/*
 * Copyright (C) 2004, 2007, 2011, 2015  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2001  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */

/* $Id: named.conf,v 1.60 2011/03/03 23:47:31 tbox Exp $ */

/*
 * This is a worthless, nonrunnable example of a named.conf file that has
 * every conceivable syntax element in use.  We use it to test the parser.
 * It could also be used as a conceptual template for users of new features.
 */

/*
 * C-style comments are OK
 */

// So are C++-style comments

# So are shell-style comments

// watch out for ";" -- it's important!

options {
	additional-from-auth true;
	additional-from-cache false;

	version "my version string";
	random-device "/dev/random";
	directory "/tmp";

	port 666;

	sig-validity-interval 33;

# Obsolete
	named-xfer "/usr/libexec/named-xfer";	// _PATH_XFER

	dump-file "named_dump.db";  	// _PATH_DUMPFILE
	pid-file "/var/run/named.pid";  // _PATH_PIDFILE
	statistics-file "named.stats";  // _PATH_STATS
	memstatistics-file "named.memstats";	// _PATH_MEMSTATS

	max-cache-ttl 999;
	auth-nxdomain yes;		// always set AA on NXDOMAIN.
					// don't set this to 'no' unless
					// you know what you're doing -- older
					// servers won't like it.

# Obsolete
	deallocate-on-exit no;

	dialup yes;

# Obsolete
	fake-iquery no;

	fetch-glue yes;
	has-old-clients yes;
	host-statistics no;

# Obsolete
	multiple-cnames no;		// if yes, then a name may have more
					// than one CNAME RR.  This use
					// is non-standard and is not
					// recommended, but it is available
					// because previous releases supported
					// it and it was used by large sites
					// for load balancing.

	notify yes;			// send NOTIFY messages.  You can set
					// notify on a zone-by-zone
					// basis in the "zone" statement
					// (see below)
	recursion yes;
	rfc2308-type1	no;

# Obsolete
	use-id-pool yes;

# Obsolete
	treat-cr-as-space yes;

	also-notify { 10.0.2.3; };

	// The "forward" option is only meaningful if you've defined
	// forwarders.  "first" gives the normal BIND
	// forwarding behavior, i.e. ask the forwarders first, and if that
	// doesn't work then do the full lookup.  You can also say
	// "forward only;" which is what used to be specified with
	// "slave" or "options forward-only".  "only" will never attempt
	// a full lookup; only the forwarders will be used.
	forward first;
	forwarders {
		1.2.3.4;
		5.6.7.8;
	};

	check-names master fail;
	check-names slave warn;
	check-names response ignore;

	allow-query { any; };
	allow-transfer { any; };
	allow-recursion { !any; };
	blackhole { 45/24; };
	keep-response-order { 46/24; };

	listen-on {
		10/24;
		10.0.0.3;
	};

	listen-on port 53 { any; };

	listen-on { 5.6.7.8; };

	listen-on port 1234 {
		!1.2.3.4;
		1.2.3/24;
	};

	listen-on-v6 {
		1:1:1:1:1:1:1:1;
	};

	listen-on-v6 port 777 {
		2:2:2:2:2:2:2:2;
	};

	query-source-v6 address 8:7:6:5:4:3:2:1 port *;
	query-source port * address 10.0.0.54  ;

	lame-ttl 444;

	max-transfer-time-in 300;
	max-transfer-time-out 10;
	max-transfer-idle-in 100;
	max-transfer-idle-out 11;

	max-retry-time 1234;
	min-retry-time 1111;
	max-refresh-time 888;
	min-refresh-time 777;

	max-ncache-ttl 333;
	min-roots 15;
	serial-queries 34;

	transfer-format one-answer;

	transfers-in 10;
	transfers-per-ns 2;
	transfers-out 0;

	transfer-source 10.0.0.5;
	transfer-source-v6 4:3:2:1:5:6:7:8;

	request-ixfr yes;
	provide-ixfr yes;

# Now called 'provide-ixfr'
#    maintain-ixfr-base no;   // If yes, keep transaction log file for IXFR

	max-ixfr-log-size 20m;
	coresize 100;
	datasize 101;
	files 230;
	max-cache-size 1m;
	stacksize 231;
	cleaning-interval 1000;
	heartbeat-interval 1001;
	interface-interval 1002;
	statistics-interval 1003;

	topology {
		10/8;

		!1.2.3/24;

		{ 1.2/16; 3/8; };


	};

	sortlist { 10/8; 11/8; };

	tkey-domain	"foo.com";
	tkey-dhkey	"xyz" 666 ;

	rrset-order {
		class IN type A name "foo" order random;
		order cyclic;
	};
};

/*
 * Control listeners, for "ndc".  Every nameserver needs at least one.
 */
controls {
	// 'inet' lines without a 'port' default to 'port 953'
	// 'keys' must be used and the list must have at least one entry
	inet * port 52 allow { any; } keys { "key2"; };
	unix "/var/run/ndc" perm 0600 owner 0 group 0;	// ignored by named.
	inet 10.0.0.1 allow { any; key foo; } keys { "key4";};
	inet 10.0.0.2 allow { none; } keys { "key-1"; "key-2"; };
	inet 10.0.0.2 allow { none; };
};

zone "master.demo.zone" {
	type master;			// what used to be called "primary"
	database "somedb -option1 -option2 arg1 arg2 arg3";
	file "master.demo.zone";
	check-names fail;
	allow-update { none; };
	allow-update-forwarding { 10.0.0.5; !any; };
	allow-transfer { any; };
	allow-query { any; };
	sig-validity-interval 990;
	notify explicit;
	also-notify {  1.0.0.1; };	// don't notify any nameservers other
					// than those on the NS list for this
					// zone
	forward first;
	forwarders { 10.0.0.3; 1:2:3:4:5:6:7:8; };
};

zone "slave.demo.zone" {
	type slave;			// what used to be called "secondary"
	file "slave.demo.zone";
	ixfr-base  "slave.demo.zone.ixfr";  // File name for IXFR transaction log file
	masters {
		1.2.3.4 port 10 key "foo"; // where to zone transfer from
		5.6.7.8;
		6.7.8.9 key "zippo";
	};
	transfer-source 10.0.0.53;	// fixes multihoming problems
	check-names warn;
	allow-update { none; };
	allow-transfer { any; };
	allow-update-forwarding { any; };
	allow-query { any; };
	max-transfer-time-in 120;	// if not set, global option is used.
	max-transfer-time-out 1;	// if not set, global option is used.
	max-transfer-idle-in 2;	// if not set, global option is used.
	max-transfer-idle-out 3;	// if not set, global option is used.
	also-notify { 1.0.0.2; };
	forward only;
	forwarders { 10.45.45.45; 10.0.0.3; 1:2:3:4:5:6:7:8; };
};

key "non-viewkey" { secret "YWFh" ; algorithm "zzz" ; };

view "test-view" in {
	key "viewkey" { algorithm "xxx" ; secret "eXl5" ; };
	also-notify { 10.2.2.3; };
	trusted-keys {
		foo.com. 4 3 2 "abdefghijklmnopqrstuvwxyz";
	};
	sig-validity-interval 45;
	max-cache-size 100000;
	allow-query { 10.0.0.30;};
	additional-from-cache false;
	additional-from-auth no;
	match-clients { 10.0.0.1 ; };
	check-names master warn;
	check-names slave ignore;
	check-names response fail;
	auth-nxdomain false;
	recursion true;
	provide-ixfr false;
	request-ixfr true;
	fetch-glue true;
	notify false;
	rfc2308-type1 false;
	transfer-source 10.0.0.55;
	transfer-source-v6 4:3:8:1:5:6:7:8;
	query-source port * address 10.0.0.54  ;
	query-source-v6 address 6:6:6:6:6:6:6:6 port *;
	max-transfer-time-out 45;
	max-transfer-idle-out 55;
	cleaning-interval 100;
	min-roots 3;
	lame-ttl 477;
	max-ncache-ttl 333;
	max-cache-ttl 777;
	transfer-format many-answers;
	max-retry-time 7;
	min-retry-time 4;
	max-refresh-time 999;
	min-refresh-time 111;

	zone "view-zone.com" {
		type master;
		allow-update-forwarding { 10.0.0.34;};
		file "view-zone-master";
	};

	server 5.6.7.8 {
		keys "viewkey";
	};

	server 10.9.8.7 {
		keys "non-viewkey";
	};
	dialup yes;
};


zone "stub.demo.zone" {
	type stub;			// stub zones are like slave zones,
					// except that only the NS records
					// are transferred.
	dialup yes;
	file "stub.demo.zone";
	masters {
		1.2.3.4 ;		// where to zone transfer from
		5.6.7.8 port 999;
	};
	check-names warn;
	allow-update { none; };
	allow-transfer { any; };
	allow-query { any; };

	max-retry-time 10;
	min-retry-time 11;
	max-refresh-time 12;
	min-refresh-time 13;

	max-transfer-time-in 120;	// if not set, global option is used.
	pubkey 257 255 1 "a useless key";
	pubkey 257 255 1 "another useless key";
};

zone "." {
	type hint;			// used to be specified w/ "cache"
	file "cache.db";
//	pubkey 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
};

trusted-keys {
	"." 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
};


acl can_query { !1.2.3/24; any; };	// network 1.2.3.0 mask 255.255.255.0
					// is disallowed; rest are OK
acl can_axfr { 1.2.3.4; can_query; };	// host 1.2.3.4 and any host allowed
					// by can_query are OK

zone "disabled-zone.com" {
	type master;
	file "bar";

	max-retry-time 100;
	min-retry-time 110;
	max-refresh-time 120;
	min-refresh-time 130;
};

zone "non-default-acl.demo.zone" {
	type master;
	file "foo";
	allow-query { can_query; };
	allow-transfer { can_axfr; };
	allow-update {
		1.2.3.4;
		5.6.7.8;
	};
	pubkey 666 665 664 "key of the beast";
	// Errors trapped by parser:
	//	identity or name not absolute
	//	'wildcard' match type and no wildcard character in name
	//
	// issues:
	//	- certain rdatatype values (such as "key") are config file keywords and
	// 	  must be quoted or a syntax error will occur.
	//

	update-policy {
		grant root.domain. subdomain host.domain. A MX CNAME;
		grant sub.root.domain. wildcard *.host.domain. A;
		grant root.domain. name host.domain. a ns md mf cname soa mb mg
			mr "null" wks ptr hinfo minfo mx txt rp afsdb x25
			isdn rt nsap sig "key" px gpos aaaa loc nxt srv naptr kx
			cert a6 dname opt unspec uri tkey tsig ;
		grant foo.bar.com. self foo.bar.com. a;
	};
};

key sample_key {			// for TSIG; supported by parser
	algorithm hmac-md5;		// but not yet implemented in the
	secret "eW91ciBzZWNyZXQgaGVyZQ=="; // rest of the server
};

key key2 {
	algorithm hmac-md5;
	secret "ZXJlaCB0ZXJjZXMgcm91eQ==";
};

acl key_acl { key sample_key; };	// a request signed with sample_key

server 1.2.3.4 {
	request-ixfr no;
	provide-ixfr no;
	bogus no;			// if yes, we won't query or listen
					// to this server
	transfer-format one-answer;	// set transfer format for this
					// server (see the description of
					// 'transfer-format' above)
					// if not specified, the global option
					// will be used
	transfers 0;			// not implemented
	keys { "sample_key" };	// for TSIG; supported by the parser
					// but not yet implemented in the
					// rest of the server
# Now called 'request-ixfr'
#	support-ixfr yes;      // for IXFR supported by server
					// if yes, the listed server talks IXFR
};

logging {
	/*
	 * All log output goes to one or more "channels"; you can make as
	 * many of them as you want.
	 */

	channel syslog_errors {		// this channel will send errors or
		syslog user;		// or worse to syslog (user facility)
		severity error;
	};

	channel stderr_errors {
		stderr;
	};

	/*
	 * Channels have a severity level.  Messages at severity levels
	 * greater than or equal to the channel's level will be logged on
	 * the channel.  In order of decreasing severity, the levels are:
	 *
	 * 	critical		a fatal error
	 *	error
	 *	warning
	 *	notice			a normal, but significant event
	 *	info			an informational message
	 *	debug 1			the least detailed debugging info
	 *	...
	 *	debug 99		the most detailed debugging info
	 */

	/*
	 * Here are the built-in channels:
	 *
	 * 	channel default_syslog {
	 *		syslog daemon;
	 *		severity info;
	 *	};
	 *
	 *	channel default_debug {
	 *		file "named.run";	// note: stderr is used instead
	 *					// of "named.run" if the server
	 *					// is started with the "-f"
	 *					// option.
	 *		severity dynamic;	// this means log debugging
	 *					// at whatever debugging level
	 *					// the server is at, and don't
	 *					// log anything if not
	 *					// debugging.
	 *	};
	 *
	 *	channel null {			// this is the bit bucket;
	 *		file "/dev/null";	// any logging to this channel
	 *					// is discarded.
	 *	};
	 *
	 *	channel default_stderr {	// writes to stderr
	 *		file "<stderr>";	// this is illustrative only;
	 *					// there's currently no way
	 *					// of saying "stderr" in the
	 *					// configuration language.
	 *					// i.e. don't try this at home.
	 *		severity info;
	 *	};
	 *
	 *	default_stderr only works before the server daemonizes (i.e.
	 *	during initial startup) or when it is running in foreground
	 *	mode (-f command line option).
	 */

	/*
	 * There are many categories, so you can send the logs
	 * you want to see wherever you want, without seeing logs you
	 * don't want.  Right now the categories are
	 *
	 *	default			the catch-all.  many things still
	 *				aren't classified into categories, and
	 *				they all end up here.  also, if you
	 *				don't specify any channels for a
	 *				category, the default category is used
	 *				instead.
	 *	config			high-level configuration file
	 *				processing
	 *	parser			low-level configuration file processing
	 *	queries			what used to be called "query logging"
	 *	lame-servers		messages like "Lame server on ..."
	 *	statistics
	 *	panic			if the server has to shut itself
	 *				down due to an internal problem, it
	 *				logs the problem here (as well as
	 *				in the problem's native category)
	 *	update			dynamic update
	 *	ncache			negative caching
	 *	xfer-in			zone transfers we're receiving
	 *	xfer-out		zone transfers we're sending
	 *	db			all database operations
	 *	eventlib		debugging info from the event system
	 *				(see below)
	 *	packet			dumps of packets received and sent
	 *				(see below)
	 *	notify			the NOTIFY protocol
	 *	cname			messages like "XX points to a CNAME"
	 *	security		approved/unapproved requests
	 *	os			operating system problems
	 *	insist			consistency check failures
	 *	maintenance		periodic maintenance
	 *	load			zone loading
	 *	response-checks		messages like
	 *				"Malformed response ..."
	 *				"wrong ans. name ..."
	 *				"unrelated additional info ..."
	 *				"invalid RR type ..."
	 *				"bad referral ..."
	 */

	category parser {
		syslog_errors;		// you can log to as many channels
		default_syslog;		// as you want
	};

	category lame-servers { null; };	// don't log these at all

	channel moderate_debug {
		file "foo";			// foo
		severity debug 3;		// level 3 debugging to file
		print-time yes;			// timestamp log entries
		print-category yes;		// print category name
		print-severity yes;		// print severity level
		/*
		 * Note that debugging must have been turned on either
		 * on the command line or with a signal to get debugging
		 * output (non-debugging output will still be written to
		 * this channel).
		 */
	};

	channel another {
		file "bar" versions 99 size 10M;
		severity info;
	};

	channel third {
		file "bar" size 100000 versions unlimited;
		severity debug; // use default debug level
	};

	/*
	 * If you don't want to see "zone XXXX loaded" messages but do
	 * want to see any problems, you could do the following.
	 */
	channel no_info_messages {
		syslog;
		severity notice;
	};

	category load { no_info_messages; };

	/*
	 * You can also define category "default"; it gets used when no
	 * "category" statement has been given for a category.
	 */
	category default {
		default_syslog;
		moderate_debug;
	};

	/*
	 * If you don't define category default yourself, the default
	 * default category will be used.  It is
	 *
	 * 	category default { default_syslog; default_debug; };
	 */

	/*
	 * If you don't define category panic yourself, the default
	 * panic category will be used.  It is
	 *
	 * 	category panic { default_syslog; default_stderr; };
	 */

	/*
	 * Two categories, 'packet' and 'eventlib', are special.  Only one
	 * channel may be assigned to each of them, and it must be a
	 * file channel.  If you don't define them yourself, they default to
	 *
	 *	category eventlib { default_debug; };
	 *
	 *	category packet { default_debug; };
	 */
};

#include "filename";			// can't do within a statement