<!--
 - Copyright (C) 2004-2017  Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->

<!-- Generated by doc/misc/docbook-options.pl -->

<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
  <info>
    <date>2017-03-08</date>
  </info>
  <refentryinfo>
    <corpname>ISC</corpname>
    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
  </refentryinfo>

  <refmeta>
    <refentrytitle><filename>named.conf</filename></refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>BIND9</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname><filename>named.conf</filename></refname>
    <refpurpose>configuration file for <command>named</command></refpurpose>
  </refnamediv>

  <docinfo>
    <copyright>
      <year>2004</year>
      <year>2005</year>
      <year>2006</year>
      <year>2007</year>
      <year>2008</year>
      <year>2009</year>
      <year>2010</year>
      <year>2011</year>
      <year>2012</year>
      <year>2013</year>
      <year>2014</year>
      <year>2015</year>
      <year>2016</year>
      <year>2017</year>
      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
    </copyright>
  </docinfo>

  <refsynopsisdiv>
    <cmdsynopsis sepchar=" ">
      <command>named.conf</command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsection><info><title>DESCRIPTION</title></info>

    <para><filename>named.conf</filename> is the configuration file
      for
      <command>named</command>.  Statements are enclosed
      in braces and terminated with a semi-colon.  Clauses in
      the statements are also semi-colon terminated.  The usual
      comment styles are supported:
    </para>
    <para>
      C style: /* */
    </para>
    <para>
      C++ style: // to end of line
    </para>
    <para>
      Unix style: # to end of line
    </para>
  </refsection>

  <refsection><info><title>ACL</title></info>

    <literallayout class="normal">
acl <replaceable>string</replaceable> { <replaceable>address_match_element</replaceable>; ... };
</literallayout>
  </refsection>

  <refsection><info><title>CONTROLS</title></info>

    <literallayout class="normal">
controls {
	inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> |
	    * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> allow
	    { <replaceable>address_match_element</replaceable>; ... } <optional>
	    keys { <replaceable>string</replaceable>; ... } </optional> <optional> read-only
	    <replaceable>boolean</replaceable> </optional>;
	unix <replaceable>quoted_string</replaceable> perm <replaceable>integer</replaceable>
	    owner <replaceable>integer</replaceable> group <replaceable>integer</replaceable> <optional>
	    keys { <replaceable>string</replaceable>; ... } </optional> <optional> read-only
	    <replaceable>boolean</replaceable> </optional>;
};
</literallayout>
  </refsection>

  <refsection><info><title>DLZ</title></info>

    <literallayout class="normal">
dlz <replaceable>string</replaceable> {
	database <replaceable>string</replaceable>;
	search <replaceable>boolean</replaceable>;
};
</literallayout>
  </refsection>

  <refsection><info><title>DYNDB</title></info>

    <literallayout class="normal">
dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> {
    <replaceable>unspecified-text</replaceable> };
</literallayout>
  </refsection>

  <refsection><info><title>KEY</title></info>

    <literallayout class="normal">
key <replaceable>string</replaceable> {
	algorithm <replaceable>string</replaceable>;
	secret <replaceable>string</replaceable>;
};
</literallayout>
  </refsection>

  <refsection><info><title>LOGGING</title></info>

    <literallayout class="normal">
logging {
	category <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
	channel <replaceable>string</replaceable> {
		buffered <replaceable>boolean</replaceable>;
		file <replaceable>quoted_string</replaceable> <optional> versions ( unlimited | <replaceable>integer</replaceable> ) </optional>
		    <optional> size <replaceable>size</replaceable> </optional> <optional> suffix ( increment | timestamp ) </optional>;
		null;
		print-category <replaceable>boolean</replaceable>;
		print-severity <replaceable>boolean</replaceable>;
		print-time ( iso8601 | iso8601-utc | local | <replaceable>boolean</replaceable> );
		severity <replaceable>log_severity</replaceable>;
		stderr;
		syslog <optional> <replaceable>syslog_facility</replaceable> </optional>;
	};
};
</literallayout>
  </refsection>

  <refsection><info><title>LWRES</title></info>

    <literallayout class="normal">
lwres {
	listen-on <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable>
	    | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional>; ... };
	lwres-clients <replaceable>integer</replaceable>;
	lwres-tasks <replaceable>integer</replaceable>;
	ndots <replaceable>integer</replaceable>;
	search { <replaceable>string</replaceable>; ... };
	view <replaceable>string</replaceable> <optional> <replaceable>class</replaceable> </optional>;
};
</literallayout>
  </refsection>

  <refsection><info><title>MANAGED-KEYS</title></info>

    <literallayout class="normal">
managed-keys { <replaceable>string</replaceable> <replaceable>string</replaceable> <replaceable>integer</replaceable>
    <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
</literallayout>
  </refsection>

  <refsection><info><title>MASTERS</title></info>

    <literallayout class="normal">
masters <replaceable>string</replaceable> <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp
    <replaceable>integer</replaceable> </optional> { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> <optional>
    port <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional> port
    <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>; ... };
</literallayout>
  </refsection>

  <refsection><info><title>OPTIONS</title></info>

    <literallayout class="normal">
options {
	acache-cleaning-interval <replaceable>integer</replaceable>;
	acache-enable <replaceable>boolean</replaceable>;
	additional-from-auth <replaceable>boolean</replaceable>;
	additional-from-cache <replaceable>boolean</replaceable>;
	allow-new-zones <replaceable>boolean</replaceable>;
	allow-notify { <replaceable>address_match_element</replaceable>; ... };
	allow-query { <replaceable>address_match_element</replaceable>; ... };
	allow-query-cache { <replaceable>address_match_element</replaceable>; ... };
	allow-query-cache-on { <replaceable>address_match_element</replaceable>; ... };
	allow-query-on { <replaceable>address_match_element</replaceable>; ... };
	allow-recursion { <replaceable>address_match_element</replaceable>; ... };
	allow-recursion-on { <replaceable>address_match_element</replaceable>; ... };
	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
	allow-update { <replaceable>address_match_element</replaceable>; ... };
	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
	also-notify <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>masters</replaceable> |
	    <replaceable>ipv4_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional> port
	    <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>; ... };
	alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * )
	    </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
	alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> |
	    * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
	attach-cache <replaceable>string</replaceable>;
	auth-nxdomain <replaceable>boolean</replaceable>; // default changed
	auto-dnssec ( allow | maintain | off );
	automatic-interface-scan <replaceable>boolean</replaceable>;
	avoid-v4-udp-ports { <replaceable>portrange</replaceable>; ... };
	avoid-v6-udp-ports { <replaceable>portrange</replaceable>; ... };
	bindkeys-file <replaceable>quoted_string</replaceable>;
	blackhole { <replaceable>address_match_element</replaceable>; ... };
	cache-file <replaceable>quoted_string</replaceable>;
	catalog-zones { zone <replaceable>quoted_string</replaceable> <optional> default-masters <optional> port
	    <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> <optional>
	    port <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> ) <optional> key
	    <replaceable>string</replaceable> </optional>; ... } </optional> <optional> zone-directory <replaceable>quoted_string</replaceable> </optional> <optional>
	    in-memory <replaceable>boolean</replaceable> </optional> <optional> min-update-interval <replaceable>integer</replaceable> </optional>; ... };
	check-dup-records ( fail | warn | ignore );
	check-integrity <replaceable>boolean</replaceable>;
	check-mx ( fail | warn | ignore );
	check-mx-cname ( fail | warn | ignore );
	check-names ( master | slave | response
	    ) ( fail | warn | ignore );
	check-sibling <replaceable>boolean</replaceable>;
	check-spf ( warn | ignore );
	check-srv-cname ( fail | warn | ignore );
	check-wildcard <replaceable>boolean</replaceable>;
	cleaning-interval <replaceable>integer</replaceable>;
	clients-per-query <replaceable>integer</replaceable>;
	cookie-algorithm ( aes | sha1 | sha256 );
	cookie-secret <replaceable>string</replaceable>;
	coresize ( default | unlimited | <replaceable>sizeval</replaceable> );
	datasize ( default | unlimited | <replaceable>sizeval</replaceable> );
	deny-answer-addresses { <replaceable>address_match_element</replaceable>; ... } <optional>
	    except-from { <replaceable>quoted_string</replaceable>; ... } </optional>;
	deny-answer-aliases { <replaceable>quoted_string</replaceable>; ... } <optional> except-from {
	    <replaceable>quoted_string</replaceable>; ... } </optional>;
	dialup ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
	directory <replaceable>quoted_string</replaceable>;
	disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>;
	    ... };
	disable-ds-digests <replaceable>string</replaceable> { <replaceable>string</replaceable>;
	    ... };
	disable-empty-zone <replaceable>string</replaceable>;
	dns64 <replaceable>netprefix</replaceable> {
		break-dnssec <replaceable>boolean</replaceable>;
		clients { <replaceable>address_match_element</replaceable>; ... };
		exclude { <replaceable>address_match_element</replaceable>; ... };
		mapped { <replaceable>address_match_element</replaceable>; ... };
		recursive-only <replaceable>boolean</replaceable>;
		suffix <replaceable>ipv6_address</replaceable>;
	};
	dns64-contact <replaceable>string</replaceable>;
	dns64-server <replaceable>string</replaceable>;
	dnssec-accept-expired <replaceable>boolean</replaceable>;
	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
	dnssec-enable <replaceable>boolean</replaceable>;
	dnssec-loadkeys-interval <replaceable>integer</replaceable>;
	dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor
	    <replaceable>string</replaceable> | auto | no );
	dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
	dnssec-update-mode ( maintain | no-resign );
	dnssec-validation ( yes | no | auto );
	dnstap { ( all | auth | client | forwarder |
	    resolver ) <optional> ( query | response ) </optional>; ... };
	dnstap-identity ( <replaceable>quoted_string</replaceable> | none |
	    hostname );
	dnstap-output ( file | unix ) <replaceable>quoted_string</replaceable> <optional>
	    size ( unlimited | <replaceable>size</replaceable> ) </optional> <optional> versions (
	    unlimited | <replaceable>integer</replaceable> ) </optional> <optional> suffix ( increment
	    | timestamp ) </optional>;
	dnstap-version ( <replaceable>quoted_string</replaceable> | none );
	dscp <replaceable>integer</replaceable>;
	dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>quoted_string</replaceable> <optional> port
	    <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> | <replaceable>ipv4_address</replaceable> <optional> port
	    <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional> port
	    <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> ); ... };
	dump-file <replaceable>quoted_string</replaceable>;
	edns-udp-size <replaceable>integer</replaceable>;
	empty-contact <replaceable>string</replaceable>;
	empty-server <replaceable>string</replaceable>;
	empty-zones-enable <replaceable>boolean</replaceable>;
	fetch-quota-params <replaceable>integer</replaceable> <replaceable>fixedpoint</replaceable> <replaceable>fixedpoint</replaceable> <replaceable>fixedpoint</replaceable>;
	fetches-per-server <replaceable>integer</replaceable> <optional> ( drop | fail ) </optional>;
	fetches-per-zone <replaceable>integer</replaceable> <optional> ( drop | fail ) </optional>;
	files ( default | unlimited | <replaceable>sizeval</replaceable> );
	filter-aaaa { <replaceable>address_match_element</replaceable>; ... };
	filter-aaaa-on-v4 ( break-dnssec | <replaceable>boolean</replaceable> );
	filter-aaaa-on-v6 ( break-dnssec | <replaceable>boolean</replaceable> );
	flush-zones-on-shutdown <replaceable>boolean</replaceable>;
	forward ( first | only );
	forwarders <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable>
	    | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional>; ... };
	fstrm-set-buffer-hint <replaceable>integer</replaceable>;
	fstrm-set-flush-timeout <replaceable>integer</replaceable>;
	fstrm-set-input-queue-size <replaceable>integer</replaceable>;
	fstrm-set-output-notify-threshold <replaceable>integer</replaceable>;
	fstrm-set-output-queue-model ( mpsc | spsc );
	fstrm-set-output-queue-size <replaceable>integer</replaceable>;
	fstrm-set-reopen-interval <replaceable>integer</replaceable>;
	geoip-directory ( <replaceable>quoted_string</replaceable> | none );
	geoip-use-ecs ( <replaceable>quoted_string</replaceable> | none );
	heartbeat-interval <replaceable>integer</replaceable>;
	hostname ( <replaceable>quoted_string</replaceable> | none );
	inline-signing <replaceable>boolean</replaceable>;
	interface-interval <replaceable>integer</replaceable>;
	ixfr-from-differences ( master | slave | <replaceable>boolean</replaceable> );
	keep-response-order { <replaceable>address_match_element</replaceable>; ... };
	key-directory <replaceable>quoted_string</replaceable>;
	lame-ttl <replaceable>ttlval</replaceable>;
	listen-on <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp
	    <replaceable>integer</replaceable> </optional> {
	    <replaceable>address_match_element</replaceable>; ... };
	listen-on-v6 <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp
	    <replaceable>integer</replaceable> </optional> {
	    <replaceable>address_match_element</replaceable>; ... };
	lock-file ( <replaceable>quoted_string</replaceable> | none );
	managed-keys-directory <replaceable>quoted_string</replaceable>;
	masterfile-format ( map | raw | text );
	masterfile-style ( full | relative );
	match-mapped-addresses <replaceable>boolean</replaceable>;
	max-acache-size ( unlimited | <replaceable>sizeval</replaceable> );
	max-cache-size ( default | unlimited | <replaceable>sizeval</replaceable> | <replaceable>percentage</replaceable> );
	max-cache-ttl <replaceable>integer</replaceable>;
	max-clients-per-query <replaceable>integer</replaceable>;
	max-journal-size ( unlimited | <replaceable>sizeval</replaceable> );
	max-ncache-ttl <replaceable>integer</replaceable>;
	max-records <replaceable>integer</replaceable>;
	max-recursion-depth <replaceable>integer</replaceable>;
	max-recursion-queries <replaceable>integer</replaceable>;
	max-refresh-time <replaceable>integer</replaceable>;
	max-retry-time <replaceable>integer</replaceable>;
	max-rsa-exponent-size <replaceable>integer</replaceable>;
	max-transfer-idle-in <replaceable>integer</replaceable>;
	max-transfer-idle-out <replaceable>integer</replaceable>;
	max-transfer-time-in <replaceable>integer</replaceable>;
	max-transfer-time-out <replaceable>integer</replaceable>;
	max-udp-size <replaceable>integer</replaceable>;
	max-zone-ttl ( unlimited | <replaceable>ttlval</replaceable> );
	memstatistics <replaceable>boolean</replaceable>;
	memstatistics-file <replaceable>quoted_string</replaceable>;
	message-compression <replaceable>boolean</replaceable>;
	min-refresh-time <replaceable>integer</replaceable>;
	min-retry-time <replaceable>integer</replaceable>;
	minimal-any <replaceable>boolean</replaceable>;
	minimal-responses ( no-auth | no-auth-recursive | <replaceable>boolean</replaceable> );
	multi-master <replaceable>boolean</replaceable>;
	no-case-compress { <replaceable>address_match_element</replaceable>; ... };
	nocookie-udp-size <replaceable>integer</replaceable>;
	notify ( explicit | master-only | <replaceable>boolean</replaceable> );
	notify-delay <replaceable>integer</replaceable>;
	notify-rate <replaceable>integer</replaceable>;
	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> <optional>
	    dscp <replaceable>integer</replaceable> </optional>;
	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>
	    <optional> dscp <replaceable>integer</replaceable> </optional>;
	notify-to-soa <replaceable>boolean</replaceable>;
	nsec3-test-zone <replaceable>boolean</replaceable>; // test only
	nta-lifetime <replaceable>ttlval</replaceable>;
	nta-recheck <replaceable>ttlval</replaceable>;
	nxdomain-redirect <replaceable>string</replaceable>;
	pid-file ( <replaceable>quoted_string</replaceable> | none );
	port <replaceable>integer</replaceable>;
	preferred-glue <replaceable>string</replaceable>;
	prefetch <replaceable>integer</replaceable> <optional> <replaceable>integer</replaceable> </optional>;
	provide-ixfr <replaceable>boolean</replaceable>;
	query-source ( ( <optional> address </optional> ( <replaceable>ipv4_address</replaceable> | * ) <optional> port (
	    <replaceable>integer</replaceable> | * ) </optional> ) | ( <optional> <optional> address </optional> ( <replaceable>ipv4_address</replaceable> | * ) </optional>
	    port ( <replaceable>integer</replaceable> | * ) ) ) <optional> dscp <replaceable>integer</replaceable> </optional>;
	query-source-v6 ( ( <optional> address </optional> ( <replaceable>ipv6_address</replaceable> | * ) <optional> port (
	    <replaceable>integer</replaceable> | * ) </optional> ) | ( <optional> <optional> address </optional> ( <replaceable>ipv6_address</replaceable> | * ) </optional>
	    port ( <replaceable>integer</replaceable> | * ) ) ) <optional> dscp <replaceable>integer</replaceable> </optional>;
	querylog <replaceable>boolean</replaceable>;
	random-device <replaceable>quoted_string</replaceable>;
	rate-limit {
		all-per-second <replaceable>integer</replaceable>;
		errors-per-second <replaceable>integer</replaceable>;
		exempt-clients { <replaceable>address_match_element</replaceable>; ... };
		ipv4-prefix-length <replaceable>integer</replaceable>;
		ipv6-prefix-length <replaceable>integer</replaceable>;
		log-only <replaceable>boolean</replaceable>;
		max-table-size <replaceable>integer</replaceable>;
		min-table-size <replaceable>integer</replaceable>;
		nodata-per-second <replaceable>integer</replaceable>;
		nxdomains-per-second <replaceable>integer</replaceable>;
		qps-scale <replaceable>integer</replaceable>;
		referrals-per-second <replaceable>integer</replaceable>;
		responses-per-second <replaceable>integer</replaceable>;
		slip <replaceable>integer</replaceable>;
		window <replaceable>integer</replaceable>;
	};
	recursing-file <replaceable>quoted_string</replaceable>;
	recursion <replaceable>boolean</replaceable>;
	recursive-clients <replaceable>integer</replaceable>;
	request-expire <replaceable>boolean</replaceable>;
	request-ixfr <replaceable>boolean</replaceable>;
	request-nsid <replaceable>boolean</replaceable>;
	require-server-cookie <replaceable>boolean</replaceable>;
	reserved-sockets <replaceable>integer</replaceable>;
	resolver-query-timeout <replaceable>integer</replaceable>;
	response-padding { <replaceable>address_match_element</replaceable>; ... } block-size
	    <replaceable>integer</replaceable>;
	response-policy { zone <replaceable>quoted_string</replaceable> <optional> log <replaceable>boolean</replaceable> </optional> <optional>
	    max-policy-ttl <replaceable>integer</replaceable> </optional> <optional> min-update-interval <replaceable>integer</replaceable> </optional> <optional>
	    policy ( cname | disabled | drop | given | no-op | nodata |
	    nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) </optional> <optional>
	    recursive-only <replaceable>boolean</replaceable> </optional>; ... } <optional> break-dnssec <replaceable>boolean</replaceable> </optional> <optional>
	    max-policy-ttl <replaceable>integer</replaceable> </optional> <optional> min-update-interval <replaceable>integer</replaceable> </optional> <optional>
	    min-ns-dots <replaceable>integer</replaceable> </optional> <optional> nsip-wait-recurse <replaceable>boolean</replaceable> </optional> <optional>
	    qname-wait-recurse <replaceable>boolean</replaceable> </optional> <optional> recursive-only <replaceable>boolean</replaceable> </optional>;
	root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
	rrset-order { <optional> class <replaceable>string</replaceable> </optional> <optional> type <replaceable>string</replaceable> </optional> <optional> name
	    <replaceable>quoted_string</replaceable> </optional> <replaceable>string</replaceable> <replaceable>string</replaceable>; ... };
	secroots-file <replaceable>quoted_string</replaceable>;
	send-cookie <replaceable>boolean</replaceable>;
	serial-query-rate <replaceable>integer</replaceable>;
	serial-update-method ( date | increment | unixtime );
	server-id ( <replaceable>quoted_string</replaceable> | none | hostname );
	servfail-ttl <replaceable>ttlval</replaceable>;
	session-keyalg <replaceable>string</replaceable>;
	session-keyfile ( <replaceable>quoted_string</replaceable> | none );
	session-keyname <replaceable>string</replaceable>;
	sig-signing-nodes <replaceable>integer</replaceable>;
	sig-signing-signatures <replaceable>integer</replaceable>;
	sig-signing-type <replaceable>integer</replaceable>;
	sig-validity-interval <replaceable>integer</replaceable> <optional> <replaceable>integer</replaceable> </optional>;
	sortlist { <replaceable>address_match_element</replaceable>; ... };
	stacksize ( default | unlimited | <replaceable>sizeval</replaceable> );
	startup-notify-rate <replaceable>integer</replaceable>;
	statistics-file <replaceable>quoted_string</replaceable>;
	tcp-advertised-timeout <replaceable>integer</replaceable>;
	tcp-clients <replaceable>integer</replaceable>;
	tcp-idle-timeout <replaceable>integer</replaceable>;
	tcp-initial-timeout <replaceable>integer</replaceable>;
	tcp-keepalive-timeout <replaceable>integer</replaceable>;
	tcp-listen-queue <replaceable>integer</replaceable>;
	tkey-dhkey <replaceable>quoted_string</replaceable> <replaceable>integer</replaceable>;
	tkey-domain <replaceable>quoted_string</replaceable>;
	tkey-gssapi-credential <replaceable>quoted_string</replaceable>;
	tkey-gssapi-keytab <replaceable>quoted_string</replaceable>;
	transfer-format ( many-answers | one-answer );
	transfer-message-size <replaceable>integer</replaceable>;
	transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> <optional>
	    dscp <replaceable>integer</replaceable> </optional>;
	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * )
	    </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
	transfers-in <replaceable>integer</replaceable>;
	transfers-out <replaceable>integer</replaceable>;
	transfers-per-ns <replaceable>integer</replaceable>;
	trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental
	try-tcp-refresh <replaceable>boolean</replaceable>;
	update-check-ksk <replaceable>boolean</replaceable>;
	use-alt-transfer-source <replaceable>boolean</replaceable>;
	use-v4-udp-ports { <replaceable>portrange</replaceable>; ... };
	use-v6-udp-ports { <replaceable>portrange</replaceable>; ... };
	v6-bias <replaceable>integer</replaceable>;
	version ( <replaceable>quoted_string</replaceable> | none );
	zero-no-soa-ttl <replaceable>boolean</replaceable>;
	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
	zone-statistics ( full | terse | none | <replaceable>boolean</replaceable> );
};
</literallayout>
  </refsection>

  <refsection><info><title>SERVER</title></info>

    <literallayout class="normal">
server <replaceable>netprefix</replaceable> {
	bogus <replaceable>boolean</replaceable>;
	edns <replaceable>boolean</replaceable>;
	edns-udp-size <replaceable>integer</replaceable>;
	edns-version <replaceable>integer</replaceable>;
	keys <replaceable>server_key</replaceable>;
	max-udp-size <replaceable>integer</replaceable>;
	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> <optional>
	    dscp <replaceable>integer</replaceable> </optional>;
	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>
	    <optional> dscp <replaceable>integer</replaceable> </optional>;
	padding <replaceable>integer</replaceable>;
	provide-ixfr <replaceable>boolean</replaceable>;
	query-source ( ( <optional> address </optional> ( <replaceable>ipv4_address</replaceable> | * ) <optional> port (
	    <replaceable>integer</replaceable> | * ) </optional> ) | ( <optional> <optional> address </optional> ( <replaceable>ipv4_address</replaceable> | * ) </optional>
	    port ( <replaceable>integer</replaceable> | * ) ) ) <optional> dscp <replaceable>integer</replaceable> </optional>;
	query-source-v6 ( ( <optional> address </optional> ( <replaceable>ipv6_address</replaceable> | * ) <optional> port (
	    <replaceable>integer</replaceable> | * ) </optional> ) | ( <optional> <optional> address </optional> ( <replaceable>ipv6_address</replaceable> | * ) </optional>
	    port ( <replaceable>integer</replaceable> | * ) ) ) <optional> dscp <replaceable>integer</replaceable> </optional>;
	request-expire <replaceable>boolean</replaceable>;
	request-ixfr <replaceable>boolean</replaceable>;
	request-nsid <replaceable>boolean</replaceable>;
	send-cookie <replaceable>boolean</replaceable>;
	tcp-keepalive <replaceable>boolean</replaceable>;
	tcp-only <replaceable>boolean</replaceable>;
	transfer-format ( many-answers | one-answer );
	transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> <optional>
	    dscp <replaceable>integer</replaceable> </optional>;
	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * )
	    </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
	transfers <replaceable>integer</replaceable>;
};
</literallayout>
  </refsection>

  <refsection><info><title>STATISTICS-CHANNELS</title></info>

    <literallayout class="normal">
statistics-channels {
	inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> |
	    * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> <optional>
	    allow { <replaceable>address_match_element</replaceable>; ...
	    } </optional>;
};
</literallayout>
  </refsection>

  <refsection><info><title>TRUSTED-KEYS</title></info>

    <literallayout class="normal">
trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
    <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ... };
</literallayout>
  </refsection>

  <refsection><info><title>VIEW</title></info>

    <literallayout class="normal">
view <replaceable>string</replaceable> <optional> <replaceable>class</replaceable> </optional> {
	acache-cleaning-interval <replaceable>integer</replaceable>;
	acache-enable <replaceable>boolean</replaceable>;
	additional-from-auth <replaceable>boolean</replaceable>;
	additional-from-cache <replaceable>boolean</replaceable>;
	allow-new-zones <replaceable>boolean</replaceable>;
	allow-notify { <replaceable>address_match_element</replaceable>; ... };
	allow-query { <replaceable>address_match_element</replaceable>; ... };
	allow-query-cache { <replaceable>address_match_element</replaceable>; ... };
	allow-query-cache-on { <replaceable>address_match_element</replaceable>; ... };
	allow-query-on { <replaceable>address_match_element</replaceable>; ... };
	allow-recursion { <replaceable>address_match_element</replaceable>; ... };
	allow-recursion-on { <replaceable>address_match_element</replaceable>; ... };
	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
	allow-update { <replaceable>address_match_element</replaceable>; ... };
	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
	also-notify <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>masters</replaceable> |
	    <replaceable>ipv4_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional> port
	    <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>; ... };
	alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * )
	    </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
	alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> |
	    * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
	attach-cache <replaceable>string</replaceable>;
	auth-nxdomain <replaceable>boolean</replaceable>; // default changed
	auto-dnssec ( allow | maintain | off );
	cache-file <replaceable>quoted_string</replaceable>;
	catalog-zones { zone <replaceable>quoted_string</replaceable> <optional> default-masters <optional> port
	    <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> <optional>
	    port <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> ) <optional> key
	    <replaceable>string</replaceable> </optional>; ... } </optional> <optional> zone-directory <replaceable>quoted_string</replaceable> </optional> <optional>
	    in-memory <replaceable>boolean</replaceable> </optional> <optional> min-update-interval <replaceable>integer</replaceable> </optional>; ... };
	check-dup-records ( fail | warn | ignore );
	check-integrity <replaceable>boolean</replaceable>;
	check-mx ( fail | warn | ignore );
	check-mx-cname ( fail | warn | ignore );
	check-names ( master | slave | response
	    ) ( fail | warn | ignore );
	check-sibling <replaceable>boolean</replaceable>;
	check-spf ( warn | ignore );
	check-srv-cname ( fail | warn | ignore );
	check-wildcard <replaceable>boolean</replaceable>;
	cleaning-interval <replaceable>integer</replaceable>;
	clients-per-query <replaceable>integer</replaceable>;
	deny-answer-addresses { <replaceable>address_match_element</replaceable>; ... } <optional>
	    except-from { <replaceable>quoted_string</replaceable>; ... } </optional>;
	deny-answer-aliases { <replaceable>quoted_string</replaceable>; ... } <optional> except-from {
	    <replaceable>quoted_string</replaceable>; ... } </optional>;
	dialup ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
	disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>;
	    ... };
	disable-ds-digests <replaceable>string</replaceable> { <replaceable>string</replaceable>;
	    ... };
	disable-empty-zone <replaceable>string</replaceable>;
	dlz <replaceable>string</replaceable> {
		database <replaceable>string</replaceable>;
		search <replaceable>boolean</replaceable>;
	};
	dns64 <replaceable>netprefix</replaceable> {
		break-dnssec <replaceable>boolean</replaceable>;
		clients { <replaceable>address_match_element</replaceable>; ... };
		exclude { <replaceable>address_match_element</replaceable>; ... };
		mapped { <replaceable>address_match_element</replaceable>; ... };
		recursive-only <replaceable>boolean</replaceable>;
		suffix <replaceable>ipv6_address</replaceable>;
	};
	dns64-contact <replaceable>string</replaceable>;
	dns64-server <replaceable>string</replaceable>;
	dnssec-accept-expired <replaceable>boolean</replaceable>;
	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
	dnssec-enable <replaceable>boolean</replaceable>;
	dnssec-loadkeys-interval <replaceable>integer</replaceable>;
	dnssec-lookaside ( <replaceable>string</replaceable> trust-anchor
	    <replaceable>string</replaceable> | auto | no );
	dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
	dnssec-update-mode ( maintain | no-resign );
	dnssec-validation ( yes | no | auto );
	dnstap { ( all | auth | client | forwarder |
	    resolver ) <optional> ( query | response ) </optional>; ... };
	dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>quoted_string</replaceable> <optional> port
	    <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> | <replaceable>ipv4_address</replaceable> <optional> port
	    <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional> port
	    <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> ); ... };
	dyndb <replaceable>string</replaceable> <replaceable>quoted_string</replaceable> {
	    <replaceable>unspecified-text</replaceable> };
	edns-udp-size <replaceable>integer</replaceable>;
	empty-contact <replaceable>string</replaceable>;
	empty-server <replaceable>string</replaceable>;
	empty-zones-enable <replaceable>boolean</replaceable>;
	fetch-quota-params <replaceable>integer</replaceable> <replaceable>fixedpoint</replaceable> <replaceable>fixedpoint</replaceable> <replaceable>fixedpoint</replaceable>;
	fetches-per-server <replaceable>integer</replaceable> <optional> ( drop | fail ) </optional>;
	fetches-per-zone <replaceable>integer</replaceable> <optional> ( drop | fail ) </optional>;
	filter-aaaa { <replaceable>address_match_element</replaceable>; ... };
	filter-aaaa-on-v4 ( break-dnssec | <replaceable>boolean</replaceable> );
	filter-aaaa-on-v6 ( break-dnssec | <replaceable>boolean</replaceable> );
	forward ( first | only );
	forwarders <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable>
	    | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional>; ... };
	inline-signing <replaceable>boolean</replaceable>;
	ixfr-from-differences ( master | slave | <replaceable>boolean</replaceable> );
	key <replaceable>string</replaceable> {
		algorithm <replaceable>string</replaceable>;
		secret <replaceable>string</replaceable>;
	};
	key-directory <replaceable>quoted_string</replaceable>;
	lame-ttl <replaceable>ttlval</replaceable>;
	managed-keys { <replaceable>string</replaceable> <replaceable>string</replaceable>
	    <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable>
	    <replaceable>quoted_string</replaceable>; ... };
	masterfile-format ( map | raw | text );
	masterfile-style ( full | relative );
	match-clients { <replaceable>address_match_element</replaceable>; ... };
	match-destinations { <replaceable>address_match_element</replaceable>; ... };
	match-recursive-only <replaceable>boolean</replaceable>;
	max-acache-size ( unlimited | <replaceable>sizeval</replaceable> );
	max-cache-size ( default | unlimited | <replaceable>sizeval</replaceable> | <replaceable>percentage</replaceable> );
	max-cache-ttl <replaceable>integer</replaceable>;
	max-clients-per-query <replaceable>integer</replaceable>;
	max-journal-size ( unlimited | <replaceable>sizeval</replaceable> );
	max-ncache-ttl <replaceable>integer</replaceable>;
	max-records <replaceable>integer</replaceable>;
	max-recursion-depth <replaceable>integer</replaceable>;
	max-recursion-queries <replaceable>integer</replaceable>;
	max-refresh-time <replaceable>integer</replaceable>;
	max-retry-time <replaceable>integer</replaceable>;
	max-transfer-idle-in <replaceable>integer</replaceable>;
	max-transfer-idle-out <replaceable>integer</replaceable>;
	max-transfer-time-in <replaceable>integer</replaceable>;
	max-transfer-time-out <replaceable>integer</replaceable>;
	max-udp-size <replaceable>integer</replaceable>;
	max-zone-ttl ( unlimited | <replaceable>ttlval</replaceable> );
	message-compression <replaceable>boolean</replaceable>;
	min-refresh-time <replaceable>integer</replaceable>;
	min-retry-time <replaceable>integer</replaceable>;
	minimal-any <replaceable>boolean</replaceable>;
	minimal-responses ( no-auth | no-auth-recursive | <replaceable>boolean</replaceable> );
	multi-master <replaceable>boolean</replaceable>;
	no-case-compress { <replaceable>address_match_element</replaceable>; ... };
	nocookie-udp-size <replaceable>integer</replaceable>;
	notify ( explicit | master-only | <replaceable>boolean</replaceable> );
	notify-delay <replaceable>integer</replaceable>;
	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> <optional>
	    dscp <replaceable>integer</replaceable> </optional>;
	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>
	    <optional> dscp <replaceable>integer</replaceable> </optional>;
	notify-to-soa <replaceable>boolean</replaceable>;
	nsec3-test-zone <replaceable>boolean</replaceable>; // test only
	nta-lifetime <replaceable>ttlval</replaceable>;
	nta-recheck <replaceable>ttlval</replaceable>;
	nxdomain-redirect <replaceable>string</replaceable>;
	preferred-glue <replaceable>string</replaceable>;
	prefetch <replaceable>integer</replaceable> <optional> <replaceable>integer</replaceable> </optional>;
	provide-ixfr <replaceable>boolean</replaceable>;
	query-source ( ( <optional> address </optional> ( <replaceable>ipv4_address</replaceable> | * ) <optional> port (
	    <replaceable>integer</replaceable> | * ) </optional> ) | ( <optional> <optional> address </optional> ( <replaceable>ipv4_address</replaceable> | * ) </optional>
	    port ( <replaceable>integer</replaceable> | * ) ) ) <optional> dscp <replaceable>integer</replaceable> </optional>;
	query-source-v6 ( ( <optional> address </optional> ( <replaceable>ipv6_address</replaceable> | * ) <optional> port (
	    <replaceable>integer</replaceable> | * ) </optional> ) | ( <optional> <optional> address </optional> ( <replaceable>ipv6_address</replaceable> | * ) </optional>
	    port ( <replaceable>integer</replaceable> | * ) ) ) <optional> dscp <replaceable>integer</replaceable> </optional>;
	rate-limit {
		all-per-second <replaceable>integer</replaceable>;
		errors-per-second <replaceable>integer</replaceable>;
		exempt-clients { <replaceable>address_match_element</replaceable>; ... };
		ipv4-prefix-length <replaceable>integer</replaceable>;
		ipv6-prefix-length <replaceable>integer</replaceable>;
		log-only <replaceable>boolean</replaceable>;
		max-table-size <replaceable>integer</replaceable>;
		min-table-size <replaceable>integer</replaceable>;
		nodata-per-second <replaceable>integer</replaceable>;
		nxdomains-per-second <replaceable>integer</replaceable>;
		qps-scale <replaceable>integer</replaceable>;
		referrals-per-second <replaceable>integer</replaceable>;
		responses-per-second <replaceable>integer</replaceable>;
		slip <replaceable>integer</replaceable>;
		window <replaceable>integer</replaceable>;
	};
	recursion <replaceable>boolean</replaceable>;
	request-expire <replaceable>boolean</replaceable>;
	request-ixfr <replaceable>boolean</replaceable>;
	request-nsid <replaceable>boolean</replaceable>;
	require-server-cookie <replaceable>boolean</replaceable>;
	resolver-query-timeout <replaceable>integer</replaceable>;
	response-padding { <replaceable>address_match_element</replaceable>; ... } block-size
	    <replaceable>integer</replaceable>;
	response-policy { zone <replaceable>quoted_string</replaceable> <optional> log <replaceable>boolean</replaceable> </optional> <optional>
	    max-policy-ttl <replaceable>integer</replaceable> </optional> <optional> min-update-interval <replaceable>integer</replaceable> </optional> <optional>
	    policy ( cname | disabled | drop | given | no-op | nodata |
	    nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) </optional> <optional>
	    recursive-only <replaceable>boolean</replaceable> </optional>; ... } <optional> break-dnssec <replaceable>boolean</replaceable> </optional> <optional>
	    max-policy-ttl <replaceable>integer</replaceable> </optional> <optional> min-update-interval <replaceable>integer</replaceable> </optional> <optional>
	    min-ns-dots <replaceable>integer</replaceable> </optional> <optional> nsip-wait-recurse <replaceable>boolean</replaceable> </optional> <optional>
	    qname-wait-recurse <replaceable>boolean</replaceable> </optional> <optional> recursive-only <replaceable>boolean</replaceable> </optional>;
	root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
	rrset-order { <optional> class <replaceable>string</replaceable> </optional> <optional> type <replaceable>string</replaceable> </optional> <optional> name
	    <replaceable>quoted_string</replaceable> </optional> <replaceable>string</replaceable> <replaceable>string</replaceable>; ... };
	send-cookie <replaceable>boolean</replaceable>;
	serial-update-method ( date | increment | unixtime );
	server <replaceable>netprefix</replaceable> {
		bogus <replaceable>boolean</replaceable>;
		edns <replaceable>boolean</replaceable>;
		edns-udp-size <replaceable>integer</replaceable>;
		edns-version <replaceable>integer</replaceable>;
		keys <replaceable>server_key</replaceable>;
		max-udp-size <replaceable>integer</replaceable>;
		notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | *
		    ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
		notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable>
		    | * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
		padding <replaceable>integer</replaceable>;
		provide-ixfr <replaceable>boolean</replaceable>;
		query-source ( ( <optional> address </optional> ( <replaceable>ipv4_address</replaceable> | * ) <optional> port
		    ( <replaceable>integer</replaceable> | * ) </optional> ) | ( <optional> <optional> address </optional> (
		    <replaceable>ipv4_address</replaceable> | * ) </optional> port ( <replaceable>integer</replaceable> | * ) ) ) <optional>
		    dscp <replaceable>integer</replaceable> </optional>;
		query-source-v6 ( ( <optional> address </optional> ( <replaceable>ipv6_address</replaceable> | * ) <optional>
		    port ( <replaceable>integer</replaceable> | * ) </optional> ) | ( <optional> <optional> address </optional> (
		    <replaceable>ipv6_address</replaceable> | * ) </optional> port ( <replaceable>integer</replaceable> | * ) ) ) <optional>
		    dscp <replaceable>integer</replaceable> </optional>;
		request-expire <replaceable>boolean</replaceable>;
		request-ixfr <replaceable>boolean</replaceable>;
		request-nsid <replaceable>boolean</replaceable>;
		send-cookie <replaceable>boolean</replaceable>;
		tcp-keepalive <replaceable>boolean</replaceable>;
		tcp-only <replaceable>boolean</replaceable>;
		transfer-format ( many-answers | one-answer );
		transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> |
		    * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
		transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port (
		    <replaceable>integer</replaceable> | * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
		transfers <replaceable>integer</replaceable>;
	};
	servfail-ttl <replaceable>ttlval</replaceable>;
	sig-signing-nodes <replaceable>integer</replaceable>;
	sig-signing-signatures <replaceable>integer</replaceable>;
	sig-signing-type <replaceable>integer</replaceable>;
	sig-validity-interval <replaceable>integer</replaceable> <optional> <replaceable>integer</replaceable> </optional>;
	sortlist { <replaceable>address_match_element</replaceable>; ... };
	transfer-format ( many-answers | one-answer );
	transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> <optional>
	    dscp <replaceable>integer</replaceable> </optional>;
	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * )
	    </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
	trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental
	trusted-keys { <replaceable>string</replaceable> <replaceable>integer</replaceable>
	    <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>;
	    ... };
	try-tcp-refresh <replaceable>boolean</replaceable>;
	update-check-ksk <replaceable>boolean</replaceable>;
	use-alt-transfer-source <replaceable>boolean</replaceable>;
	v6-bias <replaceable>integer</replaceable>;
	zero-no-soa-ttl <replaceable>boolean</replaceable>;
	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
	zone <replaceable>string</replaceable> <optional> <replaceable>class</replaceable> </optional> {
		allow-notify { <replaceable>address_match_element</replaceable>; ... };
		allow-query { <replaceable>address_match_element</replaceable>; ... };
		allow-query-on { <replaceable>address_match_element</replaceable>; ... };
		allow-transfer { <replaceable>address_match_element</replaceable>; ... };
		allow-update { <replaceable>address_match_element</replaceable>; ... };
		allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
		also-notify <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { (
		    <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> |
		    <replaceable>ipv6_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>;
		    ... };
		alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port (
		    <replaceable>integer</replaceable> | * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
		alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port (
		    <replaceable>integer</replaceable> | * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
		auto-dnssec ( allow | maintain | off );
		check-dup-records ( fail | warn | ignore );
		check-integrity <replaceable>boolean</replaceable>;
		check-mx ( fail | warn | ignore );
		check-mx-cname ( fail | warn | ignore );
		check-names ( fail | warn | ignore );
		check-sibling <replaceable>boolean</replaceable>;
		check-spf ( warn | ignore );
		check-srv-cname ( fail | warn | ignore );
		check-wildcard <replaceable>boolean</replaceable>;
		database <replaceable>string</replaceable>;
		delegation-only <replaceable>boolean</replaceable>;
		dialup ( notify | notify-passive | passive | refresh |
		    <replaceable>boolean</replaceable> );
		dlz <replaceable>string</replaceable>;
		dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
		dnssec-loadkeys-interval <replaceable>integer</replaceable>;
		dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
		dnssec-update-mode ( maintain | no-resign );
		file <replaceable>quoted_string</replaceable>;
		forward ( first | only );
		forwarders <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { (
		    <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional> <optional>
		    dscp <replaceable>integer</replaceable> </optional>; ... };
		in-view <replaceable>string</replaceable>;
		inline-signing <replaceable>boolean</replaceable>;
		ixfr-from-differences <replaceable>boolean</replaceable>;
		journal <replaceable>quoted_string</replaceable>;
		key-directory <replaceable>quoted_string</replaceable>;
		masterfile-format ( map | raw | text );
		masterfile-style ( full | relative );
		masters <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>masters</replaceable>
		    | <replaceable>ipv4_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional>
		    port <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>; ... };
		max-ixfr-log-size ( default | unlimited |
		    <replaceable>sizeval</replaceable> ); // obsolete
		max-journal-size ( unlimited | <replaceable>sizeval</replaceable> );
		max-records <replaceable>integer</replaceable>;
		max-refresh-time <replaceable>integer</replaceable>;
		max-retry-time <replaceable>integer</replaceable>;
		max-transfer-idle-in <replaceable>integer</replaceable>;
		max-transfer-idle-out <replaceable>integer</replaceable>;
		max-transfer-time-in <replaceable>integer</replaceable>;
		max-transfer-time-out <replaceable>integer</replaceable>;
		max-zone-ttl ( unlimited | <replaceable>ttlval</replaceable> );
		min-refresh-time <replaceable>integer</replaceable>;
		min-retry-time <replaceable>integer</replaceable>;
		multi-master <replaceable>boolean</replaceable>;
		notify ( explicit | master-only | <replaceable>boolean</replaceable> );
		notify-delay <replaceable>integer</replaceable>;
		notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | *
		    ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
		notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable>
		    | * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
		notify-to-soa <replaceable>boolean</replaceable>;
		nsec3-test-zone <replaceable>boolean</replaceable>; // test only
		pubkey <replaceable>integer</replaceable>
		    <replaceable>integer</replaceable>
		    <replaceable>integer</replaceable>
		    <replaceable>quoted_string</replaceable>; // obsolete
		request-expire <replaceable>boolean</replaceable>;
		request-ixfr <replaceable>boolean</replaceable>;
		serial-update-method ( date | increment | unixtime );
		server-addresses { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional>
		    port <replaceable>integer</replaceable> </optional>; ... };
		server-names { <replaceable>quoted_string</replaceable>; ... };
		sig-signing-nodes <replaceable>integer</replaceable>;
		sig-signing-signatures <replaceable>integer</replaceable>;
		sig-signing-type <replaceable>integer</replaceable>;
		sig-validity-interval <replaceable>integer</replaceable> <optional> <replaceable>integer</replaceable> </optional>;
		transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> |
		    * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
		transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port (
		    <replaceable>integer</replaceable> | * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
		try-tcp-refresh <replaceable>boolean</replaceable>;
		type ( delegation-only | forward | hint | master | redirect
		    | slave | static-stub | stub );
		update-check-ksk <replaceable>boolean</replaceable>;
		update-policy ( local | { ( deny | grant ) <replaceable>string</replaceable> (
		    6to4-self | external | krb5-self | krb5-subdomain |
		    ms-self | ms-subdomain | name | self | selfsub |
		    selfwild | subdomain | tcp-self | wildcard | zonesub )
		    <optional> <replaceable>string</replaceable> </optional> <replaceable>rrtypelist</replaceable>; ... };
		use-alt-transfer-source <replaceable>boolean</replaceable>;
		zero-no-soa-ttl <replaceable>boolean</replaceable>;
		zone-statistics ( full | terse | none | <replaceable>boolean</replaceable> );
	};
	zone-statistics ( full | terse | none | <replaceable>boolean</replaceable> );
};
</literallayout>
  </refsection>

  <refsection><info><title>ZONE</title></info>

    <literallayout class="normal">
zone <replaceable>string</replaceable> <optional> <replaceable>class</replaceable> </optional> {
	allow-notify { <replaceable>address_match_element</replaceable>; ... };
	allow-query { <replaceable>address_match_element</replaceable>; ... };
	allow-query-on { <replaceable>address_match_element</replaceable>; ... };
	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
	allow-update { <replaceable>address_match_element</replaceable>; ... };
	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
	also-notify <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>masters</replaceable> |
	    <replaceable>ipv4_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional> port
	    <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>; ... };
	alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * )
	    </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
	alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> |
	    * ) </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
	auto-dnssec ( allow | maintain | off );
	check-dup-records ( fail | warn | ignore );
	check-integrity <replaceable>boolean</replaceable>;
	check-mx ( fail | warn | ignore );
	check-mx-cname ( fail | warn | ignore );
	check-names ( fail | warn | ignore );
	check-sibling <replaceable>boolean</replaceable>;
	check-spf ( warn | ignore );
	check-srv-cname ( fail | warn | ignore );
	check-wildcard <replaceable>boolean</replaceable>;
	database <replaceable>string</replaceable>;
	delegation-only <replaceable>boolean</replaceable>;
	dialup ( notify | notify-passive | passive | refresh | <replaceable>boolean</replaceable> );
	dlz <replaceable>string</replaceable>;
	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
	dnssec-loadkeys-interval <replaceable>integer</replaceable>;
	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
	dnssec-update-mode ( maintain | no-resign );
	file <replaceable>quoted_string</replaceable>;
	forward ( first | only );
	forwarders <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable>
	    | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional>; ... };
	in-view <replaceable>string</replaceable>;
	inline-signing <replaceable>boolean</replaceable>;
	ixfr-from-differences <replaceable>boolean</replaceable>;
	journal <replaceable>quoted_string</replaceable>;
	key-directory <replaceable>quoted_string</replaceable>;
	masterfile-format ( map | raw | text );
	masterfile-style ( full | relative );
	masters <optional> port <replaceable>integer</replaceable> </optional> <optional> dscp <replaceable>integer</replaceable> </optional> { ( <replaceable>masters</replaceable> |
	    <replaceable>ipv4_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> | <replaceable>ipv6_address</replaceable> <optional> port
	    <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>; ... };
	max-journal-size ( unlimited | <replaceable>sizeval</replaceable> );
	max-records <replaceable>integer</replaceable>;
	max-refresh-time <replaceable>integer</replaceable>;
	max-retry-time <replaceable>integer</replaceable>;
	max-transfer-idle-in <replaceable>integer</replaceable>;
	max-transfer-idle-out <replaceable>integer</replaceable>;
	max-transfer-time-in <replaceable>integer</replaceable>;
	max-transfer-time-out <replaceable>integer</replaceable>;
	max-zone-ttl ( unlimited | <replaceable>ttlval</replaceable> );
	min-refresh-time <replaceable>integer</replaceable>;
	min-retry-time <replaceable>integer</replaceable>;
	multi-master <replaceable>boolean</replaceable>;
	notify ( explicit | master-only | <replaceable>boolean</replaceable> );
	notify-delay <replaceable>integer</replaceable>;
	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> <optional>
	    dscp <replaceable>integer</replaceable> </optional>;
	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>
	    <optional> dscp <replaceable>integer</replaceable> </optional>;
	notify-to-soa <replaceable>boolean</replaceable>;
	nsec3-test-zone <replaceable>boolean</replaceable>; // test only
	pubkey <replaceable>integer</replaceable> <replaceable>integer</replaceable>
	request-expire <replaceable>boolean</replaceable>;
	request-ixfr <replaceable>boolean</replaceable>;
	serial-update-method ( date | increment | unixtime );
	server-addresses { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port
	    <replaceable>integer</replaceable> </optional>; ... };
	server-names { <replaceable>quoted_string</replaceable>; ... };
	sig-signing-nodes <replaceable>integer</replaceable>;
	sig-signing-signatures <replaceable>integer</replaceable>;
	sig-signing-type <replaceable>integer</replaceable>;
	sig-validity-interval <replaceable>integer</replaceable> <optional> <replaceable>integer</replaceable> </optional>;
	transfer-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional> <optional>
	    dscp <replaceable>integer</replaceable> </optional>;
	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * )
	    </optional> <optional> dscp <replaceable>integer</replaceable> </optional>;
	try-tcp-refresh <replaceable>boolean</replaceable>;
	type ( delegation-only | forward | hint | master | redirect | slave
	    | static-stub | stub );
	update-check-ksk <replaceable>boolean</replaceable>;
	update-policy ( local | { ( deny | grant ) <replaceable>string</replaceable> ( 6to4-self |
	    external | krb5-self | krb5-subdomain | ms-self | ms-subdomain
	    | name | self | selfsub | selfwild | subdomain | tcp-self |
	    wildcard | zonesub ) <optional> <replaceable>string</replaceable> </optional> <replaceable>rrtypelist</replaceable>; ... };
	use-alt-transfer-source <replaceable>boolean</replaceable>;
	zero-no-soa-ttl <replaceable>boolean</replaceable>;
	zone-statistics ( full | terse | none | <replaceable>boolean</replaceable> );
};
</literallayout>
  </refsection>

  <refsection><info><title>FILES</title></info>

    <para><filename>/etc/named.conf</filename>
    </para>
  </refsection>

  <refsection><info><title>SEE ALSO</title></info>

    <para><citerefentry>
	<refentrytitle>ddns-confgen</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
    </para>
  </refsection>

</refentry>