protocol processing.
1576	  </p>
1577	</td>
1578</tr>
1579<tr>
1580<td>
1581	  <p><span class="command"><strong>edns-disabled</strong></span></p>
1582	</td>
1583<td>
1584	  <p>
1585	    Log queries that have been forced to use plain
1586	    DNS due to timeouts.  This is often due to
1587	    the remote servers not being RFC 1034 compliant
1588	    (not always returning FORMERR or similar to
1589	    EDNS queries and other extensions to the DNS
1590	    when they are not understood).  In other words, this is
1591	    targeted at servers that fail to respond to
1592	    DNS queries that they don't understand.
1593	  </p>
1594	  <p>
1595	    Note: the log message can also be due to
1596	    packet loss.  Before reporting servers for
1597	    non-RFC 1034 compliance they should be re-tested
1598	    to determine the nature of the non-compliance.
1599	    This testing should prevent or reduce the
1600	    number of false-positive reports.
1601	  </p>
1602	  <p>
1603	    Note: eventually <span class="command"><strong>named</strong></span> will have to stop
1604	    treating such timeouts as due to RFC 1034 non
1605	    compliance and start treating it as plain
1606	    packet loss.  Falsely classifying packet
1607	    loss as due to RFC 1034 non compliance impacts
1608	    on DNSSEC validation which requires EDNS for
1609	    the DNSSEC records to be returned.
1610	  </p>
1611	</td>
1612</tr>
1613<tr>
1614<td>
1615	  <p><span class="command"><strong>general</strong></span></p>
1616	</td>
1617<td>
1618	  <p>
1619	    The catch-all. Many things still aren't
1620	    classified into categories, and they all end up here.
1621	  </p>
1622	</td>
1623</tr>
1624<tr>
1625<td>
1626	  <p><span class="command"><strong>lame-servers</strong></span></p>
1627	</td>
1628<td>
1629	  <p>
1630	    Lame servers.  These are misconfigurations
1631	    in remote servers, discovered by BIND 9 when trying to
1632	    query those servers during resolution.
1633	  </p>
1634	</td>
1635</tr>
1636<tr>
1637<td>
1638	  <p><span class="command"><strong>network</strong></span></p>
1639	</td>
1640<td>
1641	  <p>
1642	    Network operations.
1643	  </p>
1644	</td>
1645</tr>
1646<tr>
1647<td>
1648	  <p><span class="command"><strong>notify</strong></span></p>
1649	</td>
1650<td>
1651	  <p>
1652	    The NOTIFY protocol.
1653	  </p>
1654	</td>
1655</tr>
1656<tr>
1657<td>
1658	  <p><span class="command"><strong>queries</strong></span></p>
1659	</td>
1660<td>
1661	  <p>
1662	    Specify where queries should be logged to.
1663	  </p>
1664	  <p>
1665	    At startup, specifying the category <span class="command"><strong>queries</strong></span> will also
1666	    enable query logging unless <span class="command"><strong>querylog</strong></span> option has been
1667	    specified.
1668	  </p>
1669
1670	  <p>
1671	    The query log entry reports the client's IP
1672	    address and port number, and the query name,
1673	    class and type.  Next it reports whether the
1674	    Recursion Desired flag was set (+ if set, -
1675	    if not set), if the query was signed (S),
1676	    EDNS was in use (E), if TCP was used (T), if
1677	    DO (DNSSEC Ok) was set (D), or if CD (Checking
1678	    Disabled) was set (C).  After this the
1679	    destination address the query was sent to is
1680	    reported.
1681	  </p>
1682
1683	  <p>
1684	    <code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code>
1685	  </p>
1686	  <p>
1687	    <code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code>
1688	  </p>
1689	  <p>
1690	    (The first part of this log message, showing the
1691	    client address/port number and query name, is
1692	    repeated in all subsequent log messages related
1693	    to the same query.)
1694	  </p>
1695	</td>
1696</tr>
1697<tr>
1698<td>
1699	  <p><span class="command"><strong>query-errors</strong></span></p>
1700	</td>
1701<td>
1702	  <p>
1703	    Information about queries that resulted in some
1704	    failure.
1705	  </p>
1706	</td>
1707</tr>
1708<tr>
1709<td>
1710	  <p><span class="command"><strong>rate-limit</strong></span></p>
1711	</td>
1712<td>
1713	  <p>
1714	    (Only available when <acronym class="acronym">BIND</acronym> 9 is
1715	    configured with the <strong class="userinput"><code>--enable-rrl</code></strong>
1716	    option at compile time.)
1717	  </p>
1718	  <p>
1719	    The start, periodic, and final notices of the
1720	    rate limiting of a stream of responses are logged at
1721	    <span class="command"><strong>info</strong></span> severity in this category.
1722	    These messages include a hash value of the domain name
1723	    of the response and the name itself,
1724	    except when there is insufficient memory to record
1725	    the name for the final notice
1726	    The final notice is normally delayed until about one
1727	    minute after rate limit stops.
1728	    A lack of memory can hurry the final notice,
1729	    in which case it starts with an asterisk (*).
1730	    Various internal events are logged at debug 1 level
1731	    and higher.
1732	  </p>
1733	  <p>
1734	    Rate limiting of individual requests
1735	    is logged in the <span class="command"><strong>query-errors</strong></span> category.
1736	  </p>
1737	</td>
1738</tr>
1739<tr>
1740<td>
1741	  <p><span class="command"><strong>resolver</strong></span></p>
1742	</td>
1743<td>
1744	  <p>
1745	    DNS resolution, such as the recursive
1746	    lookups performed on behalf of clients by a caching name
1747	    server.
1748	  </p>
1749	</td>
1750</tr>
1751<tr>
1752<td>
1753	  <p><span class="command"><strong>rpz</strong></span></p>
1754	</td>
1755<td>
1756	  <p>
1757	    Information about errors in response policy zone files,
1758	    rewritten responses, and at the highest
1759	    <span class="command"><strong>debug</strong></span> levels, mere rewriting
1760	    attempts.
1761	  </p>
1762	</td>
1763</tr>
1764<tr>
1765<td>
1766	  <p><span class="command"><strong>security</strong></span></p>
1767	</td>
1768<td>
1769	  <p>
1770	    Approval and denial of requests.
1771	  </p>
1772	</td>
1773</tr>
1774<tr>
1775<td>
1776	  <p><span class="command"><strong>spill</strong></span></p>
1777	</td>
1778<td>
1779	  <p>
1780	    Logs queries that have been terminated, either by dropping
1781	    or responding with SERVFAIL, as a result of a fetchlimit
1782	    quota being exceeded.
1783	  </p>
1784	</td>
1785</tr>
1786<tr>
1787<td>
1788	  <p><span class="command"><strong>unmatched</strong></span></p>
1789	</td>
1790<td>
1791	  <p>
1792	    Messages that <span class="command"><strong>named</strong></span> was unable to determine the
1793	    class of or for which there was no matching <span class="command"><strong>view</strong></span>.
1794	    A one line summary is also logged to the <span class="command"><strong>client</strong></span> category.
1795	    This category is best sent to a file or stderr, by
1796	    default it is sent to
1797	    the <span class="command"><strong>null</strong></span> channel.
1798	  </p>
1799	</td>
1800</tr>
1801<tr>
1802<td>
1803	  <p><span class="command"><strong>update</strong></span></p>
1804	</td>
1805<td>
1806	  <p>
1807	    Dynamic updates.
1808	  </p>
1809	</td>
1810</tr>
1811<tr>
1812<td>
1813	  <p><span class="command"><strong>update-security</strong></span></p>
1814	</td>
1815<td>
1816	  <p>
1817	    Approval and denial of update requests.
1818	  </p>
1819	</td>
1820</tr>
1821<tr>
1822<td>
1823	  <p><span class="command"><strong>xfer-in</strong></span></p>
1824	</td>
1825<td>
1826	  <p>
1827	    Zone transfers the server is receiving.
1828	  </p>
1829	</td>
1830</tr>
1831<tr>
1832<td>
1833	  <p><span class="command"><strong>xfer-out</strong></span></p>
1834	</td>
1835<td>
1836	  <p>
1837	    Zone transfers the server is sending.
1838	  </p>
1839	</td>
1840</tr>
1841</tbody>
1842</table></div>
1843</div>
1844<div class="section">
1845<div class="titlepage"><div><div><h4 class="title">
1846<a name="query_errors"></a>The <span class="command"><strong>query-errors</strong></span> Category</h4></div></div></div>
1847<p>
1848            The <span class="command"><strong>query-errors</strong></span> category is
1849            specifically intended for debugging purposes: To identify
1850            why and how specific queries result in responses which
1851            indicate an error.
1852            Messages of this category are therefore only logged
1853            with <span class="command"><strong>debug</strong></span> levels.
1854          </p>
1855<p>
1856            At the debug levels of 1 or higher, each response with the
1857            rcode of SERVFAIL is logged as follows:
1858          </p>
1859<p>
1860            <code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
1861          </p>
1862<p>
1863            This means an error resulting in SERVFAIL was
1864            detected at line 3880 of source file
1865            <code class="filename">query.c</code>.
1866            Log messages of this level will particularly
1867            help identify the cause of SERVFAIL for an
1868            authoritative server.
1869          </p>
1870<p>
1871            At the debug levels of 2 or higher, detailed context
1872            information of recursive resolutions that resulted in
1873            SERVFAIL is logged.
1874            The log message will look like as follows:
1875          </p>
1876<p>
1877
1878            </p>
1879<pre class="programlisting">
1880fetch completed at resolver.c:2970 for www.example.com/A
1881in 30.000183: timed out/success [domain:example.com,
1882referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
1883badresp:1,adberr:0,findfail:0,valfail:0]
1884            </pre>
1885<p>
1886          </p>
1887<p>
1888            The first part before the colon shows that a recursive
1889            resolution for AAAA records of www.example.com completed
1890            in 30.000183 seconds and the final result that led to the
1891            SERVFAIL was determined at line 2970 of source file
1892            <code class="filename">resolver.c</code>.
1893          </p>
1894<p>
1895            The following part shows the detected final result and the
1896            latest result of DNSSEC validation.
1897            The latter is always success when no validation attempt
1898            is made.
1899            In this example, this query resulted in SERVFAIL probably
1900            because all name servers are down or unreachable, leading
1901            to a timeout in 30 seconds.
1902            DNSSEC validation was probably not attempted.
1903          </p>
1904<p>
1905            The last part enclosed in square brackets shows statistics
1906            information collected for this particular resolution
1907            attempt.
1908            The <code class="varname">domain</code> field shows the deepest zone
1909            that the resolver reached;
1910            it is the zone where the error was finally detected.
1911            The meaning of the other fields is summarized in the
1912            following table.
1913          </p>
1914<div class="informaltable"><table border="1">
1915<colgroup>
1916<col width="1.150in" class="1">
1917<col width="3.350in" class="2">
1918</colgroup>
1919<tbody>
1920<tr>
1921<td>
1922                    <p><code class="varname">referral</code></p>
1923                  </td>
1924<td>
1925                    <p>
1926                      The number of referrals the resolver received
1927                      throughout the resolution process.
1928                      In the above example this is 2, which are most
1929                      likely com and example.com.
1930                    </p>
1931                  </td>
1932</tr>
1933<tr>
1934<td>
1935                    <p><code class="varname">restart</code></p>
1936                  </td>
1937<td>
1938                    <p>
1939                      The number of cycles that the resolver tried
1940                      remote servers at the <code class="varname">domain</code>
1941                      zone.
1942                      In each cycle the resolver sends one query
1943                      (possibly resending it, depending on the response)
1944                      to each known name server of
1945                      the <code class="varname">domain</code> zone.
1946                    </p>
1947                  </td>
1948</tr>
1949<tr>
1950<td>
1951                    <p><code class="varname">qrysent</code></p>
1952                  </td>
1953<td>
1954                    <p>
1955                      The number of queries the resolver sent at the
1956                      <code class="varname">domain</code> zone.
1957                    </p>
1958                  </td>
1959</tr>
1960<tr>
1961<td>
1962                    <p><code class="varname">timeout</code></p>
1963                  </td>
1964<td>
1965                    <p>
1966                      The number of timeouts since the resolver
1967                      received the last response.
1968                    </p>
1969                  </td>
1970</tr>
1971<tr>
1972<td>
1973                    <p><code class="varname">lame</code></p>
1974                  </td>
1975<td>
1976                    <p>
1977                      The number of lame servers the resolver detected
1978                      at the <code class="varname">domain</code> zone.
1979                      A server is detected to be lame either by an
1980                      invalid response or as a result of lookup in
1981                      BIND9's address database (ADB), where lame
1982                      servers are cached.
1983                    </p>
1984                  </td>
1985</tr>
1986<tr>
1987<td>
1988                    <p><code class="varname">neterr</code></p>
1989                  </td>
1990<td>
1991                    <p>
1992                      The number of erroneous results that the
1993                      resolver encountered in sending queries
1994                      at the <code class="varname">domain</code> zone.
1995                      One common case is the remote server is
1996                      unreachable and the resolver receives an ICMP
1997                      unreachable error message.
1998                    </p>
1999                  </td>
2000</tr>
2001<tr>
2002<td>
2003                    <p><code class="varname">badresp</code></p>
2004                  </td>
2005<td>
2006                    <p>
2007                      The number of unexpected responses (other than
2008                      <code class="varname">lame</code>) to queries sent by the
2009                      resolver at the <code class="varname">domain</code> zone.
2010                    </p>
2011                  </td>
2012</tr>
2013<tr>
2014<td>
2015                    <p><code class="varname">adberr</code></p>
2016                  </td>
2017<td>
2018                    <p>
2019                      Failures in finding remote server addresses
2020                      of the <code class="varname">domain</code> zone in the ADB.
2021                      One common case of this is that the remote
2022                      server's name does not have any address records.
2023                    </p>
2024                  </td>
2025</tr>
2026<tr>
2027<td>
2028                    <p><code class="varname">findfail</code></p>
2029                  </td>
2030<td>
2031                    <p>
2032                      Failures of resolving remote server addresses.
2033                      This is a total number of failures throughout
2034                      the resolution process.
2035                    </p>
2036                  </td>
2037</tr>
2038<tr>
2039<td>
2040                    <p><code class="varname">valfail</code></p>
2041                  </td>
2042<td>
2043                    <p>
2044                      Failures of DNSSEC validation.
2045                      Validation failures are counted throughout
2046                      the resolution process (not limited to
2047                      the <code class="varname">domain</code> zone), but should
2048                      only happen in <code class="varname">domain</code>.
2049                    </p>
2050                  </td>
2051</tr>
2052</tbody>
2053</table></div>
2054<p>
2055            At the debug levels of 3 or higher, the same messages
2056            as those at the debug 1 level are logged for other errors
2057            than SERVFAIL.
2058            Note that negative responses such as NXDOMAIN are not
2059            regarded as errors here.
2060          </p>
2061<p>
2062            At the debug levels of 4 or higher, the same messages
2063            as those at the debug 2 level are logged for other errors
2064            than SERVFAIL.
2065            Unlike the above case of level 3, messages are logged for
2066            negative responses.
2067            This is because any unexpected results can be difficult to
2068            debug in the recursion case.
2069          </p>
2070</div>
2071</div>
2072<div class="section">
2073<div class="titlepage"><div><div><h3 class="title">
2074<a name="lwres_grammar"></a><span class="command"><strong>lwres</strong></span> Statement Grammar</h3></div></div></div>
2075<p>
2076           This is the grammar of the <span class="command"><strong>lwres</strong></span>
2077          statement in the <code class="filename">named.conf</code> file:
2078        </p>
2079<pre class="programlisting"><span class="command"><strong>lwres</strong></span> {
2080    [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
2081                [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
2082    [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
2083    [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
2084    [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
2085};
2086</pre>
2087</div>
2088<div class="section">
2089<div class="titlepage"><div><div><h3 class="title">
2090<a name="lwres_statement"></a><span class="command"><strong>lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
2091<p>
2092          The <span class="command"><strong>lwres</strong></span> statement configures the
2093          name
2094          server to also act as a lightweight resolver server. (See
2095          <a class="xref" href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called &#8220;Running a Resolver Daemon&#8221;</a>.)  There may be multiple
2096          <span class="command"><strong>lwres</strong></span> statements configuring
2097          lightweight resolver servers with different properties.
2098        </p>
2099<p>
2100          The <span class="command"><strong>listen-on</strong></span> statement specifies a
2101          list of
2102          IPv4 addresses (and ports) that this instance of a lightweight
2103          resolver daemon
2104          should accept requests on.  If no port is specified, port 921 is
2105          used.
2106          If this statement is omitted, requests will be accepted on
2107          127.0.0.1,
2108          port 921.
2109        </p>
2110<p>
2111          The <span class="command"><strong>view</strong></span> statement binds this
2112          instance of a
2113          lightweight resolver daemon to a view in the DNS namespace, so that
2114          the
2115          response will be constructed in the same manner as a normal DNS
2116          query
2117          matching this view.  If this statement is omitted, the default view
2118          is
2119          used, and if there is no default view, an error is triggered.
2120        </p>
2121<p>
2122          The <span class="command"><strong>search</strong></span> statement is equivalent to
2123          the
2124          <span class="command"><strong>search</strong></span> statement in
2125          <code class="filename">/etc/resolv.conf</code>.  It provides a
2126          list of domains
2127          which are appended to relative names in queries.
2128        </p>
2129<p>
2130          The <span class="command"><strong>ndots</strong></span> statement is equivalent to
2131          the
2132          <span class="command"><strong>ndots</strong></span> statement in
2133          <code class="filename">/etc/resolv.conf</code>.  It indicates the
2134          minimum
2135          number of dots in a relative domain name that should result in an
2136          exact match lookup before search path elements are appended.
2137        </p>
2138</div>
2139<div class="section">
2140<div class="titlepage"><div><div><h3 class="title">
2141<a name="masters_grammar"></a><span class="command"><strong>masters</strong></span> Statement Grammar</h3></div></div></div>
2142<pre class="programlisting">
2143<span class="command"><strong>masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> |
2144      <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
2145</pre>
2146</div>
2147<div class="section">
2148<div class="titlepage"><div><div><h3 class="title">
2149<a name="masters_statement"></a><span class="command"><strong>masters</strong></span> Statement Definition and
2150          Usage</h3></div></div></div>
2151<p><span class="command"><strong>masters</strong></span>
2152          lists allow for a common set of masters to be easily used by
2153          multiple stub and slave zones in their <span class="command"><strong>masters</strong></span>
2154          or <span class="command"><strong>also-notify</strong></span> lists.
2155        </p>
2156</div>
2157<div class="section">
2158<div class="titlepage"><div><div><h3 class="title">
2159<a name="options_grammar"></a><span class="command"><strong>options</strong></span> Statement Grammar</h3></div></div></div>
2160<p>
2161          This is the grammar of the <span class="command"><strong>options</strong></span>
2162          statement in the <code class="filename">named.conf</code> file:
2163        </p>
2164<pre class="programlisting"><span class="command"><strong>options</strong></span> {
2165    [<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>]
2166    [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
2167    [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
2168    [<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
2169    [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
2170    [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
2171    [<span class="optional"> managed-keys-directory <em class="replaceable"><code>path_name</code></em>; </span>]
2172    [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
2173    [<span class="optional"> tkey-gssapi-keytab <em class="replaceable"><code>path_name</code></em>; </span>]
2174    [<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
2175    [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
2176    [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
2177    [<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
2178    [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
2179    [<span class="optional"> bindkeys-file <em class="replaceable"><code>path_name</code></em>; </span>]
2180    [<span class="optional"> secroots-file <em class="replaceable"><code>path_name</code></em>; </span>]
2181    [<span class="optional"> session-keyfile <em class="replaceable"><code>path_name</code></em>; </span>]
2182    [<span class="optional"> session-keyname <em class="replaceable"><code>key_name</code></em>; </span>]
2183    [<span class="optional"> session-keyalg <em class="replaceable"><code>algorithm_id</code></em>; </span>]
2184    [<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2185    [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
2186    [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
2187    [<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
2188    [<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
2189    [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
2190    [<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2191    [<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2192    [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>]
2193    [<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2194    [<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2195    [<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2196    [<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2197    [<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2198    [<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
2199    [<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2200    [<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2201    [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
2202    [<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2203    [<span class="optional"> request-nsid <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2204    [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2205    [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2206    [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2207    [<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
2208    [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
2209    [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2210    [<span class="optional"> dnssec-validation (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">auto</code>); </span>]
2211    [<span class="optional"> dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> |
2212                        <em class="replaceable"><code>no</code></em> |
2213                        <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>]
2214    [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
2215    [<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2216    [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
2217    [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
2218    [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] {
2219        ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] |
2220          <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ;
2221        ... }; </span>]
2222    [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
2223        ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
2224    [<span class="optional"> check-dup-records ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
2225    [<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
2226    [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2227    [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2228    [<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
2229    [<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
2230    [<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2231    [<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
2232    [<span class="optional"> allow-new-zones { <em class="replaceable"><code>yes_or_no</code></em> }; </span>]
2233    [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2234    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2235    [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2236    [<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2237    [<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2238    [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2239    [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2240    [<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2241    [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2242    [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2243    [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2244    [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
2245    [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2246    [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
2247    [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ;</span>]
2248    [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2249    [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2250    [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2251    [<span class="optional"> no-case-compress { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2252    [<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
2253    [<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
2254    [<span class="optional"> use-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
2255    [<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
2256    [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2257    [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2258    [<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
2259        [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
2260        [<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
2261        [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
2262    [<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
2263        [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
2264        [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
2265        [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
2266    [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2267    [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
2268    [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
2269    [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
2270    [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
2271    [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
2272    [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
2273    [<span class="optional"> reserved-sockets <em class="replaceable"><code>number</code></em>; </span>]
2274    [<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
2275    [<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>]
2276    [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
2277    [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
2278    [<span class="optional"> fetches-per-server <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>(drop | fail)</code></em></span>]; </span>]
2279    [<span class="optional"> fetch-quota-params <em class="replaceable"><code>number fixedpoint fixedpoint fixedpoint</code></em> ; </span>]
2280    [<span class="optional"> fetches-per-zone <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>(drop | fail)</code></em></span>]; </span>]
2281    [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
2282    [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>]
2283    [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
2284    [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
2285    [<span class="optional"> transfers-in  <em class="replaceable"><code>number</code></em>; </span>]
2286    [<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>]
2287    [<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
2288    [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
2289    [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
2290    [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
2291    [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
2292                             [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
2293    [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2294    [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
2295    [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
2296    [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
2297    [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2298    [<span class="optional"> also-notify [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
2299                              [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
2300                              [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
2301    [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
2302    [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
2303    [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>]
2304    [<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>]
2305    [<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>]
2306    [<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>]
2307    [<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
2308    [<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
2309    [<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
2310    [<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
2311    [<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }</span>];
2312    [<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }</span>];
2313    [<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] </span>] };
2314    [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>]
2315    [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>]
2316    [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>]
2317    [<span class="optional"> serial-update-method <code class="constant">increment</code>|<code class="constant">unixtime</code>|<code class="constant">date</code>; </span>]
2318    [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
2319    [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
2320    [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
2321    [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
2322    [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>]
2323    [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2324    [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2325    [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2326    [<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2327    [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
2328    [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
2329    [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
2330    [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
2331    [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>]
2332    [<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2333    [<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2334    [<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
2335    [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
2336    [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2337    [<span class="optional"> filter-aaaa-on-v4 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
2338    [<span class="optional"> filter-aaaa { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2339    [<span class="optional"> dns64 <em class="replaceable"><code>ipv6-prefix</code></em> {
2340        [<span class="optional"> clients { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2341        [<span class="optional"> mapped { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2342        [<span class="optional"> exclude { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2343        [<span class="optional"> suffix <em class="replaceable"><code>IPv6-address</code></em>; </span>]
2344        [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2345        [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2346    }; </span>];
2347    [<span class="optional"> dns64-server <em class="replaceable"><code>name</code></em> </span>]
2348    [<span class="optional"> dns64-contact <em class="replaceable"><code>name</code></em> </span>]
2349    [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
2350    [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
2351    [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
2352    [<span class="optional"> max-rsa-exponent-size <em class="replaceable"><code>number</code></em>; </span>]
2353    [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
2354    [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2355    [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>;
2356                                [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
2357    [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2358    [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
2359    [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
2360    [<span class="optional"> max-recursion-depth <em class="replaceable"><code>number</code></em> ; </span>]
2361    [<span class="optional"> max-recursion-queries <em class="replaceable"><code>number</code></em> ; </span>]
2362    [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
2363    [<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>]
2364    [<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>]
2365    [<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2366    [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
2367    [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2368    [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2369    [<span class="optional"> resolver-query-timeout <em class="replaceable"><code>number</code></em> ; </span>]
2370    [<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
2371    [<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
2372    [<span class="optional"> rate-limit {
2373        [<span class="optional"> responses-per-second <em class="replaceable"><code>number</code></em> ; </span>]
2374        [<span class="optional"> referrals-per-second <em class="replaceable"><code>number</code></em> ; </span>]
2375        [<span class="optional"> nodata-per-second <em class="replaceable"><code>number</code></em> ; </span>]
2376        [<span class="optional"> nxdomains-per-second <em class="replaceable"><code>number</code></em> ; </span>]
2377        [<span class="optional"> errors-per-second <em class="replaceable"><code>number</code></em> ; </span>]
2378        [<span class="optional"> all-per-second <em class="replaceable"><code>number</code></em> ; </span>]
2379        [<span class="optional"> window <em class="replaceable"><code>number</code></em> ; </span>]
2380        [<span class="optional"> log-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2381        [<span class="optional"> qps-scale <em class="replaceable"><code>number</code></em> ; </span>]
2382        [<span class="optional"> ipv4-prefix-length <em class="replaceable"><code>number</code></em> ; </span>]
2383        [<span class="optional"> ipv6-prefix-length <em class="replaceable"><code>number</code></em> ; </span>]
2384        [<span class="optional"> slip <em class="replaceable"><code>number</code></em> ; </span>]
2385        [<span class="optional"> exempt-clients  { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
2386        [<span class="optional"> max-table-size <em class="replaceable"><code>number</code></em> ; </span>]
2387        [<span class="optional"> min-table-size <em class="replaceable"><code>number</code></em> ; </span>]
2388    } ; </span>]
2389    [<span class="optional"> response-policy {
2390        zone <em class="replaceable"><code>zone_name</code></em>
2391        [<span class="optional"> policy <em class="replaceable"><code>(given | disabled | passthru |
2392                  nxdomain | nodata | cname domain</code></em>) </span>]
2393        ; [<span class="optional">...</span>]
2394    } [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>]
2395      [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>]
2396      [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em> </span>]
2397      [<span class="optional"> min-ns-dots <em class="replaceable"><code>number</code></em> </span>]
2398    ; </span>]
2399};
2400</pre>
2401</div>
2402<div class="section">
2403<div class="titlepage"><div><div><h3 class="title">
2404<a name="options"></a><span class="command"><strong>options</strong></span> Statement Definition and
2405          Usage</h3></div></div></div>
2406<p>
2407          The <span class="command"><strong>options</strong></span> statement sets up global
2408          options
2409          to be used by <acronym class="acronym">BIND</acronym>. This statement
2410          may appear only
2411          once in a configuration file. If there is no <span class="command"><strong>options</strong></span>
2412          statement, an options block with each option set to its default will
2413          be used.
2414        </p>
2415<div class="variablelist"><dl class="variablelist">
2416<dt><span class="term"><span class="command"><strong>attach-cache</strong></span></span></dt>
2417<dd>
2418<p>
2419                  Allows multiple views to share a single cache
2420                  database.
2421                  Each view has its own cache database by default, but
2422                  if multiple views have the same operational policy
2423                  for name resolution and caching, those views can
2424                  share a single cache to save memory and possibly
2425                  improve resolution efficiency by using this option.
2426                </p>
2427<p>
2428                  The <span class="command"><strong>attach-cache</strong></span> option
2429                  may also be specified in <span class="command"><strong>view</strong></span>
2430                  statements, in which case it overrides the
2431                  global <span class="command"><strong>attach-cache</strong></span> option.
2432                </p>
2433<p>
2434                  The <em class="replaceable"><code>cache_name</code></em> specifies
2435                  the cache to be shared.
2436                  When the <span class="command"><strong>named</strong></span> server configures
2437                  views which are supposed to share a cache, it
2438                  creates a cache with the specified name for the
2439                  first view of these sharing views.
2440                  The rest of the views will simply refer to the
2441                  already created cache.
2442                </p>
2443<p>
2444                  One common configuration to share a cache would be to
2445                  allow all views to share a single cache.
2446                  This can be done by specifying
2447                  the <span class="command"><strong>attach-cache</strong></span> as a global
2448                  option with an arbitrary name.
2449                </p>
2450<p>
2451                  Another possible operation is to allow a subset of
2452                  all views to share a cache while the others to
2453                  retain their own caches.
2454                  For example, if there are three views A, B, and C,
2455                  and only A and B should share a cache, specify the
2456                  <span class="command"><strong>attach-cache</strong></span> option as a view A (or
2457                  B)'s option, referring to the other view name:
2458                </p>
2459<pre class="programlisting">
2460  view "A" {
2461    // this view has its own cache
2462    ...
2463  };
2464  view "B" {
2465    // this view refers to A's cache
2466    attach-cache "A";
2467  };
2468  view "C" {
2469    // this view has its own cache
2470    ...
2471  };
2472</pre>
2473<p>
2474                  Views that share a cache must have the same policy
2475                  on configurable parameters that may affect caching.
2476                  The current implementation requires the following
2477                  configurable options be consistent among these
2478                  views:
2479                  <span class="command"><strong>check-names</strong></span>,
2480                  <span class="command"><strong>cleaning-interval</strong></span>,
2481                  <span class="command"><strong>dnssec-accept-expired</strong></span>,
2482                  <span class="command"><strong>dnssec-validation</strong></span>,
2483                  <span class="command"><strong>max-cache-ttl</strong></span>,
2484                  <span class="command"><strong>max-ncache-ttl</strong></span>,
2485                  <span class="command"><strong>max-cache-size</strong></span>, and
2486                  <span class="command"><strong>zero-no-soa-ttl</strong></span>.
2487                </p>
2488<p>
2489                  Note that there may be other parameters that may
2490                  cause confusion if they are inconsistent for
2491                  different views that share a single cache.
2492                  For example, if these views define different sets of
2493                  forwarders that can return different answers for the
2494                  same question, sharing the answer does not make
2495                  sense or could even be harmful.
2496                  It is administrator's responsibility to ensure
2497                  configuration differences in different views do
2498                  not cause disruption with a shared cache.
2499                </p>
2500</dd>
2501<dt><span class="term"><span class="command"><strong>directory</strong></span></span></dt>
2502<dd><p>
2503                The working directory of the server.
2504                Any non-absolute pathnames in the configuration file will be
2505                taken
2506                as relative to this directory. The default location for most
2507                server
2508                output files (e.g. <code class="filename">named.run</code>)
2509                is this directory.
2510                If a directory is not specified, the working directory
2511                defaults to `<code class="filename">.</code>', the directory from
2512                which the server
2513                was started. The directory specified should be an absolute
2514                path.
2515              </p></dd>
2516<dt><span class="term"><span class="command"><strong>key-directory</strong></span></span></dt>
2517<dd><p>
2518                When performing dynamic update of secure zones, the
2519                directory where the public and private DNSSEC key files
2520                should be found, if different than the current working
2521                directory.  (Note that this option has no effect on the
2522                paths for files containing non-DNSSEC keys such as
2523                <code class="filename">bind.keys</code>,
2524                <code class="filename">rndc.key</code> or
2525                <code class="filename">session.key</code>.)
2526              </p></dd>
2527<dt><span class="term"><span class="command"><strong>managed-keys-directory</strong></span></span></dt>
2528<dd>
2529<p>
2530                Specifies the directory in which to store the files that
2531                track managed DNSSEC keys.  By default, this is the working
2532                directory.
2533              </p>
2534<p>
2535                If <span class="command"><strong>named</strong></span> is not configured to use views,
2536                then managed keys for the server will be tracked in a single
2537                file called <code class="filename">managed-keys.bind</code>.
2538                Otherwise, managed keys will be tracked in separate files,
2539                one file per view; each file name will be the SHA256 hash
2540                of the view name, followed by the extension
2541                <code class="filename">.mkeys</code>.
2542              </p>
2543</dd>
2544<dt><span class="term"><span class="command"><strong>named-xfer</strong></span></span></dt>
2545<dd><p>
2546                <span class="emphasis"><em>This option is obsolete.</em></span> It
2547                was used in <acronym class="acronym">BIND</acronym> 8 to specify
2548                the pathname to the <span class="command"><strong>named-xfer</strong></span>
2549                program.  In <acronym class="acronym">BIND</acronym> 9, no separate
2550                <span class="command"><strong>named-xfer</strong></span> program is needed;
2551                its functionality is built into the name server.
2552              </p></dd>
2553<dt><span class="term"><span class="command"><strong>tkey-gssapi-keytab</strong></span></span></dt>
2554<dd><p>
2555                The KRB5 keytab file to use for GSS-TSIG updates. If
2556                this option is set and tkey-gssapi-credential is not
2557                set, then updates will be allowed with any key
2558                matching a principal in the specified keytab.
2559              </p></dd>
2560<dt><span class="term"><span class="command"><strong>tkey-gssapi-credential</strong></span></span></dt>
2561<dd><p>
2562                The security credential with which the server should
2563                authenticate keys requested by the GSS-TSIG protocol.
2564                Currently only Kerberos 5 authentication is available
2565                and the credential is a Kerberos principal which the
2566                server can acquire through the default system key
2567                file, normally <code class="filename">/etc/krb5.keytab</code>.
2568                The location keytab file can be overridden using the
2569                tkey-gssapi-keytab option. Normally this principal is
2570                of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
2571                To use GSS-TSIG, <span class="command"><strong>tkey-domain</strong></span> must
2572                also be set if a specific keytab is not set with
2573                tkey-gssapi-keytab.
2574              </p></dd>
2575<dt><span class="term"><span class="command"><strong>tkey-domain</strong></span></span></dt>
2576<dd><p>
2577                The domain appended to the names of all shared keys
2578                generated with <span class="command"><strong>TKEY</strong></span>.  When a
2579                client requests a <span class="command"><strong>TKEY</strong></span> exchange,
2580                it may or may not specify the desired name for the
2581                key. If present, the name of the shared key will
2582                be <code class="varname">client specified part</code> +
2583                <code class="varname">tkey-domain</code>.  Otherwise, the
2584                name of the shared key will be <code class="varname">random hex
2585                digits</code> + <code class="varname">tkey-domain</code>.
2586                In most cases, the <span class="command"><strong>domainname</strong></span>
2587                should be the server's domain name, or an otherwise
2588                non-existent subdomain like
2589                "_tkey.<code class="varname">domainname</code>".  If you are
2590                using GSS-TSIG, this variable must be defined, unless
2591                you specify a specific keytab using tkey-gssapi-keytab.
2592              </p></dd>
2593<dt><span class="term"><span class="command"><strong>tkey-dhkey</strong></span></span></dt>
2594<dd><p>
2595                The Diffie-Hellman key used by the server
2596                to generate shared keys with clients using the Diffie-Hellman
2597                mode
2598                of <span class="command"><strong>TKEY</strong></span>. The server must be
2599                able to load the
2600                public and private keys from files in the working directory.
2601                In
2602                most cases, the keyname should be the server's host name.
2603              </p></dd>
2604<dt><span class="term"><span class="command"><strong>cache-file</strong></span></span></dt>
2605<dd><p>
2606                This is for testing only.  Do not use.
2607              </p></dd>
2608<dt><span class="term"><span class="command"><strong>dump-file</strong></span></span></dt>
2609<dd><p>
2610                The pathname of the file the server dumps
2611                the database to when instructed to do so with
2612                <span class="command"><strong>rndc dumpdb</strong></span>.
2613                If not specified, the default is <code class="filename">named_dump.db</code>.
2614              </p></dd>
2615<dt><span class="term"><span class="command"><strong>memstatistics-file</strong></span></span></dt>
2616<dd><p>
2617                The pathname of the file the server writes memory
2618                usage statistics to on exit. If not specified,
2619                the default is <code class="filename">named.memstats</code>.
2620              </p></dd>
2621<dt><span class="term"><span class="command"><strong>pid-file</strong></span></span></dt>
2622<dd><p>
2623                The pathname of the file the server writes its process ID
2624                in. If not specified, the default is
2625                <code class="filename">/var/run/named/named.pid</code>.
2626                The PID file is used by programs that want to send signals to
2627                the running
2628                name server. Specifying <span class="command"><strong>pid-file none</strong></span> disables the
2629                use of a PID file &#8212; no file will be written and any
2630                existing one will be removed.  Note that <span class="command"><strong>none</strong></span>
2631                is a keyword, not a filename, and therefore is not enclosed
2632                in
2633                double quotes.
2634              </p></dd>
2635<dt><span class="term"><span class="command"><strong>recursing-file</strong></span></span></dt>
2636<dd><p>
2637                The pathname of the file the server dumps
2638                the queries that are currently recursing when instructed
2639                to do so with <span class="command"><strong>rndc recursing</strong></span>.
2640                If not specified, the default is <code class="filename">named.recursing</code>.
2641              </p></dd>
2642<dt><span class="term"><span class="command"><strong>statistics-file</strong></span></span></dt>
2643<dd><p>
2644                The pathname of the file the server appends statistics
2645                to when instructed to do so using <span class="command"><strong>rndc stats</strong></span>.
2646                If not specified, the default is <code class="filename">named.stats</code> in the
2647                server's current directory.  The format of the file is
2648                described
2649                in <a class="xref" href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
2650              </p></dd>
2651<dt><span class="term"><span class="command"><strong>bindkeys-file</strong></span></span></dt>
2652<dd><p>
2653                The pathname of a file to override the built-in trusted
2654                keys provided by <span class="command"><strong>named</strong></span>.
2655                See the discussion of <span class="command"><strong>dnssec-lookaside</strong></span>
2656                and <span class="command"><strong>dnssec-validation</strong></span> for details.
2657                If not specified, the default is
2658                <code class="filename">/etc/bind.keys</code>.
2659              </p></dd>
2660<dt><span class="term"><span class="command"><strong>secroots-file</strong></span></span></dt>
2661<dd><p>
2662                The pathname of the file the server dumps
2663                security roots to when instructed to do so with
2664                <span class="command"><strong>rndc secroots</strong></span>.
2665                If not specified, the default is
2666                <code class="filename">named.secroots</code>.
2667              </p></dd>
2668<dt><span class="term"><span class="command"><strong>session-keyfile</strong></span></span></dt>
2669<dd><p>
2670                The pathname of the file into which to write a TSIG
2671                session key generated by <span class="command"><strong>named</strong></span> for use by
2672                <span class="command"><strong>nsupdate -l</strong></span>.  If not specified, the
2673                default is <code class="filename">/var/run/named/session.key</code>.
2674                (See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>, and in
2675                particular the discussion of the
2676                <span class="command"><strong>update-policy</strong></span> statement's
2677                <strong class="userinput"><code>local</code></strong> option for more
2678                information about this feature.)
2679              </p></dd>
2680<dt><span class="term"><span class="command"><strong>session-keyname</strong></span></span></dt>
2681<dd><p>
2682                The key name to use for the TSIG session key.
2683                If not specified, the default is "local-ddns".
2684              </p></dd>
2685<dt><span class="term"><span class="command"><strong>session-keyalg</strong></span></span></dt>
2686<dd><p>
2687                The algorithm to use for the TSIG session key.
2688                Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
2689                hmac-sha384, hmac-sha512 and hmac-md5.  If not
2690                specified, the default is hmac-sha256.
2691              </p></dd>
2692<dt><span class="term"><span class="command"><strong>port</strong></span></span></dt>
2693<dd><p>
2694                The UDP/TCP port number the server uses for
2695                receiving and sending DNS protocol traffic.
2696                The default is 53.  This option is mainly intended for server
2697                testing;
2698                a server using a port other than 53 will not be able to
2699                communicate with
2700                the global DNS.
2701              </p></dd>
2702<dt><span class="term"><span class="command"><strong>random-device</strong></span></span></dt>
2703<dd><p>
2704                The source of entropy to be used by the server.  Entropy is
2705                primarily needed
2706                for DNSSEC operations, such as TKEY transactions and dynamic
2707                update of signed
2708                zones.  This options specifies the device (or file) from which
2709                to read
2710                entropy.  If this is a file, operations requiring entropy will
2711                fail when the
2712                file has been exhausted.  If not specified, the default value
2713                is
2714                <code class="filename">/dev/random</code>
2715                (or equivalent) when present, and none otherwise.  The
2716                <span class="command"><strong>random-device</strong></span> option takes
2717                effect during
2718                the initial configuration load at server startup time and
2719                is ignored on subsequent reloads.
2720              </p></dd>
2721<dt><span class="term"><span class="command"><strong>preferred-glue</strong></span></span></dt>
2722<dd><p>
2723                If specified, the listed type (A or AAAA) will be emitted
2724                before other glue
2725                in the additional section of a query response.
2726                The default is to prefer A records when responding
2727                to queries that arrived via IPv4 and AAAA when
2728                responding to queries that arrived via IPv6.
2729              </p></dd>
2730<dt>
2731<a name="root_delegation_only"></a><span class="term"><span class="command"><strong>root-delegation-only</strong></span></span>
2732</dt>
2733<dd>
2734<p>
2735                Turn on enforcement of delegation-only in TLDs
2736                (top level domains) and root zones with an optional
2737                exclude list.
2738              </p>
2739<p>
2740                DS queries are expected to be made to and be answered by
2741                delegation only zones.  Such queries and responses are
2742                treated as an exception to delegation-only processing
2743                and are not converted to NXDOMAIN responses provided
2744                a CNAME is not discovered at the query name.
2745              </p>
2746<p>
2747                If a delegation only zone server also serves a child
2748                zone it is not always possible to determine whether
2749                an answer comes from the delegation only zone or the
2750                child zone.  SOA NS and DNSKEY records are apex
2751                only records and a matching response that contains
2752                these records or DS is treated as coming from a
2753                child zone.  RRSIG records are also examined to see
2754                if they are signed by a child zone or not.  The
2755                authority section is also examined to see if there
2756                is evidence that the answer is from the child zone.
2757                Answers that are determined to be from a child zone
2758                are not converted to NXDOMAIN responses.  Despite
2759                all these checks there is still a possibility of
2760                false negatives when a child zone is being served.
2761              </p>
2762<p>
2763                Similarly false positives can arise from empty nodes
2764                (no records at the name) in the delegation only zone
2765                when the query type is not ANY.
2766              </p>
2767<p>
2768                Note some TLDs are not delegation only (e.g. "DE", "LV",
2769                "US" and "MUSEUM").  This list is not exhaustive.
2770              </p>
2771<pre class="programlisting">
2772options {
2773        root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
2774};
2775</pre>
2776</dd>
2777<dt><span class="term"><span class="command"><strong>disable-algorithms</strong></span></span></dt>
2778<dd><p>
2779                Disable the specified DNSSEC algorithms at and below the
2780                specified name.
2781                Multiple <span class="command"><strong>disable-algorithms</strong></span>
2782                statements are allowed.
2783                Only the most specific will be applied.
2784              </p></dd>
2785<dt><span class="term"><span class="command"><strong>dnssec-lookaside</strong></span></span></dt>
2786<dd>
2787<p>
2788                When set, <span class="command"><strong>dnssec-lookaside</strong></span> provides the
2789                validator with an alternate method to validate DNSKEY
2790                records at the top of a zone.  When a DNSKEY is at or
2791                below a domain specified by the deepest
2792                <span class="command"><strong>dnssec-lookaside</strong></span>, and the normal DNSSEC
2793                validation has left the key untrusted, the trust-anchor
2794                will be appended to the key name and a DLV record will be
2795                looked up to see if it can validate the key.  If the DLV
2796                record validates a DNSKEY (similarly to the way a DS
2797                record does) the DNSKEY RRset is deemed to be trusted.
2798              </p>
2799<p>
2800                If <span class="command"><strong>dnssec-lookaside</strong></span> is set to
2801                <strong class="userinput"><code>auto</code></strong>, then built-in default
2802                values for the DLV domain and trust anchor will be
2803                used, along with a built-in key for validation.
2804              </p>
2805<p>
2806                If <span class="command"><strong>dnssec-lookaside</strong></span> is set to
2807                <strong class="userinput"><code>no</code></strong>, then dnssec-lookaside
2808                is not used.
2809              </p>
2810<p>
2811                The default DLV key is stored in the file
2812                <code class="filename">bind.keys</code>;
2813                <span class="command"><strong>named</strong></span> will load that key at
2814                startup if <span class="command"><strong>dnssec-lookaside</strong></span> is set to
2815                <code class="constant">auto</code>.  A copy of the file is
2816                installed along with <acronym class="acronym">BIND</acronym> 9, and is
2817                current as of the release date.  If the DLV key expires, a
2818                new copy of <code class="filename">bind.keys</code> can be downloaded
2819                from <a class="link" href="https://www.isc.org/solutions/dlv/" target="_top">https://www.isc.org/solutions/dlv/</a>.
2820              </p>
2821<p>
2822                (To prevent problems if <code class="filename">bind.keys</code> is
2823                not found, the current key is also compiled in to
2824                <span class="command"><strong>named</strong></span>.  Relying on this is not
2825                recommended, however, as it requires <span class="command"><strong>named</strong></span>
2826                to be recompiled with a new key when the DLV key expires.)
2827              </p>
2828<p>
2829                NOTE: <span class="command"><strong>named</strong></span> only loads certain specific
2830                keys from <code class="filename">bind.keys</code>:  those for the
2831                DLV zone and for the DNS root zone.  The file cannot be
2832                used to store keys for other zones.
2833              </p>
2834</dd>
2835<dt><span class="term"><span class="command"><strong>dnssec-must-be-secure</strong></span></span></dt>
2836<dd><p>
2837                Specify hierarchies which must be or may not be secure
2838                (signed and validated).  If <strong class="userinput"><code>yes</code></strong>,
2839                then <span class="command"><strong>named</strong></span> will only accept answers if
2840                they are secure.  If <strong class="userinput"><code>no</code></strong>, then normal
2841                DNSSEC validation applies allowing for insecure answers to
2842                be accepted.  The specified domain must be under a
2843                <span class="command"><strong>trusted-keys</strong></span> or
2844                <span class="command"><strong>managed-keys</strong></span> statement, or
2845                <span class="command"><strong>dnssec-lookaside</strong></span> must be active.
2846              </p></dd>
2847<dt><span class="term"><span class="command"><strong>dns64</strong></span></span></dt>
2848<dd>
2849<p>
2850                This directive instructs <span class="command"><strong>named</strong></span> to
2851                return mapped IPv4 addresses to AAAA queries when
2852                there are no AAAA records.  It is intended to be
2853                used in conjunction with a NAT64.  Each
2854                <span class="command"><strong>dns64</strong></span> defines one DNS64 prefix.
2855                Multiple DNS64 prefixes can be defined.
2856              </p>
2857<p>
2858                Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
2859                64 and 96 as per RFC 6052.
2860              </p>
2861<p>
2862                Additionally a reverse IP6.ARPA zone will be created for
2863                the prefix to provide a mapping from the IP6.ARPA names
2864                to the corresponding IN-ADDR.ARPA names using synthesized
2865                CNAMEs.  <span class="command"><strong>dns64-server</strong></span> and
2866                <span class="command"><strong>dns64-contact</strong></span> can be used to specify
2867                the name of the server and contact for the zones. These
2868                are settable at the view / options level.  These are
2869                not settable on a per-prefix basis.
2870              </p>
2871<p>
2872                Each <span class="command"><strong>dns64</strong></span> supports an optional
2873                <span class="command"><strong>clients</strong></span> ACL that determines which
2874                clients are affected by this directive.  If not defined,
2875                it defaults to <strong class="userinput"><code>any;</code></strong>.
2876              </p>
2877<p>
2878                Each <span class="command"><strong>dns64</strong></span> supports an optional
2879                <span class="command"><strong>mapped</strong></span> ACL that selects which
2880                IPv4 addresses are to be mapped in the corresponding
2881                A RRset.  If not defined it defaults to
2882                <strong class="userinput"><code>any;</code></strong>.
2883              </p>
2884<p>
2885                Normally, DNS64 won't apply to a domain name that
2886                owns one or more AAAA records; these records will
2887                simply be returned.  The optional
2888                <span class="command"><strong>exclude</strong></span> ACL allows specification
2889                of a list of IPv6 addresses that will be ignored
2890                if they appear in a domain name's AAAA records, and
2891                DNS64 will be applied to any A records the domain
2892                name owns.  If not defined, <span class="command"><strong>exclude</strong></span>
2893                defaults to none.
2894              </p>
2895<p>
2896                A optional <span class="command"><strong>suffix</strong></span> can also
2897                be defined to set the bits trailing the mapped
2898                IPv4 address bits.  By default these bits are
2899                set to <strong class="userinput"><code>::</code></strong>.  The bits
2900                matching the prefix and mapped IPv4 address
2901                must be zero.
2902              </p>
2903<p>
2904                If <span class="command"><strong>recursive-only</strong></span> is set to
2905                <span class="command"><strong>yes</strong></span> the DNS64 synthesis will
2906                only happen for recursive queries.  The default
2907                is <span class="command"><strong>no</strong></span>.
2908              </p>
2909<p>
2910                If <span class="command"><strong>break-dnssec</strong></span> is set to
2911                <span class="command"><strong>yes</strong></span> the DNS64 synthesis will
2912                happen even if the result, if validated, would
2913                cause a DNSSEC validation failure.  If this option
2914                is set to <span class="command"><strong>no</strong></span> (the default), the DO
2915                is set on the incoming query, and there are RRSIGs on
2916                the applicable records, then synthesis will not happen.
2917              </p>
2918<pre class="programlisting">
2919        acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
2920
2921        dns64 64:FF9B::/96 {
2922                clients { any; };
2923                mapped { !rfc1918; any; };
2924                exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
2925                suffix ::;
2926        };
2927</pre>
2928</dd>
2929<dt><span class="term"><span class="command"><strong>dnssec-loadkeys-interval</strong></span></span></dt>
2930<dd><p>
2931                  When a zone is configured with <span class="command"><strong>auto-dnssec
2932                  maintain;</strong></span> its key repository must be checked
2933                  periodically to see if any new keys have been added
2934                  or any existing keys' timing metadata has been updated
2935                  (see <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
2936                  <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>).  The
2937                  <span class="command"><strong>dnssec-loadkeys-interval</strong></span> option
2938                  sets the frequency of automatic repository checks, in
2939                  minutes.  The default is <code class="literal">60</code> (1 hour),
2940                  the minimum is <code class="literal">1</code> (1 minute), and the
2941                  maximum is <code class="literal">1440</code> (24 hours); any higher
2942                  value is silently reduced.
2943                </p></dd>
2944<dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt>
2945<dd>
2946<p>
2947                  If this option is set to its default value of
2948                  <code class="literal">maintain</code> in a zone of type
2949                  <code class="literal">master</code> which is DNSSEC-signed
2950                  and configured to allow dynamic updates (see
2951                  <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>), and
2952                  if <span class="command"><strong>named</strong></span> has access to the
2953                  private signing key(s) for the zone, then
2954                  <span class="command"><strong>named</strong></span> will automatically sign all new
2955                  or changed records and maintain signatures for the zone
2956                  by regenerating RRSIG records whenever they approach
2957                  their expiration date.
2958                </p>
2959<p>
2960                  If the option is changed to <code class="literal">no-resign</code>,
2961                  then <span class="command"><strong>named</strong></span> will sign all new or
2962                  changed records, but scheduled maintenance of
2963                  signatures is disabled.
2964                </p>
2965<p>
2966                  With either of these settings, <span class="command"><strong>named</strong></span>
2967                  will reject updates to a DNSSEC-signed zone when the
2968                  signing keys are inactive or unavailable to
2969                  <span class="command"><strong>named</strong></span>.  (A planned third option,
2970                  <code class="literal">external</code>, will disable all automatic
2971                  signing and allow DNSSEC data to be submitted into a zone
2972                  via dynamic update; this is not yet implemented.)
2973                </p>
2974</dd>
2975<dt><span class="term"><span class="command"><strong>serial-update-method</strong></span></span></dt>
2976<dd>
2977<p>
2978                Zones configured for dynamic DNS may use this
2979                option to set the update method that will be used for
2980                the zone serial number in the SOA record.
2981              </p>
2982<p>
2983                With the default setting of
2984                <span class="command"><strong>serial-update-method increment;</strong></span>, the
2985                SOA serial number will be incremented by one each time
2986                the zone is updated.
2987              </p>
2988<p>
2989                When set to
2990                <span class="command"><strong>serial-update-method unixtime;</strong></span>, the
2991                SOA serial number will be set to the number of seconds
2992                since the UNIX epoch, unless the serial number is
2993                already greater than or equal to that value, in which
2994                case it is simply incremented by one.
2995              </p>
2996</dd>
2997<dt><span class="term"><span class="command"><strong>zone-statistics</strong></span></span></dt>
2998<dd>
2999<p>
3000                If <strong class="userinput"><code>full</code></strong>, the server will collect
3001                statistical data on all zones (unless specifically
3002                turned off on a per-zone basis by specifying
3003                <span class="command"><strong>zone-statistics terse</strong></span> or
3004                <span class="command"><strong>zone-statistics none</strong></span>
3005                in the <span class="command"><strong>zone</strong></span> statement).
3006                The default is <strong class="userinput"><code>terse</code></strong>, providing
3007                minimal statistics on zones (including name and
3008                current serial number, but not query type
3009                counters).
3010              </p>
3011<p>
3012                These statistics may be accessed via the
3013                <span class="command"><strong>statistics-channel</strong></span> or
3014                using <span class="command"><strong>rndc stats</strong></span>, which
3015                will dump them to the file listed
3016                in the <span class="command"><strong>statistics-file</strong></span>.  See
3017                also <a class="xref" href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
3018              </p>
3019<p>
3020                For backward compatibility with earlier versions
3021                of BIND 9, the <span class="command"><strong>zone-statistics</strong></span>
3022                option can also accept <strong class="userinput"><code>yes</code></strong>
3023                or <strong class="userinput"><code>no</code></strong>, which have the same
3024                effect as <strong class="userinput"><code>full</code></strong> and
3025                <strong class="userinput"><code>terse</code></strong>, respectively.
3026              </p>
3027</dd>
3028</dl></div>
3029<div class="section">
3030<div class="titlepage"><div><div><h4 class="title">
3031<a name="boolean_options"></a>Boolean Options</h4></div></div></div>
3032<div class="variablelist"><dl class="variablelist">
3033<dt><span class="term"><span class="command"><strong>allow-new-zones</strong></span></span></dt>
3034<dd><p>
3035                  If <strong class="userinput"><code>yes</code></strong>, then zones can be
3036                  added at runtime via <span class="command"><strong>rndc addzone</strong></span>
3037                  or deleted via <span class="command"><strong>rndc delzone</strong></span>.
3038                  The default is <strong class="userinput"><code>no</code></strong>.
3039                </p></dd>
3040<dt><span class="term"><span class="command"><strong>auth-nxdomain</strong></span></span></dt>
3041<dd><p>
3042                  If <strong class="userinput"><code>yes</code></strong>, then the <span class="command"><strong>AA</strong></span> bit
3043                  is always set on NXDOMAIN responses, even if the server is
3044                  not actually
3045                  authoritative. The default is <strong class="userinput"><code>no</code></strong>;
3046                  this is
3047                  a change from <acronym class="acronym">BIND</acronym> 8. If you
3048                  are using very old DNS software, you
3049                  may need to set it to <strong class="userinput"><code>yes</code></strong>.
3050                </p></dd>
3051<dt><span class="term"><span class="command"><strong>deallocate-on-exit</strong></span></span></dt>
3052<dd><p>
3053                  This option was used in <acronym class="acronym">BIND</acronym>
3054                  8 to enable checking
3055                  for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
3056                  the checks.
3057                </p></dd>
3058<dt><span class="term"><span class="command"><strong>memstatistics</strong></span></span></dt>
3059<dd><p>
3060                  Write memory statistics to the file specified by
3061                  <span class="command"><strong>memstatistics-file</strong></span> at exit.
3062                  The default is <strong class="userinput"><code>no</code></strong> unless
3063                  '-m record' is specified on the command line in
3064                  which case it is <strong class="userinput"><code>yes</code></strong>.
3065                </p></dd>
3066<dt><span class="term"><span class="command"><strong>dialup</strong></span></span></dt>
3067<dd>
3068<p>
3069                  If <strong class="userinput"><code>yes</code></strong>, then the
3070                  server treats all zones as if they are doing zone transfers
3071                  across
3072                  a dial-on-demand dialup link, which can be brought up by
3073                  traffic
3074                  originating from this server. This has different effects
3075                  according
3076                  to zone type and concentrates the zone maintenance so that
3077                  it all
3078                  happens in a short interval, once every <span class="command"><strong>heartbeat-interval</strong></span> and
3079                  hopefully during the one call. It also suppresses some of
3080                  the normal
3081                  zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.
3082                </p>
3083<p>
3084                  The <span class="command"><strong>dialup</strong></span> option
3085                  may also be specified in the <span class="command"><strong>view</strong></span> and
3086                  <span class="command"><strong>zone</strong></span> statements,
3087                  in which case it overrides the global <span class="command"><strong>dialup</strong></span>
3088                  option.
3089                </p>
3090<p>
3091                  If the zone is a master zone, then the server will send out a
3092                  NOTIFY
3093                  request to all the slaves (default). This should trigger the
3094                  zone serial
3095                  number check in the slave (providing it supports NOTIFY)
3096                  allowing the slave
3097                  to verify the zone while the connection is active.
3098                  The set of servers to which NOTIFY is sent can be controlled
3099                  by
3100                  <span class="command"><strong>notify</strong></span> and <span class="command"><strong>also-notify</strong></span>.
3101                </p>
3102<p>
3103                  If the
3104                  zone is a slave or stub zone, then the server will suppress
3105                  the regular
3106                  "zone up to date" (refresh) queries and only perform them
3107                  when the
3108                  <span class="command"><strong>heartbeat-interval</strong></span> expires in
3109                  addition to sending
3110                  NOTIFY requests.
3111                </p>
3112<p>
3113                  Finer control can be achieved by using
3114                  <strong class="userinput"><code>notify</code></strong> which only sends NOTIFY
3115                  messages,
3116                  <strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY
3117                  messages and
3118                  suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
3119                  which suppresses normal refresh processing and sends refresh
3120                  queries
3121                  when the <span class="command"><strong>heartbeat-interval</strong></span>
3122                  expires, and
3123                  <strong class="userinput"><code>passive</code></strong> which just disables normal
3124                  refresh
3125                  processing.
3126                </p>
3127<div class="informaltable"><table border="1">
3128<colgroup>
3129<col width="1.150in" class="1">
3130<col width="1.150in" class="2">
3131<col width="1.150in" class="3">
3132<col width="1.150in" class="4">
3133</colgroup>
3134<tbody>
3135<tr>
3136<td>
3137                          <p>
3138                            dialup mode
3139                          </p>
3140                        </td>
3141<td>
3142                          <p>
3143                            normal refresh
3144                          </p>
3145                        </td>
3146<td>
3147                          <p>
3148                            heart-beat refresh
3149                          </p>
3150                        </td>
3151<td>
3152                          <p>
3153                            heart-beat notify
3154                          </p>
3155                        </td>
3156</tr>
3157<tr>
3158<td>
3159                          <p><span class="command"><strong>no</strong></span> (default)</p>
3160                        </td>
3161<td>
3162                          <p>
3163                            yes
3164                          </p>
3165                        </td>
3166<td>
3167                          <p>
3168                            no
3169                          </p>
3170                        </td>
3171<td>
3172                          <p>
3173                            no
3174                          </p>
3175                        </td>
3176</tr>
3177<tr>
3178<td>
3179                          <p><span class="command"><strong>yes</strong></span></p>
3180                        </td>
3181<td>
3182                          <p>
3183                            no
3184                          </p>
3185                        </td>
3186<td>
3187                          <p>
3188                            yes
3189                          </p>
3190                        </td>
3191<td>
3192                          <p>
3193                            yes
3194                          </p>
3195                        </td>
3196</tr>
3197<tr>
3198<td>
3199                          <p><span class="command"><strong>notify</strong></span></p>
3200                        </td>
3201<td>
3202                          <p>
3203                            yes
3204                          </p>
3205                        </td>
3206<td>
3207                          <p>
3208                            no
3209                          </p>
3210                        </td>
3211<td>
3212                          <p>
3213                            yes
3214                          </p>
3215                        </td>
3216</tr>
3217<tr>
3218<td>
3219                          <p><span class="command"><strong>refresh</strong></span></p>
3220                        </td>
3221<td>
3222                          <p>
3223                            no
3224                          </p>
3225                        </td>
3226<td>
3227                          <p>
3228                            yes
3229                          </p>
3230                        </td>
3231<td>
3232                          <p>
3233                            no
3234                          </p>
3235                        </td>
3236</tr>
3237<tr>
3238<td>
3239                          <p><span class="command"><strong>passive</strong></span></p>
3240                        </td>
3241<td>
3242                          <p>
3243                            no
3244                          </p>
3245                        </td>
3246<td>
3247                          <p>
3248                            no
3249                          </p>
3250                        </td>
3251<td>
3252                          <p>
3253                            no
3254                          </p>
3255                        </td>
3256</tr>
3257<tr>
3258<td>
3259                          <p><span class="command"><strong>notify-passive</strong></span></p>
3260                        </td>
3261<td>
3262                          <p>
3263                            no
3264                          </p>
3265                        </td>
3266<td>
3267                          <p>
3268                            no
3269                          </p>
3270                        </td>
3271<td>
3272                          <p>
3273                            yes
3274                          </p>
3275                        </td>
3276</tr>
3277</tbody>
3278</table></div>
3279<p>
3280                  Note that normal NOTIFY processing is not affected by
3281                  <span class="command"><strong>dialup</strong></span>.
3282                </p>
3283</dd>
3284<dt><span class="term"><span class="command"><strong>fake-iquery</strong></span></span></dt>
3285<dd><p>
3286                  In <acronym class="acronym">BIND</acronym> 8, this option
3287                  enabled simulating the obsolete DNS query type
3288                  IQUERY. <acronym class="acronym">BIND</acronym> 9 never does
3289                  IQUERY simulation.
3290                </p></dd>
3291<dt><span class="term"><span class="command"><strong>fetch-glue</strong></span></span></dt>
3292<dd><p>
3293                  This option is obsolete.
3294                  In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
3295                  caused the server to attempt to fetch glue resource records
3296                  it
3297                  didn't have when constructing the additional
3298                  data section of a response.  This is now considered a bad
3299                  idea
3300                  and BIND 9 never does it.
3301                </p></dd>
3302<dt><span class="term"><span class="command"><strong>flush-zones-on-shutdown</strong></span></span></dt>
3303<dd><p>
3304                  When the nameserver exits due receiving SIGTERM,
3305                  flush or do not flush any pending zone writes.  The default
3306                  is
3307                  <span class="command"><strong>flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
3308                </p></dd>
3309<dt><span class="term"><span class="command"><strong>has-old-clients</strong></span></span></dt>
3310<dd><p>
3311                  This option was incorrectly implemented
3312                  in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
3313                  To achieve the intended effect
3314                  of
3315                  <span class="command"><strong>has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
3316                  the two separate options <span class="command"><strong>auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
3317                  and <span class="command"><strong>rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
3318                </p></dd>
3319<dt><span class="term"><span class="command"><strong>host-statistics</strong></span></span></dt>
3320<dd><p>
3321                  In BIND 8, this enables keeping of
3322                  statistics for every host that the name server interacts
3323                  with.
3324                  Not implemented in BIND 9.
3325                </p></dd>
3326<dt><span class="term"><span class="command"><strong>maintain-ixfr-base</strong></span></span></dt>
3327<dd><p>
3328                  <span class="emphasis"><em>This option is obsolete</em></span>.
3329                  It was used in <acronym class="acronym">BIND</acronym> 8 to
3330                  determine whether a transaction log was
3331                  kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
3332                  log whenever possible.  If you need to disable outgoing
3333                  incremental zone
3334                  transfers, use <span class="command"><strong>provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
3335                </p></dd>
3336<dt><span class="term"><span class="command"><strong>minimal-responses</strong></span></span></dt>
3337<dd><p>
3338                  If <strong class="userinput"><code>yes</code></strong>, then when generating
3339                  responses the server will only add records to the authority
3340                  and additional data sections when they are required (e.g.
3341                  delegations, negative responses).  This may improve the
3342                  performance of the server.
3343                  The default is <strong class="userinput"><code>no</code></strong>.
3344                </p></dd>
3345<dt><span class="term"><span class="command"><strong>multiple-cnames</strong></span></span></dt>
3346<dd><p>
3347                  This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
3348                  a domain name to have multiple CNAME records in violation of
3349                  the DNS standards.  <acronym class="acronym">BIND</acronym> 9.2 onwards
3350                  always strictly enforces the CNAME rules both in master
3351                  files and dynamic updates.
3352                </p></dd>
3353<dt><span class="term"><span class="command"><strong>notify</strong></span></span></dt>
3354<dd>
3355<p>
3356                  If <strong class="userinput"><code>yes</code></strong> (the default),
3357                  DNS NOTIFY messages are sent when a zone the server is
3358                  authoritative for
3359                  changes, see <a class="xref" href="Bv9ARM.ch04.html#notify" title="Notify">the section called &#8220;Notify&#8221;</a>.  The messages are
3360                  sent to the
3361                  servers listed in the zone's NS records (except the master
3362                  server identified
3363                  in the SOA MNAME field), and to any servers listed in the
3364                  <span class="command"><strong>also-notify</strong></span> option.
3365                </p>
3366<p>
3367                  If <strong class="userinput"><code>master-only</code></strong>, notifies are only
3368                  sent
3369                  for master zones.
3370                  If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only
3371                  to
3372                  servers explicitly listed using <span class="command"><strong>also-notify</strong></span>.
3373                  If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
3374                </p>
3375<p>
3376                  The <span class="command"><strong>notify</strong></span> option may also be
3377                  specified in the <span class="command"><strong>zone</strong></span>
3378                  statement,
3379                  in which case it overrides the <span class="command"><strong>options notify</strong></span> statement.
3380                  It would only be necessary to turn off this option if it
3381                  caused slaves
3382                  to crash.
3383                </p>
3384</dd>
3385<dt><span class="term"><span class="command"><strong>notify-to-soa</strong></span></span></dt>
3386<dd><p>
3387                  If <strong class="userinput"><code>yes</code></strong> do not check the nameservers
3388                  in the NS RRset against the SOA MNAME.  Normally a NOTIFY
3389                  message is not sent to the SOA MNAME (SOA ORIGIN) as it is
3390                  supposed to contain the name of the ultimate master.
3391                  Sometimes, however, a slave is listed as the SOA MNAME in
3392                  hidden master configurations and in that case you would
3393                  want the ultimate master to still send NOTIFY messages to
3394                  all the nameservers listed in the NS RRset.
3395                </p></dd>
3396<dt><span class="term"><span class="command"><strong>recursion</strong></span></span></dt>
3397<dd><p>
3398                  If <strong class="userinput"><code>yes</code></strong>, and a
3399                  DNS query requests recursion, then the server will attempt
3400                  to do
3401                  all the work required to answer the query. If recursion is
3402                  off
3403                  and the server does not already know the answer, it will
3404                  return a
3405                  referral response. The default is
3406                  <strong class="userinput"><code>yes</code></strong>.
3407                  Note that setting <span class="command"><strong>recursion no</strong></span> does not prevent
3408                  clients from getting data from the server's cache; it only
3409                  prevents new data from being cached as an effect of client
3410                  queries.
3411                  Caching may still occur as an effect the server's internal
3412                  operation, such as NOTIFY address lookups.
3413                </p></dd>
3414<dt><span class="term"><span class="command"><strong>request-nsid</strong></span></span></dt>
3415<dd><p>
3416                  If <strong class="userinput"><code>yes</code></strong>, then an empty EDNS(0)
3417                  NSID (Name Server Identifier) option is sent with all
3418                  queries to authoritative name servers during iterative
3419                  resolution. If the authoritative server returns an NSID
3420                  option in its response, then its contents are logged in
3421                  the <span class="command"><strong>resolver</strong></span> category at level
3422                  <span class="command"><strong>info</strong></span>.
3423                  The default is <strong class="userinput"><code>no</code></strong>.
3424                </p></dd>
3425<dt><span class="term"><span class="command"><strong>rfc2308-type1</strong></span></span></dt>
3426<dd>
3427<p>
3428                  Setting this to <strong class="userinput"><code>yes</code></strong> will
3429                  cause the server to send NS records along with the SOA
3430                  record for negative
3431                  answers. The default is <strong class="userinput"><code>no</code></strong>.
3432                </p>
3433<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
3434<h3 class="title">Note</h3>
3435<p>
3436                    Not yet implemented in <acronym class="acronym">BIND</acronym>
3437                    9.
3438                  </p>
3439</div>
3440</dd>
3441<dt><span class="term"><span class="command"><strong>use-id-pool</strong></span></span></dt>
3442<dd><p>
3443                  <span class="emphasis"><em>This option is obsolete</em></span>.
3444                  <acronym class="acronym">BIND</acronym> 9 always allocates query
3445                  IDs from a pool.
3446                </p></dd>
3447<dt><span class="term"><span class="command"><strong>use-ixfr</strong></span></span></dt>
3448<dd><p>
3449                  <span class="emphasis"><em>This option is obsolete</em></span>.
3450                  If you need to disable IXFR to a particular server or
3451                  servers, see
3452                  the information on the <span class="command"><strong>provide-ixfr</strong></span> option
3453                  in <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span class="command"><strong>server</strong></span> Statement Definition and
3454            Usage&#8221;</a>.
3455                  See also
3456                  <a class="xref" href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called &#8220;Incremental Zone Transfers (IXFR)&#8221;</a>.
3457                </p></dd>
3458<dt><span class="term"><span class="command"><strong>provide-ixfr</strong></span></span></dt>
3459<dd><p>
3460                  See the description of
3461                  <span class="command"><strong>provide-ixfr</strong></span> in
3462                  <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span class="command"><strong>server</strong></span> Statement Definition and
3463            Usage&#8221;</a>.
3464                </p></dd>
3465<dt><span class="term"><span class="command"><strong>request-ixfr</strong></span></span></dt>
3466<dd><p>
3467                  See the description of
3468                  <span class="command"><strong>request-ixfr</strong></span> in
3469                  <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span class="command"><strong>server</strong></span> Statement Definition and
3470            Usage&#8221;</a>.
3471                </p></dd>
3472<dt><span class="term"><span class="command"><strong>treat-cr-as-space</strong></span></span></dt>
3473<dd><p>
3474                  This option was used in <acronym class="acronym">BIND</acronym>
3475                  8 to make
3476                  the server treat carriage return ("<span class="command"><strong>\r</strong></span>") characters the same way
3477                  as a space or tab character,
3478                  to facilitate loading of zone files on a UNIX system that
3479                  were generated
3480                  on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span class="command"><strong>\n</strong></span>"
3481                  and NT/DOS "<span class="command"><strong>\r\n</strong></span>" newlines
3482                  are always accepted,
3483                  and the option is ignored.
3484                </p></dd>
3485<dt>
3486<span class="term"><span class="command"><strong>additional-from-auth</strong></span>, </span><span class="term"><span class="command"><strong>additional-from-cache</strong></span></span>
3487</dt>
3488<dd>
3489<p>
3490                  These options control the behavior of an authoritative
3491                  server when
3492                  answering queries which have additional data, or when
3493                  following CNAME
3494                  and DNAME chains.
3495                </p>
3496<p>
3497                  When both of these options are set to <strong class="userinput"><code>yes</code></strong>
3498                  (the default) and a
3499                  query is being answered from authoritative data (a zone
3500                  configured into the server), the additional data section of
3501                  the
3502                  reply will be filled in using data from other authoritative
3503                  zones
3504                  and from the cache.  In some situations this is undesirable,
3505                  such
3506                  as when there is concern over the correctness of the cache,
3507                  or
3508                  in servers where slave zones may be added and modified by
3509                  untrusted third parties.  Also, avoiding
3510                  the search for this additional data will speed up server
3511                  operations
3512                  at the possible expense of additional queries to resolve
3513                  what would
3514                  otherwise be provided in the additional section.
3515                </p>
3516<p>
3517                  For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
3518                  and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
3519                  records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
3520                  if known, even though they are not in the example.com zone.
3521                  Setting these options to <span class="command"><strong>no</strong></span>
3522                  disables this behavior and makes
3523                  the server only search for additional data in the zone it
3524                  answers from.
3525                </p>
3526<p>
3527                  These options are intended for use in authoritative-only
3528                  servers, or in authoritative-only views.  Attempts to set
3529                  them to <span class="command"><strong>no</strong></span> without also
3530                  specifying
3531                  <span class="command"><strong>recursion no</strong></span> will cause the
3532                  server to
3533                  ignore the options and log a warning message.
3534                </p>
3535<p>
3536                  Specifying <span class="command"><strong>additional-from-cache no</strong></span> actually
3537                  disables the use of the cache not only for additional data
3538                  lookups
3539                  but also when looking up the answer.  This is usually the
3540                  desired
3541                  behavior in an authoritative-only server where the
3542                  correctness of
3543                  the cached data is an issue.
3544                </p>
3545<p>
3546                  When a name server is non-recursively queried for a name
3547                  that is not
3548                  below the apex of any served zone, it normally answers with
3549                  an
3550                  "upwards referral" to the root servers or the servers of
3551                  some other
3552                  known parent of the query name.  Since the data in an
3553                  upwards referral
3554                  comes from the cache, the server will not be able to provide
3555                  upwards
3556                  referrals when <span class="command"><strong>additional-from-cache no</strong></span>
3557                  has been specified.  Instead, it will respond to such
3558                  queries
3559                  with REFUSED.  This should not cause any problems since
3560                  upwards referrals are not required for the resolution
3561                  process.
3562                </p>
3563</dd>
3564<dt><span class="term"><span class="command"><strong>match-mapped-addresses</strong></span></span></dt>
3565<dd>
3566<p>
3567                  If <strong class="userinput"><code>yes</code></strong>, then an
3568                  IPv4-mapped IPv6 address will match any address match
3569                  list entries that match the corresponding IPv4 address.
3570                </p>
3571<p>
3572                  This option was introduced to work around a kernel quirk
3573                  in some operating systems that causes IPv4 TCP
3574                  connections, such as zone transfers, to be accepted on an
3575                  IPv6 socket using mapped addresses.  This caused address
3576                  match lists designed for IPv4 to fail to match.  However,
3577                  <span class="command"><strong>named</strong></span> now solves this problem
3578                  internally.  The use of this option is discouraged.
3579                </p>
3580</dd>
3581<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v4</strong></span></span></dt>
3582<dd>
3583<p>
3584                  This option is only available when
3585                  <acronym class="acronym">BIND</acronym> 9 is compiled with the
3586                  <strong class="userinput"><code>--enable-filter-aaaa</code></strong> option on the
3587                  "configure" command line.  It is intended to help the
3588                  transition from IPv4 to IPv6 by not giving IPv6 addresses
3589                  to DNS clients unless they have connections to the IPv6
3590                  Internet.  This is not recommended unless absolutely
3591                  necessary.  The default is <strong class="userinput"><code>no</code></strong>.
3592                  The <span class="command"><strong>filter-aaaa-on-v4</strong></span> option
3593                  may also be specified in <span class="command"><strong>view</strong></span> statements
3594                  to override the global <span class="command"><strong>filter-aaaa-on-v4</strong></span>
3595                  option.
3596                </p>
3597<p>
3598                  If <strong class="userinput"><code>yes</code></strong>,
3599                  the DNS client is at an IPv4 address, in <span class="command"><strong>filter-aaaa</strong></span>,
3600                  and if the response does not include DNSSEC signatures,
3601                  then all AAAA records are deleted from the response.
3602                  This filtering applies to all responses and not only
3603                  authoritative responses.
3604                </p>
3605<p>
3606                  If <strong class="userinput"><code>break-dnssec</code></strong>,
3607                  then AAAA records are deleted even when dnssec is enabled.
3608                  As suggested by the name, this makes the response not verify,
3609                  because the DNSSEC protocol is designed detect deletions.
3610                </p>
3611<p>
3612                  This mechanism can erroneously cause other servers to
3613                  not give AAAA records to their clients.
3614                  A recursing server with both IPv6 and IPv4 network connections
3615                  that queries an authoritative server using this mechanism
3616                  via IPv4 will be denied AAAA records even if its client is
3617                  using IPv6.
3618                </p>
3619<p>
3620                  This mechanism is applied to authoritative as well as
3621                  non-authoritative records.
3622                  A client using IPv4 that is not allowed recursion can
3623                  erroneously be given AAAA records because the server is not
3624                  allowed to check for A records.
3625                </p>
3626<p>
3627                  Some AAAA records are given to IPv4 clients in glue records.
3628                  IPv4 clients that are servers can then erroneously
3629                  answer requests for AAAA records received via IPv4.
3630                </p>
3631</dd>
3632<dt><span class="term"><span class="command"><strong>ixfr-from-differences</strong></span></span></dt>
3633<dd>
3634<p>
3635                  When <strong class="userinput"><code>yes</code></strong> and the server loads a new
3636                  version of a master zone from its zone file or receives a
3637                  new version of a slave file via zone transfer, it will
3638                  compare the new version to the previous one and calculate
3639                  a set of differences.  The differences are then logged in
3640                  the zone's journal file such that the changes can be
3641                  transmitted to downstream slaves as an incremental zone
3642                  transfer.
3643                </p>
3644<p>
3645                  By allowing incremental zone transfers to be used for
3646                  non-dynamic zones, this option saves bandwidth at the
3647                  expense of increased CPU and memory consumption at the
3648                  master.
3649                  In particular, if the new version of a zone is completely
3650                  different from the previous one, the set of differences
3651                  will be of a size comparable to the combined size of the
3652                  old and new zone version, and the server will need to
3653                  temporarily allocate memory to hold this complete
3654                  difference set.
3655                </p>
3656<p><span class="command"><strong>ixfr-from-differences</strong></span>
3657                  also accepts <span class="command"><strong>master</strong></span> and
3658                  <span class="command"><strong>slave</strong></span> at the view and options
3659                  levels which causes
3660                  <span class="command"><strong>ixfr-from-differences</strong></span> to be enabled for
3661                  all <span class="command"><strong>master</strong></span> or
3662                  <span class="command"><strong>slave</strong></span> zones respectively.
3663                  It is off by default.
3664                </p>
3665</dd>
3666<dt><span class="term"><span class="command"><strong>multi-master</strong></span></span></dt>
3667<dd><p>
3668                  This should be set when you have multiple masters for a zone
3669                  and the
3670                  addresses refer to different machines.  If <strong class="userinput"><code>yes</code></strong>, <span class="command"><strong>named</strong></span> will
3671                  not log
3672                  when the serial number on the master is less than what <span class="command"><strong>named</strong></span>
3673                  currently
3674                  has.  The default is <strong class="userinput"><code>no</code></strong>.
3675                </p></dd>
3676<dt><span class="term"><span class="command"><strong>auto-dnssec</strong></span></span></dt>
3677<dd>
3678<p>
3679                  Zones configured for dynamic DNS may use this
3680                  option to allow varying levels of automatic DNSSEC key
3681                  management. There are three possible settings:
3682                </p>
3683<p>
3684                  <span class="command"><strong>auto-dnssec allow;</strong></span> permits
3685                  keys to be updated and the zone fully re-signed
3686                  whenever the user issues the command <span class="command"><strong>rndc sign
3687                  <em class="replaceable"><code>zonename</code></em></strong></span>.
3688                </p>
3689<p>
3690                  <span class="command"><strong>auto-dnssec maintain;</strong></span> includes the
3691                  above, but also automatically adjusts the zone's DNSSEC
3692                  keys on schedule, according to the keys' timing metadata
3693                  (see <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
3694                  <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>).  The command
3695                  <span class="command"><strong>rndc sign
3696                  <em class="replaceable"><code>zonename</code></em></strong></span> causes
3697                  <span class="command"><strong>named</strong></span> to load keys from the key
3698                  repository and sign the zone with all keys that are
3699                  active.
3700                  <span class="command"><strong>rndc loadkeys
3701                  <em class="replaceable"><code>zonename</code></em></strong></span> causes
3702                  <span class="command"><strong>named</strong></span> to load keys from the key
3703                  repository and schedule key maintenance events to occur
3704                  in the future, but it does not sign the full zone
3705                  immediately.  Note: once keys have been loaded for a
3706                  zone the first time, the repository will be searched
3707                  for changes periodically, regardless of whether
3708                  <span class="command"><strong>rndc loadkeys</strong></span> is used.  The recheck
3709                  interval is defined by
3710                  <span class="command"><strong>dnssec-loadkeys-interval</strong></span>.)
3711                </p>
3712<p>
3713                  The default setting is <span class="command"><strong>auto-dnssec off</strong></span>.
3714                </p>
3715</dd>
3716<dt><span class="term"><span class="command"><strong>dnssec-enable</strong></span></span></dt>
3717<dd><p>
3718                  This indicates whether DNSSEC-related resource
3719                  records are to be returned by <span class="command"><strong>named</strong></span>.
3720                  If set to <strong class="userinput"><code>no</code></strong>,
3721                  <span class="command"><strong>named</strong></span> will not return DNSSEC-related
3722                  resource records unless specifically queried for.
3723                  The default is <strong class="userinput"><code>yes</code></strong>.
3724                </p></dd>
3725<dt><span class="term"><span class="command"><strong>dnssec-validation</strong></span></span></dt>
3726<dd>
3727<p>
3728                  Enable DNSSEC validation in <span class="command"><strong>named</strong></span>.
3729                  Note <span class="command"><strong>dnssec-enable</strong></span> also needs to be
3730                  set to <strong class="userinput"><code>yes</code></strong> to be effective.
3731                  If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation
3732                  is disabled.  If set to <strong class="userinput"><code>auto</code></strong>,
3733                  DNSSEC validation is enabled, and a default
3734                  trust-anchor for the DNS root zone is used.  If set to
3735                  <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is enabled,
3736                  but a trust anchor must be manually configured using
3737                  a <span class="command"><strong>trusted-keys</strong></span> or
3738                  <span class="command"><strong>managed-keys</strong></span> statement.  The default
3739                  is <strong class="userinput"><code>yes</code></strong>.
3740                </p>
3741<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
3742<h3 class="title">Note</h3>
3743<p>
3744                    Whenever the resolver sends out queries to an
3745                    EDNS-compliant server, it always sets the DO bit
3746                    indicating it can support DNSSEC responses even if
3747                    <span class="command"><strong>dnssec-validation</strong></span> is off.
3748                  </p>
3749</div>
3750</dd>
3751<dt><span class="term"><span class="command"><strong>dnssec-accept-expired</strong></span></span></dt>
3752<dd><p>
3753                  Accept expired signatures when verifying DNSSEC signatures.
3754                  The default is <strong class="userinput"><code>no</code></strong>.
3755                  Setting this option to <strong class="userinput"><code>yes</code></strong>
3756                  leaves <span class="command"><strong>named</strong></span> vulnerable to
3757                  replay attacks.
3758                </p></dd>
3759<dt><span class="term"><span class="command"><strong>querylog</strong></span></span></dt>
3760<dd><p>
3761                  Specify whether query logging should be started when <span class="command"><strong>named</strong></span>
3762                  starts.
3763                  If <span class="command"><strong>querylog</strong></span> is not specified,
3764                  then the query logging
3765                  is determined by the presence of the logging category <span class="command"><strong>queries</strong></span>.
3766                </p></dd>
3767<dt><span class="term"><span class="command"><strong>check-names</strong></span></span></dt>
3768<dd>
3769<p>
3770                  This option is used to restrict the character set and syntax
3771                  of
3772                  certain domain names in master files and/or DNS responses
3773                  received
3774                  from the network.  The default varies according to usage
3775                  area.  For
3776                  <span class="command"><strong>master</strong></span> zones the default is <span class="command"><strong>fail</strong></span>.
3777                  For <span class="command"><strong>slave</strong></span> zones the default
3778                  is <span class="command"><strong>warn</strong></span>.
3779                  For answers received from the network (<span class="command"><strong>response</strong></span>)
3780                  the default is <span class="command"><strong>ignore</strong></span>.
3781                </p>
3782<p>
3783                  The rules for legal hostnames and mail domains are derived
3784                  from RFC 952 and RFC 821 as modified by RFC 1123.
3785                </p>
3786<p><span class="command"><strong>check-names</strong></span>
3787                  applies to the owner names of A, AAAA and MX records.
3788                  It also applies to the domain names in the RDATA of NS, SOA,
3789                  MX, and SRV records.
3790                  It also applies to the RDATA of PTR records where the owner
3791                  name indicated that it is a reverse lookup of a hostname
3792                  (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
3793                </p>
3794</dd>
3795<dt><span class="term"><span class="command"><strong>check-dup-records</strong></span></span></dt>
3796<dd><p>
3797                  Check master zones for records that are treated as different
3798                  by DNSSEC but are semantically equal in plain DNS.  The
3799                  default is to <span class="command"><strong>warn</strong></span>.  Other possible
3800                  values are <span class="command"><strong>fail</strong></span> and
3801                  <span class="command"><strong>ignore</strong></span>.
3802                </p></dd>
3803<dt><span class="term"><span class="command"><strong>check-mx</strong></span></span></dt>
3804<dd><p>
3805                  Check whether the MX record appears to refer to a IP address.
3806                  The default is to <span class="command"><strong>warn</strong></span>.  Other possible
3807                  values are <span class="command"><strong>fail</strong></span> and
3808                  <span class="command"><strong>ignore</strong></span>.
3809                </p></dd>
3810<dt><span class="term"><span class="command"><strong>check-wildcard</strong></span></span></dt>
3811<dd><p>
3812                  This option is used to check for non-terminal wildcards.
3813                  The use of non-terminal wildcards is almost always as a
3814                  result of a failure
3815                  to understand the wildcard matching algorithm (RFC 1034).
3816                  This option
3817                  affects master zones.  The default (<span class="command"><strong>yes</strong></span>) is to check
3818                  for non-terminal wildcards and issue a warning.
3819                </p></dd>
3820<dt><span class="term"><span class="command"><strong>check-integrity</strong></span></span></dt>
3821<dd>
3822<p>
3823                  Perform post load zone integrity checks on master
3824                  zones.  This checks that MX and SRV records refer
3825                  to address (A or AAAA) records and that glue
3826                  address records exist for delegated zones.  For
3827                  MX and SRV records only in-zone hostnames are
3828                  checked (for out-of-zone hostnames use
3829                  <span class="command"><strong>named-checkzone</strong></span>).
3830                  For NS records only names below top of zone are
3831                  checked (for out-of-zone names and glue consistency
3832                  checks use <span class="command"><strong>named-checkzone</strong></span>).
3833                  The default is <span class="command"><strong>yes</strong></span>.
3834                </p>
3835<p>
3836                  The use of the SPF record for publishing Sender
3837                  Policy Framework is deprecated as the migration
3838                  from using TXT records to SPF records was abandoned.
3839                  Enabling this option also checks that a TXT Sender
3840                  Policy Framework record exists (starts with "v=spf1")
3841                  if there is an SPF record. Warnings are emitted if the
3842                  TXT record does not exist and can be suppressed with
3843                  <span class="command"><strong>check-spf</strong></span>.
3844                </p>
3845</dd>
3846<dt><span class="term"><span class="command"><strong>check-mx-cname</strong></span></span></dt>
3847<dd><p>
3848                  If <span class="command"><strong>check-integrity</strong></span> is set then
3849                  fail, warn or ignore MX records that refer
3850                  to CNAMES.  The default is to <span class="command"><strong>warn</strong></span>.
3851                </p></dd>
3852<dt><span class="term"><span class="command"><strong>check-srv-cname</strong></span></span></dt>
3853<dd><p>
3854                  If <span class="command"><strong>check-integrity</strong></span> is set then
3855                  fail, warn or ignore SRV records that refer
3856                  to CNAMES.  The default is to <span class="command"><strong>warn</strong></span>.
3857                </p></dd>
3858<dt><span class="term"><span class="command"><strong>check-sibling</strong></span></span></dt>
3859<dd><p>
3860                  When performing integrity checks, also check that
3861                  sibling glue exists.  The default is <span class="command"><strong>yes</strong></span>.
3862                </p></dd>
3863<dt><span class="term"><span class="command"><strong>check-spf</strong></span></span></dt>
3864<dd><p>
3865                  If <span class="command"><strong>check-integrity</strong></span> is set then
3866                  check that there is a TXT Sender Policy Framework
3867                  record present (starts with "v=spf1") if there is an
3868                  SPF record present. The default is
3869                  <span class="command"><strong>warn</strong></span>.
3870                </p></dd>
3871<dt><span class="term"><span class="command"><strong>zero-no-soa-ttl</strong></span></span></dt>
3872<dd><p>
3873                  When returning authoritative negative responses to
3874                  SOA queries set the TTL of the SOA record returned in
3875                  the authority section to zero.
3876                  The default is <span class="command"><strong>yes</strong></span>.
3877                </p></dd>
3878<dt><span class="term"><span class="command"><strong>zero-no-soa-ttl-cache</strong></span></span></dt>
3879<dd><p>
3880                  When caching a negative response to a SOA query
3881                  set the TTL to zero.
3882                  The default is <span class="command"><strong>no</strong></span>.
3883                </p></dd>
3884<dt><span class="term"><span class="command"><strong>update-check-ksk</strong></span></span></dt>
3885<dd>
3886<p>
3887                  When set to the default value of <code class="literal">yes</code>,
3888                  check the KSK bit in each key to determine how the key
3889                  should be used when generating RRSIGs for a secure zone.
3890                </p>
3891<p>
3892                  Ordinarily, zone-signing keys (that is, keys without the
3893                  KSK bit set) are used to sign the entire zone, while
3894                  key-signing keys (keys with the KSK bit set) are only
3895                  used to sign the DNSKEY RRset at the zone apex.
3896                  However, if this option is set to <code class="literal">no</code>,
3897                  then the KSK bit is ignored; KSKs are treated as if they
3898                  were ZSKs and are used to sign the entire zone.  This is
3899                  similar to the <span class="command"><strong>dnssec-signzone -z</strong></span>
3900                  command line option.
3901                </p>
3902<p>
3903                  When this option is set to <code class="literal">yes</code>, there
3904                  must be at least two active keys for every algorithm
3905                  represented in the DNSKEY RRset: at least one KSK and one
3906                  ZSK per algorithm.  If there is any algorithm for which
3907                  this requirement is not met, this option will be ignored
3908                  for that algorithm.
3909                </p>
3910</dd>
3911<dt><span class="term"><span class="command"><strong>dnssec-dnskey-kskonly</strong></span></span></dt>
3912<dd>
3913<p>
3914                  When this option and <span class="command"><strong>update-check-ksk</strong></span>
3915                  are both set to <code class="literal">yes</code>, only key-signing
3916                  keys (that is, keys with the KSK bit set) will be used
3917                  to sign the DNSKEY RRset at the zone apex.  Zone-signing
3918                  keys (keys without the KSK bit set) will be used to sign
3919                  the remainder of the zone, but not the DNSKEY RRset.
3920                  This is similar to the
3921                  <span class="command"><strong>dnssec-signzone -x</strong></span> command line option.
3922                </p>
3923<p>
3924                  The default is <span class="command"><strong>no</strong></span>.  If
3925                  <span class="command"><strong>update-check-ksk</strong></span> is set to
3926                  <code class="literal">no</code>, this option is ignored.
3927                </p>
3928</dd>
3929<dt><span class="term"><span class="command"><strong>try-tcp-refresh</strong></span></span></dt>
3930<dd><p>
3931                  Try to refresh the zone using TCP if UDP queries fail.
3932                  For BIND 8 compatibility, the default is
3933                  <span class="command"><strong>yes</strong></span>.
3934                </p></dd>
3935<dt><span class="term"><span class="command"><strong>dnssec-secure-to-insecure</strong></span></span></dt>
3936<dd>
3937<p>
3938                  Allow a dynamic zone to transition from secure to
3939                  insecure (i.e., signed to unsigned) by deleting all
3940                  of the DNSKEY records.  The default is <span class="command"><strong>no</strong></span>.
3941                  If set to <span class="command"><strong>yes</strong></span>, and if the DNSKEY RRset
3942                  at the zone apex is deleted, all RRSIG and NSEC records
3943                  will be removed from the zone as well.
3944                </p>
3945<p>
3946                  If the zone uses NSEC3, then it is also necessary to
3947                  delete the NSEC3PARAM RRset from the zone apex; this will
3948                  cause the removal of all corresponding NSEC3 records.
3949                  (It is expected that this requirement will be eliminated
3950                  in a future release.)
3951                </p>
3952<p>
3953                  Note that if a zone has been configured with
3954                  <span class="command"><strong>auto-dnssec maintain</strong></span> and the
3955                  private keys remain accessible in the key repository,
3956                  then the zone will be automatically signed again the
3957                  next time <span class="command"><strong>named</strong></span> is started.
3958                </p>
3959</dd>
3960</dl></div>
3961</div>
3962<div class="section">
3963<div class="titlepage"><div><div><h4 class="title">
3964<a name="forwarding"></a>Forwarding</h4></div></div></div>
3965<p>
3966            The forwarding facility can be used to create a large site-wide
3967            cache on a few servers, reducing traffic over links to external
3968            name servers. It can also be used to allow queries by servers that
3969            do not have direct access to the Internet, but wish to look up
3970            exterior
3971            names anyway. Forwarding occurs only on those queries for which
3972            the server is not authoritative and does not have the answer in
3973            its cache.
3974          </p>
3975<div class="variablelist"><dl class="variablelist">
3976<dt><span class="term"><span class="command"><strong>forward</strong></span></span></dt>
3977<dd><p>
3978                  This option is only meaningful if the
3979                  forwarders list is not empty. A value of <code class="varname">first</code>,
3980                  the default, causes the server to query the forwarders
3981                  first &#8212; and
3982                  if that doesn't answer the question, the server will then
3983                  look for
3984                  the answer itself. If <code class="varname">only</code> is
3985                  specified, the
3986                  server will only query the forwarders.
3987                </p></dd>
3988<dt><span class="term"><span class="command"><strong>forwarders</strong></span></span></dt>
3989<dd><p>
3990                  Specifies the IP addresses to be used
3991                  for forwarding. The default is the empty list (no
3992                  forwarding).
3993                </p></dd>
3994</dl></div>
3995<p>
3996            Forwarding can also be configured on a per-domain basis, allowing
3997            for the global forwarding options to be overridden in a variety
3998            of ways. You can set particular domains to use different
3999            forwarders,
4000            or have a different <span class="command"><strong>forward only/first</strong></span> behavior,
4001            or not forward at all, see <a class="xref" href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone Statement Grammar">the section called &#8220;<span class="command"><strong>zone</strong></span>
4002            Statement Grammar&#8221;</a>.
4003          </p>
4004</div>
4005<div class="section">
4006<div class="titlepage"><div><div><h4 class="title">
4007<a name="dual_stack"></a>Dual-stack Servers</h4></div></div></div>
4008<p>
4009            Dual-stack servers are used as servers of last resort to work
4010            around
4011            problems in reachability due the lack of support for either IPv4
4012            or IPv6
4013            on the host machine.
4014          </p>
4015<div class="variablelist"><dl class="variablelist">
4016<dt><span class="term"><span class="command"><strong>dual-stack-servers</strong></span></span></dt>
4017<dd><p>
4018                  Specifies host names or addresses of machines with access to
4019                  both IPv4 and IPv6 transports. If a hostname is used, the
4020                  server must be able
4021                  to resolve the name using only the transport it has.  If the
4022                  machine is dual
4023                  stacked, then the <span class="command"><strong>dual-stack-servers</strong></span> have no effect unless
4024                  access to a transport has been disabled on the command line
4025                  (e.g. <span class="command"><strong>named -4</strong></span>).
4026                </p></dd>
4027</dl></div>
4028</div>
4029<div class="section">
4030<div class="titlepage"><div><div><h4 class="title">
4031<a name="access_control"></a>Access Control</h4></div></div></div>
4032<p>
4033            Access to the server can be restricted based on the IP address
4034            of the requesting system. See <a class="xref" href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a> for
4035            details on how to specify IP address lists.
4036          </p>
4037<div class="variablelist"><dl class="variablelist">
4038<dt><span class="term"><span class="command"><strong>allow-notify</strong></span></span></dt>
4039<dd><p>
4040                  Specifies which hosts are allowed to
4041                  notify this server, a slave, of zone changes in addition
4042                  to the zone masters.
4043                  <span class="command"><strong>allow-notify</strong></span> may also be
4044                  specified in the
4045                  <span class="command"><strong>zone</strong></span> statement, in which case
4046                  it overrides the
4047                  <span class="command"><strong>options allow-notify</strong></span>
4048                  statement.  It is only meaningful
4049                  for a slave zone.  If not specified, the default is to
4050                  process notify messages
4051                  only from a zone's master.
4052                </p></dd>
4053<dt><span class="term"><span class="command"><strong>allow-query</strong></span></span></dt>
4054<dd>
4055<p>
4056                  Specifies which hosts are allowed to ask ordinary
4057                  DNS questions. <span class="command"><strong>allow-query</strong></span> may
4058                  also be specified in the <span class="command"><strong>zone</strong></span>
4059                  statement, in which case it overrides the
4060                  <span class="command"><strong>options allow-query</strong></span> statement.
4061                  If not specified, the default is to allow queries
4062                  from all hosts.
4063                </p>
4064<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
4065<h3 class="title">Note</h3>
4066<p>
4067                    <span class="command"><strong>allow-query-cache</strong></span> is now
4068                    used to specify access to the cache.
4069                  </p>
4070</div>
4071</dd>
4072<dt><span class="term"><span class="command"><strong>allow-query-on</strong></span></span></dt>
4073<dd>
4074<p>
4075                  Specifies which local addresses can accept ordinary
4076                  DNS questions. This makes it possible, for instance,
4077                  to allow queries on internal-facing interfaces but
4078                  disallow them on external-facing ones, without
4079                  necessarily knowing the internal network's addresses.
4080                </p>
4081<p>
4082                  Note that <span class="command"><strong>allow-query-on</strong></span> is only
4083                  checked for queries that are permitted by
4084                  <span class="command"><strong>allow-query</strong></span>.  A query must be
4085                  allowed by both ACLs, or it will be refused.
4086                </p>
4087<p>
4088                  <span class="command"><strong>allow-query-on</strong></span> may
4089                  also be specified in the <span class="command"><strong>zone</strong></span>
4090                  statement, in which case it overrides the
4091                  <span class="command"><strong>options allow-query-on</strong></span> statement.
4092                </p>
4093<p>
4094                  If not specified, the default is to allow queries
4095                  on all addresses.
4096                </p>
4097<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
4098<h3 class="title">Note</h3>
4099<p>
4100                    <span class="command"><strong>allow-query-cache</strong></span> is
4101                    used to specify access to the cache.
4102                  </p>
4103</div>
4104</dd>
4105<dt><span class="term"><span class="command"><strong>allow-query-cache</strong></span></span></dt>
4106<dd><p>
4107                  Specifies which hosts are allowed to get answers
4108                  from the cache.  If <span class="command"><strong>allow-query-cache</strong></span>
4109                  is not set then <span class="command"><strong>allow-recursion</strong></span>
4110                  is used if set, otherwise <span class="command"><strong>allow-query</strong></span>
4111                  is used if set unless <span class="command"><strong>recursion no;</strong></span> is
4112                  set in which case <span class="command"><strong>none;</strong></span> is used,
4113                  otherwise the default (<span class="command"><strong>localnets;</strong></span>
4114                  <span class="command"><strong>localhost;</strong></span>) is used.
4115                </p></dd>
4116<dt><span class="term"><span class="command"><strong>allow-query-cache-on</strong></span></span></dt>
4117<dd><p>
4118                  Specifies which local addresses can give answers
4119                  from the cache.  If not specified, the default is
4120                  to allow cache queries on any address,
4121                  <span class="command"><strong>localnets</strong></span> and
4122                  <span class="command"><strong>localhost</strong></span>.
4123                </p></dd>
4124<dt><span class="term"><span class="command"><strong>allow-recursion</strong></span></span></dt>
4125<dd><p>
4126                  Specifies which hosts are allowed to make recursive
4127                  queries through this server. If
4128                  <span class="command"><strong>allow-recursion</strong></span> is not set
4129                  then <span class="command"><strong>allow-query-cache</strong></span> is
4130                  used if set, otherwise <span class="command"><strong>allow-query</strong></span>
4131                  is used if set, otherwise the default
4132                  (<span class="command"><strong>localnets;</strong></span>
4133                  <span class="command"><strong>localhost;</strong></span>) is used.
4134                </p></dd>
4135<dt><span class="term"><span class="command"><strong>allow-recursion-on</strong></span></span></dt>
4136<dd><p>
4137                  Specifies which local addresses can accept recursive
4138                  queries.  If not specified, the default is to allow
4139                  recursive queries on all addresses.
4140                </p></dd>
4141<dt><span class="term"><span class="command"><strong>allow-update</strong></span></span></dt>
4142<dd><p>
4143                  Specifies which hosts are allowed to
4144                  submit Dynamic DNS updates for master zones. The default is
4145                  to deny
4146                  updates from all hosts.  Note that allowing updates based
4147                  on the requestor's IP address is insecure; see
4148                  <a class="xref" href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for details.
4149                </p></dd>
4150<dt><span class="term"><span class="command"><strong>allow-update-forwarding</strong></span></span></dt>
4151<dd>
4152<p>
4153                  Specifies which hosts are allowed to
4154                  submit Dynamic DNS updates to slave zones to be forwarded to
4155                  the
4156                  master.  The default is <strong class="userinput"><code>{ none; }</code></strong>,
4157                  which
4158                  means that no update forwarding will be performed.  To
4159                  enable
4160                  update forwarding, specify
4161                  <strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
4162                  Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
4163                  <strong class="userinput"><code>{ any; }</code></strong> is usually
4164                  counterproductive, since
4165                  the responsibility for update access control should rest
4166                  with the
4167                  master server, not the slaves.
4168                </p>
4169<p>
4170                  Note that enabling the update forwarding feature on a slave
4171                  server
4172                  may expose master servers relying on insecure IP address
4173                  based
4174                  access control to attacks; see <a class="xref" href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a>
4175                  for more details.
4176                </p>
4177</dd>
4178<dt><span class="term"><span class="command"><strong>allow-v6-synthesis</strong></span></span></dt>
4179<dd><p>
4180                  This option was introduced for the smooth transition from
4181                  AAAA
4182                  to A6 and from "nibble labels" to binary labels.
4183                  However, since both A6 and binary labels were then
4184                  deprecated,
4185                  this option was also deprecated.
4186                  It is now ignored with some warning messages.
4187                </p></dd>
4188<dt><span class="term"><span class="command"><strong>allow-transfer</strong></span></span></dt>
4189<dd><p>
4190                  Specifies which hosts are allowed to
4191                  receive zone transfers from the server. <span class="command"><strong>allow-transfer</strong></span> may
4192                  also be specified in the <span class="command"><strong>zone</strong></span>
4193                  statement, in which
4194                  case it overrides the <span class="command"><strong>options allow-transfer</strong></span> statement.
4195                  If not specified, the default is to allow transfers to all
4196                  hosts.
4197                </p></dd>
4198<dt><span class="term"><span class="command"><strong>blackhole</strong></span></span></dt>
4199<dd><p>
4200                  Specifies a list of addresses that the
4201                  server will not accept queries from or use to resolve a
4202                  query. Queries
4203                  from these addresses will not be responded to. The default
4204                  is <strong class="userinput"><code>none</code></strong>.
4205                </p></dd>
4206<dt><span class="term"><span class="command"><strong>filter-aaaa</strong></span></span></dt>
4207<dd><p>
4208                  Specifies a list of addresses to which
4209                  <span class="command"><strong>filter-aaaa-on-v4</strong></span>
4210                  is applies.  The default is <strong class="userinput"><code>any</code></strong>.
4211                </p></dd>
4212<dt><span class="term"><span class="command"><strong>no-case-compress</strong></span></span></dt>
4213<dd>
4214<p>
4215                  Specifies a list of addresses which require responses
4216                  to use case-insensitive compression.  This ACL can be
4217                  used when <span class="command"><strong>named</strong></span> needs to work with
4218                  clients that do not comply with the requirement in RFC
4219                  1034 to use case-insensitive name comparisons when
4220                  checking for matching domain names.
4221                </p>
4222<p>
4223                  If left undefined, the ACL defaults to
4224                  <span class="command"><strong>none</strong></span>: case-insensitive compression
4225                  will be used for all clients.  If the ACL is defined and
4226                  matches a client, then case will be ignored when
4227                  compressing domain names in DNS responses sent to that
4228                  client.
4229                </p>
4230<p>
4231                  This can result in slightly smaller responses: if
4232                  a response contains the names "example.com" and
4233                  "example.COM", case-insensitive compression would treat
4234                  the second one as a duplicate.  It also ensures
4235                  that the case of the query name exactly matches the
4236                  case of the owner names of returned records, rather
4237                  than matching the case of the records entered in
4238                  the zone file.  This allows responses to exactly
4239                  match the query, which is required by some clients
4240                  due to incorrect use of case-sensitive comparisons.
4241                </p>
4242<p>
4243                  Case-insensitive compression is <span class="emphasis"><em>always</em></span>
4244                  used in AXFR and IXFR responses, regardless of whether
4245                  the client matches this ACL.
4246                </p>
4247<p>
4248                  There are circumstances in which <span class="command"><strong>named</strong></span>
4249                  will not preserve the case of owner names of records:
4250                  if a zone file defines records of different types with
4251                  the same name, but the capitalization of the name is
4252                  different (e.g., "www.example.com/A" and
4253                  "WWW.EXAMPLE.COM/AAAA"), then all responses for that
4254                  name will use the <span class="emphasis"><em>first</em></span> version
4255                  of the name that was used in the zone file.  This
4256                  limitation may be addressed in a future release.  However,
4257                  domain names specified in the rdata of resource records
4258                  (i.e., records of type NS, MX, CNAME, etc) will always
4259                  have their case preserved unless the client matches this
4260                  ACL.
4261                </p>
4262</dd>
4263<dt><span class="term"><span class="command"><strong>resolver-query-timeout</strong></span></span></dt>
4264<dd><p>
4265                  The amount of time the resolver will spend attempting
4266                  to resolve a recursive query before failing.  The default
4267                  and minimum is <code class="literal">10</code> and the maximum is
4268                  <code class="literal">30</code>.  Setting it to <code class="literal">0</code>
4269                  will result in the default being used.
4270                </p></dd>
4271</dl></div>
4272</div>
4273<div class="section">
4274<div class="titlepage"><div><div><h4 class="title">
4275<a name="interfaces"></a>Interfaces</h4></div></div></div>
4276<p>
4277            The interfaces and ports that the server will answer queries
4278            from may be specified using the <span class="command"><strong>listen-on</strong></span> option. <span class="command"><strong>listen-on</strong></span> takes
4279            an optional port and an <code class="varname">address_match_list</code>
4280            of IPv4 addresses.  (IPv6 addresses are ignored, with a
4281            logged warning.)
4282            The server will listen on all interfaces allowed by the address
4283            match list. If a port is not specified, port 53 will be used.
4284          </p>
4285<p>
4286            Multiple <span class="command"><strong>listen-on</strong></span> statements are
4287            allowed.
4288            For example,
4289          </p>
4290<pre class="programlisting">listen-on { 5.6.7.8; };
4291listen-on port 1234 { !1.2.3.4; 1.2/16; };
4292</pre>
4293<p>
4294            will enable the name server on port 53 for the IP address
4295            5.6.7.8, and on port 1234 of an address on the machine in net
4296            1.2 that is not 1.2.3.4.
4297          </p>
4298<p>
4299            If no <span class="command"><strong>listen-on</strong></span> is specified, the
4300            server will listen on port 53 on all IPv4 interfaces.
4301          </p>
4302<p>
4303            The <span class="command"><strong>listen-on-v6</strong></span> option is used to
4304            specify the interfaces and the ports on which the server will
4305            listen
4306            for incoming queries sent using IPv6.
4307          </p>
4308<p>
4309            When </p>
4310<pre class="programlisting">{ any; }</pre>
4311<p> is
4312            specified
4313            as the <code class="varname">address_match_list</code> for the
4314            <span class="command"><strong>listen-on-v6</strong></span> option,
4315            the server does not bind a separate socket to each IPv6 interface
4316            address as it does for IPv4 if the operating system has enough API
4317            support for IPv6 (specifically if it conforms to RFC 3493 and RFC
4318            3542).
4319            Instead, it listens on the IPv6 wildcard address.
4320            If the system only has incomplete API support for IPv6, however,
4321            the behavior is the same as that for IPv4.
4322          </p>
4323<p>
4324            A list of particular IPv6 addresses can also be specified, in
4325            which case
4326            the server listens on a separate socket for each specified
4327            address,
4328            regardless of whether the desired API is supported by the system.
4329            IPv4 addresses specified in <span class="command"><strong>listen-on-v6</strong></span>
4330            will be ignored, with a logged warning.
4331          </p>
4332<p>
4333            Multiple <span class="command"><strong>listen-on-v6</strong></span> options can
4334            be used.
4335            For example,
4336          </p>
4337<pre class="programlisting">listen-on-v6 { any; };
4338listen-on-v6 port 1234 { !2001:db8::/32; any; };
4339</pre>
4340<p>
4341            will enable the name server on port 53 for any IPv6 addresses
4342            (with a single wildcard socket),
4343            and on port 1234 of IPv6 addresses that is not in the prefix
4344            2001:db8::/32 (with separate sockets for each matched address.)
4345          </p>
4346<p>
4347            To make the server not listen on any IPv6 address, use
4348          </p>
4349<pre class="programlisting">listen-on-v6 { none; };
4350</pre>
4351<p>
4352            If no <span class="command"><strong>listen-on-v6</strong></span> option is
4353            specified, the server will not listen on any IPv6 address
4354            unless <span class="command"><strong>-6</strong></span> is specified when <span class="command"><strong>named</strong></span> is
4355            invoked.  If <span class="command"><strong>-6</strong></span> is specified then
4356            <span class="command"><strong>named</strong></span> will listen on port 53 on all IPv6 interfaces by default.
4357          </p>
4358</div>
4359<div class="section">
4360<div class="titlepage"><div><div><h4 class="title">
4361<a name="query_address"></a>Query Address</h4></div></div></div>
4362<p>
4363            If the server doesn't know the answer to a question, it will
4364            query other name servers. <span class="command"><strong>query-source</strong></span> specifies
4365            the address and port used for such queries. For queries sent over
4366            IPv6, there is a separate <span class="command"><strong>query-source-v6</strong></span> option.
4367            If <span class="command"><strong>address</strong></span> is <span class="command"><strong>*</strong></span> (asterisk) or is omitted,
4368            a wildcard IP address (<span class="command"><strong>INADDR_ANY</strong></span>)
4369            will be used.
4370          </p>
4371<p>
4372            If <span class="command"><strong>port</strong></span> is <span class="command"><strong>*</strong></span> or is omitted,
4373            a random port number from a pre-configured
4374            range is picked up and will be used for each query.
4375            The port range(s) is that specified in
4376            the <span class="command"><strong>use-v4-udp-ports</strong></span> (for IPv4)
4377            and <span class="command"><strong>use-v6-udp-ports</strong></span> (for IPv6)
4378            options, excluding the ranges specified in
4379            the <span class="command"><strong>avoid-v4-udp-ports</strong></span>
4380            and <span class="command"><strong>avoid-v6-udp-ports</strong></span> options, respectively.
4381          </p>
4382<p>
4383            The defaults of the <span class="command"><strong>query-source</strong></span> and
4384            <span class="command"><strong>query-source-v6</strong></span> options
4385            are:
4386          </p>
4387<pre class="programlisting">query-source address * port *;
4388query-source-v6 address * port *;
4389</pre>
4390<p>
4391            If <span class="command"><strong>use-v4-udp-ports</strong></span> or
4392            <span class="command"><strong>use-v6-udp-ports</strong></span> is unspecified,
4393            <span class="command"><strong>named</strong></span> will check if the operating
4394            system provides a programming interface to retrieve the
4395            system's default range for ephemeral ports.
4396            If such an interface is available,
4397            <span class="command"><strong>named</strong></span> will use the corresponding system
4398            default range; otherwise, it will use its own defaults:
4399         </p>
4400<pre class="programlisting">use-v4-udp-ports { range 1024 65535; };
4401use-v6-udp-ports { range 1024 65535; };
4402</pre>
4403<p>
4404            Note: make sure the ranges be sufficiently large for
4405            security.  A desirable size depends on various parameters,
4406            but we generally recommend it contain at least 16384 ports
4407            (14 bits of entropy).
4408            Note also that the system's default range when used may be
4409            too small for this purpose, and that the range may even be
4410            changed while <span class="command"><strong>named</strong></span> is running; the new
4411            range will automatically be applied when <span class="command"><strong>named</strong></span>
4412            is reloaded.
4413            It is encouraged to
4414            configure <span class="command"><strong>use-v4-udp-ports</strong></span> and
4415            <span class="command"><strong>use-v6-udp-ports</strong></span> explicitly so that the
4416            ranges are sufficiently large and are reasonably
4417            independent from the ranges used by other applications.
4418          </p>
4419<p>
4420            Note: the operational configuration
4421            where <span class="command"><strong>named</strong></span> runs may prohibit the use
4422            of some ports.  For example, UNIX systems will not allow
4423            <span class="command"><strong>named</strong></span> running without a root privilege
4424            to use ports less than 1024.
4425            If such ports are included in the specified (or detected)
4426            set of query ports, the corresponding query attempts will
4427            fail, resulting in resolution failures or delay.
4428            It is therefore important to configure the set of ports
4429            that can be safely used in the expected operational environment.
4430          </p>
4431<p>
4432            The defaults of the <span class="command"><strong>avoid-v4-udp-ports</strong></span> and
4433            <span class="command"><strong>avoid-v6-udp-ports</strong></span> options
4434            are:
4435          </p>
4436<pre class="programlisting">avoid-v4-udp-ports {};
4437avoid-v6-udp-ports {};
4438</pre>
4439<p>
4440            Note: BIND 9.5.0 introduced
4441            the <span class="command"><strong>use-queryport-pool</strong></span>
4442            option to support a pool of such random ports, but this
4443            option is now obsolete because reusing the same ports in
4444            the pool may not be sufficiently secure.
4445            For the same reason, it is generally strongly discouraged to
4446            specify a particular port for the
4447            <span class="command"><strong>query-source</strong></span> or
4448            <span class="command"><strong>query-source-v6</strong></span> options;
4449            it implicitly disables the use of randomized port numbers.
4450          </p>
4451<div class="variablelist"><dl class="variablelist">
4452<dt><span class="term"><span class="command"><strong>use-queryport-pool</strong></span></span></dt>
4453<dd><p>
4454                  This option is obsolete.
4455                </p></dd>
4456<dt><span class="term"><span class="command"><strong>queryport-pool-ports</strong></span></span></dt>
4457<dd><p>
4458                  This option is obsolete.
4459                </p></dd>
4460<dt><span class="term"><span class="command"><strong>queryport-pool-updateinterval</strong></span></span></dt>
4461<dd><p>
4462                  This option is obsolete.
4463                </p></dd>
4464</dl></div>
4465<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
4466<h3 class="title">Note</h3>
4467<p>
4468              The address specified in the <span class="command"><strong>query-source</strong></span> option
4469              is used for both UDP and TCP queries, but the port applies only
4470              to UDP queries.  TCP queries always use a random
4471              unprivileged port.
4472            </p>
4473</div>
4474<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
4475<h3 class="title">Note</h3>
4476<p>
4477              Solaris 2.5.1 and earlier does not support setting the source
4478              address for TCP sockets.
4479            </p>
4480</div>
4481<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
4482<h3 class="title">Note</h3>
4483<p>
4484              See also <span class="command"><strong>transfer-source</strong></span> and
4485              <span class="command"><strong>notify-source</strong></span>.
4486            </p>
4487</div>
4488</div>
4489<div class="section">
4490<div class="titlepage"><div><div><h4 class="title">
4491<a name="zone_transfers"></a>Zone Transfers</h4></div></div></div>
4492<p>
4493            <acronym class="acronym">BIND</acronym> has mechanisms in place to
4494            facilitate zone transfers
4495            and set limits on the amount of load that transfers place on the
4496            system. The following options apply to zone transfers.
4497          </p>
4498<div class="variablelist"><dl class="variablelist">
4499<dt><span class="term"><span class="command"><strong>also-notify</strong></span></span></dt>
4500<dd>
4501<p>
4502                  Defines a global list of IP addresses of name servers
4503                  that are also sent NOTIFY messages whenever a fresh copy of
4504                  the
4505                  zone is loaded, in addition to the servers listed in the
4506                  zone's NS records.
4507                  This helps to ensure that copies of the zones will
4508                  quickly converge on stealth servers.
4509                  Optionally, a port may be specified with each
4510                  <span class="command"><strong>also-notify</strong></span> address to send
4511                  the notify messages to a port other than the
4512                  default of 53.
4513                  An optional TSIG key can also be specified with each
4514                  address to cause the notify messages to be signed; this
4515                  can be useful when sending notifies to multiple views.
4516                  In place of explicit addresses, one or more named
4517                  <span class="command"><strong>masters</strong></span> lists can be used.
4518                </p>
4519<p>
4520                  If an <span class="command"><strong>also-notify</strong></span> list
4521                  is given in a <span class="command"><strong>zone</strong></span> statement,
4522                  it will override
4523                  the <span class="command"><strong>options also-notify</strong></span>
4524                  statement. When a <span class="command"><strong>zone notify</strong></span>
4525                  statement
4526                  is set to <span class="command"><strong>no</strong></span>, the IP
4527                  addresses in the global <span class="command"><strong>also-notify</strong></span> list will
4528                  not be sent NOTIFY messages for that zone. The default is
4529                  the empty
4530                  list (no global notification list).
4531                </p>
4532</dd>
4533<dt><span class="term"><span class="command"><strong>max-transfer-time-in</strong></span></span></dt>
4534<dd><p>
4535                  Inbound zone transfers running longer than
4536                  this many minutes will be terminated. The default is 120
4537                  minutes
4538                  (2 hours).  The maximum value is 28 days (40320 minutes).
4539                </p></dd>
4540<dt><span class="term"><span class="command"><strong>max-transfer-idle-in</strong></span></span></dt>
4541<dd><p>
4542                  Inbound zone transfers making no progress
4543                  in this many minutes will be terminated. The default is 60
4544                  minutes
4545                  (1 hour).  The maximum value is 28 days (40320 minutes).
4546                </p></dd>
4547<dt><span class="term"><span class="command"><strong>max-transfer-time-out</strong></span></span></dt>
4548<dd><p>
4549                  Outbound zone transfers running longer than
4550                  this many minutes will be terminated. The default is 120
4551                  minutes
4552                  (2 hours).  The maximum value is 28 days (40320 minutes).
4553                </p></dd>
4554<dt><span class="term"><span class="command"><strong>max-transfer-idle-out</strong></span></span></dt>
4555<dd><p>
4556                  Outbound zone transfers making no progress
4557                  in this many minutes will be terminated.  The default is 60
4558                  minutes (1
4559                  hour).  The maximum value is 28 days (40320 minutes).
4560                </p></dd>
4561<dt><span class="term"><span class="command"><strong>serial-query-rate</strong></span></span></dt>
4562<dd>
4563<p>
4564                  Slave servers will periodically query master
4565                  servers to find out if zone serial numbers have
4566                  changed. Each such query uses a minute amount of
4567                  the slave server's network bandwidth.  To limit
4568                  the amount of bandwidth used, BIND 9 limits the
4569                  rate at which queries are sent.  The value of the
4570                  <span class="command"><strong>serial-query-rate</strong></span> option, an
4571                  integer, is the maximum number of queries sent
4572                  per second.  The default is 20 per second.
4573                  The lowest possible rate is one per second; when set
4574                  to zero, it will be silently raised to one.
4575                </p>
4576<p>
4577                  In addition to controlling the rate SOA refresh
4578                  queries are issued at,
4579                  <span class="command"><strong>serial-query-rate</strong></span> also controls
4580                  the rate at which NOTIFY messages are sent from
4581                  both master and slave zones.
4582                </p>
4583</dd>
4584<dt><span class="term"><span class="command"><strong>serial-queries</strong></span></span></dt>
4585<dd><p>
4586                  In BIND 8, the <span class="command"><strong>serial-queries</strong></span>
4587                  option
4588                  set the maximum number of concurrent serial number queries
4589                  allowed to be outstanding at any given time.
4590                  BIND 9 does not limit the number of outstanding
4591                  serial queries and ignores the <span class="command"><strong>serial-queries</strong></span> option.
4592                  Instead, it limits the rate at which the queries are sent
4593                  as defined using the <span class="command"><strong>serial-query-rate</strong></span> option.
4594                </p></dd>
4595<dt><span class="term"><span class="command"><strong>transfer-format</strong></span></span></dt>
4596<dd><p>
4597                  Zone transfers can be sent using two different formats,
4598                  <span class="command"><strong>one-answer</strong></span> and
4599                  <span class="command"><strong>many-answers</strong></span>.
4600                  The <span class="command"><strong>transfer-format</strong></span> option is used
4601                  on the master server to determine which format it sends.
4602                  <span class="command"><strong>one-answer</strong></span> uses one DNS message per
4603                  resource record transferred.
4604                  <span class="command"><strong>many-answers</strong></span> packs as many resource
4605                  records as possible into a message.
4606                  <span class="command"><strong>many-answers</strong></span> is more efficient, but is
4607                  only supported by relatively new slave servers,
4608                  such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
4609                  8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards.
4610                  The <span class="command"><strong>many-answers</strong></span> format is also supported by
4611                  recent Microsoft Windows nameservers.
4612                  The default is <span class="command"><strong>many-answers</strong></span>.
4613                  <span class="command"><strong>transfer-format</strong></span> may be overridden on a
4614                  per-server basis by using the <span class="command"><strong>server</strong></span>
4615                  statement.
4616                </p></dd>
4617<dt><span class="term"><span class="command"><strong>transfers-in</strong></span></span></dt>
4618<dd><p>
4619                  The maximum number of inbound zone transfers
4620                  that can be running concurrently. The default value is <code class="literal">10</code>.
4621                  Increasing <span class="command"><strong>transfers-in</strong></span> may
4622                  speed up the convergence
4623                  of slave zones, but it also may increase the load on the
4624                  local system.
4625                </p></dd>
4626<dt><span class="term"><span class="command"><strong>transfers-out</strong></span></span></dt>
4627<dd><p>
4628                  The maximum number of outbound zone transfers
4629                  that can be running concurrently. Zone transfer requests in
4630                  excess
4631                  of the limit will be refused. The default value is <code class="literal">10</code>.
4632                </p></dd>
4633<dt><span class="term"><span class="command"><strong>transfers-per-ns</strong></span></span></dt>
4634<dd><p>
4635                  The maximum number of inbound zone transfers
4636                  that can be concurrently transferring from a given remote
4637                  name server.
4638                  The default value is <code class="literal">2</code>.
4639                  Increasing <span class="command"><strong>transfers-per-ns</strong></span>
4640                  may
4641                  speed up the convergence of slave zones, but it also may
4642                  increase
4643                  the load on the remote name server. <span class="command"><strong>transfers-per-ns</strong></span> may
4644                  be overridden on a per-server basis by using the <span class="command"><strong>transfers</strong></span> phrase
4645                  of the <span class="command"><strong>server</strong></span> statement.
4646                </p></dd>
4647<dt><span class="term"><span class="command"><strong>transfer-source</strong></span></span></dt>
4648<dd>
4649<p><span class="command"><strong>transfer-source</strong></span>
4650                  determines which local address will be bound to IPv4
4651                  TCP connections used to fetch zones transferred
4652                  inbound by the server.  It also determines the
4653                  source IPv4 address, and optionally the UDP port,
4654                  used for the refresh queries and forwarded dynamic
4655                  updates.  If not set, it defaults to a system
4656                  controlled value which will usually be the address
4657                  of the interface "closest to" the remote end. This
4658                  address must appear in the remote end's
4659                  <span class="command"><strong>allow-transfer</strong></span> option for the
4660                  zone being transferred, if one is specified. This
4661                  statement sets the
4662                  <span class="command"><strong>transfer-source</strong></span> for all zones,
4663                  but can be overridden on a per-view or per-zone
4664                  basis by including a
4665                  <span class="command"><strong>transfer-source</strong></span> statement within
4666                  the <span class="command"><strong>view</strong></span> or
4667                  <span class="command"><strong>zone</strong></span> block in the configuration
4668                  file.
4669                </p>
4670<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
4671<h3 class="title">Note</h3>
4672<p>
4673                    Solaris 2.5.1 and earlier does not support setting the
4674                    source address for TCP sockets.
4675                  </p>
4676</div>
4677</dd>
4678<dt><span class="term"><span class="command"><strong>transfer-source-v6</strong></span></span></dt>
4679<dd><p>
4680                  The same as <span class="command"><strong>transfer-source</strong></span>,
4681                  except zone transfers are performed using IPv6.
4682                </p></dd>
4683<dt><span class="term"><span class="command"><strong>alt-transfer-source</strong></span></span></dt>
4684<dd>
4685<p>
4686                  An alternate transfer source if the one listed in
4687                  <span class="command"><strong>transfer-source</strong></span> fails and
4688                  <span class="command"><strong>use-alt-transfer-source</strong></span> is
4689                  set.
4690                </p>
4691<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
4692<h3 class="title">Note</h3>
4693<p>
4694                  If you do not wish the alternate transfer source
4695                  to be used, you should set
4696                  <span class="command"><strong>use-alt-transfer-source</strong></span>
4697                  appropriately and you should not depend upon
4698                  getting an answer back to the first refresh
4699                  query.
4700                </p>
4701</div>
4702</dd>
4703<dt><span class="term"><span class="command"><strong>alt-transfer-source-v6</strong></span></span></dt>
4704<dd><p>
4705                  An alternate transfer source if the one listed in
4706                  <span class="command"><strong>transfer-source-v6</strong></span> fails and
4707                  <span class="command"><strong>use-alt-transfer-source</strong></span> is
4708                  set.
4709                </p></dd>
4710<dt><span class="term"><span class="command"><strong>use-alt-transfer-source</strong></span></span></dt>
4711<dd><p>
4712                  Use the alternate transfer sources or not.  If views are
4713                  specified this defaults to <span class="command"><strong>no</strong></span>
4714                  otherwise it defaults to
4715                  <span class="command"><strong>yes</strong></span> (for BIND 8
4716                  compatibility).
4717                </p></dd>
4718<dt><span class="term"><span class="command"><strong>notify-source</strong></span></span></dt>
4719<dd>
4720<p><span class="command"><strong>notify-source</strong></span>
4721                  determines which local source address, and
4722                  optionally UDP port, will be used to send NOTIFY
4723                  messages.  This address must appear in the slave
4724                  server's <span class="command"><strong>masters</strong></span> zone clause or
4725                  in an <span class="command"><strong>allow-notify</strong></span> clause.  This
4726                  statement sets the <span class="command"><strong>notify-source</strong></span>
4727                  for all zones, but can be overridden on a per-zone or
4728                  per-view basis by including a
4729                  <span class="command"><strong>notify-source</strong></span> statement within
4730                  the <span class="command"><strong>zone</strong></span> or
4731                  <span class="command"><strong>view</strong></span> block in the configuration
4732                  file.
4733                </p>
4734<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
4735<h3 class="title">Note</h3>
4736<p>
4737                    Solaris 2.5.1 and earlier does not support setting the
4738                    source address for TCP sockets.
4739                  </p>
4740</div>
4741</dd>
4742<dt><span class="term"><span class="command"><strong>notify-source-v6</strong></span></span></dt>
4743<dd><p>
4744                  Like <span class="command"><strong>notify-source</strong></span>,
4745                  but applies to notify messages sent to IPv6 addresses.
4746                </p></dd>
4747</dl></div>
4748</div>
4749<div class="section">
4750<div class="titlepage"><div><div><h4 class="title">
4751<a name="port_lists"></a>UDP Port Lists</h4></div></div></div>
4752<p>
4753            <span class="command"><strong>use-v4-udp-ports</strong></span>,
4754            <span class="command"><strong>avoid-v4-udp-ports</strong></span>,
4755            <span class="command"><strong>use-v6-udp-ports</strong></span>, and
4756            <span class="command"><strong>avoid-v6-udp-ports</strong></span>
4757            specify a list of IPv4 and IPv6 UDP ports that will be
4758            used or not used as source ports for UDP messages.
4759            See <a class="xref" href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called &#8220;Query Address&#8221;</a> about how the
4760            available ports are determined.
4761            For example, with the following configuration
4762          </p>
4763<pre class="programlisting">
4764use-v6-udp-ports { range 32768 65535; };
4765avoid-v6-udp-ports { 40000; range 50000 60000; };
4766</pre>
4767<p>
4768             UDP ports of IPv6 messages sent
4769             from <span class="command"><strong>named</strong></span> will be in one
4770             of the following ranges: 32768 to 39999, 40001 to 49999,
4771             and 60001 to 65535.
4772           </p>
4773<p>
4774             <span class="command"><strong>avoid-v4-udp-ports</strong></span> and
4775             <span class="command"><strong>avoid-v6-udp-ports</strong></span> can be used
4776             to prevent <span class="command"><strong>named</strong></span> from choosing as its random source port a
4777             port that is blocked by your firewall or a port that is
4778             used by other applications;
4779             if a query went out with a source port blocked by a
4780             firewall, the
4781             answer would not get by the firewall and the name server would
4782             have to query again.
4783             Note: the desired range can also be represented only with
4784             <span class="command"><strong>use-v4-udp-ports</strong></span> and
4785             <span class="command"><strong>use-v6-udp-ports</strong></span>, and the
4786             <span class="command"><strong>avoid-</strong></span> options are redundant in that
4787             sense; they are provided for backward compatibility and
4788             to possibly simplify the port specification.
4789           </p>
4790</div>
4791<div class="section">
4792<div class="titlepage"><div><div><h4 class="title">
4793<a name="resource_limits"></a>Operating System Resource Limits</h4></div></div></div>
4794<p>
4795            The server's usage of many system resources can be limited.
4796            Scaled values are allowed when specifying resource limits.  For
4797            example, <span class="command"><strong>1G</strong></span> can be used instead of
4798            <span class="command"><strong>1073741824</strong></span> to specify a limit of
4799            one
4800            gigabyte. <span class="command"><strong>unlimited</strong></span> requests
4801            unlimited use, or the
4802            maximum available amount. <span class="command"><strong>default</strong></span>
4803            uses the limit
4804            that was in force when the server was started. See the description
4805            of <span class="command"><strong>size_spec</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called &#8220;Configuration File Elements&#8221;</a>.
4806          </p>
4807<p>
4808            The following options set operating system resource limits for
4809            the name server process.  Some operating systems don't support
4810            some or
4811            any of the limits. On such systems, a warning will be issued if
4812            the
4813            unsupported limit is used.
4814          </p>
4815<div class="variablelist"><dl class="variablelist">
4816<dt><span class="term"><span class="command"><strong>coresize</strong></span></span></dt>
4817<dd><p>
4818                  The maximum size of a core dump. The default
4819                  is <code class="literal">default</code>.
4820                </p></dd>
4821<dt><span class="term"><span class="command"><strong>datasize</strong></span></span></dt>
4822<dd><p>
4823                  The maximum amount of data memory the server
4824                  may use. The default is <code class="literal">default</code>.
4825                  This is a hard limit on server memory usage.
4826                  If the server attempts to allocate memory in excess of this
4827                  limit, the allocation will fail, which may in turn leave
4828                  the server unable to perform DNS service.  Therefore,
4829                  this option is rarely useful as a way of limiting the
4830                  amount of memory used by the server, but it can be used
4831                  to raise an operating system data size limit that is
4832                  too small by default.  If you wish to limit the amount
4833                  of memory used by the server, use the
4834                  <span class="command"><strong>max-cache-size</strong></span> and
4835                  <span class="command"><strong>recursive-clients</strong></span>
4836                  options instead.
4837                </p></dd>
4838<dt><span class="term"><span class="command"><strong>files</strong></span></span></dt>
4839<dd><p>
4840                  The maximum number of files the server
4841                  may have open concurrently. The default is <code class="literal">unlimited</code>.
4842                </p></dd>
4843<dt><span class="term"><span class="command"><strong>stacksize</strong></span></span></dt>
4844<dd><p>
4845                  The maximum amount of stack memory the server
4846                  may use. The default is <code class="literal">default</code>.
4847                </p></dd>
4848</dl></div>
4849</div>
4850<div class="section">
4851<div class="titlepage"><div><div><h4 class="title">
4852<a name="server_resource_limits"></a>Server  Resource Limits</h4></div></div></div>
4853<p>
4854            The following options set limits on the server's
4855            resource consumption that are enforced internally by the
4856            server rather than the operating system.
4857          </p>
4858<div class="variablelist"><dl class="variablelist">
4859<dt><span class="term"><span class="command"><strong>max-ixfr-log-size</strong></span></span></dt>
4860<dd><p>
4861                  This option is obsolete; it is accepted
4862                  and ignored for BIND 8 compatibility.  The option
4863                  <span class="command"><strong>max-journal-size</strong></span> performs a
4864                  similar function in BIND 9.
4865                </p></dd>
4866<dt><span class="term"><span class="command"><strong>max-journal-size</strong></span></span></dt>
4867<dd><p>
4868                  Sets a maximum size for each journal file
4869                  (see <a class="xref" href="Bv9ARM.ch04.html#journal" title="The journal file">the section called &#8220;The journal file&#8221;</a>).  When the journal file
4870                  approaches
4871                  the specified size, some of the oldest transactions in the
4872                  journal
4873                  will be automatically removed.  The largest permitted
4874                  value is 2 gigabytes. The default is
4875                  <code class="literal">unlimited</code>, which also
4876                  means 2 gigabytes.
4877                  This may also be set on a per-zone basis.
4878                </p></dd>
4879<dt><span class="term"><span class="command"><strong>host-statistics-max</strong></span></span></dt>
4880<dd><p>
4881                  In BIND 8, specifies the maximum number of host statistics
4882                  entries to be kept.
4883                  Not implemented in BIND 9.
4884                </p></dd>
4885<dt><span class="term"><span class="command"><strong>recursive-clients</strong></span></span></dt>
4886<dd>
4887<p>
4888                  The maximum number ("hard quota") of simultaneous
4889                  recursive lookups the server will perform on behalf
4890                  of clients.  The default is
4891                  <code class="literal">1000</code>.  Because each recursing
4892                  client uses a fair
4893                  bit of memory (on the order of 20 kilobytes), the
4894                  value of the
4895                  <span class="command"><strong>recursive-clients</strong></span> option may
4896                  have to be decreased on hosts with limited memory.
4897                </p>
4898<p>
4899                  <code class="option">recursive-clients</code> defines a "hard
4900                  quota" limit for pending recursive clients: when more
4901                  clients than this are pending, new incoming requests
4902                  will not be accepted, and for each incoming request
4903                  a previous pending request will also be dropped.
4904                </p>
4905<p>
4906                  A "soft quota" is also set.  When this lower
4907                  quota is exceeded, incoming requests are accepted, but
4908                  for each one, a pending request will be dropped.
4909                  If <code class="option">recursive-clients</code> is greater than
4910                  1000, the soft quota is set to
4911                  <code class="option">recursive-clients</code> minus 100;
4912                  otherwise it is set to 90% of
4913                  <code class="option">recursive-clients</code>.
4914                </p>
4915</dd>
4916<dt><span class="term"><span class="command"><strong>tcp-clients</strong></span></span></dt>
4917<dd><p>
4918                  The maximum number of simultaneous client TCP
4919                  connections that the server will accept.
4920                  The default is <code class="literal">100</code>.
4921                </p></dd>
4922<dt>
4923<a name="clients-per-query"></a><span class="term"><a name="cpq_term"></a><span class="command"><strong>clients-per-query</strong></span>, </span><span class="term"><span class="command"><strong>max-clients-per-query</strong></span></span>
4924</dt>
4925<dd>
4926<p>These set the
4927                  initial value (minimum) and maximum number of recursive
4928                  simultaneous clients for any given query
4929                  (&lt;qname,qtype,qclass&gt;) that the server will accept
4930                  before dropping additional clients.  <span class="command"><strong>named</strong></span> will attempt to
4931                  self tune this value and changes will be logged.  The
4932                  default values are 10 and 100.
4933                </p>
4934<p>
4935                  This value should reflect how many queries come in for
4936                  a given name in the time it takes to resolve that name.
4937                  If the number of queries exceed this value, <span class="command"><strong>named</strong></span> will
4938                  assume that it is dealing with a non-responsive zone
4939                  and will drop additional queries.  If it gets a response
4940                  after dropping queries, it will raise the estimate.  The
4941                  estimate will then be lowered in 20 minutes if it has
4942                  remained unchanged.
4943                </p>
4944<p>
4945                  If <span class="command"><strong>clients-per-query</strong></span> is set to zero,
4946                  then there is no limit on the number of clients per query
4947                  and no queries will be dropped.
4948                </p>
4949<p>
4950                  If <span class="command"><strong>max-clients-per-query</strong></span> is set to zero,
4951                  then there is no upper bound other than imposed by
4952                  <span class="command"><strong>recursive-clients</strong></span>.
4953                </p>
4954</dd>
4955<dt>
4956<a name="fetches-per-zone"></a><span class="term"><span class="command"><strong>fetches-per-zone</strong></span></span>
4957</dt>
4958<dd>
4959<p>
4960                  The maximum number of simultaneous iterative
4961                  queries to any one domain that the server will
4962                  permit before blocking new queries for data
4963                  in or beneath that zone.
4964                  This value should reflect how many fetches would
4965                  normally be sent to any one zone in the time it
4966                  would take to resolve them.  It should be smaller
4967                  than <code class="option">recursive-clients</code>.
4968                </p>
4969<p>
4970                  When many clients simultaneously query for the
4971                  same name and type, the clients will all be attached
4972                  to the same fetch, up to the
4973                  <code class="option">max-clients-per-query</code> limit,
4974                  and only one iterative query will be sent.
4975                  However, when clients are simultaneously
4976                  querying for <span class="emphasis"><em>different</em></span> names
4977                  or types, multiple queries will be sent and
4978                  <code class="option">max-clients-per-query</code> is not
4979                  effective as a limit.
4980                </p>
4981<p>
4982                  Optionally, this value may be followed by the keyword
4983                  <code class="literal">drop</code> or <code class="literal">fail</code>,
4984                  indicating whether queries which exceed the fetch
4985                  quota for a zone will be dropped with no response,
4986                  or answered with SERVFAIL.  The default is
4987                  <code class="literal">drop</code>.
4988                </p>
4989<p>
4990                  If <span class="command"><strong>fetches-per-zone</strong></span> is set to zero,
4991                  then there is no limit on the number of fetches per query
4992                  and no queries will be dropped.  The default is zero.
4993                </p>
4994<p>
4995                  The current list of active fetches can be dumped by
4996                  running <span class="command"><strong>rndc recursing</strong></span>.  The list
4997                  includes the number of active fetches for each
4998                  domain and the number of queries that have been
4999                  passed or dropped as a result of the
5000                  <code class="option">fetches-per-zone</code> limit.  (Note:
5001                  these counters are not cumulative over time; whenever
5002                  the number of active fetches for a domain drops to
5003                  zero, the counter for that domain is deleted, and the
5004                  next time a fetch is sent to that domain, it is
5005                  recreated with the counters set to zero.)
5006                </p>
5007<p>
5008                  (Note: This option is only available when BIND is
5009                  built with <span class="command"><strong>configure --enable-fetchlimit</strong></span>.)
5010                </p>
5011</dd>
5012<dt>
5013<a name="fetches-per-server"></a><span class="term"><span class="command"><strong>fetches-per-server</strong></span></span>
5014</dt>
5015<dd>
5016<p>
5017                  The maximum number of simultaneous iterative
5018                  queries that the server will allow to be sent to
5019                  a single upstream name server before blocking
5020                  additional queries.
5021                  This value should reflect how many fetches would
5022                  normally be sent to any one server in the time it
5023                  would take to resolve them.  It should be smaller
5024                  than <code class="option">recursive-clients</code>.
5025                </p>
5026<p>
5027                  Optionally, this value may be followed by the keyword
5028                  <code class="literal">drop</code> or <code class="literal">fail</code>,
5029                  indicating whether queries will be dropped with no
5030                  response, or answered with SERVFAIL, when all of the
5031                  servers authoritative for a zone are found to have
5032                  exceeded the per-server quota.  The default is
5033                  <code class="literal">fail</code>.
5034                </p>
5035<p>
5036                  If <span class="command"><strong>fetches-per-server</strong></span> is set to zero,
5037                  then there is no limit on the number of fetches per query
5038                  and no queries will be dropped.  The default is zero.
5039                </p>
5040<p>
5041                  The <span class="command"><strong>fetches-per-server</strong></span> quota is
5042                  dynamically adjusted in response to detected
5043                  congestion. As queries are sent to a server
5044                  and are either answered or time out, an
5045                  exponentially weighted moving average is calculated
5046                  of the ratio of timeouts to responses.  If the
5047                  current average timeout ratio rises above a "high"
5048                  threshold, then <span class="command"><strong>fetches-per-server</strong></span>
5049                  is reduced for that server.  If the timeout ratio
5050                  drops below a "low" threshold, then
5051                  <span class="command"><strong>fetches-per-server</strong></span> is increased.
5052                  The <span class="command"><strong>fetch-quota-params</strong></span> options
5053                  can be used to adjust the parameters for this
5054                  calculation.
5055                </p>
5056<p>
5057                  (Note: This option is only available when BIND is
5058                  built with <span class="command"><strong>configure --enable-fetchlimit</strong></span>.)
5059                </p>
5060</dd>
5061<dt><span class="term"><span class="command"><strong>fetch-quota-params</strong></span></span></dt>
5062<dd>
5063<p>
5064                  Sets the parameters to use for dynamic resizing of
5065                  the <code class="option">fetches-per-server</code> quota in
5066                  response to detected congestion.
5067                </p>
5068<p>
5069                  The first argument is an integer value indicating
5070                  how frequently to recalculate the moving average
5071                  of the ratio of timeouts to responses for each
5072                  server.  The default is 100, meaning we recalculate
5073                  the average ratio after every 100 queries have either
5074                  been answered or timed out.
5075                </p>
5076<p>
5077                  The remaining three arguments represent the "low"
5078                  threshold (defaulting to a timeout ratio of 0.1),
5079                  the "high" threshold (defaulting to a timeout
5080                  ratio of 0.3), and the discount rate for
5081                  the moving average (defaulting to 0.7).
5082                  A higher discount rate causes recent events to
5083                  weigh more heavily when calculating the moving
5084                  average; a lower discount rate causes past
5085                  events to weigh more heavily, smoothing out
5086                  short-term blips in the timeout ratio.
5087                  These arguments are all fixed-point numbers with
5088                  precision of 1/100: at most two places after
5089                  the decimal point are significant.
5090                </p>
5091<p>
5092                  (Note: This option is only available when BIND is
5093                  built with <span class="command"><strong>configure --enable-fetchlimit</strong></span>.)
5094                </p>
5095</dd>
5096<dt><span class="term"><span class="command"><strong>reserved-sockets</strong></span></span></dt>
5097<dd>
5098<p>
5099                  The number of file descriptors reserved for TCP, stdio,
5100                  etc.  This needs to be big enough to cover the number of
5101                  interfaces <span class="command"><strong>named</strong></span> listens on, <span class="command"><strong>tcp-clients</strong></span> as well as
5102                  to provide room for outgoing TCP queries and incoming zone
5103                  transfers.  The default is <code class="literal">512</code>.
5104                  The minimum value is <code class="literal">128</code> and the
5105                  maximum value is <code class="literal">128</code> less than
5106                  maxsockets (-S).  This option may be removed in the future.
5107                </p>
5108<p>
5109                  This option has little effect on Windows.
5110                </p>
5111</dd>
5112<dt><span class="term"><span class="command"><strong>max-cache-size</strong></span></span></dt>
5113<dd><p>
5114                  The maximum amount of memory to use for the
5115                  server's cache, in bytes.
5116                  When the amount of data in the cache
5117                  reaches this limit, the server will cause records to expire
5118                  prematurely based on an LRU based strategy so that
5119                  the limit is not exceeded.
5120                  A value of 0 is special, meaning that
5121                  records are purged from the cache only when their
5122                  TTLs expire.
5123                  Another special keyword <strong class="userinput"><code>unlimited</code></strong>
5124                  means the maximum value of 32-bit unsigned integers
5125                  (0xffffffff), which may not have the same effect as
5126                  0 on machines that support more than 32 bits of
5127                  memory space.
5128                  Any positive values less than 2MB will be ignored reset
5129                  to 2MB.
5130                  In a server with multiple views, the limit applies
5131                  separately to the cache of each view.
5132                  The default is 0.
5133                </p></dd>
5134<dt><span class="term"><span class="command"><strong>tcp-listen-queue</strong></span></span></dt>
5135<dd><p>
5136                  The listen queue depth.  The default and minimum is 10.
5137                  If the kernel supports the accept filter "dataready" this
5138                  also controls how
5139                  many TCP connections that will be queued in kernel space
5140                  waiting for
5141                  some data before being passed to accept.  Nonzero values
5142                  less than 10 will be silently raised. A value of 0 may also
5143                  be used; on most platforms this sets the listen queue
5144                  length to a system-defined default value.
5145                </p></dd>
5146</dl></div>
5147</div>
5148<div class="section">
5149<div class="titlepage"><div><div><h4 class="title">
5150<a name="intervals"></a>Periodic Task Intervals</h4></div></div></div>
5151<div class="variablelist"><dl class="variablelist">
5152<dt><span class="term"><span class="command"><strong>cleaning-interval</strong></span></span></dt>
5153<dd><p>
5154                  This interval is effectively obsolete.  Previously,
5155                  the server would remove expired resource records
5156                  from the cache every <span class="command"><strong>cleaning-interval</strong></span> minutes.
5157                  <acronym class="acronym">BIND</acronym> 9 now manages cache
5158                  memory in a more sophisticated manner and does not
5159                  rely on the periodic cleaning any more.
5160                  Specifying this option therefore has no effect on
5161                  the server's behavior.
5162                </p></dd>
5163<dt><span class="term"><span class="command"><strong>heartbeat-interval</strong></span></span></dt>
5164<dd><p>
5165                  The server will perform zone maintenance tasks
5166                  for all zones marked as <span class="command"><strong>dialup</strong></span> whenever this
5167                  interval expires. The default is 60 minutes. Reasonable
5168                  values are up
5169                  to 1 day (1440 minutes).  The maximum value is 28 days
5170                  (40320 minutes).
5171                  If set to 0, no zone maintenance for these zones will occur.
5172                </p></dd>
5173<dt><span class="term"><span class="command"><strong>interface-interval</strong></span></span></dt>
5174<dd><p>
5175                  The server will scan the network interface list
5176                  every <span class="command"><strong>interface-interval</strong></span>
5177                  minutes. The default
5178                  is 60 minutes. The maximum value is 28 days (40320 minutes).
5179                  If set to 0, interface scanning will only occur when
5180                  the configuration file is  loaded. After the scan, the
5181                  server will
5182                  begin listening for queries on any newly discovered
5183                  interfaces (provided they are allowed by the
5184                  <span class="command"><strong>listen-on</strong></span> configuration), and
5185                  will
5186                  stop listening on interfaces that have gone away.
5187                </p></dd>
5188<dt><span class="term"><span class="command"><strong>statistics-interval</strong></span></span></dt>
5189<dd>
5190<p>
5191                  Name server statistics will be logged
5192                  every <span class="command"><strong>statistics-interval</strong></span>
5193                  minutes. The default is
5194                  60. The maximum value is 28 days (40320 minutes).
5195                  If set to 0, no statistics will be logged.
5196                  </p>
5197<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
5198<h3 class="title">Note</h3>
5199<p>
5200                    Not yet implemented in
5201                    <acronym class="acronym">BIND</acronym> 9.
5202                  </p>
5203</div>
5204</dd>
5205</dl></div>
5206</div>
5207<div class="section">
5208<div class="titlepage"><div><div><h4 class="title">
5209<a name="topology"></a>Topology</h4></div></div></div>
5210<p>
5211            All other things being equal, when the server chooses a name
5212            server
5213            to query from a list of name servers, it prefers the one that is
5214            topologically closest to itself. The <span class="command"><strong>topology</strong></span> statement
5215            takes an <span class="command"><strong>address_match_list</strong></span> and
5216            interprets it
5217            in a special way. Each top-level list element is assigned a
5218            distance.
5219            Non-negated elements get a distance based on their position in the
5220            list, where the closer the match is to the start of the list, the
5221            shorter the distance is between it and the server. A negated match
5222            will be assigned the maximum distance from the server. If there
5223            is no match, the address will get a distance which is further than
5224            any non-negated list element, and closer than any negated element.
5225            For example,
5226          </p>
5227<pre class="programlisting">topology {
5228    10/8;
5229    !1.2.3/24;
5230    { 1.2/16; 3/8; };
5231};</pre>
5232<p>
5233            will prefer servers on network 10 the most, followed by hosts
5234            on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
5235            exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
5236            is preferred least of all.
5237          </p>
5238<p>
5239            The default topology is
5240          </p>
5241<pre class="programlisting">    topology { localhost; localnets; };
5242</pre>
5243<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
5244<h3 class="title">Note</h3>
5245<p>
5246              The <span class="command"><strong>topology</strong></span> option
5247              is not implemented in <acronym class="acronym">BIND</acronym> 9.
5248            </p>
5249</div>
5250</div>
5251<div class="section">
5252<div class="titlepage"><div><div><h4 class="title">
5253<a name="the_sortlist_statement"></a>The <span class="command"><strong>sortlist</strong></span> Statement</h4></div></div></div>
5254<p>
5255            The response to a DNS query may consist of multiple resource
5256            records (RRs) forming a resource records set (RRset).
5257            The name server will normally return the
5258            RRs within the RRset in an indeterminate order
5259            (but see the <span class="command"><strong>rrset-order</strong></span>
5260            statement in <a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>).
5261            The client resolver code should rearrange the RRs as appropriate,
5262            that is, using any addresses on the local net in preference to
5263            other addresses.
5264            However, not all resolvers can do this or are correctly
5265            configured.
5266            When a client is using a local server, the sorting can be performed
5267            in the server, based on the client's address. This only requires
5268            configuring the name servers, not all the clients.
5269          </p>
5270<p>
5271            The <span class="command"><strong>sortlist</strong></span> statement (see below)
5272            takes
5273            an <span class="command"><strong>address_match_list</strong></span> and
5274            interprets it even
5275            more specifically than the <span class="command"><strong>topology</strong></span>
5276            statement
5277            does (<a class="xref" href="Bv9ARM.ch06.html#topology" title="Topology">the section called &#8220;Topology&#8221;</a>).
5278            Each top level statement in the <span class="command"><strong>sortlist</strong></span> must
5279            itself be an explicit <span class="command"><strong>address_match_list</strong></span> with
5280            one or two elements. The first element (which may be an IP
5281            address,
5282            an IP prefix, an ACL name or a nested <span class="command"><strong>address_match_list</strong></span>)
5283            of each top level list is checked against the source address of
5284            the query until a match is found.
5285          </p>
5286<p>
5287            Once the source address of the query has been matched, if
5288            the top level statement contains only one element, the actual
5289            primitive
5290            element that matched the source address is used to select the
5291            address
5292            in the response to move to the beginning of the response. If the
5293            statement is a list of two elements, then the second element is
5294            treated the same as the <span class="command"><strong>address_match_list</strong></span> in
5295            a <span class="command"><strong>topology</strong></span> statement. Each top
5296            level element
5297            is assigned a distance and the address in the response with the
5298            minimum
5299            distance is moved to the beginning of the response.
5300          </p>
5301<p>
5302            In the following example, any queries received from any of
5303            the addresses of the host itself will get responses preferring
5304            addresses
5305            on any of the locally connected networks. Next most preferred are
5306            addresses
5307            on the 192.168.1/24 network, and after that either the
5308            192.168.2/24
5309            or
5310            192.168.3/24 network with no preference shown between these two
5311            networks. Queries received from a host on the 192.168.1/24 network
5312            will prefer other addresses on that network to the 192.168.2/24
5313            and
5314            192.168.3/24 networks. Queries received from a host on the
5315            192.168.4/24
5316            or the 192.168.5/24 network will only prefer other addresses on
5317            their directly connected networks.
5318          </p>
5319<pre class="programlisting">sortlist {
5320    // IF the local host
5321    // THEN first fit on the following nets
5322    { localhost;
5323        { localnets;
5324            192.168.1/24;
5325            { 192.168.2/24; 192.168.3/24; }; }; };
5326    // IF on class C 192.168.1 THEN use .1, or .2 or .3
5327    { 192.168.1/24;
5328        { 192.168.1/24;
5329            { 192.168.2/24; 192.168.3/24; }; }; };
5330    // IF on class C 192.168.2 THEN use .2, or .1 or .3
5331    { 192.168.2/24;
5332        { 192.168.2/24;
5333            { 192.168.1/24; 192.168.3/24; }; }; };
5334    // IF on class C 192.168.3 THEN use .3, or .1 or .2
5335    { 192.168.3/24;
5336        { 192.168.3/24;
5337            { 192.168.1/24; 192.168.2/24; }; }; };
5338    // IF .4 or .5 THEN prefer that net
5339    { { 192.168.4/24; 192.168.5/24; };
5340    };
5341};</pre>
5342<p>
5343            The following example will give reasonable behavior for the
5344            local host and hosts on directly connected networks. It is similar
5345            to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
5346            to queries from the local host will favor any of the directly
5347            connected
5348            networks. Responses sent to queries from any other hosts on a
5349            directly
5350            connected network will prefer addresses on that same network.
5351            Responses
5352            to other queries will not be sorted.
5353          </p>
5354<pre class="programlisting">sortlist {
5355           { localhost; localnets; };
5356           { localnets; };
5357};
5358</pre>
5359</div>
5360<div class="section">
5361<div class="titlepage"><div><div><h4 class="title">
5362<a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div>
5363<p>
5364            When multiple records are returned in an answer it may be
5365            useful to configure the order of the records placed into the
5366            response.
5367            The <span class="command"><strong>rrset-order</strong></span> statement permits
5368            configuration
5369            of the ordering of the records in a multiple record response.
5370            See also the <span class="command"><strong>sortlist</strong></span> statement,
5371            <a class="xref" href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span class="command"><strong>sortlist</strong></span> Statement&#8221;</a>.
5372          </p>
5373<p>
5374            An <span class="command"><strong>order_spec</strong></span> is defined as
5375            follows:
5376          </p>
5377<p>
5378            [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>]
5379            [<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>]
5380            [<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>]
5381            order <em class="replaceable"><code>ordering</code></em>
5382          </p>
5383<p>
5384            If no class is specified, the default is <span class="command"><strong>ANY</strong></span>.
5385            If no type is specified, the default is <span class="command"><strong>ANY</strong></span>.
5386            If no name is specified, the default is "<span class="command"><strong>*</strong></span>" (asterisk).
5387          </p>
5388<p>
5389            The legal values for <span class="command"><strong>ordering</strong></span> are:
5390          </p>
5391<div class="informaltable"><table border="1">
5392<colgroup>
5393<col width="0.750in" class="1">
5394<col width="3.750in" class="2">
5395</colgroup>
5396<tbody>
5397<tr>
5398<td>
5399                    <p><span class="command"><strong>fixed</strong></span></p>
5400                  </td>
5401<td>
5402                    <p>
5403                      Records are returned in the order they
5404                      are defined in the zone file.
5405                    </p>
5406                  </td>
5407</tr>
5408<tr>
5409<td>
5410                    <p><span class="command"><strong>random</strong></span></p>
5411                  </td>
5412<td>
5413                    <p>
5414                      Records are returned in some random order.
5415                    </p>
5416                  </td>
5417</tr>
5418<tr>
5419<td>
5420                    <p><span class="command"><strong>cyclic</strong></span></p>
5421                  </td>
5422<td>
5423                    <p>
5424                      Records are returned in a cyclic round-robin order.
5425                    </p>
5426                    <p>
5427                      If <acronym class="acronym">BIND</acronym> is configured with the
5428                      "--enable-fixed-rrset" option at compile time, then
5429                      the initial ordering of the RRset will match the
5430                      one specified in the zone file.
5431                    </p>
5432                  </td>
5433</tr>
5434</tbody>
5435</table></div>
5436<p>
5437            For example:
5438          </p>
5439<pre class="programlisting">rrset-order {
5440   class IN type A name "host.example.com" order random;
5441   order cyclic;
5442};
5443</pre>
5444<p>
5445            will cause any responses for type A records in class IN that
5446            have "<code class="literal">host.example.com</code>" as a
5447            suffix, to always be returned
5448            in random order. All other records are returned in cyclic order.
5449          </p>
5450<p>
5451            If multiple <span class="command"><strong>rrset-order</strong></span> statements
5452            appear, they are not combined &#8212; the last one applies.
5453          </p>
5454<p>
5455            By default, all records are returned in random order.
5456          </p>
5457<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
5458<h3 class="title">Note</h3>
5459<p>
5460              In this release of <acronym class="acronym">BIND</acronym> 9, the
5461              <span class="command"><strong>rrset-order</strong></span> statement does not support
5462              "fixed" ordering by default.  Fixed ordering can be enabled
5463              at compile time by specifying "--enable-fixed-rrset" on
5464              the "configure" command line.
5465            </p>
5466</div>
5467</div>
5468<div class="section">
5469<div class="titlepage"><div><div><h4 class="title">
5470<a name="tuning"></a>Tuning</h4></div></div></div>
5471<div class="variablelist"><dl class="variablelist">
5472<dt><span class="term"><span class="command"><strong>lame-ttl</strong></span></span></dt>
5473<dd>
5474<p>
5475                  Sets the number of seconds to cache a
5476                  lame server indication. 0 disables caching. (This is
5477                  <span class="bold"><strong>NOT</strong></span> recommended.)
5478                  The default is <code class="literal">600</code> (10 minutes) and the
5479                  maximum value is
5480                  <code class="literal">1800</code> (30 minutes).
5481                </p>
5482<p>
5483                  Lame-ttl also controls the amount of time DNSSEC
5484                  validation failures are cached.  There is a minimum
5485                  of 30 seconds applied to bad cache entries if the
5486                  lame-ttl is set to less than 30 seconds.
5487                </p>
5488</dd>
5489<dt><span class="term"><span class="command"><strong>max-ncache-ttl</strong></span></span></dt>
5490<dd><p>
5491                  To reduce network traffic and increase performance,
5492                  the server stores negative answers. <span class="command"><strong>max-ncache-ttl</strong></span> is
5493                  used to set a maximum retention time for these answers in
5494                  the server
5495                  in seconds. The default
5496                  <span class="command"><strong>max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
5497                  <span class="command"><strong>max-ncache-ttl</strong></span> cannot exceed
5498                  7 days and will
5499                  be silently truncated to 7 days if set to a greater value.
5500                </p></dd>
5501<dt><span class="term"><span class="command"><strong>max-cache-ttl</strong></span></span></dt>
5502<dd><p>
5503                  Sets the maximum time for which the server will
5504                  cache ordinary (positive) answers. The default is
5505                  one week (7 days).
5506                  A value of zero may cause all queries to return
5507                  SERVFAIL, because of lost caches of intermediate
5508                  RRsets (such as NS and glue AAAA/A records) in the
5509                  resolution process.
5510                </p></dd>
5511<dt><span class="term"><span class="command"><strong>min-roots</strong></span></span></dt>
5512<dd>
5513<p>
5514                  The minimum number of root servers that
5515                  is required for a request for the root servers to be
5516                  accepted. The default
5517                  is <strong class="userinput"><code>2</code></strong>.
5518                </p>
5519<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
5520<h3 class="title">Note</h3>
5521<p>
5522                    Not implemented in <acronym class="acronym">BIND</acronym> 9.
5523                  </p>
5524</div>
5525</dd>
5526<dt><span class="term"><span class="command"><strong>sig-validity-interval</strong></span></span></dt>
5527<dd>
5528<p>
5529                  Specifies the number of days into the future when
5530                  DNSSEC signatures automatically generated as a
5531                  result of dynamic updates (<a class="xref" href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>) will expire.  There
5532                  is an optional second field which specifies how
5533                  long before expiry that the signatures will be
5534                  regenerated.  If not specified, the signatures will
5535                  be regenerated at 1/4 of base interval.  The second
5536                  field is specified in days if the base interval is
5537                  greater than 7 days otherwise it is specified in hours.
5538                  The default base interval is <code class="literal">30</code> days
5539                  giving a re-signing interval of 7 1/2 days.  The maximum
5540                  values are 10 years (3660 days).
5541                </p>
5542<p>
5543                  The signature inception time is unconditionally
5544                  set to one hour before the current time to allow
5545                  for a limited amount of clock skew.
5546                </p>
5547<p>
5548                  The <span class="command"><strong>sig-validity-interval</strong></span>
5549                  should be, at least, several multiples of the SOA
5550                  expire interval to allow for reasonable interaction
5551                  between the various timer and expiry dates.
5552                </p>
5553</dd>
5554<dt><span class="term"><span class="command"><strong>sig-signing-nodes</strong></span></span></dt>
5555<dd><p>
5556                  Specify the maximum number of nodes to be
5557                  examined in each quantum when signing a zone with
5558                  a new DNSKEY. The default is
5559                  <code class="literal">100</code>.
5560                </p></dd>
5561<dt><span class="term"><span class="command"><strong>sig-signing-signatures</strong></span></span></dt>
5562<dd><p>
5563                  Specify a threshold number of signatures that
5564                  will terminate processing a quantum when signing
5565                  a zone with a new DNSKEY.  The default is
5566                  <code class="literal">10</code>.
5567                </p></dd>
5568<dt><span class="term"><span class="command"><strong>sig-signing-type</strong></span></span></dt>
5569<dd>
5570<p>
5571                  Specify a private RDATA type to be used when generating
5572                  signing state records.  The default is
5573                  <code class="literal">65534</code>.
5574                </p>
5575<p>
5576                  It is expected that this parameter may be removed
5577                  in a future version once there is a standard type.
5578                </p>
5579<p>
5580                  Signing state records are used to internally by
5581                  <span class="command"><strong>named</strong></span> to track the current state of
5582                  a zone-signing process, i.e., whether it is still active
5583                  or has been completed.  The records can be inspected
5584                  using the command
5585                  <span class="command"><strong>rndc signing -list <em class="replaceable"><code>zone</code></em></strong></span>.
5586                  Once <span class="command"><strong>named</strong></span> has finished signing
5587                  a zone with a particular key, the signing state
5588                  record associated with that key can be removed from
5589                  the zone by running
5590                  <span class="command"><strong>rndc signing -clear <em class="replaceable"><code>keyid/algorithm</code></em> <em class="replaceable"><code>zone</code></em></strong></span>.
5591                  To clear all of the completed signing state
5592                  records for a zone, use
5593                  <span class="command"><strong>rndc signing -clear all <em class="replaceable"><code>zone</code></em></strong></span>.
5594                </p>
5595</dd>
5596<dt>
5597<span class="term"><span class="command"><strong>min-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>max-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>min-retry-time</strong></span>, </span><span class="term"><span class="command"><strong>max-retry-time</strong></span></span>
5598</dt>
5599<dd>
5600<p>
5601                  These options control the server's behavior on refreshing a
5602                  zone
5603                  (querying for SOA changes) or retrying failed transfers.
5604                  Usually the SOA values for the zone are used, but these
5605                  values
5606                  are set by the master, giving slave server administrators
5607                  little
5608                  control over their contents.
5609                </p>
5610<p>
5611                  These options allow the administrator to set a minimum and
5612                  maximum
5613                  refresh and retry time either per-zone, per-view, or
5614                  globally.
5615                  These options are valid for slave and stub zones,
5616                  and clamp the SOA refresh and retry times to the specified
5617                  values.
5618                </p>
5619<p>
5620                  The following defaults apply.
5621                  <span class="command"><strong>min-refresh-time</strong></span> 300 seconds,
5622                  <span class="command"><strong>max-refresh-time</strong></span> 2419200 seconds
5623                  (4 weeks), <span class="command"><strong>min-retry-time</strong></span> 500 seconds,
5624                  and <span class="command"><strong>max-retry-time</strong></span> 1209600 seconds
5625                  (2 weeks).
5626                </p>
5627</dd>
5628<dt><span class="term"><span class="command"><strong>edns-udp-size</strong></span></span></dt>
5629<dd>
5630<p>
5631                  Sets the advertised EDNS UDP buffer size in bytes
5632                  to control the size of packets received.
5633                  Valid values are 512 to 4096 (values outside this range
5634                  will be silently adjusted).  The default value
5635                  is 4096.  The usual reason for setting
5636                  <span class="command"><strong>edns-udp-size</strong></span> to a non-default
5637                  value is to get UDP answers to pass through broken
5638                  firewalls that block fragmented packets and/or
5639                  block UDP packets that are greater than 512 bytes.
5640                </p>
5641<p>
5642                  <span class="command"><strong>named</strong></span> will fallback to using 512 bytes
5643                  if it get a series of timeout at the initial value.  512
5644                  bytes is not being offered to encourage sites to fix their
5645                  firewalls.  Small EDNS UDP sizes will result in the
5646                  excessive use of TCP.
5647                </p>
5648</dd>
5649<dt><span class="term"><span class="command"><strong>max-udp-size</strong></span></span></dt>
5650<dd>
5651<p>
5652                  Sets the maximum EDNS UDP message size
5653                  <span class="command"><strong>named</strong></span> will send in bytes.
5654                  Valid values are 512 to 4096 (values outside this
5655                  range will be silently adjusted).  The default
5656                  value is 4096.  The usual reason for setting
5657                  <span class="command"><strong>max-udp-size</strong></span> to a non-default
5658                  value is to get UDP answers to pass through broken
5659                  firewalls that block fragmented packets and/or
5660                  block UDP packets that are greater than 512 bytes.
5661                  This is independent of the advertised receive
5662                  buffer (<span class="command"><strong>edns-udp-size</strong></span>).
5663                </p>
5664<p>
5665                  Setting this to a low value will encourage additional
5666                  TCP traffic to the nameserver.
5667                </p>
5668</dd>
5669<dt><span class="term"><span class="command"><strong>masterfile-format</strong></span></span></dt>
5670<dd>
5671<p>Specifies
5672                  the file format of zone files (see
5673                  <a class="xref" href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called &#8220;Additional File Formats&#8221;</a>).
5674                  The default value is <code class="constant">text</code>, which is the
5675                  standard textual representation, except for slave zones,
5676                  in which the default value is <code class="constant">raw</code>.
5677                  Files in other formats than <code class="constant">text</code> are
5678                  typically expected to be generated by the
5679                  <span class="command"><strong>named-compilezone</strong></span> tool, or dumped by
5680                  <span class="command"><strong>named</strong></span>.
5681                </p>
5682<p>
5683                  Note that when a zone file in a different format than
5684                  <code class="constant">text</code> is loaded, <span class="command"><strong>named</strong></span>
5685                  may omit some of the checks which would be performed for a
5686                  file in the <code class="constant">text</code> format.  In particular,
5687                  <span class="command"><strong>check-names</strong></span> checks do not apply
5688                  for the <code class="constant">raw</code> format.  This means
5689                  a zone file in the <code class="constant">raw</code> format
5690                  must be generated with the same check level as that
5691                  specified in the <span class="command"><strong>named</strong></span> configuration
5692                  file.  This statement sets the
5693                  <span class="command"><strong>masterfile-format</strong></span> for all zones,
5694                  but can be overridden on a per-zone or per-view basis
5695                  by including a <span class="command"><strong>masterfile-format</strong></span>
5696                  statement within the <span class="command"><strong>zone</strong></span> or
5697                  <span class="command"><strong>view</strong></span> block in the configuration
5698                  file.
5699                </p>
5700</dd>
5701<dt>
5702<a name="max-recursion-depth"></a><span class="term"><span class="command"><strong>max-recursion-depth</strong></span></span>
5703</dt>
5704<dd><p>
5705                  Sets the maximum number of levels of recursion
5706                  that are permitted at any one time while servicing
5707                  a recursive query. Resolving a name may require
5708                  looking up a name server address, which in turn
5709                  requires resolving another name, etc; if the number
5710                  of indirections exceeds this value, the recursive
5711                  query is terminated and returns SERVFAIL.  The
5712                  default is 7.
5713                </p></dd>
5714<dt>
5715<a name="max-recursion-queries"></a><span class="term"><span class="command"><strong>max-recursion-queries</strong></span></span>
5716</dt>
5717<dd><p>
5718                  Sets the maximum number of iterative queries that
5719                  may be sent while servicing a recursive query.
5720                  If more queries are sent, the recursive query
5721                  is terminated and returns SERVFAIL. Queries to
5722                  look up top level comains such as "com" and "net"
5723                  and the DNS root zone are exempt from this limitation.
5724                  The default is 75.
5725                </p></dd>
5726<dt><span class="term"><span class="command"><strong>notify-delay</strong></span></span></dt>
5727<dd>
5728<p>
5729                  The delay, in seconds, between sending sets of notify
5730                  messages for a zone.  The default is five (5) seconds.
5731                </p>
5732<p>
5733                  The overall rate that NOTIFY messages are sent for all
5734                  zones is controlled by <span class="command"><strong>serial-query-rate</strong></span>.
5735                </p>
5736</dd>
5737<dt><span class="term"><span class="command"><strong>max-rsa-exponent-size</strong></span></span></dt>
5738<dd><p>
5739                  The maximum RSA exponent size, in bits, that will
5740                  be accepted when validating.  Valid values are 35
5741                  to 4096 bits.  The default zero (0) is also accepted
5742                  and is equivalent to 4096.
5743                </p></dd>
5744</dl></div>
5745</div>
5746<div class="section">
5747<div class="titlepage"><div><div><h4 class="title">
5748<a name="builtin"></a>Built-in server information zones</h4></div></div></div>
5749<p>
5750            The server provides some helpful diagnostic information
5751            through a number of built-in zones under the
5752            pseudo-top-level-domain <code class="literal">bind</code> in the
5753            <span class="command"><strong>CHAOS</strong></span> class.  These zones are part
5754            of a
5755            built-in view (see <a class="xref" href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called &#8220;<span class="command"><strong>view</strong></span> Statement Grammar&#8221;</a>) of
5756            class
5757            <span class="command"><strong>CHAOS</strong></span> which is separate from the
5758            default view of class <span class="command"><strong>IN</strong></span>. Most global
5759            configuration options (<span class="command"><strong>allow-query</strong></span>,
5760            etc) will apply to this view, but some are locally
5761            overridden: <span class="command"><strong>notify</strong></span>,
5762            <span class="command"><strong>recursion</strong></span> and
5763            <span class="command"><strong>allow-new-zones</strong></span> are
5764            always set to <strong class="userinput"><code>no</code></strong>.
5765          </p>
5766<p>
5767            If you need to disable these zones, use the options
5768            below, or hide the built-in <span class="command"><strong>CHAOS</strong></span>
5769            view by
5770            defining an explicit view of class <span class="command"><strong>CHAOS</strong></span>
5771            that matches all clients.
5772          </p>
5773<div class="variablelist"><dl class="variablelist">
5774<dt><span class="term"><span class="command"><strong>version</strong></span></span></dt>
5775<dd><p>
5776                  The version the server should report
5777                  via a query of the name <code class="literal">version.bind</code>
5778                  with type <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>.
5779                  The default is the real version number of this server.
5780                  Specifying <span class="command"><strong>version none</strong></span>
5781                  disables processing of the queries.
5782                </p></dd>
5783<dt><span class="term"><span class="command"><strong>hostname</strong></span></span></dt>
5784<dd><p>
5785                  The hostname the server should report via a query of
5786                  the name <code class="filename">hostname.bind</code>
5787                  with type <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>.
5788                  This defaults to the hostname of the machine hosting the
5789                  name server as
5790                  found by the gethostname() function.  The primary purpose of such queries
5791                  is to
5792                  identify which of a group of anycast servers is actually
5793                  answering your queries.  Specifying <span class="command"><strong>hostname none;</strong></span>
5794                  disables processing of the queries.
5795                </p></dd>
5796<dt><span class="term"><span class="command"><strong>server-id</strong></span></span></dt>
5797<dd><p>
5798                  The ID the server should report when receiving a Name
5799                  Server Identifier (NSID) query, or a query of the name
5800                  <code class="filename">ID.SERVER</code> with type
5801                  <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>.
5802                  The primary purpose of such queries is to
5803                  identify which of a group of anycast servers is actually
5804                  answering your queries.  Specifying <span class="command"><strong>server-id none;</strong></span>
5805                  disables processing of the queries.
5806                  Specifying <span class="command"><strong>server-id hostname;</strong></span> will cause <span class="command"><strong>named</strong></span> to
5807                  use the hostname as found by the gethostname() function.
5808                  The default <span class="command"><strong>server-id</strong></span> is <span class="command"><strong>none</strong></span>.
5809                </p></dd>
5810</dl></div>
5811</div>
5812<div class="section">
5813<div class="titlepage"><div><div><h4 class="title">
5814<a name="empty"></a>Built-in Empty Zones</h4></div></div></div>
5815<p>
5816            Named has some built-in empty zones (SOA and NS records only).
5817            These are for zones that should normally be answered locally
5818            and which queries should not be sent to the Internet's root
5819            servers.  The official servers which cover these namespaces
5820            return NXDOMAIN responses to these queries.  In particular,
5821            these cover the reverse namespaces for addresses from
5822            RFC 1918, RFC 4193, RFC 5737 and RFC 6598.  They also include the
5823            reverse namespace for IPv6 local address (locally assigned),
5824            IPv6 link local addresses, the IPv6 loopback address and the
5825            IPv6 unknown address.
5826          </p>
5827<p>
5828            Named will attempt to determine if a built-in zone already exists
5829            or is active (covered by a forward-only forwarding declaration)
5830            and will not create an empty zone in that case.
5831          </p>
5832<p>
5833            The current list of empty zones is:
5834            </p>
5835<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
5836<li class="listitem">10.IN-ADDR.ARPA</li>
5837<li class="listitem">16.172.IN-ADDR.ARPA</li>
5838<li class="listitem">17.172.IN-ADDR.ARPA</li>
5839<li class="listitem">18.172.IN-ADDR.ARPA</li>
5840<li class="listitem">19.172.IN-ADDR.ARPA</li>
5841<li class="listitem">20.172.IN-ADDR.ARPA</li>
5842<li class="listitem">21.172.IN-ADDR.ARPA</li>
5843<li class="listitem">22.172.IN-ADDR.ARPA</li>
5844<li class="listitem">23.172.IN-ADDR.ARPA</li>
5845<li class="listitem">24.172.IN-ADDR.ARPA</li>
5846<li class="listitem">25.172.IN-ADDR.ARPA</li>
5847<li class="listitem">26.172.IN-ADDR.ARPA</li>
5848<li class="listitem">27.172.IN-ADDR.ARPA</li>
5849<li class="listitem">28.172.IN-ADDR.ARPA</li>
5850<li class="listitem">29.172.IN-ADDR.ARPA</li>
5851<li class="listitem">30.172.IN-ADDR.ARPA</li>
5852<li class="listitem">31.172.IN-ADDR.ARPA</li>
5853<li class="listitem">168.192.IN-ADDR.ARPA</li>
5854<li class="listitem">64.100.IN-ADDR.ARPA</li>
5855<li class="listitem">65.100.IN-ADDR.ARPA</li>
5856<li class="listitem">66.100.IN-ADDR.ARPA</li>
5857<li class="listitem">67.100.IN-ADDR.ARPA</li>
5858<li class="listitem">68.100.IN-ADDR.ARPA</li>
5859<li class="listitem">69.100.IN-ADDR.ARPA</li>
5860<li class="listitem">70.100.IN-ADDR.ARPA</li>
5861<li class="listitem">71.100.IN-ADDR.ARPA</li>
5862<li class="listitem">72.100.IN-ADDR.ARPA</li>
5863<li class="listitem">73.100.IN-ADDR.ARPA</li>
5864<li class="listitem">74.100.IN-ADDR.ARPA</li>
5865<li class="listitem">75.100.IN-ADDR.ARPA</li>
5866<li class="listitem">76.100.IN-ADDR.ARPA</li>
5867<li class="listitem">77.100.IN-ADDR.ARPA</li>
5868<li class="listitem">78.100.IN-ADDR.ARPA</li>
5869<li class="listitem">79.100.IN-ADDR.ARPA</li>
5870<li class="listitem">80.100.IN-ADDR.ARPA</li>
5871<li class="listitem">81.100.IN-ADDR.ARPA</li>
5872<li class="listitem">82.100.IN-ADDR.ARPA</li>
5873<li class="listitem">83.100.IN-ADDR.ARPA</li>
5874<li class="listitem">84.100.IN-ADDR.ARPA</li>
5875<li class="listitem">85.100.IN-ADDR.ARPA</li>
5876<li class="listitem">86.100.IN-ADDR.ARPA</li>
5877<li class="listitem">87.100.IN-ADDR.ARPA</li>
5878<li class="listitem">88.100.IN-ADDR.ARPA</li>
5879<li class="listitem">89.100.IN-ADDR.ARPA</li>
5880<li class="listitem">90.100.IN-ADDR.ARPA</li>
5881<li class="listitem">91.100.IN-ADDR.ARPA</li>
5882<li class="listitem">92.100.IN-ADDR.ARPA</li>
5883<li class="listitem">93.100.IN-ADDR.ARPA</li>
5884<li class="listitem">94.100.IN-ADDR.ARPA</li>
5885<li class="listitem">95.100.IN-ADDR.ARPA</li>
5886<li class="listitem">96.100.IN-ADDR.ARPA</li>
5887<li class="listitem">97.100.IN-ADDR.ARPA</li>
5888<li class="listitem">98.100.IN-ADDR.ARPA</li>
5889<li class="listitem">99.100.IN-ADDR.ARPA</li>
5890<li class="listitem">100.100.IN-ADDR.ARPA</li>
5891<li class="listitem">101.100.IN-ADDR.ARPA</li>
5892<li class="listitem">102.100.IN-ADDR.ARPA</li>
5893<li class="listitem">103.100.IN-ADDR.ARPA</li>
5894<li class="listitem">104.100.IN-ADDR.ARPA</li>
5895<li class="listitem">105.100.IN-ADDR.ARPA</li>
5896<li class="listitem">106.100.IN-ADDR.ARPA</li>
5897<li class="listitem">107.100.IN-ADDR.ARPA</li>
5898<li class="listitem">108.100.IN-ADDR.ARPA</li>
5899<li class="listitem">109.100.IN-ADDR.ARPA</li>
5900<li class="listitem">110.100.IN-ADDR.ARPA</li>
5901<li class="listitem">111.100.IN-ADDR.ARPA</li>
5902<li class="listitem">112.100.IN-ADDR.ARPA</li>
5903<li class="listitem">113.100.IN-ADDR.ARPA</li>
5904<li class="listitem">114.100.IN-ADDR.ARPA</li>
5905<li class="listitem">115.100.IN-ADDR.ARPA</li>
5906<li class="listitem">116.100.IN-ADDR.ARPA</li>
5907<li class="listitem">117.100.IN-ADDR.ARPA</li>
5908<li class="listitem">118.100.IN-ADDR.ARPA</li>
5909<li class="listitem">119.100.IN-ADDR.ARPA</li>
5910<li class="listitem">120.100.IN-ADDR.ARPA</li>
5911<li class="listitem">121.100.IN-ADDR.ARPA</li>
5912<li class="listitem">122.100.IN-ADDR.ARPA</li>
5913<li class="listitem">123.100.IN-ADDR.ARPA</li>
5914<li class="listitem">124.100.IN-ADDR.ARPA</li>
5915<li class="listitem">125.100.IN-ADDR.ARPA</li>
5916<li class="listitem">126.100.IN-ADDR.ARPA</li>
5917<li class="listitem">127.100.IN-ADDR.ARPA</li>
5918<li class="listitem">0.IN-ADDR.ARPA</li>
5919<li class="listitem">127.IN-ADDR.ARPA</li>
5920<li class="listitem">254.169.IN-ADDR.ARPA</li>
5921<li class="listitem">2.0.192.IN-ADDR.ARPA</li>
5922<li class="listitem">100.51.198.IN-ADDR.ARPA</li>
5923<li class="listitem">113.0.203.IN-ADDR.ARPA</li>
5924<li class="listitem">255.255.255.255.IN-ADDR.ARPA</li>
5925<li class="listitem">0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
5926<li class="listitem">1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
5927<li class="listitem">8.B.D.0.1.0.0.2.IP6.ARPA</li>
5928<li class="listitem">D.F.IP6.ARPA</li>
5929<li class="listitem">8.E.F.IP6.ARPA</li>
5930<li class="listitem">9.E.F.IP6.ARPA</li>
5931<li class="listitem">A.E.F.IP6.ARPA</li>
5932<li class="listitem">B.E.F.IP6.ARPA</li>
5933</ul></div>
5934<p>
5935          </p>
5936<p>
5937            Empty zones are settable at the view level and only apply to
5938            views of class IN.  Disabled empty zones are only inherited
5939            from options if there are no disabled empty zones specified
5940            at the view level.  To override the options list of disabled
5941            zones, you can disable the root zone at the view level, for example:
5942</p>
5943<pre class="programlisting">
5944            disable-empty-zone ".";
5945</pre>
5946<p>
5947          </p>
5948<p>
5949            If you are using the address ranges covered here, you should
5950            already have reverse zones covering the addresses you use.
5951            In practice this appears to not be the case with many queries
5952            being made to the infrastructure servers for names in these
5953            spaces.  So many in fact that sacrificial servers were needed
5954            to be deployed to channel the query load away from the
5955            infrastructure servers.
5956          </p>
5957<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
5958<h3 class="title">Note</h3>
5959<p>
5960            The real parent servers for these zones should disable all
5961            empty zone under the parent zone they serve.  For the real
5962            root servers, this is all built-in empty zones.  This will
5963            enable them to return referrals to deeper in the tree.
5964          </p>
5965</div>
5966<div class="variablelist"><dl class="variablelist">
5967<dt><span class="term"><span class="command"><strong>empty-server</strong></span></span></dt>
5968<dd><p>
5969                  Specify what server name will appear in the returned
5970                  SOA record for empty zones.  If none is specified, then
5971                  the zone's name will be used.
5972                </p></dd>
5973<dt><span class="term"><span class="command"><strong>empty-contact</strong></span></span></dt>
5974<dd><p>
5975                  Specify what contact name will appear in the returned
5976                  SOA record for empty zones.  If none is specified, then
5977                  "." will be used.
5978                </p></dd>
5979<dt><span class="term"><span class="command"><strong>empty-zones-enable</strong></span></span></dt>
5980<dd><p>
5981                  Enable or disable all empty zones.  By default, they
5982                  are enabled.
5983                </p></dd>
5984<dt><span class="term"><span class="command"><strong>disable-empty-zone</strong></span></span></dt>
5985<dd><p>
5986                  Disable individual empty zones.  By default, none are
5987                  disabled.  This option can be specified multiple times.
5988                </p></dd>
5989</dl></div>
5990</div>
5991<div class="section">
5992<div class="titlepage"><div><div><h4 class="title">
5993<a name="acache"></a>Additional Section Caching</h4></div></div></div>
5994<p>
5995            The additional section cache, also called <span class="command"><strong>acache</strong></span>,
5996            is an internal cache to improve the response performance of BIND 9.
5997            When additional section caching is enabled, BIND 9 will
5998            cache an internal short-cut to the additional section content for
5999            each answer RR.
6000            Note that <span class="command"><strong>acache</strong></span> is an internal caching
6001            mechanism of BIND 9, and is not related to the DNS caching
6002            server function.
6003          </p>
6004<p>
6005            Additional section caching does not change the
6006            response content (except the RRsets ordering of the additional
6007            section, see below), but can improve the response performance
6008            significantly.
6009            It is particularly effective when BIND 9 acts as an authoritative
6010            server for a zone that has many delegations with many glue RRs.
6011          </p>
6012<p>
6013            In order to obtain the maximum performance improvement
6014            from additional section caching, setting
6015            <span class="command"><strong>additional-from-cache</strong></span>
6016            to <span class="command"><strong>no</strong></span> is recommended, since the current
6017            implementation of <span class="command"><strong>acache</strong></span>
6018            does not short-cut of additional section information from the
6019            DNS cache data.
6020          </p>
6021<p>
6022            One obvious disadvantage of <span class="command"><strong>acache</strong></span> is
6023            that it requires much more
6024            memory for the internal cached data.
6025            Thus, if the response performance does not matter and memory
6026            consumption is much more critical, the
6027            <span class="command"><strong>acache</strong></span> mechanism can be
6028            disabled by setting <span class="command"><strong>acache-enable</strong></span> to
6029            <span class="command"><strong>no</strong></span>.
6030            It is also possible to specify the upper limit of memory
6031            consumption
6032            for acache by using <span class="command"><strong>max-acache-size</strong></span>.
6033          </p>
6034<p>
6035            Additional section caching also has a minor effect on the
6036            RRset ordering in the additional section.
6037            Without <span class="command"><strong>acache</strong></span>,
6038            <span class="command"><strong>cyclic</strong></span> order is effective for the additional
6039            section as well as the answer and authority sections.
6040            However, additional section caching fixes the ordering when it
6041            first caches an RRset for the additional section, and the same
6042            ordering will be kept in succeeding responses, regardless of the
6043            setting of <span class="command"><strong>rrset-order</strong></span>.
6044            The effect of this should be minor, however, since an
6045            RRset in the additional section
6046            typically only contains a small number of RRs (and in many cases
6047            it only contains a single RR), in which case the
6048            ordering does not matter much.
6049          </p>
6050<p>
6051            The following is a summary of options related to
6052            <span class="command"><strong>acache</strong></span>.
6053          </p>
6054<div class="variablelist"><dl class="variablelist">
6055<dt><span class="term"><span class="command"><strong>acache-enable</strong></span></span></dt>
6056<dd><p>
6057                  If <span class="command"><strong>yes</strong></span>, additional section caching is
6058                  enabled.  The default value is <span class="command"><strong>no</strong></span>.
6059                </p></dd>
6060<dt><span class="term"><span class="command"><strong>acache-cleaning-interval</strong></span></span></dt>
6061<dd><p>
6062                  The server will remove stale cache entries, based on an LRU
6063                  based
6064                  algorithm, every <span class="command"><strong>acache-cleaning-interval</strong></span> minutes.
6065                  The default is 60 minutes.
6066                  If set to 0, no periodic cleaning will occur.
6067                </p></dd>
6068<dt><span class="term"><span class="command"><strong>max-acache-size</strong></span></span></dt>
6069<dd><p>
6070                  The maximum amount of memory in bytes to use for the server's acache.
6071                  When the amount of data in the acache reaches this limit,
6072                  the server
6073                  will clean more aggressively so that the limit is not
6074                  exceeded.
6075                  In a server with multiple views, the limit applies
6076                  separately to the
6077                  acache of each view.
6078                  The default is <code class="literal">16M</code>.
6079                </p></dd>
6080</dl></div>
6081</div>
6082<div class="section">
6083<div class="titlepage"><div><div><h4 class="title">
6084<a name="content_filtering"></a>Content Filtering</h4></div></div></div>
6085<p>
6086            <acronym class="acronym">BIND</acronym> 9 provides the ability to filter
6087            out DNS responses from external DNS servers containing
6088            certain types of data in the answer section.
6089            Specifically, it can reject address (A or AAAA) records if
6090            the corresponding IPv4 or IPv6 addresses match the given
6091            <code class="varname">address_match_list</code> of the
6092            <span class="command"><strong>deny-answer-addresses</strong></span> option.
6093            It can also reject CNAME or DNAME records if the "alias"
6094            name (i.e., the CNAME alias or the substituted query name
6095            due to DNAME) matches the
6096            given <code class="varname">namelist</code> of the
6097            <span class="command"><strong>deny-answer-aliases</strong></span> option, where
6098            "match" means the alias name is a subdomain of one of
6099            the <code class="varname">name_list</code> elements.
6100            If the optional <code class="varname">namelist</code> is specified
6101            with <span class="command"><strong>except-from</strong></span>, records whose query name
6102            matches the list will be accepted regardless of the filter
6103            setting.
6104            Likewise, if the alias name is a subdomain of the
6105            corresponding zone, the <span class="command"><strong>deny-answer-aliases</strong></span>
6106            filter will not apply;
6107            for example, even if "example.com" is specified for
6108            <span class="command"><strong>deny-answer-aliases</strong></span>,
6109          </p>
6110<pre class="programlisting">www.example.com. CNAME xxx.example.com.</pre>
6111<p>
6112            returned by an "example.com" server will be accepted.
6113          </p>
6114<p>
6115            In the <code class="varname">address_match_list</code> of the
6116            <span class="command"><strong>deny-answer-addresses</strong></span> option, only
6117            <code class="varname">ip_addr</code>
6118            and <code class="varname">ip_prefix</code>
6119            are meaningful;
6120            any <code class="varname">key_id</code> will be silently ignored.
6121          </p>
6122<p>
6123            If a response message is rejected due to the filtering,
6124            the entire message is discarded without being cached, and
6125            a SERVFAIL error will be returned to the client.
6126          </p>
6127<p>
6128            This filtering is intended to prevent "DNS rebinding attacks," in
6129            which an attacker, in response to a query for a domain name the
6130            attacker controls, returns an IP address within your own network or
6131            an alias name within your own domain.
6132            A naive web browser or script could then serve as an
6133            unintended proxy, allowing the attacker
6134            to get access to an internal node of your local network
6135            that couldn't be externally accessed otherwise.
6136            See the paper available at
6137            <a class="link" href="http://portal.acm.org/citation.cfm?id=1315245.1315298" target="_top">
6138            http://portal.acm.org/citation.cfm?id=1315245.1315298
6139            </a>
6140            for more details about the attacks.
6141          </p>
6142<p>
6143            For example, if you own a domain named "example.net" and
6144            your internal network uses an IPv4 prefix 192.0.2.0/24,
6145            you might specify the following rules:
6146          </p>
6147<pre class="programlisting">deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
6148deny-answer-aliases { "example.net"; };
6149</pre>
6150<p>
6151            If an external attacker lets a web browser in your local
6152            network look up an IPv4 address of "attacker.example.com",
6153            the attacker's DNS server would return a response like this:
6154          </p>
6155<pre class="programlisting">attacker.example.com. A 192.0.2.1</pre>
6156<p>
6157            in the answer section.
6158            Since the rdata of this record (the IPv4 address) matches
6159            the specified prefix 192.0.2.0/24, this response will be
6160            ignored.
6161          </p>
6162<p>
6163            On the other hand, if the browser looks up a legitimate
6164            internal web server "www.example.net" and the
6165            following response is returned to
6166            the <acronym class="acronym">BIND</acronym> 9 server
6167          </p>
6168<pre class="programlisting">www.example.net. A 192.0.2.2</pre>
6169<p>
6170            it will be accepted since the owner name "www.example.net"
6171            matches the <span class="command"><strong>except-from</strong></span> element,
6172            "example.net".
6173          </p>
6174<p>
6175            Note that this is not really an attack on the DNS per se.
6176            In fact, there is nothing wrong for an "external" name to
6177            be mapped to your "internal" IP address or domain name
6178            from the DNS point of view.
6179            It might actually be provided for a legitimate purpose,
6180            such as for debugging.
6181            As long as the mapping is provided by the correct owner,
6182            it is not possible or does not make sense to detect
6183            whether the intent of the mapping is legitimate or not
6184            within the DNS.
6185            The "rebinding" attack must primarily be protected at the
6186            application that uses the DNS.
6187            For a large site, however, it may be difficult to protect
6188            all possible applications at once.
6189            This filtering feature is provided only to help such an
6190            operational environment;
6191            it is generally discouraged to turn it on unless you are
6192            very sure you have no other choice and the attack is a
6193            real threat for your applications.
6194          </p>
6195<p>
6196            Care should be particularly taken if you want to use this
6197            option for addresses within 127.0.0.0/8.
6198            These addresses are obviously "internal", but many
6199            applications conventionally rely on a DNS mapping from
6200            some name to such an address.
6201            Filtering out DNS records containing this address
6202            spuriously can break such applications.
6203          </p>
6204</div>
6205<div class="section">
6206<div class="titlepage"><div><div><h4 class="title">
6207<a name="rpz"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div>
6208<p>
6209            <acronym class="acronym">BIND</acronym> 9 includes a limited
6210            mechanism to modify DNS responses for requests
6211            analogous to email anti-spam DNS blacklists.
6212            Responses can be changed to deny the existence of domains (NXDOMAIN),
6213            deny the existence of IP addresses for domains (NODATA),
6214            or contain other IP addresses or data.
6215          </p>
6216<p>
6217            Response policy zones are named in the
6218            <span class="command"><strong>response-policy</strong></span> option for the view or among the
6219            global options if there is no response-policy option for the view.
6220            RPZs are ordinary DNS zones containing RRsets
6221            that can be queried normally if allowed.
6222            It is usually best to restrict those queries with something like
6223            <span class="command"><strong>allow-query { localhost; };</strong></span>.
6224          </p>
6225<p>
6226            Four policy triggers are encoded in RPZ records, QNAME, IP, NSIP,
6227            and NSDNAME.
6228            QNAME RPZ records triggered by query names of requests and targets
6229            of CNAME records resolved to generate the response.
6230            The owner name of a QNAME RPZ record is the query name relativized
6231            to the RPZ.
6232          </p>
6233<p>
6234            The second kind of RPZ trigger is an IP address in an A and AAAA
6235            record in the ANSWER section of a response.
6236            IP address triggers are encoded in records that have owner names
6237            that are subdomains of <strong class="userinput"><code>rpz-ip</code></strong> relativized
6238            to the RPZ origin name and encode an IP address or address block.
6239            IPv4 trigger addresses are represented as
6240            <strong class="userinput"><code>prefixlength.B4.B3.B2.B1.rpz-ip</code></strong>.
6241            The prefix length must be between 1 and 32.
6242            All four bytes, B4, B3, B2, and B1, must be present.
6243            B4 is the decimal value of the least significant byte of the
6244            IPv4 address as in IN-ADDR.ARPA.
6245            IPv6 addresses are encoded in a format similar to the standard
6246            IPv6 text representation,
6247            <strong class="userinput"><code>prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip</code></strong>.
6248            Each of W8,...,W1 is a one to four digit hexadecimal number
6249            representing 16 bits of the IPv6 address as in the standard text
6250            representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA.
6251            All 8 words must be present except when consecutive
6252            zero words are replaced with <strong class="userinput"><code>.zz.</code></strong>
6253            analogous to double colons (::) in standard IPv6 text encodings.
6254            The prefix length must be between 1 and 128.
6255          </p>
6256<p>
6257            NSDNAME triggers match names of authoritative servers
6258            for the query name, a parent of the query name, a CNAME for
6259            query name, or a parent of a CNAME.
6260            They are encoded as subdomains of
6261            <strong class="userinput"><code>rpz-nsdomain</code></strong> relativized
6262            to the RPZ origin name.
6263            NSIP triggers match IP addresses in A and
6264            AAAA RRsets for domains that can be checked against NSDNAME
6265            policy records.
6266            NSIP triggers are encoded like IP triggers except as subdomains of
6267            <strong class="userinput"><code>rpz-nsip</code></strong>.
6268            NSDNAME and NSIP triggers are checked only for names with at
6269            least <span class="command"><strong>min-ns-dots</strong></span> dots.
6270            The default value of <span class="command"><strong>min-ns-dots</strong></span> is 1 to
6271            exclude top level domains.
6272          </p>
6273<p>
6274            The query response is checked against all RPZs, so
6275            two or more policy records can be triggered by a response.
6276            Because DNS responses can be rewritten according to at most one
6277            policy record, a single record encoding an action (other than
6278            <span class="command"><strong>DISABLED</strong></span> actions) must be chosen.
6279            Triggers or the records that encode them are chosen in
6280            the following order:
6281            </p>
6282<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
6283<li class="listitem">Choose the triggered record in the zone that appears
6284                first in the response-policy option.
6285              </li>
6286<li class="listitem">Prefer QNAME to IP to NSDNAME to NSIP triggers
6287                in a single zone.
6288              </li>
6289<li class="listitem">Among NSDNAME triggers, prefer the
6290                trigger that matches the smallest name under the DNSSEC ordering.
6291              </li>
6292<li class="listitem">Among IP or NSIP triggers, prefer the trigger
6293                with the longest prefix.
6294              </li>
6295<li class="listitem">Among triggers with the same prefix length,
6296                prefer the IP or NSIP trigger that matches
6297                the smallest IP address.
6298              </li>
6299</ul></div>
6300<p>
6301          </p>
6302<p>
6303            When the processing of a response is restarted to resolve
6304            DNAME or CNAME records and a policy record set has
6305            not been triggered,
6306            all RPZs are again consulted for the DNAME or CNAME names
6307            and addresses.
6308          </p>
6309<p>
6310            RPZ record sets are sets of any types of DNS record except
6311            DNAME or DNSSEC that encode actions or responses to queries.
6312            </p>
6313<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
6314<li class="listitem">The <span class="command"><strong>NXDOMAIN</strong></span> response is encoded
6315                by a CNAME whose target is the root domain (.)
6316              </li>
6317<li class="listitem">A CNAME whose target is the wildcard top-level
6318                domain (*.) specifies the <span class="command"><strong>NODATA</strong></span> action,
6319                which rewrites the response to NODATA or ANCOUNT=1.
6320              </li>
6321<li class="listitem">The <span class="command"><strong>Local Data</strong></span> action is
6322                represented by a set ordinary DNS records that are used
6323                to answer queries.  Queries for record types not the
6324                set are answered with NODATA.
6325
6326                A special form of local data is a CNAME whose target is a
6327                wildcard such as *.example.com.
6328                It is used as if were an ordinary CNAME after the astrisk (*)
6329                has been replaced with the query name.
6330                The purpose for this special form is query logging in the
6331                walled garden's authority DNS server.
6332              </li>
6333<li class="listitem">The <span class="command"><strong>PASSTHRU</strong></span> policy is specified
6334                by a CNAME whose target is <span class="command"><strong>rpz-passthru.</strong></span>
6335                It causes the response to not be rewritten
6336                and is most often used to "poke holes" in policies for
6337                CIDR blocks.
6338                (A CNAME whose target is the variable part of its owner name
6339                is an obsolete specification of the PASSTHRU policy.)
6340              </li>
6341</ul></div>
6342<p>
6343          </p>
6344<p>
6345            The actions specified in an RPZ can be overridden with a
6346            <span class="command"><strong>policy</strong></span> clause in the
6347            <span class="command"><strong>response-policy</strong></span> option.
6348            An organization using an RPZ provided by another organization might
6349            use this mechanism to redirect domains to its own walled garden.
6350            </p>
6351<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
6352<li class="listitem">
6353<span class="command"><strong>GIVEN</strong></span> says "do not override but
6354                perform the action specified in the zone."
6355              </li>
6356<li class="listitem">
6357<span class="command"><strong>DISABLED</strong></span> causes policy records to do
6358                nothing but log what they might have done.
6359                The response to the DNS query will be written according to
6360                any triggered policy records that are not disabled.
6361                Disabled policy zones should appear first,
6362                because they will often not be logged
6363                if a higher precedence trigger is found first.
6364              </li>
6365<li class="listitem">
6366<span class="command"><strong>PASSTHRU</strong></span> causes all policy records
6367                to act as if they were CNAME records with targets the variable
6368                part of their owner name.  They protect the response from
6369                being changed.
6370              </li>
6371<li class="listitem">
6372<span class="command"><strong>NXDOMAIN</strong></span> causes all RPZ records
6373                to specify NXDOMAIN policies.
6374              </li>
6375<li class="listitem">
6376<span class="command"><strong>NODATA</strong></span> overrides with the
6377                NODATA policy
6378              </li>
6379<li class="listitem">
6380<span class="command"><strong>CNAME domain</strong></span> causes all RPZ
6381                policy records to act as if they were "cname domain" records.
6382              </li>
6383</ul></div>
6384<p>
6385          </p>
6386<p>
6387            By default, the actions encoded in an RPZ are applied
6388            only to queries that ask for recursion (RD=1).
6389            That default can be changed for a single RPZ or all RPZs in a view
6390            with a <span class="command"><strong>recursive-only no</strong></span> clause.
6391            This feature is useful for serving the same zone files
6392            both inside and outside an RFC 1918 cloud and using RPZ to
6393            delete answers that would otherwise contain RFC 1918 values
6394            on the externally visible name server or view.
6395          </p>
6396<p>
6397            Also by default, RPZ actions are applied only to DNS requests that
6398            either do not request DNSSEC metadata (DO=0) or when no DNSSEC
6399            records are available for request name in the original zone (not
6400            the response policy zone).
6401            This default can be changed for all RPZs in a view with a
6402            <span class="command"><strong>break-dnssec yes</strong></span> clause.
6403            In that case, RPZ actions are applied regardless of DNSSEC.
6404            The name of the clause option reflects the fact that results
6405            rewritten by RPZ actions cannot verify.
6406          </p>
6407<p>
6408            The TTL of a record modified by RPZ policies is set from the
6409            TTL of the relevant record in policy zone.  It is then limited
6410            to a maximum value.
6411            The <span class="command"><strong>max-policy-ttl</strong></span> clause changes that
6412            maximum from its default of 5.
6413          </p>
6414<p>
6415            For example, you might use this option statement
6416          </p>
6417<pre class="programlisting">    response-policy { zone "badlist"; };</pre>
6418<p>
6419            and this zone statement
6420          </p>
6421<pre class="programlisting">    zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</pre>
6422<p>
6423            with this zone file
6424          </p>
6425<pre class="programlisting">$TTL 1H
6426@                       SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
6427                        NS  LOCALHOST.
6428
6429; QNAME policy records.  There are no periods (.) after the owner names.
6430nxdomain.domain.com     CNAME   .               ; NXDOMAIN policy
6431nodata.domain.com       CNAME   *.              ; NODATA policy
6432bad.domain.com          A       10.0.0.1        ; redirect to a walled garden
6433                        AAAA    2001:2::1
6434
6435; do not rewrite (PASSTHRU) OK.DOMAIN.COM
6436ok.domain.com           CNAME   rpz-passthru.
6437
6438bzone.domain.com        CNAME   garden.example.com.
6439
6440; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
6441*.bzone.domain.com      CNAME   *.garden.example.com.
6442
6443
6444; IP policy records that rewrite all answers for 127/8 except 127.0.0.1
64458.0.0.0.127.rpz-ip      CNAME   .
644632.1.0.0.127.rpz-ip     CNAME   rpz-passthru.
6447
6448; NSDNAME and NSIP policy records
6449ns.domain.com.rpz-nsdname   CNAME   .
645048.zz.2.2001.rpz-nsip       CNAME   .
6451</pre>
6452<p>
6453            RPZ can affect server performance.
6454            Each configured response policy zone requires the server to
6455            perform one to four additional database lookups before a
6456            query can be answered.
6457            For example, a DNS server with four policy zones, each with all
6458            four kinds of response triggers, QNAME, IP, NSIP, and
6459            NSDNAME, requires a total of 17 times as many database
6460            lookups as a similar DNS server with no response policy zones.
6461            A <acronym class="acronym">BIND9</acronym> server with adequate memory and one
6462            response policy zone with QNAME and IP triggers might achieve a
6463            maximum queries-per-second rate about 20% lower.
6464            A server with four response policy zones with QNAME and IP
6465            triggers might have a maximum QPS rate about 50% lower.
6466          </p>
6467<p>
6468            Responses rewritten by RPZ are counted in the
6469            <span class="command"><strong>RPZRewrites</strong></span> statistics.
6470          </p>
6471</div>
6472<div class="section">
6473<div class="titlepage"><div><div><h4 class="title">
6474<a name="rrl"></a>Response Rate Limiting</h4></div></div></div>
6475<p>
6476            This feature is only available when <acronym class="acronym">BIND</acronym> 9
6477            is compiled with the <strong class="userinput"><code>--enable-rrl</code></strong>
6478            option on the "configure" command line.
6479          </p>
6480<p>
6481            Excessive almost identical UDP <span class="emphasis"><em>responses</em></span>
6482            can be controlled by configuring a
6483            <span class="command"><strong>rate-limit</strong></span> clause in an
6484            <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> statement.
6485            This mechanism keeps authoritative BIND 9 from being used
6486            in amplifying reflection denial of service (DoS) attacks.
6487            Short truncated (TC=1) responses can be sent to provide
6488            rate-limited responses to legitimate clients within
6489            a range of forged, attacked IP addresses.
6490            Legitimate clients react to dropped or truncated response
6491            by retrying with UDP or with TCP respectively.
6492          </p>
6493<p>
6494            This mechanism is intended for authoritative DNS servers.
6495            It can be used on recursive servers but can slow
6496            applications such as SMTP servers (mail receivers) and
6497            HTTP clients (web browsers) that repeatedly request the
6498            same domains.
6499            When possible, closing "open" recursive servers is better.
6500          </p>
6501<p>
6502            Response rate limiting uses a "credit" or "token bucket" scheme.
6503            Each combination of identical response and client
6504            has a conceptual account that earns a specified number
6505            of credits every second.
6506            A prospective response debits its account by one.
6507            Responses are dropped or truncated
6508            while the account is negative.
6509            Responses are tracked within a rolling window of time
6510            which defaults to 15 seconds, but can be configured with
6511            the <span class="command"><strong>window</strong></span> option to any value from
6512            1 to 3600 seconds (1 hour).
6513            The account cannot become more positive than
6514            the per-second limit
6515            or more negative than <span class="command"><strong>window</strong></span>
6516            times the per-second limit.
6517            When the specified number of credits for a class of
6518            responses is set to 0, those responses are not rate limited.
6519          </p>
6520<p>
6521            The notions of "identical response" and "DNS client"
6522            for rate limiting are not simplistic.
6523            All responses to an address block are counted as if to a
6524            single client.
6525            The prefix lengths of addresses blocks are
6526            specified with <span class="command"><strong>ipv4-prefix-length</strong></span> (default 24)
6527            and <span class="command"><strong>ipv6-prefix-length</strong></span> (default 56).
6528          </p>
6529<p>
6530            All non-empty responses for a valid domain name (qname)
6531            and record type (qtype) are identical and have a limit specified
6532            with <span class="command"><strong>responses-per-second</strong></span>
6533            (default 0 or no limit).
6534            All empty (NODATA) responses for a valid domain,
6535            regardless of query type, are identical.
6536            Responses in the NODATA class are limited by
6537            <span class="command"><strong>nodata-per-second</strong></span>
6538            (default <span class="command"><strong>responses-per-second</strong></span>).
6539            Requests for any and all undefined subdomains of a given
6540            valid domain result in NXDOMAIN errors, and are identical
6541            regardless of query type.
6542            They are limited by <span class="command"><strong>nxdomain-per-second</strong></span>
6543            (default <span class="command"><strong>responses-per-second</strong></span>).
6544            This controls some attacks using random names, but
6545            can be relaxed or turned off (set to 0)
6546            on servers that expect many legitimate
6547            NXDOMAIN responses, such as from anti-spam blacklists.
6548            Referrals or delegations to the server of a given
6549            domain are identical and are limited by
6550            <span class="command"><strong>referrals-per-second</strong></span>
6551            (default <span class="command"><strong>responses-per-second</strong></span>).
6552          </p>
6553<p>
6554            Responses generated from local wildcards are counted and limited
6555            as if they were for the parent domain name.
6556            This controls flooding using random.wild.example.com.
6557          </p>
6558<p>
6559            All requests that result in DNS errors other
6560            than NXDOMAIN, such as SERVFAIL and FORMERR, are identical
6561            regardless of requested name (qname) or record type (qtype).
6562            This controls attacks using invalid requests or distant,
6563            broken authoritative servers.
6564            By default the limit on errors is the same as the
6565            <span class="command"><strong>responses-per-second</strong></span> value,
6566            but it can be set separately with
6567            <span class="command"><strong>errors-per-second</strong></span>.
6568          </p>
6569<p>
6570            Many attacks using DNS involve UDP requests with forged source
6571            addresses.
6572            Rate limiting prevents the use of BIND 9 to flood a network
6573            with responses to requests with forged source addresses,
6574            but could let a third party block responses to legitimate requests.
6575            There is a mechanism that can answer some legitimate
6576            requests from a client whose address is being forged in a flood.
6577            Setting <span class="command"><strong>slip</strong></span> to 2 (its default) causes every
6578            other UDP request to be answered with a small truncated (TC=1)
6579            response.
6580            The small size and reduced frequency, and so lack of
6581            amplification, of "slipped" responses make them unattractive
6582            for reflection DoS attacks.
6583            <span class="command"><strong>slip</strong></span> must be between 0 and 10.
6584            A value of 0 does not "slip":
6585            no truncated responses are sent due to rate limiting,
6586            all responses are dropped.
6587            A value of 1 causes every response to slip;
6588            values between 2 and 10 cause every n'th response to slip.
6589            Some error responses including REFUSED and SERVFAIL
6590            cannot be replaced with truncated responses and are instead
6591            leaked at the <span class="command"><strong>slip</strong></span> rate.
6592          </p>
6593<p>
6594            (NOTE: Dropped responses from an authoritative server may
6595            reduce the difficulty of a third party successfully forging
6596            a response to a recursive resolver. The best security
6597            against forged responses is for authoritative operators
6598            to sign their zones using DNSSEC and for resolver operators
6599            to validate the responses. When this is not an option,
6600            operators who are more concerned with response integrity
6601            than with flood mitigation may consider setting
6602            <span class="command"><strong>slip</strong></span> to 1, causing all rate-limited
6603            responses to be truncated rather than dropped.  This reduces
6604            the effectiveness of rate-limiting against reflection attacks.)
6605          </p>
6606<p>
6607            When the approximate query per second rate exceeds
6608            the <span class="command"><strong>qps-scale</strong></span> value,
6609            then the <span class="command"><strong>responses-per-second</strong></span>,
6610            <span class="command"><strong>errors-per-second</strong></span>,
6611            <span class="command"><strong>nxdomains-per-second</strong></span> and
6612            <span class="command"><strong>all-per-second</strong></span> values are reduced by the
6613            ratio of the current rate to the <span class="command"><strong>qps-scale</strong></span> value.
6614            This feature can tighten defenses during attacks.
6615            For example, with
6616            <span class="command"><strong>qps-scale 250; responses-per-second 20;</strong></span> and
6617            a total query rate of 1000 queries/second for all queries from
6618            all DNS clients including via TCP,
6619            then the effective responses/second limit changes to
6620            (250/1000)*20 or 5.
6621            Responses sent via TCP are not limited
6622            but are counted to compute the query per second rate.
6623          </p>
6624<p>
6625            Communities of DNS clients can be given their own parameters or no
6626            rate limiting by putting
6627            <span class="command"><strong>rate-limit</strong></span> statements in <span class="command"><strong>view</strong></span>
6628            statements instead of the global <span class="command"><strong>option</strong></span>
6629            statement.
6630            A <span class="command"><strong>rate-limit</strong></span> statement in a view replaces,
6631            rather than supplementing, a <span class="command"><strong>rate-limit</strong></span>
6632            statement among the main options.
6633            DNS clients within a view can be exempted from rate limits
6634            with the <span class="command"><strong>exempt-clients</strong></span> clause.
6635          </p>
6636<p>
6637            UDP responses of all kinds can be limited with the
6638            <span class="command"><strong>all-per-second</strong></span> phrase.
6639            This rate limiting is unlike the rate limiting provided by
6640            <span class="command"><strong>responses-per-second</strong></span>,
6641            <span class="command"><strong>errors-per-second</strong></span>, and
6642            <span class="command"><strong>nxdomains-per-second</strong></span> on a DNS server
6643            which are often invisible to the victim of a DNS reflection attack.
6644            Unless the forged requests of the attack are the same as the
6645            legitimate requests of the victim, the victim's requests are
6646            not affected.
6647            Responses affected by an <span class="command"><strong>all-per-second</strong></span> limit
6648            are always dropped; the <span class="command"><strong>slip</strong></span> value has no
6649            effect.
6650            An <span class="command"><strong>all-per-second</strong></span> limit should be
6651            at least 4 times as large as the other limits,
6652            because single DNS clients often send bursts of legitimate
6653            requests.
6654            For example, the receipt of a single mail message can prompt
6655            requests from an SMTP server for NS, PTR, A, and AAAA records
6656            as the incoming SMTP/TCP/IP connection is considered.
6657            The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF
6658            records as it considers the STMP <span class="command"><strong>Mail From</strong></span>
6659            command.
6660            Web browsers often repeatedly resolve the same names that
6661            are repeated in HTML &lt;IMG&gt; tags in a page.
6662            <span class="command"><strong>All-per-second</strong></span> is similar to the
6663            rate limiting offered by firewalls but often inferior.
6664            Attacks that justify ignoring the
6665            contents of DNS responses are likely to be attacks on the
6666            DNS server itself.
6667            They usually should be discarded before the DNS server
6668            spends resources making TCP connections or parsing DNS requests,
6669            but that rate limiting must be done before the
6670            DNS server sees the requests.
6671          </p>
6672<p>
6673            The maximum size of the table used to track requests and
6674            rate limit responses is set with <span class="command"><strong>max-table-size</strong></span>.
6675            Each entry in the table is between 40 and 80 bytes.
6676            The table needs approximately as many entries as the number
6677            of requests received per second.
6678            The default is 20,000.
6679            To reduce the cold start of growing the table,
6680            <span class="command"><strong>min-table-size</strong></span> (default 500)
6681            can set the minimum table size.
6682            Enable <span class="command"><strong>rate-limit</strong></span> category logging to monitor
6683            expansions of the table and inform
6684            choices for the initial and maximum table size.
6685          </p>
6686<p>
6687            Use <span class="command"><strong>log-only yes</strong></span> to test rate limiting parameters
6688            without actually dropping any requests.
6689          </p>
6690<p>
6691            Responses dropped by rate limits are included in the
6692            <span class="command"><strong>RateDropped</strong></span> and <span class="command"><strong>QryDropped</strong></span>
6693            statistics.
6694            Responses that truncated by rate limits are included in
6695            <span class="command"><strong>RateSlipped</strong></span> and <span class="command"><strong>RespTruncated</strong></span>.
6696          </p>
6697</div>
6698</div>
6699<div class="section">
6700<div class="titlepage"><div><div><h3 class="title">
6701<a name="server_statement_grammar"></a><span class="command"><strong>server</strong></span> Statement Grammar</h3></div></div></div>
6702<pre class="programlisting"><span class="command"><strong>server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
6703    [<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
6704    [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
6705    [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
6706    [<span class="optional"> request-nsid <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
6707    [<span class="optional"> edns <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
6708    [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
6709    [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
6710    [<span class="optional"> transfers <em class="replaceable"><code>number</code></em> ; </span>]
6711    [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; ]</span>]
6712    [<span class="optional"> keys { <em class="replaceable"><code>key_id</code></em> }; </span>]
6713    [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
6714    [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
6715    [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
6716    [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
6717    [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
6718                  [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
6719    [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
6720                     [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
6721    [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
6722    [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
6723    [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
6724};
6725</pre>
6726</div>
6727<div class="section">
6728<div class="titlepage"><div><div><h3 class="title">
6729<a name="server_statement_definition_and_usage"></a><span class="command"><strong>server</strong></span> Statement Definition and
6730            Usage</h3></div></div></div>
6731<p>
6732            The <span class="command"><strong>server</strong></span> statement defines
6733            characteristics
6734            to be associated with a remote name server.  If a prefix length is
6735            specified, then a range of servers is covered.  Only the most
6736            specific
6737            server clause applies regardless of the order in
6738            <code class="filename">named.conf</code>.
6739          </p>
6740<p>
6741            The <span class="command"><strong>server</strong></span> statement can occur at
6742            the top level of the
6743            configuration file or inside a <span class="command"><strong>view</strong></span>
6744            statement.
6745            If a <span class="command"><strong>view</strong></span> statement contains
6746            one or more <span class="command"><strong>server</strong></span> statements, only
6747            those
6748            apply to the view and any top-level ones are ignored.
6749            If a view contains no <span class="command"><strong>server</strong></span>
6750            statements,
6751            any top-level <span class="command"><strong>server</strong></span> statements are
6752            used as
6753            defaults.
6754          </p>
6755<p>
6756            If you discover that a remote server is giving out bad data,
6757            marking it as bogus will prevent further queries to it. The
6758            default
6759            value of <span class="command"><strong>bogus</strong></span> is <span class="command"><strong>no</strong></span>.
6760          </p>
6761<p>
6762            The <span class="command"><strong>provide-ixfr</strong></span> clause determines
6763            whether
6764            the local server, acting as master, will respond with an
6765            incremental
6766            zone transfer when the given remote server, a slave, requests it.
6767            If set to <span class="command"><strong>yes</strong></span>, incremental transfer
6768            will be provided
6769            whenever possible. If set to <span class="command"><strong>no</strong></span>,
6770            all transfers
6771            to the remote server will be non-incremental. If not set, the
6772            value
6773            of the <span class="command"><strong>provide-ixfr</strong></span> option in the
6774            view or
6775            global options block is used as a default.
6776          </p>
6777<p>
6778            The <span class="command"><strong>request-ixfr</strong></span> clause determines
6779            whether
6780            the local server, acting as a slave, will request incremental zone
6781            transfers from the given remote server, a master. If not set, the
6782            value of the <span class="command"><strong>request-ixfr</strong></span> option in
6783            the view or global options block is used as a default. It may
6784            also be set in the zone block and, if set there, it will
6785            override the global or view setting for that zone.
6786          </p>
6787<p>
6788            IXFR requests to servers that do not support IXFR will
6789            automatically
6790            fall back to AXFR.  Therefore, there is no need to manually list
6791            which servers support IXFR and which ones do not; the global
6792            default
6793            of <span class="command"><strong>yes</strong></span> should always work.
6794            The purpose of the <span class="command"><strong>provide-ixfr</strong></span> and
6795            <span class="command"><strong>request-ixfr</strong></span> clauses is
6796            to make it possible to disable the use of IXFR even when both
6797            master
6798            and slave claim to support it, for example if one of the servers
6799            is buggy and crashes or corrupts data when IXFR is used.
6800          </p>
6801<p>
6802            The <span class="command"><strong>edns</strong></span> clause determines whether
6803            the local server will attempt to use EDNS when communicating
6804            with the remote server.  The default is <span class="command"><strong>yes</strong></span>.
6805          </p>
6806<p>
6807            The <span class="command"><strong>edns-udp-size</strong></span> option sets the EDNS UDP size
6808            that is advertised by <span class="command"><strong>named</strong></span> when querying the remote server.
6809            Valid values are 512 to 4096 bytes (values outside this range will be
6810            silently adjusted).  This option is useful when you wish to
6811            advertises a different value to this server than the value you
6812            advertise globally, for example, when there is a firewall at the
6813            remote site that is blocking large replies.
6814          </p>
6815<p>
6816            The <span class="command"><strong>max-udp-size</strong></span> option sets the
6817            maximum EDNS UDP message size <span class="command"><strong>named</strong></span> will send.  Valid
6818            values are 512 to 4096 bytes (values outside this range will
6819            be silently adjusted).  This option is useful when you
6820            know that there is a firewall that is blocking large
6821            replies from <span class="command"><strong>named</strong></span>.
6822          </p>
6823<p>
6824            The server supports two zone transfer methods. The first, <span class="command"><strong>one-answer</strong></span>,
6825            uses one DNS message per resource record transferred. <span class="command"><strong>many-answers</strong></span> packs
6826            as many resource records as possible into a message. <span class="command"><strong>many-answers</strong></span> is
6827            more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
6828            8.x, and patched versions of <acronym class="acronym">BIND</acronym>
6829            4.9.5. You can specify which method
6830            to use for a server with the <span class="command"><strong>transfer-format</strong></span> option.
6831            If <span class="command"><strong>transfer-format</strong></span> is not
6832            specified, the <span class="command"><strong>transfer-format</strong></span>
6833            specified
6834            by the <span class="command"><strong>options</strong></span> statement will be
6835            used.
6836          </p>
6837<p><span class="command"><strong>transfers</strong></span>
6838            is used to limit the number of concurrent inbound zone
6839            transfers from the specified server. If no
6840            <span class="command"><strong>transfers</strong></span> clause is specified, the
6841            limit is set according to the
6842            <span class="command"><strong>transfers-per-ns</strong></span> option.
6843          </p>
6844<p>
6845            The <span class="command"><strong>keys</strong></span> clause identifies a
6846            <span class="command"><strong>key_id</strong></span> defined by the <span class="command"><strong>key</strong></span> statement,
6847            to be used for transaction security (TSIG, <a class="xref" href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
6848            when talking to the remote server.
6849            When a request is sent to the remote server, a request signature
6850            will be generated using the key specified here and appended to the
6851            message. A request originating from the remote server is not
6852            required
6853            to be signed by this key.
6854          </p>
6855<p>
6856            Only a single key per server is currently supported.
6857          </p>
6858<p>
6859            The <span class="command"><strong>transfer-source</strong></span> and
6860            <span class="command"><strong>transfer-source-v6</strong></span> clauses specify
6861            the IPv4 and IPv6 source
6862            address to be used for zone transfer with the remote server,
6863            respectively.
6864            For an IPv4 remote server, only <span class="command"><strong>transfer-source</strong></span> can
6865            be specified.
6866            Similarly, for an IPv6 remote server, only
6867            <span class="command"><strong>transfer-source-v6</strong></span> can be
6868            specified.
6869            For more details, see the description of
6870            <span class="command"><strong>transfer-source</strong></span> and
6871            <span class="command"><strong>transfer-source-v6</strong></span> in
6872            <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
6873          </p>
6874<p>
6875            The <span class="command"><strong>notify-source</strong></span> and
6876            <span class="command"><strong>notify-source-v6</strong></span> clauses specify the
6877            IPv4 and IPv6 source address to be used for notify
6878            messages sent to remote servers, respectively.  For an
6879            IPv4 remote server, only <span class="command"><strong>notify-source</strong></span>
6880            can be specified.  Similarly, for an IPv6 remote server,
6881            only <span class="command"><strong>notify-source-v6</strong></span> can be specified.
6882          </p>
6883<p>
6884            The <span class="command"><strong>query-source</strong></span> and
6885            <span class="command"><strong>query-source-v6</strong></span> clauses specify the
6886            IPv4 and IPv6 source address to be used for queries
6887            sent to remote servers, respectively.  For an IPv4
6888            remote server, only <span class="command"><strong>query-source</strong></span> can
6889            be specified.  Similarly, for an IPv6 remote server,
6890            only <span class="command"><strong>query-source-v6</strong></span> can be specified.
6891          </p>
6892<p>
6893            The <span class="command"><strong>request-nsid</strong></span> clause determines
6894            whether the local server will add a NSID EDNS option
6895            to requests sent to the server.  This overrides
6896            <span class="command"><strong>request-nsid</strong></span> set at the view or
6897            option level.
6898          </p>
6899</div>
6900<div class="section">
6901<div class="titlepage"><div><div><h3 class="title">
6902<a name="statschannels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
6903<pre class="programlisting"><span class="command"><strong>statistics-channels</strong></span> {
6904   [ inet ( ip_addr | * ) [ port ip_port ]
6905   [ allow { <em class="replaceable"><code> address_match_list </code></em> } ]; ]
6906   [ inet ...; ]
6907};
6908</pre>
6909</div>
6910<div class="section">
6911<div class="titlepage"><div><div><h3 class="title">
6912<a name="statistics_channels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
6913            Usage</h3></div></div></div>
6914<p>
6915          The <span class="command"><strong>statistics-channels</strong></span> statement
6916          declares communication channels to be used by system
6917          administrators to get access to statistics information of
6918          the name server.
6919        </p>
6920<p>
6921          This statement intends to be flexible to support multiple
6922          communication protocols in the future, but currently only
6923          HTTP access is supported.
6924          It requires that BIND 9 be compiled with libxml2;
6925          the <span class="command"><strong>statistics-channels</strong></span> statement is
6926          still accepted even if it is built without the library,
6927          but any HTTP access will fail with an error.
6928        </p>
6929<p>
6930          An <span class="command"><strong>inet</strong></span> control channel is a TCP socket
6931          listening at the specified <span class="command"><strong>ip_port</strong></span> on the
6932          specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6
6933          address.  An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
6934          interpreted as the IPv4 wildcard address; connections will be
6935          accepted on any of the system's IPv4 addresses.
6936          To listen on the IPv6 wildcard address,
6937          use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>.
6938        </p>
6939<p>
6940          If no port is specified, port 80 is used for HTTP channels.
6941          The asterisk "<code class="literal">*</code>" cannot be used for
6942          <span class="command"><strong>ip_port</strong></span>.
6943        </p>
6944<p>
6945          The attempt of opening a statistics channel is
6946          restricted by the optional <span class="command"><strong>allow</strong></span> clause.
6947          Connections to the statistics channel are permitted based on the
6948          <span class="command"><strong>address_match_list</strong></span>.
6949          If no <span class="command"><strong>allow</strong></span> clause is present,
6950          <span class="command"><strong>named</strong></span> accepts connection
6951          attempts from any address; since the statistics may
6952          contain sensitive internal information, it is highly
6953          recommended to restrict the source of connection requests
6954          appropriately.
6955        </p>
6956<p>
6957          If no <span class="command"><strong>statistics-channels</strong></span> statement is present,
6958          <span class="command"><strong>named</strong></span> will not open any communication channels.
6959        </p>
6960<p>
6961          If the statistics channel is configured to listen on 127.0.0.1
6962          port 8888, then the statistics are accessible in XML format at
6963          <a class="link" href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or
6964          <a class="link" href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is
6965          included which can format the XML statistics into tables
6966          when viewed with a stylesheet-capable browser.  When
6967          <acronym class="acronym">BIND</acronym> 9 is configured with --enable-newstats,
6968          a new XML schema is used (version 3) which adds additional
6969          zone statistics and uses a flatter tree for more efficient
6970          parsing.  The stylesheet included uses the Google Charts API
6971          to render data into into charts and graphs when using a
6972          javascript-capable browser.
6973        </p>
6974<p>
6975          Applications that depend on a particular XML schema
6976          can request
6977          <a class="link" href="http://127.0.0.1:8888/xml/v2" target="_top">http://127.0.0.1:8888/xml/v2</a> for version 2
6978          of the statistics XML schema or
6979          <a class="link" href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3.
6980          If the requested schema is supported by the server, then
6981          it will respond; if not, it will return a "page not found"
6982          error.
6983        </p>
6984</div>
6985<div class="section">
6986<div class="titlepage"><div><div><h3 class="title">
6987<a name="trusted-keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
6988<pre class="programlisting"><span class="command"><strong>trusted-keys</strong></span> {
6989    <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
6990    [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
6991};
6992</pre>
6993</div>
6994<div class="section">
6995<div class="titlepage"><div><div><h3 class="title">
6996<a name="trusted_keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Definition
6997            and Usage</h3></div></div></div>
6998<p>
6999            The <span class="command"><strong>trusted-keys</strong></span> statement defines
7000            DNSSEC security roots. DNSSEC is described in <a class="xref" href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>. A security root is defined when the
7001            public key for a non-authoritative zone is known, but
7002            cannot be securely obtained through DNS, either because
7003            it is the DNS root zone or because its parent zone is
7004            unsigned.  Once a key has been configured as a trusted
7005            key, it is treated as if it had been validated and
7006            proven secure. The resolver attempts DNSSEC validation
7007            on all DNS data in subdomains of a security root.
7008          </p>
7009<p>
7010            All keys (and corresponding zones) listed in
7011            <span class="command"><strong>trusted-keys</strong></span> are deemed to exist regardless
7012            of what parent zones say.  Similarly for all keys listed in
7013            <span class="command"><strong>trusted-keys</strong></span> only those keys are
7014            used to validate the DNSKEY RRset.  The parent's DS RRset
7015            will not be used.
7016          </p>
7017<p>
7018            The <span class="command"><strong>trusted-keys</strong></span> statement can contain
7019            multiple key entries, each consisting of the key's
7020            domain name, flags, protocol, algorithm, and the Base-64
7021            representation of the key data.
7022            Spaces, tabs, newlines and carriage returns are ignored
7023            in the key data, so the configuration may be split up into
7024            multiple lines.
7025          </p>
7026<p>
7027            <span class="command"><strong>trusted-keys</strong></span> may be set at the top level
7028            of <code class="filename">named.conf</code> or within a view.  If it is
7029            set in both places, they are additive: keys defined at the top
7030            level are inherited by all views, but keys defined in a view
7031            are only used within that view.
7032          </p>
7033</div>
7034<div class="section">
7035<div class="titlepage"><div><div><h3 class="title">
7036<a name="managed_keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Grammar</h3></div></div></div>
7037<pre class="programlisting"><span class="command"><strong>managed-keys</strong></span> {
7038    <em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ;
7039    [<span class="optional"> <em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; [<span class="optional">...</span>]</span>]
7040};
7041</pre>
7042</div>
7043<div class="section">
7044<div class="titlepage"><div><div><h3 class="title">
7045<a name="managed-keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Definition
7046            and Usage</h3></div></div></div>
7047<p>
7048            The <span class="command"><strong>managed-keys</strong></span> statement, like
7049            <span class="command"><strong>trusted-keys</strong></span>, defines DNSSEC
7050            security roots.  The difference is that
7051            <span class="command"><strong>managed-keys</strong></span> can be kept up to date
7052            automatically, without intervention from the resolver
7053            operator.
7054          </p>
7055<p>
7056            Suppose, for example, that a zone's key-signing
7057            key was compromised, and the zone owner had to revoke and
7058            replace the key.  A resolver which had the old key in a
7059            <span class="command"><strong>trusted-keys</strong></span> statement would be
7060            unable to validate this zone any longer; it would
7061            reply with a SERVFAIL response code.  This would
7062            continue until the resolver operator had updated the
7063            <span class="command"><strong>trusted-keys</strong></span> statement with the new key.
7064          </p>
7065<p>
7066            If, however, the zone were listed in a
7067            <span class="command"><strong>managed-keys</strong></span> statement instead, then the
7068            zone owner could add a "stand-by" key to the zone in advance.
7069            <span class="command"><strong>named</strong></span> would store the stand-by key, and
7070            when the original key was revoked, <span class="command"><strong>named</strong></span>
7071            would be able to transition smoothly to the new key.  It would
7072            also recognize that the old key had been revoked, and cease
7073            using that key to validate answers, minimizing the damage that
7074            the compromised key could do.
7075          </p>
7076<p>
7077            A <span class="command"><strong>managed-keys</strong></span> statement contains a list of
7078            the keys to be managed, along with information about how the
7079            keys are to be initialized for the first time.  The only
7080            initialization method currently supported (as of
7081            <acronym class="acronym">BIND</acronym> 9.7.0) is <code class="literal">initial-key</code>.
7082            This means the <span class="command"><strong>managed-keys</strong></span> statement must
7083            contain a copy of the initializing key.  (Future releases may
7084            allow keys to be initialized by other methods, eliminating this
7085            requirement.)
7086          </p>
7087<p>
7088            Consequently, a <span class="command"><strong>managed-keys</strong></span> statement
7089            appears similar to a <span class="command"><strong>trusted-keys</strong></span>, differing
7090            in the presence of the second field, containing the keyword
7091            <code class="literal">initial-key</code>.  The difference is, whereas the
7092            keys listed in a <span class="command"><strong>trusted-keys</strong></span> continue to be
7093            trusted until they are removed from
7094            <code class="filename">named.conf</code>, an initializing key listed
7095            in a <span class="command"><strong>managed-keys</strong></span> statement is only trusted
7096            <span class="emphasis"><em>once</em></span>: for as long as it takes to load the
7097            managed key database and start the RFC 5011 key maintenance
7098            process.
7099          </p>
7100<p>
7101            The first time <span class="command"><strong>named</strong></span> runs with a managed key
7102            configured in <code class="filename">named.conf</code>, it fetches the
7103            DNSKEY RRset directly from the zone apex, and validates it
7104            using the key specified in the <span class="command"><strong>managed-keys</strong></span>
7105            statement.  If the DNSKEY RRset is validly signed, then it is
7106            used as the basis for a new managed keys database.
7107          </p>
7108<p>
7109            From that point on, whenever <span class="command"><strong>named</strong></span> runs, it
7110            sees the <span class="command"><strong>managed-keys</strong></span> statement, checks to
7111            make sure RFC 5011 key maintenance has already been initialized
7112            for the specified domain, and if so, it simply moves on.  The
7113            key specified in the <span class="command"><strong>managed-keys</strong></span> is not
7114            used to validate answers; it has been superseded by the key or
7115            keys stored in the managed keys database.
7116          </p>
7117<p>
7118            The next time <span class="command"><strong>named</strong></span> runs after a name
7119            has been <span class="emphasis"><em>removed</em></span> from the
7120            <span class="command"><strong>managed-keys</strong></span> statement, the corresponding
7121            zone will be removed from the managed keys database,
7122            and RFC 5011 key maintenance will no longer be used for that
7123            domain.
7124          </p>
7125<p>
7126            <span class="command"><strong>named</strong></span> only maintains a single managed keys
7127            database; consequently, unlike <span class="command"><strong>trusted-keys</strong></span>,
7128            <span class="command"><strong>managed-keys</strong></span> may only be set at the top
7129            level of <code class="filename">named.conf</code>, not within a view.
7130          </p>
7131<p>
7132            In the current implementation, the managed keys database is
7133            stored as a master-format zone file called
7134            <code class="filename">managed-keys.bind</code>.  When the key database
7135            is changed, the zone is updated.  As with any other dynamic
7136            zone, changes will be written into a journal file,
7137            <code class="filename">managed-keys.bind.jnl</code>.  They are committed
7138            to the master file as soon as possible afterward; in the case
7139            of the managed key database, this will usually occur within 30
7140            seconds.  So, whenever <span class="command"><strong>named</strong></span> is using
7141            automatic key maintenance, those two files can be expected to
7142            exist in the working directory.  (For this reason among others,
7143            the working directory should be always be writable by
7144            <span class="command"><strong>named</strong></span>.)
7145          </p>
7146<p>
7147            If the <span class="command"><strong>dnssec-validation</strong></span> option is
7148            set to <strong class="userinput"><code>auto</code></strong>, <span class="command"><strong>named</strong></span>
7149            will automatically initialize a managed key for the
7150            root zone.  Similarly, if the <span class="command"><strong>dnssec-lookaside</strong></span>
7151            option is set to <strong class="userinput"><code>auto</code></strong>,
7152            <span class="command"><strong>named</strong></span> will automatically initialize
7153            a managed key for the zone <code class="literal">dlv.isc.org</code>.
7154            In both cases, the key that is used to initialize the key
7155            maintenance process is built into <span class="command"><strong>named</strong></span>,
7156            and can be overridden from <span class="command"><strong>bindkeys-file</strong></span>.
7157          </p>
7158</div>
7159<div class="section">
7160<div class="titlepage"><div><div><h3 class="title">
7161<a name="view_statement_grammar"></a><span class="command"><strong>view</strong></span> Statement Grammar</h3></div></div></div>
7162<pre class="programlisting"><span class="command"><strong>view</strong></span> <em class="replaceable"><code>view_name</code></em>
7163      [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
7164      match-clients { <em class="replaceable"><code>address_match_list</code></em> };
7165      match-destinations { <em class="replaceable"><code>address_match_list</code></em> };
7166      match-recursive-only <em class="replaceable"><code>yes_or_no</code></em> ;
7167      [<span class="optional"> <em class="replaceable"><code>view_option</code></em>; ...</span>]
7168      [<span class="optional"> <em class="replaceable"><code>zone_statement</code></em>; ...</span>]
7169};
7170</pre>
7171</div>
7172<div class="section">
7173<div class="titlepage"><div><div><h3 class="title">
7174<a name="view_statement"></a><span class="command"><strong>view</strong></span> Statement Definition and Usage</h3></div></div></div>
7175<p>
7176            The <span class="command"><strong>view</strong></span> statement is a powerful
7177            feature
7178            of <acronym class="acronym">BIND</acronym> 9 that lets a name server
7179            answer a DNS query differently
7180            depending on who is asking. It is particularly useful for
7181            implementing
7182            split DNS setups without having to run multiple servers.
7183          </p>
7184<p>
7185            Each <span class="command"><strong>view</strong></span> statement defines a view
7186            of the
7187            DNS namespace that will be seen by a subset of clients.  A client
7188            matches
7189            a view if its source IP address matches the
7190            <code class="varname">address_match_list</code> of the view's
7191            <span class="command"><strong>match-clients</strong></span> clause and its
7192            destination IP address matches
7193            the <code class="varname">address_match_list</code> of the
7194            view's
7195            <span class="command"><strong>match-destinations</strong></span> clause.  If not
7196            specified, both
7197            <span class="command"><strong>match-clients</strong></span> and <span class="command"><strong>match-destinations</strong></span>
7198            default to matching all addresses.  In addition to checking IP
7199            addresses
7200            <span class="command"><strong>match-clients</strong></span> and <span class="command"><strong>match-destinations</strong></span>
7201            can also take <span class="command"><strong>keys</strong></span> which provide an
7202            mechanism for the
7203            client to select the view.  A view can also be specified
7204            as <span class="command"><strong>match-recursive-only</strong></span>, which
7205            means that only recursive
7206            requests from matching clients will match that view.
7207            The order of the <span class="command"><strong>view</strong></span> statements is
7208            significant &#8212;
7209            a client request will be resolved in the context of the first
7210            <span class="command"><strong>view</strong></span> that it matches.
7211          </p>
7212<p>
7213            Zones defined within a <span class="command"><strong>view</strong></span>
7214            statement will
7215            only be accessible to clients that match the <span class="command"><strong>view</strong></span>.
7216            By defining a zone of the same name in multiple views, different
7217            zone data can be given to different clients, for example,
7218            "internal"
7219            and "external" clients in a split DNS setup.
7220          </p>
7221<p>
7222            Many of the options given in the <span class="command"><strong>options</strong></span> statement
7223            can also be used within a <span class="command"><strong>view</strong></span>
7224            statement, and then
7225            apply only when resolving queries with that view.  When no
7226            view-specific
7227            value is given, the value in the <span class="command"><strong>options</strong></span> statement
7228            is used as a default.  Also, zone options can have default values
7229            specified
7230            in the <span class="command"><strong>view</strong></span> statement; these
7231            view-specific defaults
7232            take precedence over those in the <span class="command"><strong>options</strong></span> statement.
7233          </p>
7234<p>
7235            Views are class specific.  If no class is given, class IN
7236            is assumed.  Note that all non-IN views must contain a hint zone,
7237            since only the IN class has compiled-in default hints.
7238          </p>
7239<p>
7240            If there are no <span class="command"><strong>view</strong></span> statements in
7241            the config
7242            file, a default view that matches any client is automatically
7243            created
7244            in class IN. Any <span class="command"><strong>zone</strong></span> statements
7245            specified on
7246            the top level of the configuration file are considered to be part
7247            of
7248            this default view, and the <span class="command"><strong>options</strong></span>
7249            statement will
7250            apply to the default view. If any explicit <span class="command"><strong>view</strong></span>
7251            statements are present, all <span class="command"><strong>zone</strong></span>
7252            statements must
7253            occur inside <span class="command"><strong>view</strong></span> statements.
7254          </p>
7255<p>
7256            Here is an example of a typical split DNS setup implemented
7257            using <span class="command"><strong>view</strong></span> statements:
7258          </p>
7259<pre class="programlisting">view "internal" {
7260      // This should match our internal networks.
7261      match-clients { 10.0.0.0/8; };
7262
7263      // Provide recursive service to internal
7264      // clients only.
7265      recursion yes;
7266
7267      // Provide a complete view of the example.com
7268      // zone including addresses of internal hosts.
7269      zone "example.com" {
7270            type master;
7271            file "example-internal.db";
7272      };
7273};
7274
7275view "external" {
7276      // Match all clients not matched by the
7277      // previous view.
7278      match-clients { any; };
7279
7280      // Refuse recursive service to external clients.
7281      recursion no;
7282
7283      // Provide a restricted view of the example.com
7284      // zone containing only publicly accessible hosts.
7285      zone "example.com" {
7286           type master;
7287           file "example-external.db";
7288      };
7289};
7290</pre>
7291</div>
7292<div class="section">
7293<div class="titlepage"><div><div><h3 class="title">
7294<a name="zone_statement_grammar"></a><span class="command"><strong>zone</strong></span>
7295            Statement Grammar</h3></div></div></div>
7296<pre class="programlisting"><span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
7297    type master;
7298    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7299    [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7300    [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7301    [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7302    [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7303    [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7304    [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
7305    [<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
7306    [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
7307    [<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
7308    [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7309    [<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
7310    [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7311    [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
7312    [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
7313    [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
7314    [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
7315    [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
7316    [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
7317    [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
7318    [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
7319    [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7320    [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
7321    [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7322    [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7323    [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
7324    [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
7325    [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
7326    [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
7327    [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
7328    [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7329    [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
7330    [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7331    [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7332    [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
7333    [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
7334    [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
7335    [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
7336    [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
7337    [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
7338    [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
7339    [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
7340    [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
7341    [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
7342    [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
7343    [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
7344    [<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7345    [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7346    [<span class="optional"> serial-update-method <code class="constant">increment</code>|<code class="constant">unixtime</code>; </span>]
7347};
7348
7349zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
7350    type slave;
7351    [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7352    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7353    [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7354    [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7355    [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7356    [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
7357    [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7358    [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7359    [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
7360    [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7361    [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7362    [<span class="optional"> also-notify [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
7363                              [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
7364                              [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
7365    [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
7366    [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
7367    [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
7368    [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
7369    [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
7370    [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
7371    [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
7372    [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
7373    [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
7374    [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7375    [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
7376    [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7377    [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
7378                              [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
7379                              [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
7380    [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
7381    [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
7382    [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
7383    [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
7384    [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
7385    [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
7386    [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
7387    [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7388    [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
7389    [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7390    [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7391    [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7392    [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
7393                             [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7394    [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7395    [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7396    [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7397    [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
7398    [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
7399    [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
7400    [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
7401    [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
7402    [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
7403    [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
7404    [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
7405    [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
7406    [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
7407    [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
7408    [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
7409    [<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7410    [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7411    [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7412};
7413
7414zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
7415    type hint;
7416    file <em class="replaceable"><code>string</code></em> ;
7417    [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7418    [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] // Not Implemented.
7419};
7420
7421zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
7422    type stub;
7423    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7424    [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7425    [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
7426    [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
7427    [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7428    [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
7429    [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
7430    [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
7431    [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
7432    [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
7433                              [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
7434                              [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
7435    [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
7436    [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
7437    [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
7438    [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7439    [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
7440                         [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7441    [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7442    [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
7443                            [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7444    [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7445    [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
7446    [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
7447    [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
7448    [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
7449    [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
7450    [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
7451    [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7452};
7453
7454zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
7455    type static-stub;
7456    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7457    [<span class="optional"> server-addresses { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> ; ... </span>] }; </span>]
7458    [<span class="optional"> server-names { [<span class="optional"> <em class="replaceable"><code>namelist</code></em> </span>] }; </span>]
7459    [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
7460};
7461
7462zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
7463    type forward;
7464    [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
7465    [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
7466    [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7467};
7468
7469zone <em class="replaceable"><code>"."</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
7470    type redirect;
7471    file <em class="replaceable"><code>string</code></em> ;
7472    [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
7473    [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7474};
7475
7476zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
7477    type delegation-only;
7478};
7479
7480</pre>
7481</div>
7482<div class="section">
7483<div class="titlepage"><div><div><h3 class="title">
7484<a name="zone_statement"></a><span class="command"><strong>zone</strong></span> Statement Definition and Usage</h3></div></div></div>
7485<div class="section">
7486<div class="titlepage"><div><div><h4 class="title">
7487<a name="zone_types"></a>Zone Types</h4></div></div></div>
7488<p>
7489              The <span class="command"><strong>type</strong></span> keyword is required
7490              for the <span class="command"><strong>zone</strong></span> configuration. Its
7491              acceptable values include: <code class="varname">delegation-only</code>,
7492              <code class="varname">forward</code>, <code class="varname">hint</code>,
7493              <code class="varname">master</code>, <code class="varname">redirect</code>,
7494              <code class="varname">slave</code>, <code class="varname">static-stub</code>,
7495              and <code class="varname">stub</code>.
7496            </p>
7497<div class="informaltable"><table border="1">
7498<colgroup>
7499<col class="1">
7500<col width="4.017in" class="2">
7501</colgroup>
7502<tbody>
7503<tr>
7504<td>
7505                      <p>
7506                        <code class="varname">master</code>
7507                      </p>
7508                    </td>
7509<td>
7510                      <p>
7511                        The server has a master copy of the data
7512                        for the zone and will be able to provide authoritative
7513                        answers for
7514                        it.
7515                      </p>
7516                    </td>
7517</tr>
7518<tr>
7519<td>
7520                      <p>
7521                        <code class="varname">slave</code>
7522                      </p>
7523                    </td>
7524<td>
7525                      <p>
7526                        A slave zone is a replica of a master
7527                        zone. The <span class="command"><strong>masters</strong></span> list
7528                        specifies one or more IP addresses
7529                        of master servers that the slave contacts to update
7530                        its copy of the zone.
7531                        Masters list elements can also be names of other
7532                        masters lists.
7533                        By default, transfers are made from port 53 on the
7534                        servers; this can
7535                        be changed for all servers by specifying a port number
7536                        before the
7537                        list of IP addresses, or on a per-server basis after
7538                        the IP address.
7539                        Authentication to the master can also be done with
7540                        per-server TSIG keys.
7541                        If a file is specified, then the
7542                        replica will be written to this file whenever the zone
7543                        is changed,
7544                        and reloaded from this file on a server restart. Use
7545                        of a file is
7546                        recommended, since it often speeds server startup and
7547                        eliminates
7548                        a needless waste of bandwidth. Note that for large
7549                        numbers (in the
7550                        tens or hundreds of thousands) of zones per server, it
7551                        is best to
7552                        use a two-level naming scheme for zone filenames. For
7553                        example,
7554                        a slave server for the zone <code class="literal">example.com</code> might place
7555                        the zone contents into a file called
7556                        <code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
7557                        just the first two letters of the zone name. (Most
7558                        operating systems
7559                        behave very slowly if you put 100000 files into
7560                        a single directory.)
7561                      </p>
7562                    </td>
7563</tr>
7564<tr>
7565<td>
7566                      <p>
7567                        <code class="varname">stub</code>
7568                      </p>
7569                    </td>
7570<td>
7571                      <p>
7572                        A stub zone is similar to a slave zone,
7573                        except that it replicates only the NS records of a
7574                        master zone instead
7575                        of the entire zone. Stub zones are not a standard part
7576                        of the DNS;
7577                        they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation.
7578                      </p>
7579
7580                      <p>
7581                        Stub zones can be used to eliminate the need for glue
7582                        NS record
7583                        in a parent zone at the expense of maintaining a stub
7584                        zone entry and
7585                        a set of name server addresses in <code class="filename">named.conf</code>.
7586                        This usage is not recommended for new configurations,
7587                        and BIND 9
7588                        supports it only in a limited way.
7589                        In <acronym class="acronym">BIND</acronym> 4/8, zone
7590                        transfers of a parent zone
7591                        included the NS records from stub children of that
7592                        zone. This meant
7593                        that, in some cases, users could get away with
7594                        configuring child stubs
7595                        only in the master server for the parent zone. <acronym class="acronym">BIND</acronym>
7596                        9 never mixes together zone data from different zones
7597                        in this
7598                        way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent
7599                        zone has child stub zones configured, all the slave
7600                        servers for the
7601                        parent zone also need to have the same child stub
7602                        zones
7603                        configured.
7604                      </p>
7605
7606                      <p>
7607                        Stub zones can also be used as a way of forcing the
7608                        resolution
7609                        of a given domain to use a particular set of
7610                        authoritative servers.
7611                        For example, the caching name servers on a private
7612                        network using
7613                        RFC1918 addressing may be configured with stub zones
7614                        for
7615                        <code class="literal">10.in-addr.arpa</code>
7616                        to use a set of internal name servers as the
7617                        authoritative
7618                        servers for that domain.
7619                      </p>
7620                    </td>
7621</tr>
7622<tr>
7623<td>
7624                      <p>
7625                        <code class="varname">static-stub</code>
7626                      </p>
7627                    </td>
7628<td>
7629                      <p>
7630                        A static-stub zone is similar to a stub zone
7631                        with the following exceptions:
7632                        the zone data is statically configured, rather
7633                        than transferred from a master server;
7634                        when recursion is necessary for a query that
7635                        matches a static-stub zone, the locally
7636                        configured data (nameserver names and glue addresses)
7637                        is always used even if different authoritative
7638                        information is cached.
7639                      </p>
7640                      <p>
7641                        Zone data is configured via the
7642                        <span class="command"><strong>server-addresses</strong></span> and
7643                        <span class="command"><strong>server-names</strong></span> zone options.
7644                      </p>
7645                      <p>
7646                        The zone data is maintained in the form of NS
7647                        and (if necessary) glue A or AAAA RRs
7648                        internally, which can be seen by dumping zone
7649                        databases by <span class="command"><strong>rndc dumpdb -all</strong></span>.
7650                        The configured RRs are considered local configuration
7651                        parameters rather than public data.
7652                        Non recursive queries (i.e., those with the RD
7653                        bit off) to a static-stub zone are therefore
7654                        prohibited and will be responded with REFUSED.
7655                      </p>
7656                      <p>
7657                        Since the data is statically configured, no
7658                        zone maintenance action takes place for a static-stub
7659                        zone.
7660                        For example, there is no periodic refresh
7661                        attempt, and an incoming notify message
7662                        will be rejected with an rcode of NOTAUTH.
7663                      </p>
7664                      <p>
7665                        Each static-stub zone is configured with
7666                        internally generated NS and (if necessary)
7667                        glue A or AAAA RRs
7668                      </p>
7669                    </td>
7670</tr>
7671<tr>
7672<td>
7673                      <p>
7674                        <code class="varname">forward</code>
7675                      </p>
7676                    </td>
7677<td>
7678                      <p>
7679                        A "forward zone" is a way to configure
7680                        forwarding on a per-domain basis.  A <span class="command"><strong>zone</strong></span> statement
7681                        of type <span class="command"><strong>forward</strong></span> can
7682                        contain a <span class="command"><strong>forward</strong></span>
7683                        and/or <span class="command"><strong>forwarders</strong></span>
7684                        statement,
7685                        which will apply to queries within the domain given by
7686                        the zone
7687                        name. If no <span class="command"><strong>forwarders</strong></span>
7688                        statement is present or
7689                        an empty list for <span class="command"><strong>forwarders</strong></span> is given, then no
7690                        forwarding will be done for the domain, canceling the
7691                        effects of
7692                        any forwarders in the <span class="command"><strong>options</strong></span> statement. Thus
7693                        if you want to use this type of zone to change the
7694                        behavior of the
7695                        global <span class="command"><strong>forward</strong></span> option
7696                        (that is, "forward first"
7697                        to, then "forward only", or vice versa, but want to
7698                        use the same
7699                        servers as set globally) you need to re-specify the
7700                        global forwarders.
7701                      </p>
7702                    </td>
7703</tr>
7704<tr>
7705<td>
7706                      <p>
7707                        <code class="varname">hint</code>
7708                      </p>
7709                    </td>
7710<td>
7711                      <p>
7712                        The initial set of root name servers is
7713                        specified using a "hint zone". When the server starts
7714                        up, it uses
7715                        the root hints to find a root name server and get the
7716                        most recent
7717                        list of root name servers. If no hint zone is
7718                        specified for class
7719                        IN, the server uses a compiled-in default set of root
7720                        servers hints.
7721                        Classes other than IN have no built-in defaults hints.
7722                      </p>
7723                    </td>
7724</tr>
7725<tr>
7726<td>
7727                      <p>
7728                        <code class="varname">redirect</code>
7729                      </p>
7730                    </td>
7731<td>
7732                      <p>
7733                        Redirect zones are used to provide answers to
7734                        queries when normal resolution would result in
7735                        NXDOMAIN being returned.
7736                        Only one redirect zone is supported
7737                        per view.  <span class="command"><strong>allow-query</strong></span> can be
7738                        used to restrict which clients see these answers.
7739                      </p>
7740                      <p>
7741                        If the client has requested DNSSEC records (DO=1) and
7742                        the NXDOMAIN response is signed then no substitution
7743                        will occur.
7744                      </p>
7745                      <p>
7746                        To redirect all NXDOMAIN responses to
7747                        100.100.100.2 and
7748                        2001:ffff:ffff::100.100.100.2, one would
7749                        configure a type redirect zone named ".",
7750                        with the zone file containing wildcard records
7751                        that point to the desired addresses:
7752                        <code class="literal">"*. IN A 100.100.100.2"</code>
7753                        and
7754                        <code class="literal">"*. IN AAAA 2001:ffff:ffff::100.100.100.2"</code>.
7755                      </p>
7756                      <p>
7757                        To redirect all Spanish names (under .ES) one
7758                        would use similar entries but with the names
7759                        "*.ES." instead of "*.".  To redirect all
7760                        commercial Spanish names (under COM.ES) one
7761                        would use wildcard entries called "*.COM.ES.".
7762                      </p>
7763                      <p>
7764                        Note that the redirect zone supports all
7765                        possible types; it is not limited to A and
7766                        AAAA records.
7767                      </p>
7768                      <p>
7769                        Because redirect zones are not referenced
7770                        directly by name, they are not kept in the
7771                        zone lookup table with normal master and slave
7772                        zones. Consequently, it is not currently possible
7773                        to use
7774                        <span class="command"><strong>rndc reload
7775                                <em class="replaceable"><code>zonename</code></em></strong></span>
7776                        to reload a redirect zone.  However, when using
7777                        <span class="command"><strong>rndc reload</strong></span> without specifying
7778                        a zone name, redirect zones will be reloaded along
7779                        with other zones.
7780                      </p>
7781                    </td>
7782</tr>
7783<tr>
7784<td>
7785                      <p>
7786                        <code class="varname">delegation-only</code>
7787                      </p>
7788                    </td>
7789<td>
7790                      <p>
7791                        This is used to enforce the delegation-only
7792                        status of infrastructure zones (e.g. COM,
7793                        NET, ORG).  Any answer that is received
7794                        without an explicit or implicit delegation
7795                        in the authority section will be treated
7796                        as NXDOMAIN.  This does not apply to the
7797                        zone apex.  This should not be applied to
7798                        leaf zones.
7799                      </p>
7800                      <p>
7801                        <code class="varname">delegation-only</code> has no
7802                        effect on answers received from forwarders.
7803                      </p>
7804                      <p>
7805                        See caveats in <a class="xref" href="Bv9ARM.ch06.html#root_delegation_only"><span class="command"><strong>root-delegation-only</strong></span></a>.
7806                      </p>
7807                    </td>
7808</tr>
7809</tbody>
7810</table></div>
7811</div>
7812<div class="section">
7813<div class="titlepage"><div><div><h4 class="title">
7814<a name="class"></a>Class</h4></div></div></div>
7815<p>
7816              The zone's name may optionally be followed by a class. If
7817              a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
7818              is assumed. This is correct for the vast majority of cases.
7819            </p>
7820<p>
7821              The <code class="literal">hesiod</code> class is
7822              named for an information service from MIT's Project Athena. It
7823              is
7824              used to share information about various systems databases, such
7825              as users, groups, printers and so on. The keyword
7826              <code class="literal">HS</code> is
7827              a synonym for hesiod.
7828            </p>
7829<p>
7830              Another MIT development is Chaosnet, a LAN protocol created
7831              in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
7832            </p>
7833</div>
7834<div class="section">
7835<div class="titlepage"><div><div><h4 class="title">
7836<a name="zone_options"></a>Zone Options</h4></div></div></div>
7837<div class="variablelist"><dl class="variablelist">
7838<dt><span class="term"><span class="command"><strong>allow-notify</strong></span></span></dt>
7839<dd><p>
7840                    See the description of
7841                    <span class="command"><strong>allow-notify</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
7842                  </p></dd>
7843<dt><span class="term"><span class="command"><strong>allow-query</strong></span></span></dt>
7844<dd><p>
7845                    See the description of
7846                    <span class="command"><strong>allow-query</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
7847                  </p></dd>
7848<dt><span class="term"><span class="command"><strong>allow-query-on</strong></span></span></dt>
7849<dd><p>
7850                    See the description of
7851                    <span class="command"><strong>allow-query-on</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
7852                  </p></dd>
7853<dt><span class="term"><span class="command"><strong>allow-transfer</strong></span></span></dt>
7854<dd><p>
7855                    See the description of <span class="command"><strong>allow-transfer</strong></span>
7856                    in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
7857                  </p></dd>
7858<dt><span class="term"><span class="command"><strong>allow-update</strong></span></span></dt>
7859<dd><p>
7860                    See the description of <span class="command"><strong>allow-update</strong></span>
7861                    in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
7862                  </p></dd>
7863<dt><span class="term"><span class="command"><strong>update-policy</strong></span></span></dt>
7864<dd><p>
7865                    Specifies a "Simple Secure Update" policy. See
7866                    <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
7867                  </p></dd>
7868<dt><span class="term"><span class="command"><strong>allow-update-forwarding</strong></span></span></dt>
7869<dd><p>
7870                    See the description of <span class="command"><strong>allow-update-forwarding</strong></span>
7871                    in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
7872                  </p></dd>
7873<dt><span class="term"><span class="command"><strong>also-notify</strong></span></span></dt>
7874<dd><p>
7875                    Only meaningful if <span class="command"><strong>notify</strong></span>
7876                    is
7877                    active for this zone. The set of machines that will
7878                    receive a
7879                    <code class="literal">DNS NOTIFY</code> message
7880                    for this zone is made up of all the listed name servers
7881                    (other than
7882                    the primary master) for the zone plus any IP addresses
7883                    specified
7884                    with <span class="command"><strong>also-notify</strong></span>. A port
7885                    may be specified
7886                    with each <span class="command"><strong>also-notify</strong></span>
7887                    address to send the notify
7888                    messages to a port other than the default of 53.
7889                    A TSIG key may also be specified to cause the
7890                    <code class="literal">NOTIFY</code> to be signed by the
7891                    given key.
7892                    <span class="command"><strong>also-notify</strong></span> is not
7893                    meaningful for stub zones.
7894                    The default is the empty list.
7895                  </p></dd>
7896<dt><span class="term"><span class="command"><strong>check-names</strong></span></span></dt>
7897<dd><p>
7898                    This option is used to restrict the character set and
7899                    syntax of
7900                    certain domain names in master files and/or DNS responses
7901                    received from the
7902                    network.  The default varies according to zone type.  For <span class="command"><strong>master</strong></span> zones the default is <span class="command"><strong>fail</strong></span>.  For <span class="command"><strong>slave</strong></span>
7903                    zones the default is <span class="command"><strong>warn</strong></span>.
7904                    It is not implemented for <span class="command"><strong>hint</strong></span> zones.
7905                  </p></dd>
7906<dt><span class="term"><span class="command"><strong>check-mx</strong></span></span></dt>
7907<dd><p>
7908                    See the description of
7909                    <span class="command"><strong>check-mx</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
7910                  </p></dd>
7911<dt><span class="term"><span class="command"><strong>check-spf</strong></span></span></dt>
7912<dd><p>
7913                    See the description of
7914                    <span class="command"><strong>check-spf</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
7915                  </p></dd>
7916<dt><span class="term"><span class="command"><strong>check-wildcard</strong></span></span></dt>
7917<dd><p>
7918                    See the description of
7919                    <span class="command"><strong>check-wildcard</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
7920                  </p></dd>
7921<dt><span class="term"><span class="command"><strong>check-integrity</strong></span></span></dt>
7922<dd><p>
7923                    See the description of
7924                    <span class="command"><strong>check-integrity</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
7925                  </p></dd>
7926<dt><span class="term"><span class="command"><strong>check-sibling</strong></span></span></dt>
7927<dd><p>
7928                    See the description of
7929                    <span class="command"><strong>check-sibling</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
7930                  </p></dd>
7931<dt><span class="term"><span class="command"><strong>zero-no-soa-ttl</strong></span></span></dt>
7932<dd><p>
7933                    See the description of
7934                    <span class="command"><strong>zero-no-soa-ttl</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
7935                  </p></dd>
7936<dt><span class="term"><span class="command"><strong>update-check-ksk</strong></span></span></dt>
7937<dd><p>
7938                    See the description of
7939                    <span class="command"><strong>update-check-ksk</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
7940                  </p></dd>
7941<dt><span class="term"><span class="command"><strong>dnssec-loadkeys-interval</strong></span></span></dt>
7942<dd><p>
7943                    See the description of
7944                    <span class="command"><strong>dnssec-loadkeys-interval</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
7945          Usage&#8221;</a>.
7946                  </p></dd>
7947<dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt>
7948<dd><p>
7949                    See the description of
7950                    <span class="command"><strong>dnssec-update-mode</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
7951          Usage&#8221;</a>.
7952                  </p></dd>
7953<dt><span class="term"><span class="command"><strong>dnssec-dnskey-kskonly</strong></span></span></dt>
7954<dd><p>
7955                    See the description of
7956                    <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
7957                  </p></dd>
7958<dt><span class="term"><span class="command"><strong>try-tcp-refresh</strong></span></span></dt>
7959<dd><p>
7960                    See the description of
7961                    <span class="command"><strong>try-tcp-refresh</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
7962                  </p></dd>
7963<dt><span class="term"><span class="command"><strong>database</strong></span></span></dt>
7964<dd>
7965<p>
7966                    Specify the type of database to be used for storing the
7967                    zone data.  The string following the <span class="command"><strong>database</strong></span> keyword
7968                    is interpreted as a list of whitespace-delimited words.
7969                    The first word
7970                    identifies the database type, and any subsequent words are
7971                    passed
7972                    as arguments to the database to be interpreted in a way
7973                    specific
7974                    to the database type.
7975                  </p>
7976<p>
7977                    The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's
7978                    native in-memory
7979                    red-black-tree database.  This database does not take
7980                    arguments.
7981                  </p>
7982<p>
7983                    Other values are possible if additional database drivers
7984                    have been linked into the server.  Some sample drivers are
7985                    included
7986                    with the distribution but none are linked in by default.
7987                  </p>
7988</dd>
7989<dt><span class="term"><span class="command"><strong>dialup</strong></span></span></dt>
7990<dd><p>
7991                    See the description of
7992                    <span class="command"><strong>dialup</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
7993                  </p></dd>
7994<dt><span class="term"><span class="command"><strong>delegation-only</strong></span></span></dt>
7995<dd>
7996<p>
7997                    The flag only applies to forward, hint and stub
7998                    zones.  If set to <strong class="userinput"><code>yes</code></strong>,
7999                    then the zone will also be treated as if it is
8000                    also a delegation-only type zone.
8001                  </p>
8002<p>
8003                    See caveats in <a class="xref" href="Bv9ARM.ch06.html#root_delegation_only"><span class="command"><strong>root-delegation-only</strong></span></a>.
8004                  </p>
8005</dd>
8006<dt><span class="term"><span class="command"><strong>forward</strong></span></span></dt>
8007<dd><p>
8008                    Only meaningful if the zone has a forwarders
8009                    list. The <span class="command"><strong>only</strong></span> value causes
8010                    the lookup to fail
8011                    after trying the forwarders and getting no answer, while <span class="command"><strong>first</strong></span> would
8012                    allow a normal lookup to be tried.
8013                  </p></dd>
8014<dt><span class="term"><span class="command"><strong>forwarders</strong></span></span></dt>
8015<dd><p>
8016                    Used to override the list of global forwarders.
8017                    If it is not specified in a zone of type <span class="command"><strong>forward</strong></span>,
8018                    no forwarding is done for the zone and the global options are
8019                    not used.
8020                  </p></dd>
8021<dt><span class="term"><span class="command"><strong>ixfr-base</strong></span></span></dt>
8022<dd><p>
8023                    Was used in <acronym class="acronym">BIND</acronym> 8 to
8024                    specify the name
8025                    of the transaction log (journal) file for dynamic update
8026                    and IXFR.
8027                    <acronym class="acronym">BIND</acronym> 9 ignores the option
8028                    and constructs the name of the journal
8029                    file by appending "<code class="filename">.jnl</code>"
8030                    to the name of the
8031                    zone file.
8032                  </p></dd>
8033<dt><span class="term"><span class="command"><strong>ixfr-tmp-file</strong></span></span></dt>
8034<dd><p>
8035                    Was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
8036                    Ignored in <acronym class="acronym">BIND</acronym> 9.
8037                  </p></dd>
8038<dt><span class="term"><span class="command"><strong>journal</strong></span></span></dt>
8039<dd><p>
8040                    Allow the default journal's filename to be overridden.
8041                    The default is the zone's filename with "<code class="filename">.jnl</code>" appended.
8042                    This is applicable to <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span> zones.
8043                  </p></dd>
8044<dt><span class="term"><span class="command"><strong>max-journal-size</strong></span></span></dt>
8045<dd><p>
8046                    See the description of
8047                    <span class="command"><strong>max-journal-size</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called &#8220;Server  Resource Limits&#8221;</a>.
8048                  </p></dd>
8049<dt><span class="term"><span class="command"><strong>max-transfer-time-in</strong></span></span></dt>
8050<dd><p>
8051                    See the description of
8052                    <span class="command"><strong>max-transfer-time-in</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
8053                  </p></dd>
8054<dt><span class="term"><span class="command"><strong>max-transfer-idle-in</strong></span></span></dt>
8055<dd><p>
8056                    See the description of
8057                    <span class="command"><strong>max-transfer-idle-in</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
8058                  </p></dd>
8059<dt><span class="term"><span class="command"><strong>max-transfer-time-out</strong></span></span></dt>
8060<dd><p>
8061                    See the description of
8062                    <span class="command"><strong>max-transfer-time-out</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
8063                  </p></dd>
8064<dt><span class="term"><span class="command"><strong>max-transfer-idle-out</strong></span></span></dt>
8065<dd><p>
8066                    See the description of
8067                    <span class="command"><strong>max-transfer-idle-out</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
8068                  </p></dd>
8069<dt><span class="term"><span class="command"><strong>notify</strong></span></span></dt>
8070<dd><p>
8071                    See the description of
8072                    <span class="command"><strong>notify</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
8073                  </p></dd>
8074<dt><span class="term"><span class="command"><strong>notify-delay</strong></span></span></dt>
8075<dd><p>
8076                    See the description of
8077                    <span class="command"><strong>notify-delay</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
8078                  </p></dd>
8079<dt><span class="term"><span class="command"><strong>notify-to-soa</strong></span></span></dt>
8080<dd><p>
8081                    See the description of
8082                    <span class="command"><strong>notify-to-soa</strong></span> in
8083                    <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
8084                  </p></dd>
8085<dt><span class="term"><span class="command"><strong>pubkey</strong></span></span></dt>
8086<dd><p>
8087                    In <acronym class="acronym">BIND</acronym> 8, this option was
8088                    intended for specifying
8089                    a public zone key for verification of signatures in DNSSEC
8090                    signed
8091                    zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
8092                    on load and ignores the option.
8093                  </p></dd>
8094<dt><span class="term"><span class="command"><strong>zone-statistics</strong></span></span></dt>
8095<dd><p>
8096                    See the description of
8097                    <span class="command"><strong>zone-statistics</strong></span> in
8098                    <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
8099          Usage&#8221;</a>.
8100                  </p></dd>
8101<dt><span class="term"><span class="command"><strong>server-addresses</strong></span></span></dt>
8102<dd>
8103<p>
8104                    Only meaningful for static-stub zones.
8105                    This is a list of IP addresses to which queries
8106                    should be sent in recursive resolution for the
8107                    zone.
8108                    A non empty list for this option will internally
8109                    configure the apex NS RR with associated glue A or
8110                    AAAA RRs.
8111                  </p>
8112<p>
8113                    For example, if "example.com" is configured as a
8114                    static-stub zone with 192.0.2.1 and 2001:db8::1234
8115                    in a <span class="command"><strong>server-addresses</strong></span> option,
8116                    the following RRs will be internally configured.
8117                  </p>
8118<pre class="programlisting">example.com. NS example.com.
8119example.com. A 192.0.2.1
8120example.com. AAAA 2001:db8::1234</pre>
8121<p>
8122                    These records are internally used to resolve
8123                    names under the static-stub zone.
8124                    For instance, if the server receives a query for
8125                    "www.example.com" with the RD bit on, the server
8126                    will initiate recursive resolution and send
8127                    queries to 192.0.2.1 and/or 2001:db8::1234.
8128                  </p>
8129</dd>
8130<dt><span class="term"><span class="command"><strong>server-names</strong></span></span></dt>
8131<dd>
8132<p>
8133                    Only meaningful for static-stub zones.
8134                    This is a list of domain names of nameservers that
8135                    act as authoritative servers of the static-stub
8136                    zone.
8137                    These names will be resolved to IP addresses when
8138                    <span class="command"><strong>named</strong></span> needs to send queries to
8139                    these servers.
8140                    To make this supplemental resolution successful,
8141                    these names must not be a subdomain of the origin
8142                    name of static-stub zone.
8143                    That is, when "example.net" is the origin of a
8144                    static-stub zone, "ns.example" and
8145                    "master.example.com" can be specified in the
8146                    <span class="command"><strong>server-names</strong></span> option, but
8147                    "ns.example.net" cannot, and will be rejected by
8148                    the configuration parser.
8149                  </p>
8150<p>
8151                    A non empty list for this option will internally
8152                    configure the apex NS RR with the specified names.
8153                    For example, if "example.com" is configured as a
8154                    static-stub zone with "ns1.example.net" and
8155                    "ns2.example.net"
8156                    in a <span class="command"><strong>server-names</strong></span> option,
8157                    the following RRs will be internally configured.
8158                  </p>
8159<pre class="programlisting">example.com. NS ns1.example.net.
8160example.com. NS ns2.example.net.
8161</pre>
8162<p>
8163                    These records are internally used to resolve
8164                    names under the static-stub zone.
8165                    For instance, if the server receives a query for
8166                    "www.example.com" with the RD bit on, the server
8167                    initiate recursive resolution,
8168                    resolve "ns1.example.net" and/or
8169                    "ns2.example.net" to IP addresses, and then send
8170                    queries to (one or more of) these addresses.
8171                  </p>
8172</dd>
8173<dt><span class="term"><span class="command"><strong>sig-validity-interval</strong></span></span></dt>
8174<dd><p>
8175                    See the description of
8176                    <span class="command"><strong>sig-validity-interval</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
8177                  </p></dd>
8178<dt><span class="term"><span class="command"><strong>sig-signing-nodes</strong></span></span></dt>
8179<dd><p>
8180                    See the description of
8181                    <span class="command"><strong>sig-signing-nodes</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
8182                  </p></dd>
8183<dt><span class="term"><span class="command"><strong>sig-signing-signatures</strong></span></span></dt>
8184<dd><p>
8185                    See the description of
8186                    <span class="command"><strong>sig-signing-signatures</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
8187                  </p></dd>
8188<dt><span class="term"><span class="command"><strong>sig-signing-type</strong></span></span></dt>
8189<dd><p>
8190                    See the description of
8191                    <span class="command"><strong>sig-signing-type</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
8192                  </p></dd>
8193<dt><span class="term"><span class="command"><strong>transfer-source</strong></span></span></dt>
8194<dd><p>
8195                    See the description of
8196                    <span class="command"><strong>transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
8197                  </p></dd>
8198<dt><span class="term"><span class="command"><strong>transfer-source-v6</strong></span></span></dt>
8199<dd><p>
8200                    See the description of
8201                    <span class="command"><strong>transfer-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
8202                  </p></dd>
8203<dt><span class="term"><span class="command"><strong>alt-transfer-source</strong></span></span></dt>
8204<dd><p>
8205                    See the description of
8206                    <span class="command"><strong>alt-transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
8207                  </p></dd>
8208<dt><span class="term"><span class="command"><strong>alt-transfer-source-v6</strong></span></span></dt>
8209<dd><p>
8210                    See the description of
8211                    <span class="command"><strong>alt-transfer-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
8212                  </p></dd>
8213<dt><span class="term"><span class="command"><strong>use-alt-transfer-source</strong></span></span></dt>
8214<dd><p>
8215                    See the description of
8216                    <span class="command"><strong>use-alt-transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
8217                  </p></dd>
8218<dt><span class="term"><span class="command"><strong>notify-source</strong></span></span></dt>
8219<dd><p>
8220                    See the description of
8221                    <span class="command"><strong>notify-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
8222                  </p></dd>
8223<dt><span class="term"><span class="command"><strong>notify-source-v6</strong></span></span></dt>
8224<dd><p>
8225                    See the description of
8226                    <span class="command"><strong>notify-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
8227                  </p></dd>
8228<dt>
8229<span class="term"><span class="command"><strong>min-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>max-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>min-retry-time</strong></span>, </span><span class="term"><span class="command"><strong>max-retry-time</strong></span></span>
8230</dt>
8231<dd><p>
8232                    See the description in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
8233                  </p></dd>
8234<dt><span class="term"><span class="command"><strong>ixfr-from-differences</strong></span></span></dt>
8235<dd><p>
8236                    See the description of
8237                    <span class="command"><strong>ixfr-from-differences</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
8238                    (Note that the <span class="command"><strong>ixfr-from-differences</strong></span>
8239                    <strong class="userinput"><code>master</code></strong> and
8240                    <strong class="userinput"><code>slave</code></strong> choices are not
8241                    available at the zone level.)
8242                  </p></dd>
8243<dt><span class="term"><span class="command"><strong>key-directory</strong></span></span></dt>
8244<dd><p>
8245                    See the description of
8246                    <span class="command"><strong>key-directory</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
8247          Usage&#8221;</a>.
8248                  </p></dd>
8249<dt><span class="term"><span class="command"><strong>auto-dnssec</strong></span></span></dt>
8250<dd><p>
8251                    See the description of
8252                    <span class="command"><strong>auto-dnssec</strong></span> in
8253                    <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
8254          Usage&#8221;</a>.
8255                  </p></dd>
8256<dt><span class="term"><span class="command"><strong>serial-update-method</strong></span></span></dt>
8257<dd><p>
8258                    See the description of
8259                    <span class="command"><strong>serial-update-method</strong></span> in
8260                    <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
8261          Usage&#8221;</a>.
8262                  </p></dd>
8263<dt><span class="term"><span class="command"><strong>inline-signing</strong></span></span></dt>
8264<dd><p>
8265                    If <code class="literal">yes</code>, this enables
8266                    "bump in the wire" signing of a zone, where a
8267                    unsigned zone is transferred in or loaded from
8268                    disk and a signed version of the zone is served,
8269                    with possibly, a different serial number.  This
8270                    behaviour is disabled by default.
8271                  </p></dd>
8272<dt><span class="term"><span class="command"><strong>multi-master</strong></span></span></dt>
8273<dd><p>
8274                    See the description of <span class="command"><strong>multi-master</strong></span> in
8275                    <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
8276                  </p></dd>
8277<dt><span class="term"><span class="command"><strong>masterfile-format</strong></span></span></dt>
8278<dd><p>
8279                    See the description of <span class="command"><strong>masterfile-format</strong></span>
8280                    in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
8281                  </p></dd>
8282<dt><span class="term"><span class="command"><strong>dnssec-secure-to-insecure</strong></span></span></dt>
8283<dd><p>
8284                    See the description of
8285                    <span class="command"><strong>dnssec-secure-to-insecure</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
8286                  </p></dd>
8287</dl></div>
8288</div>
8289<div class="section">
8290<div class="titlepage"><div><div><h4 class="title">
8291<a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
8292<p><acronym class="acronym">BIND</acronym> 9 supports two alternative
8293              methods of granting clients the right to perform
8294              dynamic updates to a zone, configured by the
8295              <span class="command"><strong>allow-update</strong></span> and
8296              <span class="command"><strong>update-policy</strong></span> option, respectively.
8297            </p>
8298<p>
8299              The <span class="command"><strong>allow-update</strong></span> clause works the
8300              same way as in previous versions of <acronym class="acronym">BIND</acronym>.
8301              It grants given clients the permission to update any
8302              record of any name in the zone.
8303            </p>
8304<p>
8305              The <span class="command"><strong>update-policy</strong></span> clause
8306              allows more fine-grained control over what updates are
8307              allowed.  A set of rules is specified, where each rule
8308              either grants or denies permissions for one or more
8309              names to be updated by one or more identities.  If
8310              the dynamic update request message is signed (that is,
8311              it includes either a TSIG or SIG(0) record), the
8312              identity of the signer can be determined.
8313            </p>
8314<p>
8315              Rules are specified in the <span class="command"><strong>update-policy</strong></span>
8316              zone option, and are only meaningful for master zones.
8317              When the <span class="command"><strong>update-policy</strong></span> statement
8318              is present, it is a configuration error for the
8319              <span class="command"><strong>allow-update</strong></span> statement to be
8320              present.  The <span class="command"><strong>update-policy</strong></span> statement
8321              only examines the signer of a message; the source
8322              address is not relevant.
8323            </p>
8324<p>
8325              There is a pre-defined <span class="command"><strong>update-policy</strong></span>
8326              rule which can be switched on with the command
8327              <span class="command"><strong>update-policy local;</strong></span>.
8328              Switching on this rule in a zone causes
8329              <span class="command"><strong>named</strong></span> to generate a TSIG session
8330              key and place it in a file, and to allow that key
8331              to update the zone.  (By default, the file is
8332              <code class="filename">/var/run/named/session.key</code>, the key
8333              name is "local-ddns" and the key algorithm is HMAC-SHA256,
8334              but these values are configurable with the
8335              <span class="command"><strong>session-keyfile</strong></span>,
8336              <span class="command"><strong>session-keyname</strong></span> and
8337              <span class="command"><strong>session-keyalg</strong></span> options, respectively).
8338            </p>
8339<p>
8340              A client running on the local system, and with appropriate
8341              permissions, may read that file and use the key to sign update
8342              requests.  The zone's update policy will be set to allow that
8343              key to change any record within the zone.  Assuming the
8344              key name is "local-ddns", this policy is equivalent to:
8345            </p>
8346<pre class="programlisting">update-policy { grant local-ddns zonesub any; };
8347            </pre>
8348<p>
8349              The command <span class="command"><strong>nsupdate -l</strong></span> sends update
8350              requests to localhost, and signs them using the session key.
8351            </p>
8352<p>
8353              Other rule definitions look like this:
8354            </p>
8355<pre class="programlisting">
8356( <span class="command"><strong>grant</strong></span> | <span class="command"><strong>deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
8357</pre>
8358<p>
8359              Each rule grants or denies privileges.  Once a message has
8360              successfully matched a rule, the operation is immediately
8361              granted or denied and no further rules are examined.  A rule
8362              is matched when the signer matches the identity field, the
8363              name matches the name field in accordance with the nametype
8364              field, and the type matches the types specified in the type
8365              field.
8366            </p>
8367<p>
8368              No signer is required for <em class="replaceable"><code>tcp-self</code></em>
8369              or <em class="replaceable"><code>6to4-self</code></em> however the standard
8370              reverse mapping / prefix conversion must match the identity
8371              field.
8372            </p>
8373<p>
8374              The identity field specifies a name or a wildcard
8375              name.  Normally, this is the name of the TSIG or
8376              SIG(0) key used to sign the update request.  When a
8377              TKEY exchange has been used to create a shared secret,
8378              the identity of the shared secret is the same as the
8379              identity of the key used to authenticate the TKEY
8380              exchange.  TKEY is also the negotiation method used
8381              by GSS-TSIG, which establishes an identity that is
8382              the Kerberos principal of the client, such as
8383              <strong class="userinput"><code>"user@host.domain"</code></strong>.  When the
8384              <em class="replaceable"><code>identity</code></em> field specifies
8385              a wildcard name, it is subject to DNS wildcard
8386              expansion, so the rule will apply to multiple identities.
8387              The <em class="replaceable"><code>identity</code></em> field must
8388              contain a fully-qualified domain name.
8389            </p>
8390<p>
8391              For nametypes <code class="varname">krb5-self</code>,
8392              <code class="varname">ms-self</code>, <code class="varname">krb5-subdomain</code>,
8393              and <code class="varname">ms-subdomain</code> the
8394              <em class="replaceable"><code>identity</code></em> field specifies
8395              the Windows or Kerberos realm of the machine belongs to.
8396            </p>
8397<p>
8398              The <em class="replaceable"><code>nametype</code></em> field has 13
8399              values:
8400              <code class="varname">name</code>, <code class="varname">subdomain</code>,
8401              <code class="varname">wildcard</code>, <code class="varname">self</code>,
8402              <code class="varname">selfsub</code>, <code class="varname">selfwild</code>,
8403              <code class="varname">krb5-self</code>, <code class="varname">ms-self</code>,
8404              <code class="varname">krb5-subdomain</code>,
8405              <code class="varname">ms-subdomain</code>,
8406              <code class="varname">tcp-self</code>, <code class="varname">6to4-self</code>,
8407              <code class="varname">zonesub</code>, and <code class="varname">external</code>.
8408            </p>
8409<div class="informaltable"><table border="1">
8410<colgroup>
8411<col width="0.819in" class="1">
8412<col width="3.681in" class="2">
8413</colgroup>
8414<tbody>
8415<tr>
8416<td>
8417                      <p>
8418                        <code class="varname">name</code>
8419                      </p>
8420                    </td>
8421<td>
8422                      <p>
8423                        Exact-match semantics.  This rule matches
8424                        when the name being updated is identical
8425                        to the contents of the
8426                        <em class="replaceable"><code>name</code></em> field.
8427                      </p>
8428                    </td>
8429</tr>
8430<tr>
8431<td>
8432                      <p>
8433                        <code class="varname">subdomain</code>
8434                      </p>
8435                    </td>
8436<td>
8437                      <p>
8438                        This rule matches when the name being updated
8439                        is a subdomain of, or identical to, the
8440                        contents of the <em class="replaceable"><code>name</code></em>
8441                        field.
8442                      </p>
8443                    </td>
8444</tr>
8445<tr>
8446<td>
8447                      <p>
8448                        <code class="varname">zonesub</code>
8449                      </p>
8450                    </td>
8451<td>
8452                      <p>
8453                        This rule is similar to subdomain, except that
8454                        it matches when the name being updated is a
8455                        subdomain of the zone in which the
8456                        <span class="command"><strong>update-policy</strong></span> statement
8457                        appears.  This obviates the need to type the zone
8458                        name twice, and enables the use of a standard
8459                        <span class="command"><strong>update-policy</strong></span> statement in
8460                        multiple zones without modification.
8461                      </p>
8462                      <p>
8463                        When this rule is used, the
8464                        <em class="replaceable"><code>name</code></em> field is omitted.
8465                      </p>
8466                    </td>
8467</tr>
8468<tr>
8469<td>
8470                      <p>
8471                        <code class="varname">wildcard</code>
8472                      </p>
8473                    </td>
8474<td>
8475                      <p>
8476                        The <em class="replaceable"><code>name</code></em> field
8477                        is subject to DNS wildcard expansion, and
8478                        this rule matches when the name being updated
8479                        is a valid expansion of the wildcard.
8480                      </p>
8481                    </td>
8482</tr>
8483<tr>
8484<td>
8485                      <p>
8486                        <code class="varname">self</code>
8487                      </p>
8488                    </td>
8489<td>
8490                      <p>
8491                        This rule matches when the name being updated
8492                        matches the contents of the
8493                        <em class="replaceable"><code>identity</code></em> field.
8494                        The <em class="replaceable"><code>name</code></em> field
8495                        is ignored, but should be the same as the
8496                        <em class="replaceable"><code>identity</code></em> field.
8497                        The <code class="varname">self</code> nametype is
8498                        most useful when allowing using one key per
8499                        name to update, where the key has the same
8500                        name as the name to be updated.  The
8501                        <em class="replaceable"><code>identity</code></em> would
8502                        be specified as <code class="constant">*</code> (an asterisk) in
8503                        this case.
8504                      </p>
8505                    </td>
8506</tr>
8507<tr>
8508<td>
8509                      <p>
8510                        <code class="varname">selfsub</code>
8511                      </p>
8512                    </td>
8513<td>
8514                      <p>
8515                        This rule is similar to <code class="varname">self</code>
8516                        except that subdomains of <code class="varname">self</code>
8517                        can also be updated.
8518                      </p>
8519                    </td>
8520</tr>
8521<tr>
8522<td>
8523                      <p>
8524                        <code class="varname">selfwild</code>
8525                      </p>
8526                    </td>
8527<td>
8528                      <p>
8529                        This rule is similar to <code class="varname">self</code>
8530                        except that only subdomains of
8531                        <code class="varname">self</code> can be updated.
8532                      </p>
8533                    </td>
8534</tr>
8535<tr>
8536<td>
8537                      <p>
8538                        <code class="varname">ms-self</code>
8539                      </p>
8540                    </td>
8541<td>
8542                      <p>
8543                        This rule takes a Windows machine principal
8544                        (machine$@REALM) for machine in REALM and
8545                        and converts it machine.realm allowing the machine
8546                        to update machine.realm.  The REALM to be matched
8547                        is specified in the <em class="replaceable"><code>identity</code></em>
8548                        field.
8549                      </p>
8550                    </td>
8551</tr>
8552<tr>
8553<td>
8554                      <p>
8555                        <code class="varname">ms-subdomain</code>
8556                      </p>
8557                    </td>
8558<td>
8559                      <p>
8560                        This rule takes a Windows machine principal
8561                        (machine$@REALM) for machine in REALM and
8562                        converts it to machine.realm allowing the machine
8563                        to update subdomains of machine.realm.  The REALM
8564                        to be matched is specified in the
8565                        <em class="replaceable"><code>identity</code></em> field.
8566                      </p>
8567                    </td>
8568</tr>
8569<tr>
8570<td>
8571                      <p>
8572                        <code class="varname">krb5-self</code>
8573                      </p>
8574                    </td>
8575<td>
8576                      <p>
8577                        This rule takes a Kerberos machine principal
8578                        (host/machine@REALM) for machine in REALM and
8579                        and converts it machine.realm allowing the machine
8580                        to update machine.realm.  The REALM to be matched
8581                        is specified in the <em class="replaceable"><code>identity</code></em>
8582                        field.
8583                      </p>
8584                    </td>
8585</tr>
8586<tr>
8587<td>
8588                      <p>
8589                        <code class="varname">krb5-subdomain</code>
8590                      </p>
8591                    </td>
8592<td>
8593                      <p>
8594                        This rule takes a Kerberos machine principal
8595                        (host/machine@REALM) for machine in REALM and
8596                        converts it to machine.realm allowing the machine
8597                        to update subdomains of machine.realm.  The REALM
8598                        to be matched is specified in the
8599                        <em class="replaceable"><code>identity</code></em> field.
8600                      </p>
8601                    </td>
8602</tr>
8603<tr>
8604<td>
8605                      <p>
8606                        <code class="varname">tcp-self</code>
8607                      </p>
8608                    </td>
8609<td>
8610                      <p>
8611                        Allow updates that have been sent via TCP and
8612                        for which the standard mapping from the initiating
8613                        IP address into the IN-ADDR.ARPA and IP6.ARPA
8614                        namespaces match the name to be updated.
8615                      </p>
8616                      <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
8617<h3 class="title">Note</h3>
8618                        It is theoretically possible to spoof these TCP
8619                        sessions.
8620                      </div>
8621                    </td>
8622</tr>
8623<tr>
8624<td>
8625                      <p>
8626                        <code class="varname">6to4-self</code>
8627                      </p>
8628                    </td>
8629<td>
8630                      <p>
8631                        Allow the 6to4 prefix to be update by any TCP
8632                        connection from the 6to4 network or from the
8633                        corresponding IPv4 address.  This is intended
8634                        to allow NS or DNAME RRsets to be added to the
8635                        reverse tree.
8636                      </p>
8637                      <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
8638<h3 class="title">Note</h3>
8639                        It is theoretically possible to spoof these TCP
8640                        sessions.
8641                      </div>
8642                    </td>
8643</tr>
8644<tr>
8645<td>
8646                      <p>
8647                        <code class="varname">external</code>
8648                      </p>
8649                    </td>
8650<td>
8651                      <p>
8652                        This rule allows <span class="command"><strong>named</strong></span>
8653                        to defer the decision of whether to allow a
8654                        given update to an external daemon.
8655                      </p>
8656                      <p>
8657                        The method of communicating with the daemon is
8658                        specified in the <em class="replaceable"><code>identity</code></em>
8659                        field, the format of which is
8660                        "<code class="constant">local:</code><em class="replaceable"><code>path</code></em>",
8661                        where <em class="replaceable"><code>path</code></em> is the location
8662                        of a UNIX-domain socket.  (Currently, "local" is the
8663                        only supported mechanism.)
8664                      </p>
8665                      <p>
8666                        Requests to the external daemon are sent over the
8667                        UNIX-domain socket as datagrams with the following
8668                        format:
8669                      </p>
8670                      <pre class="programlisting">
8671   Protocol version number (4 bytes, network byte order, currently 1)
8672   Request length (4 bytes, network byte order)
8673   Signer (null-terminated string)
8674   Name (null-terminated string)
8675   TCP source address (null-terminated string)
8676   Rdata type (null-terminated string)
8677   Key (null-terminated string)
8678   TKEY token length (4 bytes, network byte order)
8679   TKEY token (remainder of packet)</pre>
8680                      <p>
8681                        The daemon replies with a four-byte value in
8682                        network byte order, containing either 0 or 1; 0
8683                        indicates that the specified update is not
8684                        permitted, and 1 indicates that it is.
8685                      </p>
8686                    </td>
8687</tr>
8688</tbody>
8689</table></div>
8690<p>
8691              In all cases, the <em class="replaceable"><code>name</code></em>
8692              field must specify a fully-qualified domain name.
8693            </p>
8694<p>
8695              If no types are explicitly specified, this rule matches
8696              all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
8697              may be specified by name, including "ANY" (ANY matches
8698              all types except NSEC and NSEC3, which can never be
8699              updated).  Note that when an attempt is made to delete
8700              all records associated with a name, the rules are
8701              checked for each existing record type.
8702            </p>
8703</div>
8704</div>
8705</div>
8706<div class="section">
8707<div class="titlepage"><div><div><h2 class="title" style="clear: both">
8708<a name="zone_file"></a>Zone File</h2></div></div></div>
8709<div class="section">
8710<div class="titlepage"><div><div><h3 class="title">
8711<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
8712<p>
8713            This section, largely borrowed from RFC 1034, describes the
8714            concept of a Resource Record (RR) and explains when each is used.
8715            Since the publication of RFC 1034, several new RRs have been
8716            identified
8717            and implemented in the DNS. These are also included.
8718          </p>
8719<div class="section">
8720<div class="titlepage"><div><div><h4 class="title">
8721<a name="id-1.7.6.2.3"></a>Resource Records</h4></div></div></div>
8722<p>
8723              A domain name identifies a node.  Each node has a set of
8724              resource information, which may be empty.  The set of resource
8725              information associated with a particular name is composed of
8726              separate RRs. The order of RRs in a set is not significant and
8727              need not be preserved by name servers, resolvers, or other
8728              parts of the DNS. However, sorting of multiple RRs is
8729              permitted for optimization purposes, for example, to specify
8730              that a particular nearby server be tried first. See <a class="xref" href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span class="command"><strong>sortlist</strong></span> Statement&#8221;</a> and <a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>.
8731            </p>
8732<p>
8733              The components of a Resource Record are:
8734            </p>
8735<div class="informaltable"><table border="1">
8736<colgroup>
8737<col width="1.000in" class="1">
8738<col width="3.500in" class="2">
8739</colgroup>
8740<tbody>
8741<tr>
8742<td>
8743                      <p>
8744                        owner name
8745                      </p>
8746                    </td>
8747<td>
8748                      <p>
8749                        The domain name where the RR is found.
8750                      </p>
8751                    </td>
8752</tr>
8753<tr>
8754<td>
8755                      <p>
8756                        type
8757                      </p>
8758                    </td>
8759<td>
8760                      <p>
8761                        An encoded 16-bit value that specifies
8762                        the type of the resource record.
8763                      </p>
8764                    </td>
8765</tr>
8766<tr>
8767<td>
8768                      <p>
8769                        TTL
8770                      </p>
8771                    </td>
8772<td>
8773                      <p>
8774                        The time-to-live of the RR. This field
8775                        is a 32-bit integer in units of seconds, and is
8776                        primarily used by
8777                        resolvers when they cache RRs. The TTL describes how
8778                        long a RR can
8779                        be cached before it should be discarded.
8780                      </p>
8781                    </td>
8782</tr>
8783<tr>
8784<td>
8785                      <p>
8786                        class
8787                      </p>
8788                    </td>
8789<td>
8790                      <p>
8791                        An encoded 16-bit value that identifies
8792                        a protocol family or instance of a protocol.
8793                      </p>
8794                    </td>
8795</tr>
8796<tr>
8797<td>
8798                      <p>
8799                        RDATA
8800                      </p>
8801                    </td>
8802<td>
8803                      <p>
8804                        The resource data.  The format of the
8805                        data is type (and sometimes class) specific.
8806                      </p>
8807                    </td>
8808</tr>
8809</tbody>
8810</table></div>
8811<p>
8812              The following are <span class="emphasis"><em>types</em></span> of valid RRs:
8813            </p>
8814<div class="informaltable"><table border="1">
8815<colgroup>
8816<col width="0.875in" class="1">
8817<col width="3.625in" class="2">
8818</colgroup>
8819<tbody>
8820<tr>
8821<td>
8822                      <p>
8823                        A
8824                      </p>
8825                    </td>
8826<td>
8827                      <p>
8828                        A host address.  In the IN class, this is a
8829                        32-bit IP address.  Described in RFC 1035.
8830                      </p>
8831                    </td>
8832</tr>
8833<tr>
8834<td>
8835                      <p>
8836                        AAAA
8837                      </p>
8838                    </td>
8839<td>
8840                      <p>
8841                        IPv6 address.  Described in RFC 1886.
8842                      </p>
8843                    </td>
8844</tr>
8845<tr>
8846<td>
8847                      <p>
8848                        A6
8849                      </p>
8850                    </td>
8851<td>
8852                      <p>
8853                        IPv6 address.  This can be a partial
8854                        address (a suffix) and an indirection to the name
8855                        where the rest of the
8856                        address (the prefix) can be found.  Experimental.
8857                        Described in RFC 2874.
8858                      </p>
8859                    </td>
8860</tr>
8861<tr>
8862<td>
8863                      <p>
8864                        AFSDB
8865                      </p>
8866                    </td>
8867<td>
8868                      <p>
8869                        Location of AFS database servers.
8870                        Experimental.  Described in RFC 1183.
8871                      </p>
8872                    </td>
8873</tr>
8874<tr>
8875<td>
8876                      <p>
8877                        APL
8878                      </p>
8879                    </td>
8880<td>
8881                      <p>
8882                        Address prefix list.  Experimental.
8883                        Described in RFC 3123.
8884                      </p>
8885                    </td>
8886</tr>
8887<tr>
8888<td>
8889                      <p>
8890                        ATMA
8891                      </p>
8892                    </td>
8893<td>
8894                      <p>
8895                        ATM Address.
8896                      </p>
8897                    </td>
8898</tr>
8899<tr>
8900<td>
8901                      <p>
8902                        AVC
8903                      </p>
8904                    </td>
8905<td>
8906                      <p>
8907                        Application Visibility and Control record.
8908                      </p>
8909                    </td>
8910</tr>
8911<tr>
8912<td>
8913                      <p>
8914                        CAA
8915                      </p>
8916                    </td>
8917<td>
8918                      <p>
8919                        Identifies which Certificate Authorities can issue
8920                        certificates for this domain and what rules they
8921                        need to follow when doing so. Defined in RFC 6844.
8922                      </p>
8923                    </td>
8924</tr>
8925<tr>
8926<td>
8927                      <p>
8928                        CDNSKEY
8929                      </p>
8930                    </td>
8931<td>
8932                      <p>
8933                        Identifies which DNSKEY records should be published
8934                        as DS records in the parent zone.
8935                      </p>
8936                    </td>
8937</tr>
8938<tr>
8939<td>
8940                      <p>
8941                        CDS
8942                      </p>
8943                    </td>
8944<td>
8945                      <p>
8946                        Contains the set of DS records that should be published
8947                        by the parent zone.
8948                      </p>
8949                    </td>
8950</tr>
8951<tr>
8952<td>
8953                      <p>
8954                        CERT
8955                      </p>
8956                    </td>
8957<td>
8958                      <p>
8959                        Holds a digital certificate.
8960                        Described in RFC 2538.
8961                      </p>
8962                    </td>
8963</tr>
8964<tr>
8965<td>
8966                      <p>
8967                        CNAME
8968                      </p>
8969                    </td>
8970<td>
8971                      <p>
8972                        Identifies the canonical name of an alias.
8973                        Described in RFC 1035.
8974                      </p>
8975                    </td>
8976</tr>
8977<tr>
8978<td>
8979                      <p>
8980                        CSYNC
8981                      </p>
8982                    </td>
8983<td>
8984                      <p>
8985                        Child-to-Parent Synchronization in DNS as described
8986                        in RFC 7477.
8987                      </p>
8988                    </td>
8989</tr>
8990<tr>
8991<td>
8992                      <p>
8993                        DHCID
8994                      </p>
8995                    </td>
8996<td>
8997                      <p>
8998                        Is used for identifying which DHCP client is
8999                        associated with this name.  Described in RFC 4701.
9000                      </p>
9001                    </td>
9002</tr>
9003<tr>
9004<td>
9005                      <p>
9006                        DLV
9007                      </p>
9008                    </td>
9009<td>
9010                      <p>
9011                        A DNS Look-aside Validation record which contains
9012                        the records that are used as trust anchors for
9013                        zones in a DLV namespace.  Described in RFC 4431.
9014                      </p>
9015                    </td>
9016</tr>
9017<tr>
9018<td>
9019                      <p>
9020                        DNAME
9021                      </p>
9022                    </td>
9023<td>
9024                      <p>
9025                        Replaces the domain name specified with
9026                        another name to be looked up, effectively aliasing an
9027                        entire
9028                        subtree of the domain name space rather than a single
9029                        record
9030                        as in the case of the CNAME RR.
9031                        Described in RFC 2672.
9032                      </p>
9033                    </td>
9034</tr>
9035<tr>
9036<td>
9037                      <p>
9038                        DNSKEY
9039                      </p>
9040                    </td>
9041<td>
9042                      <p>
9043                        Stores a public key associated with a signed
9044                        DNS zone.  Described in RFC 4034.
9045                      </p>
9046                    </td>
9047</tr>
9048<tr>
9049<td>
9050                      <p>
9051                        DS
9052                      </p>
9053                    </td>
9054<td>
9055                      <p>
9056                        Stores the hash of a public key associated with a
9057                        signed DNS zone.  Described in RFC 4034.
9058                      </p>
9059                    </td>
9060</tr>
9061<tr>
9062<td>
9063                      <p>
9064                        EID
9065                      </p>
9066                    </td>
9067<td>
9068                      <p>
9069                        End Point Identifier.
9070                      </p>
9071                    </td>
9072</tr>
9073<tr>
9074<td>
9075                      <p>
9076                        EUI48
9077                      </p>
9078                    </td>
9079<td>
9080                      <p>
9081                        A 48-bit EUI address. Described in RFC 7043.
9082                      </p>
9083                    </td>
9084</tr>
9085<tr>
9086<td>
9087                      <p>
9088                        EUI64
9089                      </p>
9090                    </td>
9091<td>
9092                      <p>
9093                        A 64-bit EUI address. Described in RFC 7043.
9094                      </p>
9095                    </td>
9096</tr>
9097<tr>
9098<td>
9099                      <p>
9100                        GID
9101                      </p>
9102                    </td>
9103<td>
9104                      <p>
9105                        Reserved.
9106                      </p>
9107                    </td>
9108</tr>
9109<tr>
9110<td>
9111                      <p>
9112                        GPOS
9113                      </p>
9114                    </td>
9115<td>
9116                      <p>
9117                        Specifies the global position.  Superseded by LOC.
9118                      </p>
9119                    </td>
9120</tr>
9121<tr>
9122<td>
9123                      <p>
9124                        HINFO
9125                      </p>
9126                    </td>
9127<td>
9128                      <p>
9129                        Identifies the CPU and OS used by a host.
9130                        Described in RFC 1035.
9131                      </p>
9132                    </td>
9133</tr>
9134<tr>
9135<td>
9136                      <p>
9137                        HIP
9138                      </p>
9139                    </td>
9140<td>
9141                      <p>
9142                        Host Identity Protocol Address.
9143                        Described in RFC 5205.
9144                      </p>
9145                    </td>
9146</tr>
9147<tr>
9148<td>
9149                      <p>
9150                        IPSECKEY
9151                      </p>
9152                    </td>
9153<td>
9154                      <p>
9155                        Provides a method for storing IPsec keying material in
9156                        DNS.  Described in RFC 4025.
9157                      </p>
9158                    </td>
9159</tr>
9160<tr>
9161<td>
9162                      <p>
9163                        ISDN
9164                      </p>
9165                    </td>
9166<td>
9167                      <p>
9168                        Representation of ISDN addresses.
9169                        Experimental.  Described in RFC 1183.
9170                      </p>
9171                    </td>
9172</tr>
9173<tr>
9174<td>
9175                      <p>
9176                        KEY
9177                      </p>
9178                    </td>
9179<td>
9180                      <p>
9181                        Stores a public key associated with a
9182                        DNS name.  Used in original DNSSEC; replaced
9183                        by DNSKEY in DNSSECbis, but still used with
9184                        SIG(0).  Described in RFCs 2535 and 2931.
9185                      </p>
9186                    </td>
9187</tr>
9188<tr>
9189<td>
9190                      <p>
9191                        KX
9192                      </p>
9193                    </td>
9194<td>
9195                      <p>
9196                        Identifies a key exchanger for this
9197                        DNS name.  Described in RFC 2230.
9198                      </p>
9199                    </td>
9200</tr>
9201<tr>
9202<td>
9203                      <p>
9204                        L32
9205                      </p>
9206                    </td>
9207<td>
9208                      <p>
9209                        Holds 32-bit Locator values for
9210                        Identifier-Locator Network Protocol. Described
9211                        in RFC 6742.
9212                      </p>
9213                    </td>
9214</tr>
9215<tr>
9216<td>
9217                      <p>
9218                        L64
9219                      </p>
9220                    </td>
9221<td>
9222                      <p>
9223                        Holds 64-bit Locator values for
9224                        Identifier-Locator Network Protocol. Described
9225                        in RFC 6742.
9226                      </p>
9227                    </td>
9228</tr>
9229<tr>
9230<td>
9231                      <p>
9232                        LOC
9233                      </p>
9234                    </td>
9235<td>
9236                      <p>
9237                        For storing GPS info.  Described in RFC 1876.
9238                        Experimental.
9239                      </p>
9240                    </td>
9241</tr>
9242<tr>
9243<td>
9244                      <p>
9245                        LP
9246                      </p>
9247                    </td>
9248<td>
9249                      <p>
9250                        Identifier-Locator Network Protocol.
9251                        Described in RFC 6742.
9252                      </p>
9253                    </td>
9254</tr>
9255<tr>
9256<td>
9257                      <p>
9258                        MB
9259                      </p>
9260                    </td>
9261<td>
9262                      <p>
9263                        Mail Box.  Historical.
9264                      </p>
9265                    </td>
9266</tr>
9267<tr>
9268<td>
9269                      <p>
9270                        MD
9271                      </p>
9272                    </td>
9273<td>
9274                      <p>
9275                        Mail Destination.  Historical.
9276                      </p>
9277                    </td>
9278</tr>
9279<tr>
9280<td>
9281                      <p>
9282                        MF
9283                      </p>
9284                    </td>
9285<td>
9286                      <p>
9287                        Mail Forwarder.  Historical.
9288                      </p>
9289                    </td>
9290</tr>
9291<tr>
9292<td>
9293                      <p>
9294                        MG
9295                      </p>
9296                    </td>
9297<td>
9298                      <p>
9299                        Mail Group.  Historical.
9300                      </p>
9301                    </td>
9302</tr>
9303<tr>
9304<td>
9305                      <p>
9306                        MINFO
9307                      </p>
9308                    </td>
9309<td>
9310                      <p>
9311                        Mail Information.
9312                      </p>
9313                    </td>
9314</tr>
9315<tr>
9316<td>
9317                      <p>
9318                        MR
9319                      </p>
9320                    </td>
9321<td>
9322                      <p>
9323                        Mail Rename. Historical.
9324                      </p>
9325                    </td>
9326</tr>
9327<tr>
9328<td>
9329                      <p>
9330                        MX
9331                      </p>
9332                    </td>
9333<td>
9334                      <p>
9335                        Identifies a mail exchange for the domain with
9336                        a 16-bit preference value (lower is better)
9337                        followed by the host name of the mail exchange.
9338                        Described in RFC 974, RFC 1035.
9339                      </p>
9340                    </td>
9341</tr>
9342<tr>
9343<td>
9344                      <p>
9345                        NAPTR
9346                      </p>
9347                    </td>
9348<td>
9349                      <p>
9350                        Name authority pointer.  Described in RFC 2915.
9351                      </p>
9352                    </td>
9353</tr>
9354<tr>
9355<td>
9356                      <p>
9357                        NID
9358                      </p>
9359                    </td>
9360<td>
9361                      <p>
9362                        Holds values for Node Identifiers in
9363                        Identifier-Locator Network Protocol. Described
9364                        in RFC 6742.
9365                      </p>
9366                    </td>
9367</tr>
9368<tr>
9369<td>
9370                      <p>
9371                        NINFO
9372                      </p>
9373                    </td>
9374<td>
9375                      <p>
9376                        Contains zone status information.
9377                      </p>
9378                    </td>
9379</tr>
9380<tr>
9381<td>
9382                      <p>
9383                        NIMLOC
9384                      </p>
9385                    </td>
9386<td>
9387                      <p>
9388                        Nimrod Locator.
9389                      </p>
9390                    </td>
9391</tr>
9392<tr>
9393<td>
9394                      <p>
9395                        NSAP
9396                      </p>
9397                    </td>
9398<td>
9399                      <p>
9400                        A network service access point.
9401                        Described in RFC 1706.
9402                      </p>
9403                    </td>
9404</tr>
9405<tr>
9406<td>
9407                      <p>
9408                        NSAP-PTR
9409                      </p>
9410                    </td>
9411<td>
9412                      <p>
9413                        Historical.
9414                      </p>
9415                    </td>
9416</tr>
9417<tr>
9418<td>
9419                      <p>
9420                        NS
9421                      </p>
9422                    </td>
9423<td>
9424                      <p>
9425                        The authoritative name server for the
9426                        domain.  Described in RFC 1035.
9427                      </p>
9428                    </td>
9429</tr>
9430<tr>
9431<td>
9432                      <p>
9433                        NSEC
9434                      </p>
9435                    </td>
9436<td>
9437                      <p>
9438                        Used in DNSSECbis to securely indicate that
9439                        RRs with an owner name in a certain name interval do
9440                        not exist in
9441                        a zone and indicate what RR types are present for an
9442                        existing name.
9443                        Described in RFC 4034.
9444                      </p>
9445                    </td>
9446</tr>
9447<tr>
9448<td>
9449                      <p>
9450                        NSEC3
9451                      </p>
9452                    </td>
9453<td>
9454                      <p>
9455                        Used in DNSSECbis to securely indicate that
9456                        RRs with an owner name in a certain name
9457                        interval do not exist in a zone and indicate
9458                        what RR types are present for an existing
9459                        name.  NSEC3 differs from NSEC in that it
9460                        prevents zone enumeration but is more
9461                        computationally expensive on both the server
9462                        and the client than NSEC.  Described in RFC
9463                        5155.
9464                      </p>
9465                    </td>
9466</tr>
9467<tr>
9468<td>
9469                      <p>
9470                        NSEC3PARAM
9471                      </p>
9472                    </td>
9473<td>
9474                      <p>
9475                        Used in DNSSECbis to tell the authoritative
9476                        server which NSEC3 chains are available to use.
9477                        Described in RFC 5155.
9478                      </p>
9479                    </td>
9480</tr>
9481<tr>
9482<td>
9483                      <p>
9484                        NULL
9485                      </p>
9486                    </td>
9487<td>
9488                      <p>
9489                        This is an opaque container.
9490                      </p>
9491                    </td>
9492</tr>
9493<tr>
9494<td>
9495                      <p>
9496                        NXT
9497                      </p>
9498                    </td>
9499<td>
9500                      <p>
9501                        Used in DNSSEC to securely indicate that
9502                        RRs with an owner name in a certain name interval do
9503                        not exist in
9504                        a zone and indicate what RR types are present for an
9505                        existing name.
9506                        Used in original DNSSEC; replaced by NSEC in
9507                        DNSSECbis.
9508                        Described in RFC 2535.
9509                      </p>
9510                    </td>
9511</tr>
9512<tr>
9513<td>
9514                      <p>
9515                        OPENPGPKEY
9516                      </p>
9517                    </td>
9518<td>
9519                      <p>
9520                        Used to hold an OPENPGPKEY.
9521                      </p>
9522                    </td>
9523</tr>
9524<tr>
9525<td>
9526                      <p>
9527                        PTR
9528                      </p>
9529                    </td>
9530<td>
9531                      <p>
9532                        A pointer to another part of the domain
9533                        name space.  Described in RFC 1035.
9534                      </p>
9535                    </td>
9536</tr>
9537<tr>
9538<td>
9539                      <p>
9540                        PX
9541                      </p>
9542                    </td>
9543<td>
9544                      <p>
9545                        Provides mappings between RFC 822 and X.400
9546                        addresses.  Described in RFC 2163.
9547                      </p>
9548                    </td>
9549</tr>
9550<tr>
9551<td>
9552                      <p>
9553                        RKEY
9554                      </p>
9555                    </td>
9556<td>
9557                      <p>
9558                        Resource key.
9559                      </p>
9560                    </td>
9561</tr>
9562<tr>
9563<td>
9564                      <p>
9565                        RP
9566                      </p>
9567                    </td>
9568<td>
9569                      <p>
9570                        Information on persons responsible
9571                        for the domain.  Experimental.  Described in RFC 1183.
9572                      </p>
9573                    </td>
9574</tr>
9575<tr>
9576<td>
9577                      <p>
9578                        RRSIG
9579                      </p>
9580                    </td>
9581<td>
9582                      <p>
9583                        Contains DNSSECbis signature data.  Described
9584                        in RFC 4034.
9585                      </p>
9586                    </td>
9587</tr>
9588<tr>
9589<td>
9590                      <p>
9591                        RT
9592                      </p>
9593                    </td>
9594<td>
9595                      <p>
9596                        Route-through binding for hosts that
9597                        do not have their own direct wide area network
9598                        addresses.
9599                        Experimental.  Described in RFC 1183.
9600                      </p>
9601                    </td>
9602</tr>
9603<tr>
9604<td>
9605                      <p>
9606                        SIG
9607                      </p>
9608                    </td>
9609<td>
9610                      <p>
9611                        Contains DNSSEC signature data.  Used in
9612                        original DNSSEC; replaced by RRSIG in
9613                        DNSSECbis, but still used for SIG(0).
9614                        Described in RFCs 2535 and 2931.
9615                      </p>
9616                    </td>
9617</tr>
9618<tr>
9619<td>
9620                      <p>
9621                        SINK
9622                      </p>
9623                    </td>
9624<td>
9625                      <p>
9626                        The kitchen sink record.
9627                      </p>
9628                    </td>
9629</tr>
9630<tr>
9631<td>
9632                      <p>
9633                        SMIMEA
9634                      </p>
9635                    </td>
9636<td>
9637                      <p>
9638                        The S/MIME Security Certificate Association.
9639                      </p>
9640                    </td>
9641</tr>
9642<tr>
9643<td>
9644                      <p>
9645                        SOA
9646                      </p>
9647                    </td>
9648<td>
9649                      <p>
9650                        Identifies the start of a zone of authority.
9651                        Described in RFC 1035.
9652                      </p>
9653                    </td>
9654</tr>
9655<tr>
9656<td>
9657                      <p>
9658                        SPF
9659                      </p>
9660                    </td>
9661<td>
9662                      <p>
9663                        Contains the Sender Policy Framework information
9664                        for a given email domain.  Described in RFC 4408.
9665                      </p>
9666                    </td>
9667</tr>
9668<tr>
9669<td>
9670                      <p>
9671                        SRV
9672                      </p>
9673                    </td>
9674<td>
9675                      <p>
9676                        Information about well known network
9677                        services (replaces WKS).  Described in RFC 2782.
9678                      </p>
9679                    </td>
9680</tr>
9681<tr>
9682<td>
9683                      <p>
9684                        SSHFP
9685                      </p>
9686                    </td>
9687<td>
9688                      <p>
9689                        Provides a way to securely publish a secure shell key's
9690                        fingerprint.  Described in RFC 4255.
9691                      </p>
9692                    </td>
9693</tr>
9694<tr>
9695<td>
9696                      <p>
9697                        TA
9698                      </p>
9699                    </td>
9700<td>
9701                      <p>
9702                        Trust Anchor. Experimental.
9703                      </p>
9704                    </td>
9705</tr>
9706<tr>
9707<td>
9708                      <p>
9709                        TALINK
9710                      </p>
9711                    </td>
9712<td>
9713                      <p>
9714                        Trust Anchor Link.  Experimental.
9715                      </p>
9716                    </td>
9717</tr>
9718<tr>
9719<td>
9720                      <p>
9721                        TLSA
9722                      </p>
9723                    </td>
9724<td>
9725                      <p>
9726                        Transport Layer Security Certificate Association.
9727                        Described in RFC 6698.
9728                      </p>
9729                    </td>
9730</tr>
9731<tr>
9732<td>
9733                      <p>
9734                        TXT
9735                      </p>
9736                    </td>
9737<td>
9738                      <p>
9739                        Text records.  Described in RFC 1035.
9740                      </p>
9741                    </td>
9742</tr>
9743<tr>
9744<td>
9745                      <p>
9746                        UID
9747                      </p>
9748                    </td>
9749<td>
9750                      <p>
9751                        Reserved.
9752                      </p>
9753                    </td>
9754</tr>
9755<tr>
9756<td>
9757                      <p>
9758                        UINFO
9759                      </p>
9760                    </td>
9761<td>
9762                      <p>
9763                        Reserved.
9764                      </p>
9765                    </td>
9766</tr>
9767<tr>
9768<td>
9769                      <p>
9770                        UNSPEC
9771                      </p>
9772                    </td>
9773<td>
9774                      <p>
9775                        Reserved. Historical.
9776                      </p>
9777                    </td>
9778</tr>
9779<tr>
9780<td>
9781                      <p>
9782                        URI
9783                      </p>
9784                    </td>
9785<td>
9786                      <p>
9787                        Holds a URI. Described in RFC 7553.
9788                      </p>
9789                    </td>
9790</tr>
9791<tr>
9792<td>
9793                      <p>
9794                        WKS
9795                      </p>
9796                    </td>
9797<td>
9798                      <p>
9799                        Information about which well known
9800                        network services, such as SMTP, that a domain
9801                        supports. Historical.
9802                      </p>
9803                    </td>
9804</tr>
9805<tr>
9806<td>
9807                      <p>
9808                        X25
9809                      </p>
9810                    </td>
9811<td>
9812                      <p>
9813                        Representation of X.25 network addresses.
9814                        Experimental.  Described in RFC 1183.
9815                      </p>
9816                    </td>
9817</tr>
9818</tbody>
9819</table></div>
9820<p>
9821              The following <span class="emphasis"><em>classes</em></span> of resource records
9822              are currently valid in the DNS:
9823            </p>
9824<div class="informaltable"><table border="1">
9825<colgroup>
9826<col width="0.875in" class="1">
9827<col width="3.625in" class="2">
9828</colgroup>
9829<tbody>
9830<tr>
9831<td>
9832                      <p>
9833                        IN
9834                      </p>
9835                    </td>
9836<td>
9837                      <p>
9838                        The Internet.
9839                      </p>
9840                    </td>
9841</tr>
9842<tr>
9843<td>
9844                      <p>
9845                        CH
9846                      </p>
9847                    </td>
9848<td>
9849                      <p>
9850                        Chaosnet, a LAN protocol created at MIT in the
9851                        mid-1970s.
9852                        Rarely used for its historical purpose, but reused for
9853                        BIND's
9854                        built-in server information zones, e.g.,
9855                        <code class="literal">version.bind</code>.
9856                      </p>
9857                    </td>
9858</tr>
9859<tr>
9860<td>
9861                      <p>
9862                        HS
9863                      </p>
9864                    </td>
9865<td>
9866                      <p>
9867                        Hesiod, an information service
9868                        developed by MIT's Project Athena. It is used to share
9869                        information
9870                        about various systems databases, such as users,
9871                        groups, printers
9872                        and so on.
9873                      </p>
9874                    </td>
9875</tr>
9876</tbody>
9877</table></div>
9878<p>
9879              The owner name is often implicit, rather than forming an
9880              integral
9881              part of the RR.  For example, many name servers internally form
9882              tree
9883              or hash structures for the name space, and chain RRs off nodes.
9884              The remaining RR parts are the fixed header (type, class, TTL)
9885              which is consistent for all RRs, and a variable part (RDATA)
9886              that
9887              fits the needs of the resource being described.
9888            </p>
9889<p>
9890              The meaning of the TTL field is a time limit on how long an
9891              RR can be kept in a cache.  This limit does not apply to
9892              authoritative
9893              data in zones; it is also timed out, but by the refreshing
9894              policies
9895              for the zone.  The TTL is assigned by the administrator for the
9896              zone where the data originates.  While short TTLs can be used to
9897              minimize caching, and a zero TTL prohibits caching, the
9898              realities
9899              of Internet performance suggest that these times should be on
9900              the
9901              order of days for the typical host.  If a change can be
9902              anticipated,
9903              the TTL can be reduced prior to the change to minimize
9904              inconsistency
9905              during the change, and then increased back to its former value
9906              following
9907              the change.
9908            </p>
9909<p>
9910              The data in the RDATA section of RRs is carried as a combination
9911              of binary strings and domain names.  The domain names are
9912              frequently
9913              used as "pointers" to other data in the DNS.
9914            </p>
9915</div>
9916<div class="section">
9917<div class="titlepage"><div><div><h4 class="title">
9918<a name="rr_text"></a>Textual expression of RRs</h4></div></div></div>
9919<p>
9920              RRs are represented in binary form in the packets of the DNS
9921              protocol, and are usually represented in highly encoded form
9922              when
9923              stored in a name server or resolver.  In the examples provided
9924              in
9925              RFC 1034, a style similar to that used in master files was
9926              employed
9927              in order to show the contents of RRs.  In this format, most RRs
9928              are shown on a single line, although continuation lines are
9929              possible
9930              using parentheses.
9931            </p>
9932<p>
9933              The start of the line gives the owner of the RR.  If a line
9934              begins with a blank, then the owner is assumed to be the same as
9935              that of the previous RR.  Blank lines are often included for
9936              readability.
9937            </p>
9938<p>
9939              Following the owner, we list the TTL, type, and class of the
9940              RR.  Class and type use the mnemonics defined above, and TTL is
9941              an integer before the type field.  In order to avoid ambiguity
9942              in
9943              parsing, type and class mnemonics are disjoint, TTLs are
9944              integers,
9945              and the type mnemonic is always last. The IN class and TTL
9946              values
9947              are often omitted from examples in the interests of clarity.
9948            </p>
9949<p>
9950              The resource data or RDATA section of the RR are given using
9951              knowledge of the typical representation for the data.
9952            </p>
9953<p>
9954              For example, we might show the RRs carried in a message as:
9955            </p>
9956<div class="informaltable"><table border="1">
9957<colgroup>
9958<col width="1.381in" class="1">
9959<col width="1.020in" class="2">
9960<col width="2.099in" class="3">
9961</colgroup>
9962<tbody>
9963<tr>
9964<td>
9965                      <p>
9966                        <code class="literal">ISI.EDU.</code>
9967                      </p>
9968                    </td>
9969<td>
9970                      <p>
9971                        <code class="literal">MX</code>
9972                      </p>
9973                    </td>
9974<td>
9975                      <p>
9976                        <code class="literal">10 VENERA.ISI.EDU.</code>
9977                      </p>
9978                    </td>
9979</tr>
9980<tr>
9981<td>
9982                      <p></p>
9983                    </td>
9984<td>
9985                      <p>
9986                        <code class="literal">MX</code>
9987                      </p>
9988                    </td>
9989<td>
9990                      <p>
9991                        <code class="literal">10 VAXA.ISI.EDU</code>
9992                      </p>
9993                    </td>
9994</tr>
9995<tr>
9996<td>
9997                      <p>
9998                        <code class="literal">VENERA.ISI.EDU</code>
9999                      </p>
10000                    </td>
10001<td>
10002                      <p>
10003                        <code class="literal">A</code>
10004                      </p>
10005                    </td>
10006<td>
10007                      <p>
10008                        <code class="literal">128.9.0.32</code>
10009                      </p>
10010                    </td>
10011</tr>
10012<tr>
10013<td>
10014                      <p></p>
10015                    </td>
10016<td>
10017                      <p>
10018                        <code class="literal">A</code>
10019                      </p>
10020                    </td>
10021<td>
10022                      <p>
10023                        <code class="literal">10.1.0.52</code>
10024                      </p>
10025                    </td>
10026</tr>
10027<tr>
10028<td>
10029                      <p>
10030                        <code class="literal">VAXA.ISI.EDU</code>
10031                      </p>
10032                    </td>
10033<td>
10034                      <p>
10035                        <code class="literal">A</code>
10036                      </p>
10037                    </td>
10038<td>
10039                      <p>
10040                        <code class="literal">10.2.0.27</code>
10041                      </p>
10042                    </td>
10043</tr>
10044<tr>
10045<td>
10046                      <p></p>
10047                    </td>
10048<td>
10049                      <p>
10050                        <code class="literal">A</code>
10051                      </p>
10052                    </td>
10053<td>
10054                      <p>
10055                        <code class="literal">128.9.0.33</code>
10056                      </p>
10057                    </td>
10058</tr>
10059</tbody>
10060</table></div>
10061<p>
10062              The MX RRs have an RDATA section which consists of a 16-bit
10063              number followed by a domain name.  The address RRs use a
10064              standard
10065              IP address format to contain a 32-bit internet address.
10066            </p>
10067<p>
10068              The above example shows six RRs, with two RRs at each of three
10069              domain names.
10070            </p>
10071<p>
10072              Similarly we might see:
10073            </p>
10074<div class="informaltable"><table border="1">
10075<colgroup>
10076<col width="1.491in" class="1">
10077<col width="1.067in" class="2">
10078<col width="2.067in" class="3">
10079</colgroup>
10080<tbody>
10081<tr>
10082<td>
10083                      <p>
10084                        <code class="literal">XX.LCS.MIT.EDU.</code>
10085                      </p>
10086                    </td>
10087<td>
10088                      <p>
10089                        <code class="literal">IN A</code>
10090                      </p>
10091                    </td>
10092<td>
10093                      <p>
10094                        <code class="literal">10.0.0.44</code>
10095                      </p>
10096                    </td>
10097</tr>
10098<tr>
10099<td>�</td>
10100<td>
10101                      <p>
10102                        <code class="literal">CH A</code>
10103                      </p>
10104                    </td>
10105<td>
10106                      <p>
10107                        <code class="literal">MIT.EDU. 2420</code>
10108                      </p>
10109                    </td>
10110</tr>
10111</tbody>
10112</table></div>
10113<p>
10114              This example shows two addresses for
10115              <code class="literal">XX.LCS.MIT.EDU</code>, each of a different class.
10116            </p>
10117</div>
10118</div>
10119<div class="section">
10120<div class="titlepage"><div><div><h3 class="title">
10121<a name="mx_records"></a>Discussion of MX Records</h3></div></div></div>
10122<p>
10123            As described above, domain servers store information as a
10124            series of resource records, each of which contains a particular
10125            piece of information about a given domain name (which is usually,
10126            but not always, a host). The simplest way to think of a RR is as
10127            a typed pair of data, a domain name matched with a relevant datum,
10128            and stored with some additional type information to help systems
10129            determine when the RR is relevant.
10130          </p>
10131<p>
10132            MX records are used to control delivery of email. The data
10133            specified in the record is a priority and a domain name. The
10134            priority
10135            controls the order in which email delivery is attempted, with the
10136            lowest number first. If two priorities are the same, a server is
10137            chosen randomly. If no servers at a given priority are responding,
10138            the mail transport agent will fall back to the next largest
10139            priority.
10140            Priority numbers do not have any absolute meaning &#8212; they are
10141            relevant
10142            only respective to other MX records for that domain name. The
10143            domain
10144            name given is the machine to which the mail will be delivered.
10145            It <span class="emphasis"><em>must</em></span> have an associated address record
10146            (A or AAAA) &#8212; CNAME is not sufficient.
10147          </p>
10148<p>
10149            For a given domain, if there is both a CNAME record and an
10150            MX record, the MX record is in error, and will be ignored.
10151            Instead,
10152            the mail will be delivered to the server specified in the MX
10153            record
10154            pointed to by the CNAME.
10155            For example:
10156          </p>
10157<div class="informaltable"><table border="1">
10158<colgroup>
10159<col width="1.708in" class="1">
10160<col width="0.444in" class="2">
10161<col width="0.444in" class="3">
10162<col width="0.976in" class="4">
10163<col width="1.553in" class="5">
10164</colgroup>
10165<tbody>
10166<tr>
10167<td>
10168                    <p>
10169                      <code class="literal">example.com.</code>
10170                    </p>
10171                  </td>
10172<td>
10173                    <p>
10174                      <code class="literal">IN</code>
10175                    </p>
10176                  </td>
10177<td>
10178                    <p>
10179                      <code class="literal">MX</code>
10180                    </p>
10181                  </td>
10182<td>
10183                    <p>
10184                      <code class="literal">10</code>
10185                    </p>
10186                  </td>
10187<td>
10188                    <p>
10189                      <code class="literal">mail.example.com.</code>
10190                    </p>
10191                  </td>
10192</tr>
10193<tr>
10194<td>
10195                    <p></p>
10196                  </td>
10197<td>
10198                    <p>
10199                      <code class="literal">IN</code>
10200                    </p>
10201                  </td>
10202<td>
10203                    <p>
10204                      <code class="literal">MX</code>
10205                    </p>
10206                  </td>
10207<td>
10208                    <p>
10209                      <code class="literal">10</code>
10210                    </p>
10211                  </td>
10212<td>
10213                    <p>
10214                      <code class="literal">mail2.example.com.</code>
10215                    </p>
10216                  </td>
10217</tr>
10218<tr>
10219<td>
10220                    <p></p>
10221                  </td>
10222<td>
10223                    <p>
10224                      <code class="literal">IN</code>
10225                    </p>
10226                  </td>
10227<td>
10228                    <p>
10229                      <code class="literal">MX</code>
10230                    </p>
10231                  </td>
10232<td>
10233                    <p>
10234                      <code class="literal">20</code>
10235                    </p>
10236                  </td>
10237<td>
10238                    <p>
10239                      <code class="literal">mail.backup.org.</code>
10240                    </p>
10241                  </td>
10242</tr>
10243<tr>
10244<td>
10245                    <p>
10246                      <code class="literal">mail.example.com.</code>
10247                    </p>
10248                  </td>
10249<td>
10250                    <p>
10251                      <code class="literal">IN</code>
10252                    </p>
10253                  </td>
10254<td>
10255                    <p>
10256                      <code class="literal">A</code>
10257                    </p>
10258                  </td>
10259<td>
10260                    <p>
10261                      <code class="literal">10.0.0.1</code>
10262                    </p>
10263                  </td>
10264<td>
10265                    <p></p>
10266                  </td>
10267</tr>
10268<tr>
10269<td>
10270                    <p>
10271                      <code class="literal">mail2.example.com.</code>
10272                    </p>
10273                  </td>
10274<td>
10275                    <p>
10276                      <code class="literal">IN</code>
10277                    </p>
10278                  </td>
10279<td>
10280                    <p>
10281                      <code class="literal">A</code>
10282                    </p>
10283                  </td>
10284<td>
10285                    <p>
10286                      <code class="literal">10.0.0.2</code>
10287                    </p>
10288                  </td>
10289<td>
10290                    <p></p>
10291                  </td>
10292</tr>
10293</tbody>
10294</table></div>
10295<p>
10296            Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
10297            <code class="literal">mail2.example.com</code> (in
10298            any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
10299            be attempted.
10300          </p>
10301</div>
10302<div class="section">
10303<div class="titlepage"><div><div><h3 class="title">
10304<a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div>
10305<p>
10306            The time-to-live of the RR field is a 32-bit integer represented
10307            in units of seconds, and is primarily used by resolvers when they
10308            cache RRs. The TTL describes how long a RR can be cached before it
10309            should be discarded. The following three types of TTL are
10310            currently
10311            used in a zone file.
10312          </p>
10313<div class="informaltable"><table border="1">
10314<colgroup>
10315<col width="0.750in" class="1">
10316<col width="4.375in" class="2">
10317</colgroup>
10318<tbody>
10319<tr>
10320<td>
10321                    <p>
10322                      SOA
10323                    </p>
10324                  </td>
10325<td>
10326                    <p>
10327                      The last field in the SOA is the negative
10328                      caching TTL. This controls how long other servers will
10329                      cache no-such-domain
10330                      (NXDOMAIN) responses from you.
10331                    </p>
10332                    <p>
10333                      The maximum time for
10334                      negative caching is 3 hours (3h).
10335                    </p>
10336                  </td>
10337</tr>
10338<tr>
10339<td>
10340                    <p>
10341                      $TTL
10342                    </p>
10343                  </td>
10344<td>
10345                    <p>
10346                      The $TTL directive at the top of the
10347                      zone file (before the SOA) gives a default TTL for every
10348                      RR without
10349                      a specific TTL set.
10350                    </p>
10351                  </td>
10352</tr>
10353<tr>
10354<td>
10355                    <p>
10356                      RR TTLs
10357                    </p>
10358                  </td>
10359<td>
10360                    <p>
10361                      Each RR can have a TTL as the second
10362                      field in the RR, which will control how long other
10363                      servers can cache it.
10364                    </p>
10365                  </td>
10366</tr>
10367</tbody>
10368</table></div>
10369<p>
10370            All of these TTLs default to units of seconds, though units
10371            can be explicitly specified, for example, <code class="literal">1h30m</code>.
10372          </p>
10373</div>
10374<div class="section">
10375<div class="titlepage"><div><div><h3 class="title">
10376<a name="ipv4_reverse"></a>Inverse Mapping in IPv4</h3></div></div></div>
10377<p>
10378            Reverse name resolution (that is, translation from IP address
10379            to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
10380            and PTR records. Entries in the in-addr.arpa domain are made in
10381            least-to-most significant order, read left to right. This is the
10382            opposite order to the way IP addresses are usually written. Thus,
10383            a machine with an IP address of 10.1.2.3 would have a
10384            corresponding
10385            in-addr.arpa name of
10386            3.2.1.10.in-addr.arpa. This name should have a PTR resource record
10387            whose data field is the name of the machine or, optionally,
10388            multiple
10389            PTR records if the machine has more than one name. For example,
10390            in the [<span class="optional">example.com</span>] domain:
10391          </p>
10392<div class="informaltable"><table border="1">
10393<colgroup>
10394<col width="1.125in" class="1">
10395<col width="4.000in" class="2">
10396</colgroup>
10397<tbody>
10398<tr>
10399<td>
10400                    <p>
10401                      <code class="literal">$ORIGIN</code>
10402                    </p>
10403                  </td>
10404<td>
10405                    <p>
10406                      <code class="literal">2.1.10.in-addr.arpa</code>
10407                    </p>
10408                  </td>
10409</tr>
10410<tr>
10411<td>
10412                    <p>
10413                      <code class="literal">3</code>
10414                    </p>
10415                  </td>
10416<td>
10417                    <p>
10418                      <code class="literal">IN PTR foo.example.com.</code>
10419                    </p>
10420                  </td>
10421</tr>
10422</tbody>
10423</table></div>
10424<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
10425<h3 class="title">Note</h3>
10426<p>
10427              The <span class="command"><strong>$ORIGIN</strong></span> lines in the examples
10428              are for providing context to the examples only &#8212; they do not
10429              necessarily
10430              appear in the actual usage. They are only used here to indicate
10431              that the example is relative to the listed origin.
10432            </p>
10433</div>
10434</div>
10435<div class="section">
10436<div class="titlepage"><div><div><h3 class="title">
10437<a name="zone_directives"></a>Other Zone File Directives</h3></div></div></div>
10438<p>
10439            The Master File Format was initially defined in RFC 1035 and
10440            has subsequently been extended. While the Master File Format
10441            itself
10442            is class independent all records in a Master File must be of the
10443            same
10444            class.
10445          </p>
10446<p>
10447            Master File Directives include <span class="command"><strong>$ORIGIN</strong></span>, <span class="command"><strong>$INCLUDE</strong></span>,
10448            and <span class="command"><strong>$TTL.</strong></span>
10449          </p>
10450<div class="section">
10451<div class="titlepage"><div><div><h4 class="title">
10452<a name="atsign"></a>The <span class="command"><strong>@</strong></span> (at-sign)</h4></div></div></div>
10453<p>
10454              When used in the label (or name) field, the asperand or
10455              at-sign (@) symbol represents the current origin.
10456              At the start of the zone file, it is the
10457              &lt;<code class="varname">zone_name</code>&gt; (followed by
10458              trailing dot).
10459            </p>
10460</div>
10461<div class="section">
10462<div class="titlepage"><div><div><h4 class="title">
10463<a name="origin_directive"></a>The <span class="command"><strong>$ORIGIN</strong></span> Directive</h4></div></div></div>
10464<p>
10465              Syntax: <span class="command"><strong>$ORIGIN</strong></span>
10466              <em class="replaceable"><code>domain-name</code></em>
10467              [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
10468            </p>
10469<p><span class="command"><strong>$ORIGIN</strong></span>
10470              sets the domain name that will be appended to any
10471              unqualified records. When a zone is first read in there
10472              is an implicit <span class="command"><strong>$ORIGIN</strong></span>
10473              &lt;<code class="varname">zone_name</code>&gt;<span class="command"><strong>.</strong></span>
10474              (followed by trailing dot).
10475              The current <span class="command"><strong>$ORIGIN</strong></span> is appended to
10476              the domain specified in the <span class="command"><strong>$ORIGIN</strong></span>
10477              argument if it is not absolute.
10478            </p>
10479<pre class="programlisting">
10480$ORIGIN example.com.
10481WWW     CNAME   MAIN-SERVER
10482</pre>
10483<p>
10484              is equivalent to
10485            </p>
10486<pre class="programlisting">
10487WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
10488</pre>
10489</div>
10490<div class="section">
10491<div class="titlepage"><div><div><h4 class="title">
10492<a name="include_directive"></a>The <span class="command"><strong>$INCLUDE</strong></span> Directive</h4></div></div></div>
10493<p>
10494              Syntax: <span class="command"><strong>$INCLUDE</strong></span>
10495              <em class="replaceable"><code>filename</code></em>
10496              [<span class="optional">
10497<em class="replaceable"><code>origin</code></em> </span>]
10498              [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]
10499            </p>
10500<p>
10501              Read and process the file <code class="filename">filename</code> as
10502              if it were included into the file at this point.  If <span class="command"><strong>origin</strong></span> is
10503              specified the file is processed with <span class="command"><strong>$ORIGIN</strong></span> set
10504              to that value, otherwise the current <span class="command"><strong>$ORIGIN</strong></span> is
10505              used.
10506            </p>
10507<p>
10508              The origin and the current domain name
10509              revert to the values they had prior to the <span class="command"><strong>$INCLUDE</strong></span> once
10510              the file has been read.
10511            </p>
10512<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
10513<h3 class="title">Note</h3>
10514<p>
10515                RFC 1035 specifies that the current origin should be restored
10516                after
10517                an <span class="command"><strong>$INCLUDE</strong></span>, but it is silent
10518                on whether the current
10519                domain name should also be restored.  BIND 9 restores both of
10520                them.
10521                This could be construed as a deviation from RFC 1035, a
10522                feature, or both.
10523              </p>
10524</div>
10525</div>
10526<div class="section">
10527<div class="titlepage"><div><div><h4 class="title">
10528<a name="ttl_directive"></a>The <span class="command"><strong>$TTL</strong></span> Directive</h4></div></div></div>
10529<p>
10530              Syntax: <span class="command"><strong>$TTL</strong></span>
10531              <em class="replaceable"><code>default-ttl</code></em>
10532              [<span class="optional">
10533<em class="replaceable"><code>comment</code></em> </span>]
10534            </p>
10535<p>
10536              Set the default Time To Live (TTL) for subsequent records
10537              with undefined TTLs. Valid TTLs are of the range 0-2147483647
10538              seconds.
10539            </p>
10540<p><span class="command"><strong>$TTL</strong></span>
10541               is defined in RFC 2308.
10542            </p>
10543</div>
10544</div>
10545<div class="section">
10546<div class="titlepage"><div><div><h3 class="title">
10547<a name="generate_directive"></a><acronym class="acronym">BIND</acronym> Master File Extension: the  <span class="command"><strong>$GENERATE</strong></span> Directive</h3></div></div></div>
10548<p>
10549            Syntax: <span class="command"><strong>$GENERATE</strong></span>
10550            <em class="replaceable"><code>range</code></em>
10551            <em class="replaceable"><code>lhs</code></em>
10552            [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>]
10553            [<span class="optional"><em class="replaceable"><code>class</code></em></span>]
10554            <em class="replaceable"><code>type</code></em>
10555            <em class="replaceable"><code>rhs</code></em>
10556            [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
10557          </p>
10558<p><span class="command"><strong>$GENERATE</strong></span>
10559            is used to create a series of resource records that only
10560            differ from each other by an
10561            iterator. <span class="command"><strong>$GENERATE</strong></span> can be used to
10562            easily generate the sets of records required to support
10563            sub /24 reverse delegations described in RFC 2317:
10564            Classless IN-ADDR.ARPA delegation.
10565          </p>
10566<pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA.
10567$GENERATE 1-2 @ NS SERVER$.EXAMPLE.
10568$GENERATE 1-127 $ CNAME $.0</pre>
10569<p>
10570            is equivalent to
10571          </p>
10572<pre class="programlisting">0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
105730.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
105741.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
105752.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
10576...
10577127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
10578</pre>
10579<p>
10580            Generate a set of A and MX records.  Note the MX's right hand
10581            side is a quoted string.  The quotes will be stripped when the
10582            right hand side is processed.
10583           </p>
10584<pre class="programlisting">
10585$ORIGIN EXAMPLE.
10586$GENERATE 1-127 HOST-$ A 1.2.3.$
10587$GENERATE 1-127 HOST-$ MX "0 ."</pre>
10588<p>
10589            is equivalent to
10590          </p>
10591<pre class="programlisting">HOST-1.EXAMPLE.   A  1.2.3.1
10592HOST-1.EXAMPLE.   MX 0 .
10593HOST-2.EXAMPLE.   A  1.2.3.2
10594HOST-2.EXAMPLE.   MX 0 .
10595HOST-3.EXAMPLE.   A  1.2.3.3
10596HOST-3.EXAMPLE.   MX 0 .
10597...
10598HOST-127.EXAMPLE. A  1.2.3.127
10599HOST-127.EXAMPLE. MX 0 .
10600</pre>
10601<div class="informaltable"><table border="1">
10602<colgroup>
10603<col width="0.875in" class="1">
10604<col width="4.250in" class="2">
10605</colgroup>
10606<tbody>
10607<tr>
10608<td>
10609                    <p><span class="command"><strong>range</strong></span></p>
10610                  </td>
10611<td>
10612                    <p>
10613                      This can be one of two forms: start-stop
10614                      or start-stop/step. If the first form is used, then step
10615                      is set to 1. start, stop and step must be positive
10616                      integers between 0 and (2^31)-1. start must not be
10617                      larger than stop.
10618                    </p>
10619                  </td>
10620</tr>
10621<tr>
10622<td>
10623                    <p><span class="command"><strong>lhs</strong></span></p>
10624                  </td>
10625<td>
10626                    <p>This
10627                      describes the owner name of the resource records
10628                      to be created.  Any single <span class="command"><strong>$</strong></span>
10629                      (dollar sign)
10630                      symbols within the <span class="command"><strong>lhs</strong></span> string
10631                      are replaced by the iterator value.
10632
10633                      To get a $ in the output, you need to escape the
10634                      <span class="command"><strong>$</strong></span> using a backslash
10635                      <span class="command"><strong>\</strong></span>,
10636                      e.g. <span class="command"><strong>\$</strong></span>. The
10637                      <span class="command"><strong>$</strong></span> may optionally be followed
10638                      by modifiers which change the offset from the
10639                      iterator, field width and base.
10640
10641                      Modifiers are introduced by a
10642                      <span class="command"><strong>{</strong></span> (left brace) immediately following the
10643                      <span class="command"><strong>$</strong></span> as
10644                      <span class="command"><strong>${offset[,width[,base]]}</strong></span>.
10645                      For example, <span class="command"><strong>${-20,3,d}</strong></span>
10646                      subtracts 20 from the current value, prints the
10647                      result as a decimal in a zero-padded field of
10648                      width 3.
10649
10650                      Available output forms are decimal
10651                      (<span class="command"><strong>d</strong></span>), octal
10652                      (<span class="command"><strong>o</strong></span>), hexadecimal
10653                      (<span class="command"><strong>x</strong></span> or <span class="command"><strong>X</strong></span>
10654                      for uppercase) and nibble
10655                      (<span class="command"><strong>n</strong></span> or <span class="command"><strong>N</strong></span>\
10656                      for uppercase).  The default modifier is
10657                      <span class="command"><strong>${0,0,d}</strong></span>.  If the
10658                      <span class="command"><strong>lhs</strong></span> is not absolute, the
10659                      current <span class="command"><strong>$ORIGIN</strong></span> is appended
10660                      to the name.
10661                    </p>
10662                    <p>
10663                      In nibble mode the value will be treated as
10664                      if it was a reversed hexadecimal string
10665                      with each hexadecimal digit as a separate
10666                      label.  The width field includes the label
10667                      separator.
10668                    </p>
10669                    <p>
10670                      For compatibility with earlier versions,
10671                      <span class="command"><strong>$$</strong></span> is still recognized as
10672                      indicating a literal $ in the output.
10673                    </p>
10674                  </td>
10675</tr>
10676<tr>
10677<td>
10678                    <p><span class="command"><strong>ttl</strong></span></p>
10679                  </td>
10680<td>
10681                    <p>
10682                      Specifies the time-to-live of the generated records. If
10683                      not specified this will be inherited using the
10684                      normal TTL inheritance rules.
10685                    </p>
10686                    <p><span class="command"><strong>class</strong></span>
10687                      and <span class="command"><strong>ttl</strong></span> can be
10688                      entered in either order.
10689                    </p>
10690                  </td>
10691</tr>
10692<tr>
10693<td>
10694                    <p><span class="command"><strong>class</strong></span></p>
10695                  </td>
10696<td>
10697                    <p>
10698                      Specifies the class of the generated records.
10699                      This must match the zone class if it is
10700                      specified.
10701                    </p>
10702                    <p><span class="command"><strong>class</strong></span>
10703                      and <span class="command"><strong>ttl</strong></span> can be
10704                      entered in either order.
10705                    </p>
10706                  </td>
10707</tr>
10708<tr>
10709<td>
10710                    <p><span class="command"><strong>type</strong></span></p>
10711                  </td>
10712<td>
10713                    <p>
10714                      Any valid type.
10715                    </p>
10716                  </td>
10717</tr>
10718<tr>
10719<td>
10720                    <p><span class="command"><strong>rhs</strong></span></p>
10721                  </td>
10722<td>
10723                    <p>
10724                      <span class="command"><strong>rhs</strong></span>, optionally, quoted string.
10725                    </p>
10726                  </td>
10727</tr>
10728</tbody>
10729</table></div>
10730<p>
10731            The <span class="command"><strong>$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
10732            and not part of the standard zone file format.
10733          </p>
10734<p>
10735            BIND 8 does not support the optional TTL and CLASS fields.
10736          </p>
10737</div>
10738<div class="section">
10739<div class="titlepage"><div><div><h3 class="title">
10740<a name="zonefile_format"></a>Additional File Formats</h3></div></div></div>
10741<p>
10742            In addition to the standard textual format, BIND 9
10743            supports the ability to read or dump to zone files in
10744            other formats.  The <code class="constant">raw</code> format is
10745            currently available as an additional format.  It is a
10746            binary format representing BIND 9's internal data
10747            structure directly, thereby remarkably improving the
10748            loading time.
10749          </p>
10750<p>
10751            For a primary server, a zone file in the
10752            <code class="constant">raw</code> format is expected to be
10753            generated from a textual zone file by the
10754            <span class="command"><strong>named-compilezone</strong></span> command.  For a
10755            secondary server or for a dynamic zone, it is automatically
10756            generated (if this format is specified by the
10757            <span class="command"><strong>masterfile-format</strong></span> option) when
10758            <span class="command"><strong>named</strong></span> dumps the zone contents after
10759            zone transfer or when applying prior updates.
10760          </p>
10761<p>
10762            If a zone file in a binary format needs manual modification,
10763            it first must be converted to a textual form by the
10764            <span class="command"><strong>named-compilezone</strong></span> command.  All
10765            necessary modification should go to the text file, which
10766            should then be converted to the binary form by the
10767            <span class="command"><strong>named-compilezone</strong></span> command again.
10768          </p>
10769<p>
10770             Although the <code class="constant">raw</code> format uses the
10771             network byte order and avoids architecture-dependent
10772             data alignment so that it is as much portable as
10773             possible, it is primarily expected to be used inside
10774             the same single system.  In order to export a zone
10775             file in the <code class="constant">raw</code> format or make a
10776             portable backup of the file, it is recommended to
10777             convert the file to the standard textual representation.
10778          </p>
10779</div>
10780</div>
10781<div class="section">
10782<div class="titlepage"><div><div><h2 class="title" style="clear: both">
10783<a name="statistics"></a>BIND9 Statistics</h2></div></div></div>
10784<p>
10785          <acronym class="acronym">BIND</acronym> 9 maintains lots of statistics
10786          information and provides several interfaces for users to
10787          get access to the statistics.
10788          The available statistics include all statistics counters
10789          that were available in <acronym class="acronym">BIND</acronym> 8 and
10790          are meaningful in <acronym class="acronym">BIND</acronym> 9,
10791          and other information that is considered useful.
10792        </p>
10793<p>
10794          The statistics information is categorized into the following
10795          sections.
10796        </p>
10797<div class="informaltable"><table border="1">
10798<colgroup>
10799<col width="3.300in" class="1">
10800<col width="2.625in" class="2">
10801</colgroup>
10802<tbody>
10803<tr>
10804<td>
10805                  <p>Incoming Requests</p>
10806                </td>
10807<td>
10808                  <p>
10809                    The number of incoming DNS requests for each OPCODE.
10810                  </p>
10811                </td>
10812</tr>
10813<tr>
10814<td>
10815                  <p>Incoming Queries</p>
10816                </td>
10817<td>
10818                  <p>
10819                    The number of incoming queries for each RR type.
10820                  </p>
10821                </td>
10822</tr>
10823<tr>
10824<td>
10825                  <p>Outgoing Queries</p>
10826                </td>
10827<td>
10828                  <p>
10829                    The number of outgoing queries for each RR
10830                    type sent from the internal resolver.
10831                    Maintained per view.
10832                  </p>
10833                </td>
10834</tr>
10835<tr>
10836<td>
10837                  <p>Name Server Statistics</p>
10838                </td>
10839<td>
10840                  <p>
10841                    Statistics counters about incoming request processing.
10842                  </p>
10843                </td>
10844</tr>
10845<tr>
10846<td>
10847                  <p>Zone Maintenance Statistics</p>
10848                </td>
10849<td>
10850                  <p>
10851                    Statistics counters regarding zone maintenance
10852                    operations such as zone transfers.
10853                  </p>
10854                </td>
10855</tr>
10856<tr>
10857<td>
10858                  <p>Resolver Statistics</p>
10859                </td>
10860<td>
10861                  <p>
10862                    Statistics counters about name resolution
10863                    performed in the internal resolver.
10864                    Maintained per view.
10865                  </p>
10866                </td>
10867</tr>
10868<tr>
10869<td>
10870                  <p>Cache DB RRsets</p>
10871                </td>
10872<td>
10873                  <p>
10874                    The number of RRsets per RR type and nonexistent
10875                    names stored in the cache database.
10876                    If the exclamation mark (!) is printed for a RR
10877                    type, it means that particular type of RRset is
10878                    known to be nonexistent (this is also known as
10879                    "NXRRSET").
10880                    Maintained per view.
10881                  </p>
10882                </td>
10883</tr>
10884<tr>
10885<td>
10886                  <p>Socket I/O Statistics</p>
10887                </td>
10888<td>
10889                  <p>
10890                    Statistics counters about network related events.
10891                  </p>
10892                </td>
10893</tr>
10894</tbody>
10895</table></div>
10896<p>
10897          A subset of Name Server Statistics is collected and shown
10898          per zone for which the server has the authority when
10899          <span class="command"><strong>zone-statistics</strong></span> is set to
10900          <strong class="userinput"><code>full</code></strong> (or <strong class="userinput"><code>yes</code></strong>
10901          for backward compatibility. See the description of
10902          <span class="command"><strong>zone-statistics</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span class="command"><strong>options</strong></span> Statement Definition and
10903          Usage&#8221;</a>
10904          for further details.
10905        </p>
10906<p>
10907          These statistics counters are shown with their zone and
10908          view names. The view name is omitted when the server is
10909          not configured with explicit views.</p>
10910<p>
10911          There are currently two user interfaces to get access to the
10912          statistics.
10913          One is in the plain text format dumped to the file specified
10914          by the <span class="command"><strong>statistics-file</strong></span> configuration option.
10915          The other is remotely accessible via a statistics channel
10916          when the <span class="command"><strong>statistics-channels</strong></span> statement
10917          is specified in the configuration file
10918          (see <a class="xref" href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called &#8220;<span class="command"><strong>statistics-channels</strong></span> Statement Grammar&#8221;</a>.)
10919        </p>
10920<div class="section">
10921<div class="titlepage"><div><div><h3 class="title">
10922<a name="statsfile"></a>The Statistics File</h3></div></div></div>
10923<p>
10924            The text format statistics dump begins with a line, like:
10925          </p>
10926<p>
10927            <span class="command"><strong>+++ Statistics Dump +++ (973798949)</strong></span>
10928          </p>
10929<p>
10930            The number in parentheses is a standard
10931            Unix-style timestamp, measured as seconds since January 1, 1970.
10932
10933            Following
10934            that line is a set of statistics information, which is categorized
10935            as described above.
10936            Each section begins with a line, like:
10937          </p>
10938<p>
10939            <span class="command"><strong>++ Name Server Statistics ++</strong></span>
10940          </p>
10941<p>
10942            Each section consists of lines, each containing the statistics
10943            counter value followed by its textual description.
10944            See below for available counters.
10945            For brevity, counters that have a value of 0 are not shown
10946            in the statistics file.
10947          </p>
10948<p>
10949            The statistics dump ends with the line where the
10950            number is identical to the number in the beginning line; for example:
10951          </p>
10952<p>
10953            <span class="command"><strong>--- Statistics Dump --- (973798949)</strong></span>
10954          </p>
10955</div>
10956<div class="section">
10957<div class="titlepage"><div><div><h3 class="title">
10958<a name="statistics_counters"></a>Statistics Counters</h3></div></div></div>
10959<p>
10960            The following tables summarize statistics counters that
10961            <acronym class="acronym">BIND</acronym> 9 provides.
10962            For each row of the tables, the leftmost column is the
10963            abbreviated symbol name of that counter.
10964            These symbols are shown in the statistics information
10965            accessed via an HTTP statistics channel.
10966            The rightmost column gives the description of the counter,
10967            which is also shown in the statistics file
10968            (but, in this document, possibly with slight modification
10969            for better readability).
10970            Additional notes may also be provided in this column.
10971            When a middle column exists between these two columns,
10972            it gives the corresponding counter name of the
10973            <acronym class="acronym">BIND</acronym> 8 statistics, if applicable.
10974          </p>
10975<div class="section">
10976<div class="titlepage"><div><div><h4 class="title">
10977<a name="stats_counters"></a>Name Server Statistics Counters</h4></div></div></div>
10978<div class="informaltable"><table border="1">
10979<colgroup>
10980<col width="1.150in" class="1">
10981<col width="1.150in" class="2">
10982<col width="3.350in" class="3">
10983</colgroup>
10984<tbody>
10985<tr>
10986<td>
10987                      <p>
10988                        <span class="emphasis"><em>Symbol</em></span>
10989                      </p>
10990                    </td>
10991<td>
10992                      <p>
10993                        <span class="emphasis"><em>BIND8 Symbol</em></span>
10994                      </p>
10995                    </td>
10996<td>
10997                      <p>
10998                        <span class="emphasis"><em>Description</em></span>
10999                      </p>
11000                    </td>
11001</tr>
11002<tr>
11003<td>
11004                      <p><span class="command"><strong>Requestv4</strong></span></p>
11005                    </td>
11006<td>
11007                      <p><span class="command"><strong>RQ</strong></span></p>
11008                    </td>
11009<td>
11010                      <p>
11011                        IPv4 requests received.
11012                        Note: this also counts non query requests.
11013                      </p>
11014                    </td>
11015</tr>
11016<tr>
11017<td>
11018                      <p><span class="command"><strong>Requestv6</strong></span></p>
11019                    </td>
11020<td>
11021                      <p><span class="command"><strong>RQ</strong></span></p>
11022                    </td>
11023<td>
11024                      <p>
11025                        IPv6 requests received.
11026                        Note: this also counts non query requests.
11027                      </p>
11028                    </td>
11029</tr>
11030<tr>
11031<td>
11032                      <p><span class="command"><strong>ReqEdns0</strong></span></p>
11033                    </td>
11034<td>
11035                      <p><span class="command"><strong></strong></span></p>
11036                    </td>
11037<td>
11038                      <p>
11039                        Requests with EDNS(0) received.
11040                      </p>
11041                    </td>
11042</tr>
11043<tr>
11044<td>
11045                      <p><span class="command"><strong>ReqBadEDNSVer</strong></span></p>
11046                    </td>
11047<td>
11048                      <p><span class="command"><strong></strong></span></p>
11049                    </td>
11050<td>
11051                      <p>
11052                        Requests with unsupported EDNS version received.
11053                      </p>
11054                    </td>
11055</tr>
11056<tr>
11057<td>
11058                      <p><span class="command"><strong>ReqTSIG</strong></span></p>
11059                    </td>
11060<td>
11061                      <p><span class="command"><strong></strong></span></p>
11062                    </td>
11063<td>
11064                      <p>
11065                        Requests with TSIG received.
11066                      </p>
11067                    </td>
11068</tr>
11069<tr>
11070<td>
11071                      <p><span class="command"><strong>ReqSIG0</strong></span></p>
11072                    </td>
11073<td>
11074                      <p><span class="command"><strong></strong></span></p>
11075                    </td>
11076<td>
11077                      <p>
11078                        Requests with SIG(0) received.
11079                      </p>
11080                    </td>
11081</tr>
11082<tr>
11083<td>
11084                      <p><span class="command"><strong>ReqBadSIG</strong></span></p>
11085                    </td>
11086<td>
11087                      <p><span class="command"><strong></strong></span></p>
11088                    </td>
11089<td>
11090                      <p>
11091                        Requests with invalid (TSIG or SIG(0)) signature.
11092                      </p>
11093                    </td>
11094</tr>
11095<tr>
11096<td>
11097                      <p><span class="command"><strong>ReqTCP</strong></span></p>
11098                    </td>
11099<td>
11100                      <p><span class="command"><strong>RTCP</strong></span></p>
11101                    </td>
11102<td>
11103                      <p>
11104                        TCP requests received.
11105                      </p>
11106                    </td>
11107</tr>
11108<tr>
11109<td>
11110                      <p><span class="command"><strong>AuthQryRej</strong></span></p>
11111                    </td>
11112<td>
11113                      <p><span class="command"><strong>RUQ</strong></span></p>
11114                    </td>
11115<td>
11116                      <p>
11117                        Authoritative (non recursive) queries rejected.
11118                      </p>
11119                    </td>
11120</tr>
11121<tr>
11122<td>
11123                      <p><span class="command"><strong>RecQryRej</strong></span></p>
11124                    </td>
11125<td>
11126                      <p><span class="command"><strong>RURQ</strong></span></p>
11127                    </td>
11128<td>
11129                      <p>
11130                        Recursive queries rejected.
11131                      </p>
11132                    </td>
11133</tr>
11134<tr>
11135<td>
11136                      <p><span class="command"><strong>XfrRej</strong></span></p>
11137                    </td>
11138<td>
11139                      <p><span class="command"><strong>RUXFR</strong></span></p>
11140                    </td>
11141<td>
11142                      <p>
11143                        Zone transfer requests rejected.
11144                      </p>
11145                    </td>
11146</tr>
11147<tr>
11148<td>
11149                      <p><span class="command"><strong>UpdateRej</strong></span></p>
11150                    </td>
11151<td>
11152                      <p><span class="command"><strong>RUUpd</strong></span></p>
11153                    </td>
11154<td>
11155                      <p>
11156                        Dynamic update requests rejected.
11157                      </p>
11158                    </td>
11159</tr>
11160<tr>
11161<td>
11162                      <p><span class="command"><strong>Response</strong></span></p>
11163                    </td>
11164<td>
11165                      <p><span class="command"><strong>SAns</strong></span></p>
11166                    </td>
11167<td>
11168                      <p>
11169                        Responses sent.
11170                      </p>
11171                    </td>
11172</tr>
11173<tr>
11174<td>
11175                      <p><span class="command"><strong>RespTruncated</strong></span></p>
11176                    </td>
11177<td>
11178                      <p><span class="command"><strong></strong></span></p>
11179                    </td>
11180<td>
11181                      <p>
11182                        Truncated responses sent.
11183                      </p>
11184                    </td>
11185</tr>
11186<tr>
11187<td>
11188                      <p><span class="command"><strong>RespEDNS0</strong></span></p>
11189                    </td>
11190<td>
11191                      <p><span class="command"><strong></strong></span></p>
11192                    </td>
11193<td>
11194                      <p>
11195                        Responses with EDNS(0) sent.
11196                      </p>
11197                    </td>
11198</tr>
11199<tr>
11200<td>
11201                      <p><span class="command"><strong>RespTSIG</strong></span></p>
11202                    </td>
11203<td>
11204                      <p><span class="command"><strong></strong></span></p>
11205                    </td>
11206<td>
11207                      <p>
11208                        Responses with TSIG sent.
11209                      </p>
11210                    </td>
11211</tr>
11212<tr>
11213<td>
11214                      <p><span class="command"><strong>RespSIG0</strong></span></p>
11215                    </td>
11216<td>
11217                      <p><span class="command"><strong></strong></span></p>
11218                    </td>
11219<td>
11220                      <p>
11221                        Responses with SIG(0) sent.
11222                      </p>
11223                    </td>
11224</tr>
11225<tr>
11226<td>
11227                      <p><span class="command"><strong>QrySuccess</strong></span></p>
11228                    </td>
11229<td>
11230                      <p><span class="command"><strong></strong></span></p>
11231                    </td>
11232<td>
11233                      <p>
11234                        Queries resulted in a successful answer.
11235                        This means the query which returns a NOERROR response
11236                        with at least one answer RR.
11237                        This corresponds to the
11238                        <span class="command"><strong>success</strong></span> counter
11239                        of previous versions of
11240                        <acronym class="acronym">BIND</acronym> 9.
11241                      </p>
11242                    </td>
11243</tr>
11244<tr>
11245<td>
11246                      <p><span class="command"><strong>QryAuthAns</strong></span></p>
11247                    </td>
11248<td>
11249                      <p><span class="command"><strong></strong></span></p>
11250                    </td>
11251<td>
11252                      <p>
11253                        Queries resulted in authoritative answer.
11254                      </p>
11255                    </td>
11256</tr>
11257<tr>
11258<td>
11259                      <p><span class="command"><strong>QryNoauthAns</strong></span></p>
11260                    </td>
11261<td>
11262                      <p><span class="command"><strong>SNaAns</strong></span></p>
11263                    </td>
11264<td>
11265                      <p>
11266                        Queries resulted in non authoritative answer.
11267                      </p>
11268                    </td>
11269</tr>
11270<tr>
11271<td>
11272                      <p><span class="command"><strong>QryReferral</strong></span></p>
11273                    </td>
11274<td>
11275                      <p><span class="command"><strong></strong></span></p>
11276                    </td>
11277<td>
11278                      <p>
11279                        Queries resulted in referral answer.
11280                        This corresponds to the
11281                        <span class="command"><strong>referral</strong></span> counter
11282                        of previous versions of
11283                        <acronym class="acronym">BIND</acronym> 9.
11284                      </p>
11285                    </td>
11286</tr>
11287<tr>
11288<td>
11289                      <p><span class="command"><strong>QryNxrrset</strong></span></p>
11290                    </td>
11291<td>
11292                      <p><span class="command"><strong></strong></span></p>
11293                    </td>
11294<td>
11295                      <p>
11296                        Queries resulted in NOERROR responses with no data.
11297                        This corresponds to the
11298                        <span class="command"><strong>nxrrset</strong></span> counter
11299                        of previous versions of
11300                        <acronym class="acronym">BIND</acronym> 9.
11301                      </p>
11302                    </td>
11303</tr>
11304<tr>
11305<td>
11306                      <p><span class="command"><strong>QrySERVFAIL</strong></span></p>
11307                    </td>
11308<td>
11309                      <p><span class="command"><strong>SFail</strong></span></p>
11310                    </td>
11311<td>
11312                      <p>
11313                        Queries resulted in SERVFAIL.
11314                      </p>
11315                    </td>
11316</tr>
11317<tr>
11318<td>
11319                      <p><span class="command"><strong>QryFORMERR</strong></span></p>
11320                    </td>
11321<td>
11322                      <p><span class="command"><strong>SFErr</strong></span></p>
11323                    </td>
11324<td>
11325                      <p>
11326                        Queries resulted in FORMERR.
11327                      </p>
11328                    </td>
11329</tr>
11330<tr>
11331<td>
11332                      <p><span class="command"><strong>QryNXDOMAIN</strong></span></p>
11333                    </td>
11334<td>
11335                      <p><span class="command"><strong>SNXD</strong></span></p>
11336                    </td>
11337<td>
11338                      <p>
11339                        Queries resulted in NXDOMAIN.
11340                        This corresponds to the
11341                        <span class="command"><strong>nxdomain</strong></span> counter
11342                        of previous versions of
11343                        <acronym class="acronym">BIND</acronym> 9.
11344                      </p>
11345                    </td>
11346</tr>
11347<tr>
11348<td>
11349                      <p><span class="command"><strong>QryRecursion</strong></span></p>
11350                    </td>
11351<td>
11352                      <p><span class="command"><strong>RFwdQ</strong></span></p>
11353                    </td>
11354<td>
11355                      <p>
11356                        Queries which caused the server
11357                        to perform recursion in order to find the final answer.
11358                        This corresponds to the
11359                        <span class="command"><strong>recursion</strong></span> counter
11360                        of previous versions of
11361                        <acronym class="acronym">BIND</acronym> 9.
11362                      </p>
11363                    </td>
11364</tr>
11365<tr>
11366<td>
11367                      <p><span class="command"><strong>QryDuplicate</strong></span></p>
11368                    </td>
11369<td>
11370                      <p><span class="command"><strong>RDupQ</strong></span></p>
11371                    </td>
11372<td>
11373                      <p>
11374                        Queries which the server attempted to
11375                        recurse but discovered an existing query with the same
11376                        IP address, port, query ID, name, type and class
11377                        already being processed.
11378                        This corresponds to the
11379                        <span class="command"><strong>duplicate</strong></span> counter
11380                        of previous versions of
11381                        <acronym class="acronym">BIND</acronym> 9.
11382                      </p>
11383                    </td>
11384</tr>
11385<tr>
11386<td>
11387                      <p><span class="command"><strong>QryDropped</strong></span></p>
11388                    </td>
11389<td>
11390                      <p><span class="command"><strong></strong></span></p>
11391                    </td>
11392<td>
11393                      <p>
11394                        Recursive queries for which the server
11395                        discovered an excessive number of existing
11396                        recursive queries for the same name, type and
11397                        class and were subsequently dropped.
11398                        This is the number of dropped queries due to
11399                        the reason explained with the
11400                        <span class="command"><strong>clients-per-query</strong></span>
11401                        and
11402                        <span class="command"><strong>max-clients-per-query</strong></span>
11403                        options
11404                        (see the description about
11405                        <a class="xref" href="Bv9ARM.ch06.html#clients-per-query"><span class="command"><strong>clients-per-query</strong></span></a>.)
11406                        This corresponds to the
11407                        <span class="command"><strong>dropped</strong></span> counter
11408                        of previous versions of
11409                        <acronym class="acronym">BIND</acronym> 9.
11410                      </p>
11411                    </td>
11412</tr>
11413<tr>
11414<td>
11415                      <p><span class="command"><strong>QryFailure</strong></span></p>
11416                    </td>
11417<td>
11418                      <p><span class="command"><strong></strong></span></p>
11419                    </td>
11420<td>
11421                      <p>
11422                        Other query failures.
11423                        This corresponds to the
11424                        <span class="command"><strong>failure</strong></span> counter
11425                        of previous versions of
11426                        <acronym class="acronym">BIND</acronym> 9.
11427                        Note: this counter is provided mainly for
11428                        backward compatibility with the previous versions.
11429                        Normally a more fine-grained counters such as
11430                        <span class="command"><strong>AuthQryRej</strong></span> and
11431                        <span class="command"><strong>RecQryRej</strong></span>
11432                        that would also fall into this counter are provided,
11433                        and so this counter would not be of much
11434                        interest in practice.
11435                      </p>
11436                    </td>
11437</tr>
11438<tr>
11439<td>
11440                      <p><span class="command"><strong>XfrReqDone</strong></span></p>
11441                    </td>
11442<td>
11443                      <p><span class="command"><strong></strong></span></p>
11444                    </td>
11445<td>
11446                      <p>
11447                        Requested zone transfers completed.
11448                      </p>
11449                    </td>
11450</tr>
11451<tr>
11452<td>
11453                      <p><span class="command"><strong>UpdateReqFwd</strong></span></p>
11454                    </td>
11455<td>
11456                      <p><span class="command"><strong></strong></span></p>
11457                    </td>
11458<td>
11459                      <p>
11460                        Update requests forwarded.
11461                      </p>
11462                    </td>
11463</tr>
11464<tr>
11465<td>
11466                      <p><span class="command"><strong>UpdateRespFwd</strong></span></p>
11467                    </td>
11468<td>
11469                      <p><span class="command"><strong></strong></span></p>
11470                    </td>
11471<td>
11472                      <p>
11473                        Update responses forwarded.
11474                      </p>
11475                    </td>
11476</tr>
11477<tr>
11478<td>
11479                      <p><span class="command"><strong>UpdateFwdFail</strong></span></p>
11480                    </td>
11481<td>
11482                      <p><span class="command"><strong></strong></span></p>
11483                    </td>
11484<td>
11485                      <p>
11486                        Dynamic update forward failed.
11487                      </p>
11488                    </td>
11489</tr>
11490<tr>
11491<td>
11492                      <p><span class="command"><strong>UpdateDone</strong></span></p>
11493                    </td>
11494<td>
11495                      <p><span class="command"><strong></strong></span></p>
11496                    </td>
11497<td>
11498                      <p>
11499                        Dynamic updates completed.
11500                      </p>
11501                    </td>
11502</tr>
11503<tr>
11504<td>
11505                      <p><span class="command"><strong>UpdateFail</strong></span></p>
11506                    </td>
11507<td>
11508                      <p><span class="command"><strong></strong></span></p>
11509                    </td>
11510<td>
11511                      <p>
11512                        Dynamic updates failed.
11513                      </p>
11514                    </td>
11515</tr>
11516<tr>
11517<td>
11518                      <p><span class="command"><strong>UpdateBadPrereq</strong></span></p>
11519                    </td>
11520<td>
11521                      <p><span class="command"><strong></strong></span></p>
11522                    </td>
11523<td>
11524                      <p>
11525                        Dynamic updates rejected due to prerequisite failure.
11526                      </p>
11527                    </td>
11528</tr>
11529<tr>
11530<td>
11531                      <p><span class="command"><strong>RPZRewrites</strong></span></p>
11532                    </td>
11533<td>
11534                      <p><span class="command"><strong></strong></span></p>
11535                    </td>
11536<td>
11537                      <p>
11538                        Response policy zone rewrites.
11539                      </p>
11540                    </td>
11541</tr>
11542<tr>
11543<td>
11544                      <p><span class="command"><strong>RateDropped</strong></span></p>
11545                    </td>
11546<td>
11547                      <p><span class="command"><strong></strong></span></p>
11548                    </td>
11549<td>
11550                      <p>
11551                        Responses dropped by rate limits.
11552                      </p>
11553                    </td>
11554</tr>
11555<tr>
11556<td>
11557                      <p><span class="command"><strong>RateSlipped</strong></span></p>
11558                    </td>
11559<td>
11560                      <p><span class="command"><strong></strong></span></p>
11561                    </td>
11562<td>
11563                      <p>
11564                        Responses truncated by rate limits.
11565                      </p>
11566                    </td>
11567</tr>
11568</tbody>
11569</table></div>
11570</div>
11571<div class="section">
11572<div class="titlepage"><div><div><h4 class="title">
11573<a name="zone_stats"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
11574<div class="informaltable"><table border="1">
11575<colgroup>
11576<col width="1.150in" class="1">
11577<col width="3.350in" class="2">
11578</colgroup>
11579<tbody>
11580<tr>
11581<td>
11582                      <p>
11583                        <span class="emphasis"><em>Symbol</em></span>
11584                      </p>
11585                    </td>
11586<td>
11587                      <p>
11588                        <span class="emphasis"><em>Description</em></span>
11589                      </p>
11590                    </td>
11591</tr>
11592<tr>
11593<td>
11594                      <p><span class="command"><strong>NotifyOutv4</strong></span></p>
11595                    </td>
11596<td>
11597                      <p>
11598                        IPv4 notifies sent.
11599                      </p>
11600                    </td>
11601</tr>
11602<tr>
11603<td>
11604                      <p><span class="command"><strong>NotifyOutv6</strong></span></p>
11605                    </td>
11606<td>
11607                      <p>
11608                        IPv6 notifies sent.
11609                      </p>
11610                    </td>
11611</tr>
11612<tr>
11613<td>
11614                      <p><span class="command"><strong>NotifyInv4</strong></span></p>
11615                    </td>
11616<td>
11617                      <p>
11618                        IPv4 notifies received.
11619                      </p>
11620                    </td>
11621</tr>
11622<tr>
11623<td>
11624                      <p><span class="command"><strong>NotifyInv6</strong></span></p>
11625                    </td>
11626<td>
11627                      <p>
11628                        IPv6 notifies received.
11629                      </p>
11630                    </td>
11631</tr>
11632<tr>
11633<td>
11634                      <p><span class="command"><strong>NotifyRej</strong></span></p>
11635                    </td>
11636<td>
11637                      <p>
11638                        Incoming notifies rejected.
11639                      </p>
11640                    </td>
11641</tr>
11642<tr>
11643<td>
11644                      <p><span class="command"><strong>SOAOutv4</strong></span></p>
11645                    </td>
11646<td>
11647                      <p>
11648                        IPv4 SOA queries sent.
11649                      </p>
11650                    </td>
11651</tr>
11652<tr>
11653<td>
11654                      <p><span class="command"><strong>SOAOutv6</strong></span></p>
11655                    </td>
11656<td>
11657                      <p>
11658                        IPv6 SOA queries sent.
11659                      </p>
11660                    </td>
11661</tr>
11662<tr>
11663<td>
11664                      <p><span class="command"><strong>AXFRReqv4</strong></span></p>
11665                    </td>
11666<td>
11667                      <p>
11668                        IPv4 AXFR requested.
11669                      </p>
11670                    </td>
11671</tr>
11672<tr>
11673<td>
11674                      <p><span class="command"><strong>AXFRReqv6</strong></span></p>
11675                    </td>
11676<td>
11677                      <p>
11678                        IPv6 AXFR requested.
11679                      </p>
11680                    </td>
11681</tr>
11682<tr>
11683<td>
11684                      <p><span class="command"><strong>IXFRReqv4</strong></span></p>
11685                    </td>
11686<td>
11687                      <p>
11688                        IPv4 IXFR requested.
11689                      </p>
11690                    </td>
11691</tr>
11692<tr>
11693<td>
11694                      <p><span class="command"><strong>IXFRReqv6</strong></span></p>
11695                    </td>
11696<td>
11697                      <p>
11698                        IPv6 IXFR requested.
11699                      </p>
11700                    </td>
11701</tr>
11702<tr>
11703<td>
11704                      <p><span class="command"><strong>XfrSuccess</strong></span></p>
11705                    </td>
11706<td>
11707                      <p>
11708                        Zone transfer requests succeeded.
11709                      </p>
11710                    </td>
11711</tr>
11712<tr>
11713<td>
11714                      <p><span class="command"><strong>XfrFail</strong></span></p>
11715                    </td>
11716<td>
11717                      <p>
11718                        Zone transfer requests failed.
11719                      </p>
11720                    </td>
11721</tr>
11722</tbody>
11723</table></div>
11724</div>
11725<div class="section">
11726<div class="titlepage"><div><div><h4 class="title">
11727<a name="resolver_stats"></a>Resolver Statistics Counters</h4></div></div></div>
11728<div class="informaltable"><table border="1">
11729<colgroup>
11730<col width="1.150in" class="1">
11731<col width="1.150in" class="2">
11732<col width="3.350in" class="3">
11733</colgroup>
11734<tbody>
11735<tr>
11736<td>
11737                      <p>
11738                        <span class="emphasis"><em>Symbol</em></span>
11739                      </p>
11740                    </td>
11741<td>
11742                      <p>
11743                        <span class="emphasis"><em>BIND8 Symbol</em></span>
11744                      </p>
11745                    </td>
11746<td>
11747                      <p>
11748                        <span class="emphasis"><em>Description</em></span>
11749                      </p>
11750                    </td>
11751</tr>
11752<tr>
11753<td>
11754                      <p><span class="command"><strong>Queryv4</strong></span></p>
11755                    </td>
11756<td>
11757                      <p><span class="command"><strong>SFwdQ</strong></span></p>
11758                    </td>
11759<td>
11760                      <p>
11761                        IPv4 queries sent.
11762                      </p>
11763                    </td>
11764</tr>
11765<tr>
11766<td>
11767                      <p><span class="command"><strong>Queryv6</strong></span></p>
11768                    </td>
11769<td>
11770                      <p><span class="command"><strong>SFwdQ</strong></span></p>
11771                    </td>
11772<td>
11773                      <p>
11774                        IPv6 queries sent.
11775                      </p>
11776                    </td>
11777</tr>
11778<tr>
11779<td>
11780                      <p><span class="command"><strong>Responsev4</strong></span></p>
11781                    </td>
11782<td>
11783                      <p><span class="command"><strong>RR</strong></span></p>
11784                    </td>
11785<td>
11786                      <p>
11787                        IPv4 responses received.
11788                      </p>
11789                    </td>
11790</tr>
11791<tr>
11792<td>
11793                      <p><span class="command"><strong>Responsev6</strong></span></p>
11794                    </td>
11795<td>
11796                      <p><span class="command"><strong>RR</strong></span></p>
11797                    </td>
11798<td>
11799                      <p>
11800                        IPv6 responses received.
11801                      </p>
11802                    </td>
11803</tr>
11804<tr>
11805<td>
11806                      <p><span class="command"><strong>NXDOMAIN</strong></span></p>
11807                    </td>
11808<td>
11809                      <p><span class="command"><strong>RNXD</strong></span></p>
11810                    </td>
11811<td>
11812                      <p>
11813                        NXDOMAIN received.
11814                      </p>
11815                    </td>
11816</tr>
11817<tr>
11818<td>
11819                      <p><span class="command"><strong>SERVFAIL</strong></span></p>
11820                    </td>
11821<td>
11822                      <p><span class="command"><strong>RFail</strong></span></p>
11823                    </td>
11824<td>
11825                      <p>
11826                        SERVFAIL received.
11827                      </p>
11828                    </td>
11829</tr>
11830<tr>
11831<td>
11832                      <p><span class="command"><strong>FORMERR</strong></span></p>
11833                    </td>
11834<td>
11835                      <p><span class="command"><strong>RFErr</strong></span></p>
11836                    </td>
11837<td>
11838                      <p>
11839                        FORMERR received.
11840                      </p>
11841                    </td>
11842</tr>
11843<tr>
11844<td>
11845                      <p><span class="command"><strong>OtherError</strong></span></p>
11846                    </td>
11847<td>
11848                      <p><span class="command"><strong>RErr</strong></span></p>
11849                    </td>
11850<td>
11851                      <p>
11852                        Other errors received.
11853                      </p>
11854                    </td>
11855</tr>
11856<tr>
11857<td>
11858                      <p><span class="command"><strong>EDNS0Fail</strong></span></p>
11859                                                 </td>
11860<td>
11861                      <p><span class="command"><strong></strong></span></p>
11862                    </td>
11863<td>
11864                      <p>
11865                        EDNS(0) query failures.
11866                      </p>
11867                    </td>
11868</tr>
11869<tr>
11870<td>
11871                      <p><span class="command"><strong>Mismatch</strong></span></p>
11872                    </td>
11873<td>
11874                      <p><span class="command"><strong>RDupR</strong></span></p>
11875                    </td>
11876<td>
11877                      <p>
11878                        Mismatch responses received.
11879                        The DNS ID, response's source address,
11880                        and/or the response's source port does not
11881                        match what was expected.
11882                        (The port must be 53 or as defined by
11883                        the <span class="command"><strong>port</strong></span> option.)
11884                        This may be an indication of a cache
11885                        poisoning attempt.
11886                      </p>
11887                    </td>
11888</tr>
11889<tr>
11890<td>
11891                      <p><span class="command"><strong>Truncated</strong></span></p>
11892                    </td>
11893<td>
11894                      <p><span class="command"><strong></strong></span></p>
11895                    </td>
11896<td>
11897                      <p>
11898                        Truncated responses received.
11899                      </p>
11900                    </td>
11901</tr>
11902<tr>
11903<td>
11904                      <p><span class="command"><strong>Lame</strong></span></p>
11905                    </td>
11906<td>
11907                      <p><span class="command"><strong>RLame</strong></span></p>
11908                    </td>
11909<td>
11910                      <p>
11911                        Lame delegations received.
11912                      </p>
11913                    </td>
11914</tr>
11915<tr>
11916<td>
11917                      <p><span class="command"><strong>Retry</strong></span></p>
11918                    </td>
11919<td>
11920                      <p><span class="command"><strong>SDupQ</strong></span></p>
11921                    </td>
11922<td>
11923                      <p>
11924                        Query retries performed.
11925                      </p>
11926                    </td>
11927</tr>
11928<tr>
11929<td>
11930                      <p><span class="command"><strong>QueryAbort</strong></span></p>
11931                    </td>
11932<td>
11933                      <p><span class="command"><strong></strong></span></p>
11934                    </td>
11935<td>
11936                      <p>
11937                        Queries aborted due to quota control.
11938                      </p>
11939                    </td>
11940</tr>
11941<tr>
11942<td>
11943                      <p><span class="command"><strong>QuerySockFail</strong></span></p>
11944                    </td>
11945<td>
11946                      <p><span class="command"><strong></strong></span></p>
11947                    </td>
11948<td>
11949                      <p>
11950                        Failures in opening query sockets.
11951                        One common reason for such failures is a
11952                        failure of opening a new socket due to a
11953                        limitation on file descriptors.
11954                      </p>
11955                    </td>
11956</tr>
11957<tr>
11958<td>
11959                      <p><span class="command"><strong>QueryTimeout</strong></span></p>
11960                    </td>
11961<td>
11962                      <p><span class="command"><strong></strong></span></p>
11963                    </td>
11964<td>
11965                      <p>
11966                        Query timeouts.
11967                      </p>
11968                    </td>
11969</tr>
11970<tr>
11971<td>
11972                      <p><span class="command"><strong>GlueFetchv4</strong></span></p>
11973                    </td>
11974<td>
11975                      <p><span class="command"><strong>SSysQ</strong></span></p>
11976                    </td>
11977<td>
11978                      <p>
11979                        IPv4 NS address fetches invoked.
11980                      </p>
11981                    </td>
11982</tr>
11983<tr>
11984<td>
11985                      <p><span class="command"><strong>GlueFetchv6</strong></span></p>
11986                    </td>
11987<td>
11988                      <p><span class="command"><strong>SSysQ</strong></span></p>
11989                    </td>
11990<td>
11991                      <p>
11992                        IPv6 NS address fetches invoked.
11993                      </p>
11994                    </td>
11995</tr>
11996<tr>
11997<td>
11998                      <p><span class="command"><strong>GlueFetchv4Fail</strong></span></p>
11999                    </td>
12000<td>
12001                      <p><span class="command"><strong></strong></span></p>
12002                    </td>
12003<td>
12004                      <p>
12005                        IPv4 NS address fetch failed.
12006                      </p>
12007                    </td>
12008</tr>
12009<tr>
12010<td>
12011                      <p><span class="command"><strong>GlueFetchv6Fail</strong></span></p>
12012                    </td>
12013<td>
12014                      <p><span class="command"><strong></strong></span></p>
12015                    </td>
12016<td>
12017                      <p>
12018                        IPv6 NS address fetch failed.
12019                      </p>
12020                    </td>
12021</tr>
12022<tr>
12023<td>
12024                      <p><span class="command"><strong>ValAttempt</strong></span></p>
12025                    </td>
12026<td>
12027                      <p><span class="command"><strong></strong></span></p>
12028                    </td>
12029<td>
12030                      <p>
12031                        DNSSEC validation attempted.
12032                      </p>
12033                    </td>
12034</tr>
12035<tr>
12036<td>
12037                      <p><span class="command"><strong>ValOk</strong></span></p>
12038                    </td>
12039<td>
12040                      <p><span class="command"><strong></strong></span></p>
12041                    </td>
12042<td>
12043                      <p>
12044                        DNSSEC validation succeeded.
12045                      </p>
12046                    </td>
12047</tr>
12048<tr>
12049<td>
12050                      <p><span class="command"><strong>ValNegOk</strong></span></p>
12051                    </td>
12052<td>
12053                      <p><span class="command"><strong></strong></span></p>
12054                    </td>
12055<td>
12056                      <p>
12057                        DNSSEC validation on negative information succeeded.
12058                      </p>
12059                    </td>
12060</tr>
12061<tr>
12062<td>
12063                      <p><span class="command"><strong>ValFail</strong></span></p>
12064                    </td>
12065<td>
12066                      <p><span class="command"><strong></strong></span></p>
12067                    </td>
12068<td>
12069                      <p>
12070                        DNSSEC validation failed.
12071                      </p>
12072                    </td>
12073</tr>
12074<tr>
12075<td>
12076                      <p><span class="command"><strong>QryRTTnn</strong></span></p>
12077                    </td>
12078<td>
12079                      <p><span class="command"><strong></strong></span></p>
12080                    </td>
12081<td>
12082                      <p>
12083                        Frequency table on round trip times (RTTs) of
12084                        queries.
12085                        Each <span class="command"><strong>nn</strong></span> specifies the corresponding
12086                        frequency.
12087                        In the sequence of
12088                        <span class="command"><strong>nn_1</strong></span>,
12089                        <span class="command"><strong>nn_2</strong></span>,
12090                        ...,
12091                        <span class="command"><strong>nn_m</strong></span>,
12092                        the value of <span class="command"><strong>nn_i</strong></span> is the
12093                        number of queries whose RTTs are between
12094                        <span class="command"><strong>nn_(i-1)</strong></span> (inclusive) and
12095                        <span class="command"><strong>nn_i</strong></span> (exclusive) milliseconds.
12096                        For the sake of convenience we define
12097                        <span class="command"><strong>nn_0</strong></span> to be 0.
12098                        The last entry should be represented as
12099                        <span class="command"><strong>nn_m+</strong></span>, which means the
12100                        number of queries whose RTTs are equal to or over
12101                        <span class="command"><strong>nn_m</strong></span> milliseconds.
12102                      </p>
12103                    </td>
12104</tr>
12105</tbody>
12106</table></div>
12107</div>
12108<div class="section">
12109<div class="titlepage"><div><div><h4 class="title">
12110<a name="socket_stats"></a>Socket I/O Statistics Counters</h4></div></div></div>
12111<p>
12112              Socket I/O statistics counters are defined per socket
12113              types, which are
12114              <span class="command"><strong>UDP4</strong></span> (UDP/IPv4),
12115              <span class="command"><strong>UDP6</strong></span> (UDP/IPv6),
12116              <span class="command"><strong>TCP4</strong></span> (TCP/IPv4),
12117              <span class="command"><strong>TCP6</strong></span> (TCP/IPv6),
12118              <span class="command"><strong>Unix</strong></span> (Unix Domain), and
12119              <span class="command"><strong>FDwatch</strong></span> (sockets opened outside the
12120              socket module).
12121              In the following table <span class="command"><strong>&lt;TYPE&gt;</strong></span>
12122              represents a socket type.
12123              Not all counters are available for all socket types;
12124              exceptions are noted in the description field.
12125            </p>
12126<div class="informaltable"><table border="1">
12127<colgroup>
12128<col width="1.150in" class="1">
12129<col width="3.350in" class="2">
12130</colgroup>
12131<tbody>
12132<tr>
12133<td>
12134                      <p>
12135                        <span class="emphasis"><em>Symbol</em></span>
12136                      </p>
12137                    </td>
12138<td>
12139                      <p>
12140                        <span class="emphasis"><em>Description</em></span>
12141                      </p>
12142                    </td>
12143</tr>
12144<tr>
12145<td>
12146                      <p><span class="command"><strong>&lt;TYPE&gt;Open</strong></span></p>
12147                    </td>
12148<td>
12149                      <p>
12150                        Sockets opened successfully.
12151                        This counter is not applicable to the
12152                        <span class="command"><strong>FDwatch</strong></span> type.
12153                      </p>
12154                    </td>
12155</tr>
12156<tr>
12157<td>
12158                      <p><span class="command"><strong>&lt;TYPE&gt;OpenFail</strong></span></p>
12159                    </td>
12160<td>
12161                      <p>
12162                        Failures of opening sockets.
12163                        This counter is not applicable to the
12164                        <span class="command"><strong>FDwatch</strong></span> type.
12165                      </p>
12166                    </td>
12167</tr>
12168<tr>
12169<td>
12170                      <p><span class="command"><strong>&lt;TYPE&gt;Close</strong></span></p>
12171                    </td>
12172<td>
12173                      <p>
12174                        Sockets closed.
12175                      </p>
12176                    </td>
12177</tr>
12178<tr>
12179<td>
12180                      <p><span class="command"><strong>&lt;TYPE&gt;BindFail</strong></span></p>
12181                    </td>
12182<td>
12183                      <p>
12184                        Failures of binding sockets.
12185                      </p>
12186                    </td>
12187</tr>
12188<tr>
12189<td>
12190                      <p><span class="command"><strong>&lt;TYPE&gt;ConnFail</strong></span></p>
12191                    </td>
12192<td>
12193                      <p>
12194                        Failures of connecting sockets.
12195                      </p>
12196                    </td>
12197</tr>
12198<tr>
12199<td>
12200                      <p><span class="command"><strong>&lt;TYPE&gt;Conn</strong></span></p>
12201                    </td>
12202<td>
12203                      <p>
12204                        Connections established successfully.
12205                      </p>
12206                    </td>
12207</tr>
12208<tr>
12209<td>
12210                      <p><span class="command"><strong>&lt;TYPE&gt;AcceptFail</strong></span></p>
12211                    </td>
12212<td>
12213                      <p>
12214                        Failures of accepting incoming connection requests.
12215                        This counter is not applicable to the
12216                        <span class="command"><strong>UDP</strong></span> and
12217                        <span class="command"><strong>FDwatch</strong></span> types.
12218                      </p>
12219                    </td>
12220</tr>
12221<tr>
12222<td>
12223                      <p><span class="command"><strong>&lt;TYPE&gt;Accept</strong></span></p>
12224                    </td>
12225<td>
12226                      <p>
12227                        Incoming connections successfully accepted.
12228                        This counter is not applicable to the
12229                        <span class="command"><strong>UDP</strong></span> and
12230                        <span class="command"><strong>FDwatch</strong></span> types.
12231                      </p>
12232                    </td>
12233</tr>
12234<tr>
12235<td>
12236                      <p><span class="command"><strong>&lt;TYPE&gt;SendErr</strong></span></p>
12237                    </td>
12238<td>
12239                      <p>
12240                        Errors in socket send operations.
12241                        This counter corresponds
12242                        to <span class="command"><strong>SErr</strong></span> counter of
12243                        <span class="command"><strong>BIND</strong></span> 8.
12244                      </p>
12245                    </td>
12246</tr>
12247<tr>
12248<td>
12249                      <p><span class="command"><strong>&lt;TYPE&gt;RecvErr</strong></span></p>
12250                    </td>
12251<td>
12252                      <p>
12253                        Errors in socket receive operations.
12254                        This includes errors of send operations on a
12255                        connected UDP socket notified by an ICMP error
12256                        message.
12257                      </p>
12258                    </td>
12259</tr>
12260</tbody>
12261</table></div>
12262</div>
12263<div class="section">
12264<div class="titlepage"><div><div><h4 class="title">
12265<a name="bind8_compatibility"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
12266<p>
12267              Most statistics counters that were available
12268              in <span class="command"><strong>BIND</strong></span> 8 are also supported in
12269              <span class="command"><strong>BIND</strong></span> 9 as shown in the above tables.
12270              Here are notes about other counters that do not appear
12271              in these tables.
12272            </p>
12273<div class="variablelist"><dl class="variablelist">
12274<dt><span class="term"><span class="command"><strong>RFwdR,SFwdR</strong></span></span></dt>
12275<dd><p>
12276                    These counters are not supported
12277                    because <span class="command"><strong>BIND</strong></span> 9 does not adopt
12278                    the notion of <span class="emphasis"><em>forwarding</em></span>
12279                    as <span class="command"><strong>BIND</strong></span> 8 did.
12280                  </p></dd>
12281<dt><span class="term"><span class="command"><strong>RAXFR</strong></span></span></dt>
12282<dd><p>
12283                    This counter is accessible in the Incoming Queries section.
12284                  </p></dd>
12285<dt><span class="term"><span class="command"><strong>RIQ</strong></span></span></dt>
12286<dd><p>
12287                    This counter is accessible in the Incoming Requests section.
12288                  </p></dd>
12289<dt><span class="term"><span class="command"><strong>ROpts</strong></span></span></dt>
12290<dd><p>
12291                    This counter is not supported
12292                    because <span class="command"><strong>BIND</strong></span> 9 does not care
12293                    about IP options in the first place.
12294                  </p></dd>
12295</dl></div>
12296</div>
12297</div>
12298</div>
12299</div>
12300<div class="navfooter">
12301<hr>
12302<table width="100%" summary="Navigation footer">
12303<tr>
12304<td width="40%" align="left">
12305<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a>�</td>
12306<td width="20%" align="center">�</td>
12307<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
12308</td>
12309</tr>
12310<tr>
12311<td width="40%" align="left" valign="top">Chapter�5.�The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver�</td>
12312<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
12313<td width="40%" align="right" valign="top">�Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</td>
12314</tr>
12315</table>
12316</div>
12317<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P4 (Extended Support Version)</p>
12318</body>
12319</html>
12320