Bv9ARM.ch06.html
<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - 
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - 
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 6. BIND 9 Configuration Reference</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.76.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
<link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td>
<th width="60%" align="center"> </th>
<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="chapter" title="Chapter 6. BIND 9 Configuration Reference">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="section"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp72554576">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp72611664"><span class="command"><strong>acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#acl"><span class="command"><strong>acl</strong></span> Statement Definition and
          Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp72643920"><span class="command"><strong>controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span class="command"><strong>controls</strong></span> Statement Definition and
          Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp72690128"><span class="command"><strong>include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp72696912"><span class="command"><strong>include</strong></span> Statement Definition and
          Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp72699984"><span class="command"><strong>key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp72703312"><span class="command"><strong>key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp72714576"><span class="command"><strong>logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp72731600"><span class="command"><strong>logging</strong></span> Statement Definition and
          Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp72977616"><span class="command"><strong>lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp72989776"><span class="command"><strong>lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp73005776"><span class="command"><strong>masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp73040976"><span class="command"><strong>masters</strong></span> Statement Definition and
          Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp73044048"><span class="command"><strong>options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#options"><span class="command"><strong>options</strong></span> Statement Definition and
          Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span class="command"><strong>server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span class="command"><strong>server</strong></span> Statement Definition and
            Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp74614992"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and
            Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted-keys"><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp74660176"><span class="command"><strong>trusted-keys</strong></span> Statement Definition
            and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp74666960"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition
            and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span class="command"><strong>view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp74711888"><span class="command"><strong>view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span class="command"><strong>zone</strong></span>
            Statement Grammar</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp74933712"><span class="command"><strong>zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp75311312">Zone File</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp75670864">Discussion of MX Records</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp75743696">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp75757008">Other Zone File Directives</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#idp75787344"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span class="command"><strong>$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch06.html#statsfile">The Statistics File</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt>
</dl></dd>
</dl>
</div>
    

    <p>
      <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
      to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
      areas
      of configuration, such as views. <acronym class="acronym">BIND</acronym>
      8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
      9, although more complex configurations should be reviewed to check
      if they can be more efficiently implemented using the new features
      found in <acronym class="acronym">BIND</acronym> 9.
    </p>

    <p>
      <acronym class="acronym">BIND</acronym> 4 configuration files can be
      converted to the new format
      using the shell script
      <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
    </p>
    <div class="section" title="Configuration File Elements">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
      
      <p>
        Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
        file documentation:
      </p>
      <div class="informaltable">
        <table border="1">
<colgroup>
<col width="1.855in" class="1">
<col width="3.770in" class="2">
</colgroup>
<tbody>
<tr>
<td>
                <p>
                  <code class="varname">acl_name</code>
                </p>
              </td>
<td>
                <p>
                  The name of an <code class="varname">address_match_list</code> as
                  defined by the <span class="command"><strong>acl</strong></span> statement.
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">address_match_list</code>
                </p>
              </td>
<td>
                <p>
                  A list of one or more
                  <code class="varname">ip_addr</code>,
                  <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
                  or <code class="varname">acl_name</code> elements; see
                  <a class="xref" href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">masters_list</code>
                </p>
              </td>
<td>
                <p>
                  A named list of one or more <code class="varname">ip_addr</code>
                  with optional <code class="varname">key_id</code> and/or
                  <code class="varname">ip_port</code>.
                  A <code class="varname">masters_list</code> may include other
                  <code class="varname">masters_lists</code>.
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">domain_name</code>
                </p>
              </td>
<td>
                <p>
                  A quoted string which will be used as
                  a DNS name, for example "<code class="literal">my.test.domain</code>".
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">namelist</code>
                </p>
              </td>
<td>
                <p>
                  A list of one or more <code class="varname">domain_name</code>
                  elements.
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">dotted_decimal</code>
                </p>
              </td>
<td>
                <p>
                  One to four integers valued 0 through
                  255 separated by dots (`.'), such as <span class="command"><strong>123</strong></span>,
                  <span class="command"><strong>45.67</strong></span> or <span class="command"><strong>89.123.45.67</strong></span>.
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">ip4_addr</code>
                </p>
              </td>
<td>
                <p>
                  An IPv4 address with exactly four elements
                  in <code class="varname">dotted_decimal</code> notation.
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">ip6_addr</code>
                </p>
              </td>
<td>
                <p>
                  An IPv6 address, such as <span class="command"><strong>2001:db8::1234</strong></span>.
                  IPv6 scoped addresses that have ambiguity on their
                  scope zones must be disambiguated by an appropriate
                  zone ID with the percent character (`%') as
                  delimiter.  It is strongly recommended to use
                  string zone names rather than numeric identifiers,
                  in order to be robust against system configuration
                  changes.  However, since there is no standard
                  mapping for such names and identifier values,
                  currently only interface names as link identifiers
                  are supported, assuming one-to-one mapping between
                  interfaces and links.  For example, a link-local
                  address <span class="command"><strong>fe80::1</strong></span> on the link
                  attached to the interface <span class="command"><strong>ne0</strong></span>
                  can be specified as <span class="command"><strong>fe80::1%ne0</strong></span>.
                  Note that on most systems link-local addresses
                  always have the ambiguity, and need to be
                  disambiguated.
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">ip_addr</code>
                </p>
              </td>
<td>
                <p>
                  An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">ip_dscp</code>
                </p>
              </td>
<td>
                <p>
                  A <code class="varname">number</code> between 0 and 63, used
                  to select a differentiated services code point (DSCP)
                  value for use with outgoing traffic on operating systems
                  that support DSCP.
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">ip_port</code>
                </p>
              </td>
<td>
                <p>
                  An IP port <code class="varname">number</code>.
                  The <code class="varname">number</code> is limited to 0
                  through 65535, with values
                  below 1024 typically restricted to use by processes running
                  as root.
                  In some cases, an asterisk (`*') character can be used as a
                  placeholder to
                  select a random high-numbered port.
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">ip_prefix</code>
                </p>
              </td>
<td>
                <p>
                  An IP network specified as an <code class="varname">ip_addr</code>,
                  followed by a slash (`/') and then the number of bits in the
                  netmask.
                  Trailing zeros in an <code class="varname">ip_addr</code>
                  may be omitted.
                  For example, <span class="command"><strong>127/8</strong></span> is the
                  network <span class="command"><strong>127.0.0.0</strong></span> with
                  netmask <span class="command"><strong>255.0.0.0</strong></span> and <span class="command"><strong>1.2.3.0/28</strong></span> is
                  network <span class="command"><strong>1.2.3.0</strong></span> with netmask <span class="command"><strong>255.255.255.240</strong></span>.
                </p>
                <p>
                  When specifying a prefix involving an IPv6 scoped address,
                  the scope may be omitted.  In that case the prefix matches
                  packets from any scope.
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">key_id</code>
                </p>
              </td>
<td>
                <p>
                  A <code class="varname">domain_name</code> representing
                  the name of a shared secret key, as defined by a
                  <span class="command"><strong>key</strong></span> statement,
                  to be used for transaction security (TSIG).
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">key_list</code>
                </p>
              </td>
<td>
                <p>
                  A list of one or more
                  <code class="varname">key_id</code>s,
                  separated by semicolons and ending with a semicolon.
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">number</code>
                </p>
              </td>
<td>
                <p>
                  A non-negative 32-bit integer
                  (i.e., a number between 0 and 4294967295, inclusive).
                  Its acceptable value might further
                  be limited by the context in which it is used.
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">path_name</code>
                </p>
              </td>
<td>
                <p>
                  A quoted string which will be used as
                  a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">port_list</code>
                </p>
              </td>
<td>
                <p>
                  A list of <code class="varname">ip_port</code>s or port
                  ranges.
                  A port range is specified in the form of
                  <strong class="userinput"><code>range</code></strong> followed by
                  two <code class="varname">ip_port</code>s,
                  <code class="varname">port_low</code> and
                  <code class="varname">port_high</code>, which represents
                  port numbers from <code class="varname">port_low</code> through
                  <code class="varname">port_high</code>, inclusive.
                  <code class="varname">port_low</code> must not be larger than
                  <code class="varname">port_high</code>.
                  For example,
                  <strong class="userinput"><code>range 1024 65535</code></strong> represents
                  ports from 1024 through 65535.
                  In either case an asterisk (`*') character is not
                  allowed as a valid <code class="varname">ip_port</code>.
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">size_spec</code>
                </p>
              </td>
<td>
                <p>
                  A 64-bit unsigned integer, or the keywords
                  <strong class="userinput"><code>unlimited</code></strong> or
                  <strong class="userinput"><code>default</code></strong>.
                </p>
                <p>
                  Integers may take values
                  0 &lt;= value &lt;= 18446744073709551615, though
                  certain parameters
                  (such as <span class="command"><strong>max-journal-size</strong></span>) may
                  use a more limited range within these extremes.
                  In most cases, setting a value to 0 does not
                  literally mean zero; it means "undefined" or
                  "as big as possible", depending on the context.
                  See the explanations of particular parameters
                  that use <code class="varname">size_spec</code>
                  for details on how they interpret its use.
                </p>
                <p>
                  Numeric values can optionally be followed by a
                  scaling factor:
                  <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
                  for kilobytes,
                  <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
                  for megabytes, and
                  <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong>
                  for gigabytes, which scale by 1024, 1024*1024, and
                  1024*1024*1024 respectively.
                </p>
                <p>
                  <code class="varname">unlimited</code> generally means
                  "as big as possible", and is usually the best
                  way to safely set a very large number.
                </p>
                <p>
                  <code class="varname">default</code>
                  uses the limit that was in force when the server was started.
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">size_or_percent</code>
                </p>
              </td>
<td>
                <p>
                  A <code class="varname">size_spec</code>, or a positive integer
                  followed by a '%' sign to express a percentage.  Apart from
                  accepting the percentage form, it behaves exactly like
                  <code class="varname">size_spec</code>.
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">yes_or_no</code>
                </p>
              </td>
<td>
                <p>
                  Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
                  The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
                  also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
                  and <strong class="userinput"><code>0</code></strong>.
                </p>
              </td>
</tr>
<tr>
<td>
                <p>
                  <code class="varname">dialup_option</code>
                </p>
              </td>
<td>
                <p>
                  One of <strong class="userinput"><code>yes</code></strong>,
                  <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
                  <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
                  <strong class="userinput"><code>passive</code></strong>.
                  When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
                  <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
                  are restricted to slave and stub zones.
                </p>
              </td>
</tr>
</tbody>
</table>
      </div>
      <div class="section" title="Address Match Lists">
<div class="titlepage"><div><div><h3 class="title">
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
        
        <div class="section" title="Syntax">
<div class="titlepage"><div><div><h4 class="title">
<a name="idp72526160"></a>Syntax</h4></div></div></div>
          

<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
  [<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
   key key_id | acl_name | { address_match_list } )
</pre>

        </div>
        <div class="section" title="Definition and Usage">
<div class="titlepage"><div><div><h4 class="title">
<a name="idp72537680"></a>Definition and Usage</h4></div></div></div>
          
          <p>
            Address match lists are primarily used to determine access
            control for various server operations. They are also used in
            the <span class="command"><strong>listen-on</strong></span> and <span class="command"><strong>sortlist</strong></span>
            statements. The elements which constitute an address match
            list can be any of the following:
          </p>
          <div class="itemizedlist"><ul class="itemizedlist" type="disc">
<li class="listitem">
              an IP address (IPv4 or IPv6)
            </li>
<li class="listitem">
              an IP prefix (in `/' notation)
            </li>
<li class="listitem">
              
                a key ID, as defined by the <span class="command"><strong>key</strong></span>
                statement
              
            </li>
<li class="listitem">
              the name of an address match list defined with
                the <span class="command"><strong>acl</strong></span> statement
              
            </li>
<li class="listitem">
              a nested address match list enclosed in braces
            </li>
</ul></div>

          <p>
            Elements can be negated with a leading exclamation mark (`!'),
            and the match list names "any", "none", "localhost", and
            "localnets" are predefined. More information on those names
            can be found in the description of the acl statement.
          </p>

          <p>
            The addition of the key clause made the name of this syntactic
            element something of a misnomer, since security keys can be used
            to validate access without regard to a host or network address.
            Nonetheless, the term "address match list" is still used
            throughout the documentation.
          </p>

          <p>
            When a given IP address or prefix is compared to an address
            match list, the comparison takes place in approximately O(1)
            time.  However, key comparisons require that the list of keys
            be traversed until a matching key is found, and therefore may
            be somewhat slower.
          </p>

          <p>
            The interpretation of a match depends on whether the list is being
            used for access control, defining <span class="command"><strong>listen-on</strong></span> ports, or in a
            <span class="command"><strong>sortlist</strong></span>, and whether the element was negated.
          </p>

          <p>
            When used as an access control list, a non-negated match
            allows access and a negated match denies access. If
            there is no match, access is denied. The clauses
            <span class="command"><strong>allow-notify</strong></span>,
            <span class="command"><strong>allow-recursion</strong></span>,
            <span class="command"><strong>allow-recursion-on</strong></span>,
            <span class="command"><strong>allow-query</strong></span>,
            <span class="command"><strong>allow-query-on</strong></span>,
            <span class="command"><strong>allow-query-cache</strong></span>,
            <span class="command"><strong>allow-query-cache-on</strong></span>,
            <span class="command"><strong>allow-transfer</strong></span>,
            <span class="command"><strong>allow-update</strong></span>,
            <span class="command"><strong>allow-update-forwarding</strong></span>,
            <span class="command"><strong>blackhole</strong></span>, and
            <span class="command"><strong>keep-response-order</strong></span> all use address match
            lists.  Similarly, the <span class="command"><strong>listen-on</strong></span> option will cause the
            server to refuse queries on any of the machine's
            addresses which do not match the list.
          </p>

          <p>
            Order of insertion is significant.  If more than one element
            in an ACL is found to match a given IP address or prefix,
            preference will be given to the one that came
            <span class="emphasis"><em>first</em></span> in the ACL definition.
            Because of this first-match behavior, an element that
            defines a subset of another element in the list should
            come before the broader element, regardless of whether
            either is negated. For example, in
            <span class="command"><strong>1.2.3/24; ! 1.2.3.13;</strong></span>
            the 1.2.3.13 element is completely useless because the
            algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
            element.  Using <span class="command"><strong>! 1.2.3.13; 1.2.3/24</strong></span> fixes
            that problem by having 1.2.3.13 blocked by the negation, but
            all other 1.2.3.* hosts fall through.
          </p>
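The first-match rules above, including the <code>1.2.3/24; ! 1.2.3.13;</code> ordering mistake, as an added Python example (not BIND's own code): it parses an address match list, evaluates it against an address with the access-control reading (no match means deny), and flags elements that an earlier prefix already shadows. Assumptions: the built-ins <code>localhost</code> and <code>localnets</code> are left out because they depend on the host's interfaces, and a negated match inside a nested list or named ACL is treated as no match for the enclosing element.

```python
# Added example, not BIND's own code: first-match evaluation of an address
# match list with prefixes, 'key key_id', named ACLs, nested lists, '!' and
# the built-in names any/none.
import ipaddress
import re

# Tokens: braces, ';', '!' and bare words such as 1.2.3/24 or a key name.
TOKEN_RE = re.compile(r"[{};!]|[^\s{};!]+")
# Built-ins that do not depend on the address; localhost and localnets are
# left out here because they depend on the host's interfaces (assumption).
BUILTIN = {"any": True, "none": False}


def parse_network(text):
    """Parse an address or prefix; the shortened IPv4 form used in the text
    ('1.2.3/24') is accepted, with missing octets taken as zero."""
    addr, _, length = text.partition("/")
    if ":" not in addr:
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{length}" if length else addr, strict=False)


def parse_list(text):
    """Parse 'elem; elem; ...' into (negated, kind, value) tuples with kind
    'net', 'key', 'acl' or 'list' (a nested list in braces)."""
    tokens = TOKEN_RE.findall(text)
    elements, pos = _parse_elements(tokens, 0)
    if pos != len(tokens):
        raise ValueError("unbalanced '}'")
    return elements


def _parse_elements(tokens, pos):
    elements = []
    while pos < len(tokens) and tokens[pos] != "}":
        negated = tokens[pos] == "!"
        pos += 1 if negated else 0
        if pos >= len(tokens):
            raise ValueError("dangling '!'")
        tok = tokens[pos]
        if tok == "{":                                # nested list
            inner, pos = _parse_elements(tokens, pos + 1)
            if pos >= len(tokens) or tokens[pos] != "}":
                raise ValueError("missing '}'")
            elements.append((negated, "list", inner))
        elif tok == "key":                            # key key_id
            if pos + 1 >= len(tokens):
                raise ValueError("key without key_id")
            pos += 1
            elements.append((negated, "key", tokens[pos]))
        elif tok[0].isdigit() or ":" in tok:          # address or prefix
            elements.append((negated, "net", parse_network(tok)))
        else:                                         # acl name
            elements.append((negated, "acl", tok))
        pos += 1
        if pos >= len(tokens) or tokens[pos] != ";":
            raise ValueError("every element must end with ';'")
        pos += 1
    return elements, pos


def match(elements, addr, key=None, acls=None):
    """Stop at the first matching element: True for a positive match, False
    for a negated one, None when nothing matched. Assumed here: a negated
    match inside a nested list or named ACL is 'no match' for the outer element."""
    acls = acls or {}
    for negated, kind, value in elements:
        if kind == "net":
            hit = addr in value            # False when the IP versions differ
        elif kind == "key":
            hit = key == value
        elif kind == "acl" and value in BUILTIN:
            hit = BUILTIN[value]
        else:
            if kind == "acl":
                if value not in acls:
                    raise ValueError(f"undefined acl {value!r}")
                value = acls[value]
            hit = match(value, addr, key, acls) is True
        if hit:
            return not negated
    return None


def access_allowed(list_text, addr_text, key=None, acls=None):
    """Access-control reading of the result: only a positive match allows;
    a negated match or no match at all denies."""
    return match(parse_list(list_text), ipaddress.ip_address(addr_text), key, acls) is True


def shadowed_elements(elements):
    """Indices of top-level network elements that can never match because an
    earlier network element already covers them: the '1.2.3/24; ! 1.2.3.13;'
    mistake from the text, found mechanically."""
    nets = [(i, v) for i, (_, k, v) in enumerate(elements) if k == "net"]
    return [i for n, (i, net) in enumerate(nets)
            if any(net.version == e.version and net.subnet_of(e) for _, e in nets[:n])]
```

Running <code>shadowed_elements</code> over each ACL at configuration-review time catches the shadowed-negation pattern before it reaches a production <code>allow-*</code> clause.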
        </div>
      </div>

      <div class="section" title="Comment Syntax">
<div class="titlepage"><div><div><h3 class="title">
<a name="idp72554576"></a>Comment Syntax</h3></div></div></div>
        

        <p>
          The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
          comments to appear
          anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
          file. To appeal to programmers of all kinds, they can be written
          in the C, C++, or shell/perl style.
        </p>

        <div class="section" title="Syntax">
<div class="titlepage"><div><div><h4 class="title">
<a name="idp72556624"></a>Syntax</h4></div></div></div>
          

          <p>
            </p>
<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
<p>
            </p>
<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
<p>
            </p>
<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
# and perl</pre>
<p>
          </p>
        </div>
        <div class="section" title="Definition and Usage">
<div class="titlepage"><div><div><h4 class="title">
<a name="idp72560336"></a>Definition and Usage</h4></div></div></div>
          
          <p>
            Comments may appear anywhere that whitespace may appear in
            a <acronym class="acronym">BIND</acronym> configuration file.
          </p>
          <p>
            C-style comments start with the two characters /* (slash,
            star) and end with */ (star, slash). Because they are completely
            delimited with these characters, they can be used to comment only
            a portion of a line or to span multiple lines.
          </p>
          <p>
            C-style comments cannot be nested. For example, the following
            is not valid because the entire comment ends with the first */:
          </p>
          <p>

</p>
<pre class="programlisting">/* This is the start of a comment.
   This is still part of the comment.
/* This is an incorrect attempt at nesting a comment. */
   This is no longer in any comment. */
</pre>
<p>

          </p>

          <p>
            C++-style comments start with the two characters // (slash,
            slash) and continue to the end of the physical line. They cannot
            be continued across multiple physical lines; to have one logical
            comment span multiple lines, each line must use the // pair.
            For example:
          </p>
          <p>

</p>
<pre class="programlisting">// This is the start of a comment.  The next line
// is a new comment, even though it is logically
// part of the previous comment.
</pre>
<p>

          </p>
          <p>
            Shell-style (or perl-style, if you prefer) comments start
            with the character <code class="literal">#</code> (number sign)
            and continue to the end of the
            physical line, as in C++ comments.
            For example:
          </p>

          <p>

</p>
<pre class="programlisting"># This is the start of a comment.  The next line
# is a new comment, even though it is logically
# part of the previous comment.
</pre>
<p>

          </p>

          <div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Warning</h3>
            <p>
              You cannot use the semicolon (`;') character
              to start a comment such as you would in a zone file. The
              semicolon indicates the end of a configuration
              statement.
            </p>
          </div>
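The lexical rules of this section, including the non-nesting of <code>/* */</code> comments and the warning that <code>;</code> is not a comment character, as an added Python example (not BIND's own lexer): a comment stripper that also copies quoted strings verbatim, so a <code>//</code> or <code>#</code> inside a TSIG secret or a path is not mistaken for a comment. The configuration text it runs on is constructed for the example.

```python
# Added example, not BIND's own lexer: strip named.conf comments as the ARM
# defines them (/* */ without nesting, // and # to end of line), leaving
# quoted strings and ';' untouched.


def strip_comments(text):
    out = []
    i, n = 0, len(text)
    while i < n:
        ch, two = text[i], text[i:i + 2]
        if ch == '"':
            # Quoted string: copy verbatim, so a '//' or '#' inside a TSIG
            # secret or a file name is not mistaken for a comment.
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1   # skip escaped characters
            if j >= n:
                raise ValueError("unterminated quoted string")
            out.append(text[i:j + 1])
            i = j + 1
        elif two == "/*":
            # C-style comment: ends at the FIRST '*/'. Comments do not nest,
            # so an inner '/*' is plain text and whatever follows the first
            # '*/' stays in the output (where named would report an error).
            end = text.find("*/", i + 2)
            if end == -1:
                raise ValueError("unterminated /* comment")
            out.append(" ")            # keep neighbouring tokens apart
            i = end + 2
        elif two == "//" or ch == "#":
            # C++-style and shell-style comments run to the end of the
            # physical line; the newline itself is kept.
            end = text.find("\n", i)
            i = n if end == -1 else end
        else:
            # Everything else, including ';', is configuration text.
            out.append(ch)
            i += 1
    return "".join(out)


# Constructed sample exercising all three comment styles plus a quoted
# secret that contains '//' and '#'.
SAMPLE = '''options {
    directory "/var/named";   // C++ style
    recursion no;             # shell style
    /* C style,
       spanning two lines */
};
key "rndc-key" { algorithm hmac-sha256; secret "ab//cd#ef=="; };
'''

# The nesting mistake from the text: the comment ends at the first '*/'.
NESTED = '''/* This is the start of a comment.
   This is still part of the comment.
/* This is an incorrect attempt at nesting a comment. */
   This is no longer in any comment. */
'''

if __name__ == "__main__":
    print(strip_comments(SAMPLE))
    print(strip_comments(NESTED))
```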
        </div>
      </div>
    </div>

    <div class="section" title="Configuration File Grammar">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
      

      <p>
        A <acronym class="acronym">BIND</acronym> 9 configuration consists of
        statements and comments.
        Statements end with a semicolon. Statements and comments are the
        only elements that can appear without enclosing braces. Many
        statements contain a block of sub-statements, which are also
        terminated with a semicolon.
      </p>

      <p>
        The following statements are supported:
      </p>

      <div class="informaltable">
        <table border="1">
<colgroup>
<col width="1.336in" class="1">
<col width="3.778in" class="2">
</colgroup>
<tbody>
<tr>
<td>
                <p><span class="command"><strong>acl</strong></span></p>
              </td>
<td>
                <p>
                  defines a named IP address
                  matching list, for access control and other uses.
                </p>
              </td>
</tr>
<tr>
<td>
                <p><span class="command"><strong>controls</strong></span></p>
              </td>
<td>
                <p>
                  declares control channels to be used
                  by the <span class="command"><strong>rndc</strong></span> utility.
                </p>
              </td>
</tr>
<tr>
<td>
                <p><span class="command"><strong>include</strong></span></p>
              </td>
<td>
                <p>
                  includes a file.
                </p>
              </td>
</tr>
<tr>
<td>
                <p><span class="command"><strong>key</strong></span></p>
              </td>
<td>
                <p>
                  specifies key information for use in
                  authentication and authorization using TSIG.
                </p>
              </td>
</tr>
<tr>
<td>
                <p><span class="command"><strong>logging</strong></span></p>
              </td>
<td>
                <p>
                  specifies what the server logs, and where
                  the log messages are sent.
                </p>
              </td>
</tr>
<tr>
<td>
                <p><span class="command"><strong>lwres</strong></span></p>
              </td>
<td>
                <p>
                  configures <span class="command"><strong>named</strong></span> to
                  also act as a light-weight resolver daemon (<span class="command"><strong>lwresd</strong></span>).
                </p>
              </td>
</tr>
<tr>
<td>
                <p><span class="command"><strong>masters</strong></span></p>
              </td>
<td>
                <p>
                  defines a named masters list for
                  inclusion in stub and slave zones'
                  <span class="command"><strong>masters</strong></span> or
                  <span class="command"><strong>also-notify</strong></span> lists.
                </p>
              </td>
</tr>
<tr>
<td>
                <p><span class="command"><strong>options</strong></span></p>
              </td>
<td>
                <p>
                  controls global server configuration
                  options and sets defaults for other statements.
                </p>
              </td>
</tr>
<tr>
<td>
                <p><span class="command"><strong>server</strong></span></p>
              </td>
<td>
                <p>
                  sets certain configuration options on
                  a per-server basis.
                </p>
              </td>
</tr>
<tr>
<td>
                <p><span class="command"><strong>statistics-channels</strong></span></p>
              </td>
<td>
                <p>
                  declares communication channels to get access to
                  <span class="command"><strong>named</strong></span> statistics.
                </p>
              </td>
</tr>
<tr>
<td>
                <p><span class="command"><strong>trusted-keys</strong></span></p>
              </td>
<td>
                <p>
                  defines trusted DNSSEC keys.
                </p>
              </td>
</tr>
<tr>
<td>
                <p><span class="command"><strong>managed-keys</strong></span></p>
              </td>
<td>
                <p>
                  lists DNSSEC keys to be kept up to date
                  using RFC 5011 trust anchor maintenance.
                </p>
              </td>
</tr>
<tr>
<td>
                <p><span class="command"><strong>view</strong></span></p>
              </td>
<td>
                <p>
                  defines a view.
                </p>
              </td>
</tr>
<tr>
<td>
                <p><span class="command"><strong>zone</strong></span></p>
              </td>
<td>
                <p>
                  defines a zone.
                </p>
              </td>
</tr>
</tbody>
</table>
      </div>

      <p>
        The <span class="command"><strong>logging</strong></span> and
        <span class="command"><strong>options</strong></span> statements may only occur once
        per
        configuration.
      </p>

      <div class="section" title="acl Statement Grammar">
<div class="titlepage"><div><div><h3 class="title">
<a name="idp72611664"></a><span class="command"><strong>acl</strong></span> Statement Grammar</h3></div></div></div>
        

<pre class="programlisting"><span class="command"><strong>acl</strong></span> acl-name {
    address_match_list
};
</pre>

      </div>
      <div class="section" title="acl Statement Definition and Usage">
<div class="titlepage"><div><div><h3 class="title">
<a name="acl"></a><span class="command"><strong>acl</strong></span> Statement Definition and
          Usage</h3></div></div></div>
        

        <p>
          The <span class="command"><strong>acl</strong></span> statement assigns a symbolic
          name to an address match list. It gets its name from a primary
          use of address match lists: Access Control Lists (ACLs).
        </p>

        <p>
          The following ACLs are built-in:
        </p>

        <div class="informaltable">
          <table border="1">
<colgroup>
<col width="1.130in" class="1">
<col width="4.000in" class="2">
</colgroup>
<tbody>
<tr>
<td>
                  <p><span class="command"><strong>any</strong></span></p>
                </td>
<td>
                  <p>
                    Matches all hosts.
                  </p>
                </td>
</tr>
<tr>
<td>
                  <p><span class="command"><strong>none</strong></span></p>
                </td>
<td>
                  <p>
                    Matches no hosts.
                  </p>
                </td>
</tr>
<tr>
<td>
                  <p><span class="command"><strong>localhost</strong></span></p>
                </td>
<td>
                  <p>
                    Matches the IPv4 and IPv6 addresses of all network
                    interfaces on the system.  When addresses are
                    added or removed, the <span class="command"><strong>localhost</strong></span>
                    ACL element is updated to reflect the changes.
                  </p>
                </td>
</tr>
<tr>
<td>
                  <p><span class="command"><strong>localnets</strong></span></p>
                </td>
<td>
                  <p>
                    Matches any host on an IPv4 or IPv6 network
                    for which the system has an interface.
                    When addresses are added or removed,
                    the <span class="command"><strong>localnets</strong></span>
                    ACL element is updated to reflect the changes.
                    Some systems do not provide a way to determine the prefix
                    lengths of
                    local IPv6 addresses.
                    In such a case, <span class="command"><strong>localnets</strong></span>
                    only matches the local
                    IPv6 addresses, just like <span class="command"><strong>localhost</strong></span>.
                  </p>
                </td>
</tr>
</tbody>
</table>
        </div>
      </div>
      <div class="section" title="controls Statement Grammar">
<div class="titlepage"><div><div><h3 class="title">
<a name="idp72643920"></a><span class="command"><strong>controls</strong></span> Statement Grammar</h3></div></div></div>
        

<pre class="programlisting"><span class="command"><strong>controls</strong></span> {
   [ inet ( ip_addr | * ) [ port ip_port ]
                allow { <em class="replaceable"><code> address_match_list </code></em> }
                keys { <em class="replaceable"><code>key_list</code></em> }; ]
   [ inet ...; ]
   [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
     keys { <em class="replaceable"><code>key_list</code></em> }; ]
   [ unix ...; ]
};
</pre>

      </div>

      <div class="section" title="controls Statement Definition and Usage">
<div class="titlepage"><div><div><h3 class="title">
<a name="controls_statement_definition_and_usage"></a><span class="command"><strong>controls</strong></span> Statement Definition and
          Usage</h3></div></div></div>
        

        <p>
          The <span class="command"><strong>controls</strong></span> statement declares control
          channels to be used by system administrators to control the
          operation of the name server. These control channels are
          used by the <span class="command"><strong>rndc</strong></span> utility to send
          commands to and retrieve non-DNS results from a name server.
        </p>

        <p>
          An <span class="command"><strong>inet</strong></span> control channel is a TCP socket
          listening at the specified <span class="command"><strong>ip_port</strong></span> on the
          specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6
          address.  An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
          interpreted as the IPv4 wildcard address; connections will be
          accepted on any of the system's IPv4 addresses.
          To listen on the IPv6 wildcard address,
          use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>.
          If you will only use <span class="command"><strong>rndc</strong></span> on the local host,
          using the loopback address (<code class="literal">127.0.0.1</code>
          or <code class="literal">::1</code>) is recommended for maximum security.
        </p>

        <p>
          If no port is specified, port 953 is used. The asterisk
          "<code class="literal">*</code>" cannot be used for <span class="command"><strong>ip_port</strong></span>.
        </p>

        <p>
          The ability to issue commands over the control channel is
          restricted by the <span class="command"><strong>allow</strong></span> and
          <span class="command"><strong>keys</strong></span> clauses.
          Connections to the control channel are permitted based on the
          <span class="command"><strong>address_match_list</strong></span>.  This is for simple
          IP address based filtering only; any <span class="command"><strong>key_id</strong></span>
          elements of the <span class="command"><strong>address_match_list</strong></span>
          are ignored.
        </p>

        <p>
          A <span class="command"><strong>unix</strong></span> control channel is a UNIX domain
          socket listening at the specified path in the file system.
          Access to the socket is specified by the <span class="command"><strong>perm</strong></span>,
          <span class="command"><strong>owner</strong></span> and <span class="command"><strong>group</strong></span> clauses.
          Note that on some platforms (SunOS and Solaris) the permissions
          (<span class="command"><strong>perm</strong></span>) are applied to the parent directory,
          as the permissions on the socket itself are ignored.
        </p>
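        <p>
          The following <code class="filename">named.conf</code> fragment is an
          illustration added here, not text from the ARM: it places a weak
          <span class="command"><strong>controls</strong></span> block beside a hardened one built from
          the clauses described above. The key name, the secret and the socket
          path are placeholders to be replaced with local values.
        </p>

```conf
// Illustrative only; key name, secret and socket path are placeholders.

// WEAK: "*" listens on every IPv4 address of the host and
// "allow { any; }" leaves the key as the only barrier. Note that a
// key_id inside the allow list would be ignored here, because allow
// does IP-address filtering only.
controls {
    inet * port 953 allow { any; } keys { "rndc-key"; };
};

// HARDENED: rndc is used only on this host, so bind both loopback
// addresses explicitly ("*" is IPv4-only; "::" would be the IPv6
// wildcard), accept connections only from loopback, and name the key
// that is authorized to issue commands.
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
    inet ::1       port 953 allow { ::1; }       keys { "rndc-key"; };

    // Optional local-only channel over a UNIX domain socket. perm is
    // octal; owner/group are numeric uid/gid (0 = root). On SunOS and
    // Solaris the perm value is applied to the parent directory instead
    // of the socket, so that directory must be locked down as well.
    unix "/var/run/named/rndc.sock" perm 0660 owner 0 group 0
        keys { "rndc-key"; };
};

// The key referenced above is declared outside controls; the secret is
// a placeholder and must be a base64 value generated locally.
key "rndc-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-LOCALLY-GENERATED-BASE64-SECRET";
};
```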

        <p>
          The primary authorization mechanism of the command
          channel is the <span class="command"><strong>key_list</strong></span>, which
          contains a list of <span class="command"><strong>key_id</strong></span>s.
          Each <span class="command"><strong>key_id</strong></span> in the <span class="command"><strong>key_list</strong></span>
          is authorized to execute commands over the control channel.
          See <a class="xref" href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a class="xref" href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called &#8220;Administrative Tools&#8221;</a>
          for information about configuring keys in <span class="command"><strong>rndc</strong></span>.