<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
	       "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
	       [<!ENTITY mdash "&#8212;">]>
<!--
 - Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->

<refentry>
  <refentryinfo>
    <date>January 08, 2014</date>
  </refentryinfo>

  <refmeta>
    <refentrytitle><filename>named.conf</filename></refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>BIND9</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname><filename>named.conf</filename></refname>
    <refpurpose>configuration file for <command>named</command></refpurpose>
  </refnamediv>

  <docinfo>
    <copyright>
      <year>2004</year>
      <year>2005</year>
      <year>2006</year>
      <year>2007</year>
      <year>2008</year>
      <year>2009</year>
      <year>2010</year>
      <year>2011</year>
      <year>2012</year>
      <year>2013</year>
      <year>2014</year>
      <year>2015</year>
      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
    </copyright>
  </docinfo>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>named.conf</command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>DESCRIPTION</title>
    <para><filename>named.conf</filename> is the configuration file
      for <command>named</command>.  Statements are enclosed
      in braces and terminated with a semicolon.  Clauses in
      the statements are also terminated with a semicolon.  The usual
      comment styles are supported:
    </para>
    <para>
      C style: /* */
    </para>
    <para>
      C++ style: // to end of line
    </para>
    <para>
      Unix style: # to end of line
    </para>
  </refsect1>

  <refsect1>
    <title>ACL</title>
    <literallayout>
acl <replaceable>string</replaceable> { <replaceable>address_match_element</replaceable>; ... };

</literallayout>
  </refsect1>

  <refsect1>
    <title>KEY</title>
    <literallayout>
key <replaceable>domain_name</replaceable> {
	algorithm <replaceable>string</replaceable>;
	secret <replaceable>string</replaceable>;
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>MASTERS</title>
    <literallayout>
masters <replaceable>string</replaceable> <optional> port <replaceable>integer</replaceable> </optional> {
	( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
	<replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ) <optional> key <replaceable>string</replaceable> </optional>; ...
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>SERVER</title>
    <literallayout>
server ( <replaceable>ipv4_address<optional>/prefixlen</optional></replaceable> | <replaceable>ipv6_address<optional>/prefixlen</optional></replaceable> ) {
	bogus <replaceable>boolean</replaceable>;
	edns <replaceable>boolean</replaceable>;
	edns-udp-size <replaceable>integer</replaceable>;
	max-udp-size <replaceable>integer</replaceable>;
	tcp-only <replaceable>boolean</replaceable>;
	provide-ixfr <replaceable>boolean</replaceable>;
	request-ixfr <replaceable>boolean</replaceable>;
	keys <replaceable>server_key</replaceable>;
	transfers <replaceable>integer</replaceable>;
	transfer-format ( many-answers | one-answer );
	transfer-source ( <replaceable>ipv4_address</replaceable> | * )
		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;

	support-ixfr <replaceable>boolean</replaceable>; // obsolete
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>TRUSTED-KEYS</title>
    <literallayout>
trusted-keys {
	<replaceable>domain_name</replaceable> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>MANAGED-KEYS</title>
    <literallayout>
managed-keys {
	<replaceable>domain_name</replaceable> <constant>initial-key</constant> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>CONTROLS</title>
    <literallayout>
controls {
	inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> | * )
		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>
		allow { <replaceable>address_match_element</replaceable>; ... }
		<optional> keys { <replaceable>string</replaceable>; ... } </optional>;
	unix <replaceable>unsupported</replaceable>; // not implemented
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>LOGGING</title>
    <literallayout>
logging {
	channel <replaceable>string</replaceable> {
		file <replaceable>log_file</replaceable>;
		syslog <replaceable>optional_facility</replaceable>;
		null;
		stderr;
		severity <replaceable>log_severity</replaceable>;
		print-time <replaceable>boolean</replaceable>;
		print-severity <replaceable>boolean</replaceable>;
		print-category <replaceable>boolean</replaceable>;
	};
	category <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>LWRES</title>
    <literallayout>
lwres {
	listen-on <optional> port <replaceable>integer</replaceable> </optional> {
		( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
	};
	view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>;
	search { <replaceable>string</replaceable>; ... };
	ndots <replaceable>integer</replaceable>;
	lwres-tasks <replaceable>integer</replaceable>;
	lwres-clients <replaceable>integer</replaceable>;
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>OPTIONS</title>
    <literallayout>
options {
	avoid-v4-udp-ports { <replaceable>port</replaceable>; ... };
	avoid-v6-udp-ports { <replaceable>port</replaceable>; ... };
	blackhole { <replaceable>address_match_element</replaceable>; ... };
	coresize <replaceable>size</replaceable>;
	datasize <replaceable>size</replaceable>;
	directory <replaceable>quoted_string</replaceable>;
	dump-file <replaceable>quoted_string</replaceable>;
	files <replaceable>size</replaceable>;
	heartbeat-interval <replaceable>integer</replaceable>;
	host-statistics <replaceable>boolean</replaceable>; // not implemented
	host-statistics-max <replaceable>number</replaceable>; // not implemented
	hostname ( <replaceable>quoted_string</replaceable> | none );
	interface-interval <replaceable>integer</replaceable>;
	keep-response-order { <replaceable>address_match_element</replaceable>; ... };
	listen-on <optional> port <replaceable>integer</replaceable> </optional> { <replaceable>address_match_element</replaceable>; ... };
	listen-on-v6 <optional> port <replaceable>integer</replaceable> </optional> { <replaceable>address_match_element</replaceable>; ... };
	match-mapped-addresses <replaceable>boolean</replaceable>;
	memstatistics-file <replaceable>quoted_string</replaceable>;
	pid-file ( <replaceable>quoted_string</replaceable> | none );
	port <replaceable>integer</replaceable>;
	querylog <replaceable>boolean</replaceable>;
	recursing-file <replaceable>quoted_string</replaceable>;
	reserved-sockets <replaceable>integer</replaceable>;
	random-device <replaceable>quoted_string</replaceable>;
	recursive-clients <replaceable>integer</replaceable>;
	serial-query-rate <replaceable>integer</replaceable>;
	server-id ( <replaceable>quoted_string</replaceable> | hostname | none );
	stacksize <replaceable>size</replaceable>;
	statistics-file <replaceable>quoted_string</replaceable>;
	statistics-interval <replaceable>integer</replaceable>; // not yet implemented
	tcp-clients <replaceable>integer</replaceable>;
	tcp-listen-queue <replaceable>integer</replaceable>;
	tkey-dhkey <replaceable>quoted_string</replaceable> <replaceable>integer</replaceable>;
	tkey-gssapi-credential <replaceable>quoted_string</replaceable>;
	tkey-gssapi-keytab <replaceable>quoted_string</replaceable>;
	tkey-domain <replaceable>quoted_string</replaceable>;
	transfers-per-ns <replaceable>integer</replaceable>;
	transfers-in <replaceable>integer</replaceable>;
	transfers-out <replaceable>integer</replaceable>;
	use-ixfr <replaceable>boolean</replaceable>;
	version ( <replaceable>quoted_string</replaceable> | none );
	allow-recursion { <replaceable>address_match_element</replaceable>; ... };
	allow-recursion-on { <replaceable>address_match_element</replaceable>; ... };
	sortlist { <replaceable>address_match_element</replaceable>; ... };
	topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
	auth-nxdomain <replaceable>boolean</replaceable>; // default changed
	minimal-responses <replaceable>boolean</replaceable>;
	recursion <replaceable>boolean</replaceable>;
	rrset-order {
		<optional> class <replaceable>string</replaceable> </optional> <optional> type <replaceable>string</replaceable> </optional>
		<optional> name <replaceable>quoted_string</replaceable> </optional> <replaceable>string</replaceable> <replaceable>string</replaceable>; ...
	};
	provide-ixfr <replaceable>boolean</replaceable>;
	request-ixfr <replaceable>boolean</replaceable>;
	rfc2308-type1 <replaceable>boolean</replaceable>; // not yet implemented
	additional-from-auth <replaceable>boolean</replaceable>;
	additional-from-cache <replaceable>boolean</replaceable>;
	query-source ( ( <replaceable>ipv4_address</replaceable> | * ) | <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	query-source-v6 ( ( <replaceable>ipv6_address</replaceable> | * ) | <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	use-queryport-pool <replaceable>boolean</replaceable>;
	queryport-pool-ports <replaceable>integer</replaceable>;
	queryport-pool-updateinterval <replaceable>integer</replaceable>;
	cleaning-interval <replaceable>integer</replaceable>;
	resolver-query-timeout <replaceable>integer</replaceable>;
	min-roots <replaceable>integer</replaceable>; // not implemented
	lame-ttl <replaceable>integer</replaceable>;
	max-ncache-ttl <replaceable>integer</replaceable>;
	max-cache-ttl <replaceable>integer</replaceable>;
	transfer-format ( many-answers | one-answer );
	max-cache-size <replaceable>size</replaceable>;
	max-acache-size <replaceable>size</replaceable>;
	clients-per-query <replaceable>number</replaceable>;
	max-clients-per-query <replaceable>number</replaceable>;
	check-names ( master | slave | response )
		( fail | warn | ignore );
	check-mx ( fail | warn | ignore );
	check-integrity <replaceable>boolean</replaceable>;
	check-mx-cname ( fail | warn | ignore );
	check-srv-cname ( fail | warn | ignore );
	cache-file <replaceable>quoted_string</replaceable>; // test option
	suppress-initial-notify <replaceable>boolean</replaceable>; // not yet implemented
	preferred-glue <replaceable>string</replaceable>;
	dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> {
		( <replaceable>quoted_string</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
		<replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
		<replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ); ...
	};
	edns-udp-size <replaceable>integer</replaceable>;
	max-udp-size <replaceable>integer</replaceable>;
	root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
	disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
	disable-ds-digests <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
	dnssec-enable <replaceable>boolean</replaceable>;
	dnssec-validation <replaceable>boolean</replaceable>;
	dnssec-lookaside ( <replaceable>auto</replaceable> | <replaceable>no</replaceable> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> );
	dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
	dnssec-accept-expired <replaceable>boolean</replaceable>;

	dns64-server <replaceable>string</replaceable>;
	dns64-contact <replaceable>string</replaceable>;
	dns64 <replaceable>prefix</replaceable> {
		clients { <replaceable>acl</replaceable>; };
		exclude { <replaceable>acl</replaceable>; };
		mapped { <replaceable>acl</replaceable>; };
		break-dnssec <replaceable>boolean</replaceable>;
		recursive-only <replaceable>boolean</replaceable>;
		suffix <replaceable>ipv6_address</replaceable>;
	};

	empty-server <replaceable>string</replaceable>;
	empty-contact <replaceable>string</replaceable>;
	empty-zones-enable <replaceable>boolean</replaceable>;
	disable-empty-zone <replaceable>string</replaceable>;

	dialup <replaceable>dialuptype</replaceable>;
	ixfr-from-differences <replaceable>ixfrdiff</replaceable>;

	allow-query { <replaceable>address_match_element</replaceable>; ... };
	allow-query-on { <replaceable>address_match_element</replaceable>; ... };
	allow-query-cache { <replaceable>address_match_element</replaceable>; ... };
	allow-query-cache-on { <replaceable>address_match_element</replaceable>; ... };
	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
	allow-update { <replaceable>address_match_element</replaceable>; ... };
	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
	update-check-ksk <replaceable>boolean</replaceable>;
	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;

	masterfile-format ( text | raw | map );
	notify <replaceable>notifytype</replaceable>;
	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	notify-delay <replaceable>seconds</replaceable>;
	notify-to-soa <replaceable>boolean</replaceable>;
	also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
		<optional> port <replaceable>integer</replaceable> </optional>; ...
		<optional> key <replaceable>keyname</replaceable> </optional> ... };
	allow-notify { <replaceable>address_match_element</replaceable>; ... };

	forward ( first | only );
	forwarders <optional> port <replaceable>integer</replaceable> </optional> {
		( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
	};

	max-journal-size <replaceable>size_no_default</replaceable>;
	max-transfer-time-in <replaceable>integer</replaceable>;
	max-transfer-time-out <replaceable>integer</replaceable>;
	max-transfer-idle-in <replaceable>integer</replaceable>;
	max-transfer-idle-out <replaceable>integer</replaceable>;
	max-retry-time <replaceable>integer</replaceable>;
	min-retry-time <replaceable>integer</replaceable>;
	max-refresh-time <replaceable>integer</replaceable>;
	min-refresh-time <replaceable>integer</replaceable>;
	multi-master <replaceable>boolean</replaceable>;

	sig-validity-interval <replaceable>integer</replaceable>;
	sig-re-signing-interval <replaceable>integer</replaceable>;
	sig-signing-nodes <replaceable>integer</replaceable>;
	sig-signing-signatures <replaceable>integer</replaceable>;
	sig-signing-type <replaceable>integer</replaceable>;

	transfer-source ( <replaceable>ipv4_address</replaceable> | * )
		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;

	alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * )
		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	use-alt-transfer-source <replaceable>boolean</replaceable>;

	zone-statistics <replaceable>boolean</replaceable>;
	key-directory <replaceable>quoted_string</replaceable>;
	managed-keys-directory <replaceable>quoted_string</replaceable>;
	auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>off</constant>;
	try-tcp-refresh <replaceable>boolean</replaceable>;
	zero-no-soa-ttl <replaceable>boolean</replaceable>;
	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;

	cookie-algorithm ( <replaceable>aes</replaceable> | <replaceable>sha1</replaceable> | <replaceable>sha256</replaceable> );
	cookie-secret <replaceable>string</replaceable>;
	require-server-cookie <replaceable>boolean</replaceable>;
	send-cookie <replaceable>boolean</replaceable>;
	nocookie-udp-size <replaceable>integer</replaceable>;

	deny-answer-addresses {
		<replaceable>address_match_list</replaceable>
	} <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
	deny-answer-aliases {
		<replaceable>namelist</replaceable>
	} <optional> except-from { <replaceable>namelist</replaceable> } </optional>;

	nsec3-test-zone <replaceable>boolean</replaceable>;  // testing only

	allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
	deallocate-on-exit <replaceable>boolean</replaceable>; // obsolete
	fake-iquery <replaceable>boolean</replaceable>; // obsolete
	fetch-glue <replaceable>boolean</replaceable>; // obsolete
	has-old-clients <replaceable>boolean</replaceable>; // obsolete
	maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
	max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
	multiple-cnames <replaceable>boolean</replaceable>; // obsolete
	named-xfer <replaceable>quoted_string</replaceable>; // obsolete
	serial-queries <replaceable>integer</replaceable>; // obsolete
	treat-cr-as-space <replaceable>boolean</replaceable>; // obsolete
	use-id-pool <replaceable>boolean</replaceable>; // obsolete
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>VIEW</title>
    <literallayout>
view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
	match-clients { <replaceable>address_match_element</replaceable>; ... };
	match-destinations { <replaceable>address_match_element</replaceable>; ... };
	match-recursive-only <replaceable>boolean</replaceable>;

	key <replaceable>string</replaceable> {
		algorithm <replaceable>string</replaceable>;
		secret <replaceable>string</replaceable>;
	};

	zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
		...
	};

	server ( <replaceable>ipv4_address<optional>/prefixlen</optional></replaceable> | <replaceable>ipv6_address<optional>/prefixlen</optional></replaceable> ) {
		...
	};

	trusted-keys {
		<replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>;
		<optional>...</optional>
	};

	allow-recursion { <replaceable>address_match_element</replaceable>; ... };
	allow-recursion-on { <replaceable>address_match_element</replaceable>; ... };
	sortlist { <replaceable>address_match_element</replaceable>; ... };
	topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
	auth-nxdomain <replaceable>boolean</replaceable>; // default changed
	minimal-responses <replaceable>boolean</replaceable>;
	recursion <replaceable>boolean</replaceable>;
	rrset-order {
		<optional> class <replaceable>string</replaceable> </optional> <optional> type <replaceable>string</replaceable> </optional>
		<optional> name <replaceable>quoted_string</replaceable> </optional> <replaceable>string</replaceable> <replaceable>string</replaceable>; ...
	};
	provide-ixfr <replaceable>boolean</replaceable>;
	request-ixfr <replaceable>boolean</replaceable>;
	rfc2308-type1 <replaceable>boolean</replaceable>; // not yet implemented
	additional-from-auth <replaceable>boolean</replaceable>;
	additional-from-cache <replaceable>boolean</replaceable>;
	query-source ( ( <replaceable>ipv4_address</replaceable> | * ) | <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	query-source-v6 ( ( <replaceable>ipv6_address</replaceable> | * ) | <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	use-queryport-pool <replaceable>boolean</replaceable>;
	queryport-pool-ports <replaceable>integer</replaceable>;
	queryport-pool-updateinterval <replaceable>integer</replaceable>;
	cleaning-interval <replaceable>integer</replaceable>;
	resolver-query-timeout <replaceable>integer</replaceable>;
	min-roots <replaceable>integer</replaceable>; // not implemented
	lame-ttl <replaceable>integer</replaceable>;
	max-ncache-ttl <replaceable>integer</replaceable>;
	max-cache-ttl <replaceable>integer</replaceable>;
	transfer-format ( many-answers | one-answer );
	max-cache-size <replaceable>size</replaceable>;
	max-acache-size <replaceable>size</replaceable>;
	clients-per-query <replaceable>number</replaceable>;
	max-clients-per-query <replaceable>number</replaceable>;
	check-names ( master | slave | response )
		( fail | warn | ignore );
	check-mx ( fail | warn | ignore );
	check-integrity <replaceable>boolean</replaceable>;
	check-mx-cname ( fail | warn | ignore );
	check-srv-cname ( fail | warn | ignore );
	cache-file <replaceable>quoted_string</replaceable>; // test option
	suppress-initial-notify <replaceable>boolean</replaceable>; // not yet implemented
	preferred-glue <replaceable>string</replaceable>;
	dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> {
		( <replaceable>quoted_string</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
		<replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
		<replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ); ...
	};
	edns-udp-size <replaceable>integer</replaceable>;
	max-udp-size <replaceable>integer</replaceable>;
	root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
	disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
	disable-ds-digests <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
	dnssec-enable <replaceable>boolean</replaceable>;
	dnssec-validation <replaceable>boolean</replaceable>;
	dnssec-lookaside ( <replaceable>auto</replaceable> | <replaceable>no</replaceable> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> );
	dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
	dnssec-accept-expired <replaceable>boolean</replaceable>;

	dns64-server <replaceable>string</replaceable>;
	dns64-contact <replaceable>string</replaceable>;
	dns64 <replaceable>prefix</replaceable> {
		clients { <replaceable>acl</replaceable>; };
		exclude { <replaceable>acl</replaceable>; };
		mapped { <replaceable>acl</replaceable>; };
		break-dnssec <replaceable>boolean</replaceable>;
		recursive-only <replaceable>boolean</replaceable>;
		suffix <replaceable>ipv6_address</replaceable>;
	};

	empty-server <replaceable>string</replaceable>;
	empty-contact <replaceable>string</replaceable>;
	empty-zones-enable <replaceable>boolean</replaceable>;
	disable-empty-zone <replaceable>string</replaceable>;

	dialup <replaceable>dialuptype</replaceable>;
	ixfr-from-differences <replaceable>ixfrdiff</replaceable>;

	allow-query { <replaceable>address_match_element</replaceable>; ... };
	allow-query-on { <replaceable>address_match_element</replaceable>; ... };
	allow-query-cache { <replaceable>address_match_element</replaceable>; ... };
	allow-query-cache-on { <replaceable>address_match_element</replaceable>; ... };
	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
	allow-update { <replaceable>address_match_element</replaceable>; ... };
	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
	update-check-ksk <replaceable>boolean</replaceable>;
	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;

	masterfile-format ( text | raw | map );
	notify <replaceable>notifytype</replaceable>;
	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	notify-delay <replaceable>seconds</replaceable>;
	notify-to-soa <replaceable>boolean</replaceable>;
	also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
		<optional> port <replaceable>integer</replaceable> </optional>; ...
		<optional> key <replaceable>keyname</replaceable> </optional> ... };
	allow-notify { <replaceable>address_match_element</replaceable>; ... };

	forward ( first | only );
	forwarders <optional> port <replaceable>integer</replaceable> </optional> {
		( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
	};

	max-journal-size <replaceable>size_no_default</replaceable>;
	max-transfer-time-in <replaceable>integer</replaceable>;
	max-transfer-time-out <replaceable>integer</replaceable>;
	max-transfer-idle-in <replaceable>integer</replaceable>;
	max-transfer-idle-out <replaceable>integer</replaceable>;
	max-retry-time <replaceable>integer</replaceable>;
	min-retry-time <replaceable>integer</replaceable>;
	max-refresh-time <replaceable>integer</replaceable>;
	min-refresh-time <replaceable>integer</replaceable>;
	multi-master <replaceable>boolean</replaceable>;
	sig-validity-interval <replaceable>integer</replaceable>;

	transfer-source ( <replaceable>ipv4_address</replaceable> | * )
		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;

	alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * )
		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	use-alt-transfer-source <replaceable>boolean</replaceable>;

	zone-statistics <replaceable>boolean</replaceable>;
	try-tcp-refresh <replaceable>boolean</replaceable>;
	key-directory <replaceable>quoted_string</replaceable>;
	zero-no-soa-ttl <replaceable>boolean</replaceable>;
	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;

	require-server-cookie <replaceable>boolean</replaceable>;
	send-cookie <replaceable>boolean</replaceable>;
	nocookie-udp-size <replaceable>integer</replaceable>;

	allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
	fetch-glue <replaceable>boolean</replaceable>; // obsolete
	maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
	max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>ZONE</title>
    <literallayout>
zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
	type ( master | slave | stub | hint | redirect |
		forward | delegation-only );
	file <replaceable>quoted_string</replaceable>;

	masters <optional> port <replaceable>integer</replaceable> </optional> {
		( <replaceable>masters</replaceable> |
		<replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
		<replaceable>ipv6_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>; ...
	};

	database <replaceable>string</replaceable>;
	delegation-only <replaceable>boolean</replaceable>;
	check-names ( fail | warn | ignore );
	check-mx ( fail | warn | ignore );
	check-integrity <replaceable>boolean</replaceable>;
	check-mx-cname ( fail | warn | ignore );
	check-srv-cname ( fail | warn | ignore );
	dialup <replaceable>dialuptype</replaceable>;
	ixfr-from-differences <replaceable>boolean</replaceable>;
	journal <replaceable>quoted_string</replaceable>;
	zero-no-soa-ttl <replaceable>boolean</replaceable>;
	dnssec-secure-to-insecure <replaceable>boolean</replaceable>;

	allow-query { <replaceable>address_match_element</replaceable>; ... };
	allow-query-on { <replaceable>address_match_element</replaceable>; ... };
	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
	allow-update { <replaceable>address_match_element</replaceable>; ... };
	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
	update-policy <replaceable>local</replaceable> | <replaceable> {
		( grant | deny ) <replaceable>string</replaceable>
		( name | subdomain | wildcard | self | selfsub | selfwild |
		  krb5-self | ms-self | krb5-subdomain | ms-subdomain |
		  tcp-self | zonesub | 6to4-self ) <replaceable>string</replaceable>
		<replaceable>rrtypelist</replaceable>;
		<optional>...</optional>
	}</replaceable>;
	update-check-ksk <replaceable>boolean</replaceable>;
	dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;

	masterfile-format ( text | raw | map );
	notify <replaceable>notifytype</replaceable>;
	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	notify-delay <replaceable>seconds</replaceable>;
	notify-to-soa <replaceable>boolean</replaceable>;
	also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
		<optional> port <replaceable>integer</replaceable> </optional>; ...
		<optional> key <replaceable>keyname</replaceable> </optional> ... };
	allow-notify { <replaceable>address_match_element</replaceable>; ... };

	forward ( first | only );
	forwarders <optional> port <replaceable>integer</replaceable> </optional> {
		( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
	};

	max-journal-size <replaceable>size_no_default</replaceable>;
	max-transfer-time-in <replaceable>integer</replaceable>;
	max-transfer-time-out <replaceable>integer</replaceable>;
	max-transfer-idle-in <replaceable>integer</replaceable>;
	max-transfer-idle-out <replaceable>integer</replaceable>;
	max-retry-time <replaceable>integer</replaceable>;
	min-retry-time <replaceable>integer</replaceable>;
	max-refresh-time <replaceable>integer</replaceable>;
	min-refresh-time <replaceable>integer</replaceable>;
	multi-master <replaceable>boolean</replaceable>;
	request-ixfr <replaceable>boolean</replaceable>;
	sig-validity-interval <replaceable>integer</replaceable>;

	transfer-source ( <replaceable>ipv4_address</replaceable> | * )
		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;

	alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * )
		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
	use-alt-transfer-source <replaceable>boolean</replaceable>;

	zone-statistics <replaceable>boolean</replaceable>;
	try-tcp-refresh <replaceable>boolean</replaceable>;
	key-directory <replaceable>quoted_string</replaceable>;

	nsec3-test-zone <replaceable>boolean</replaceable>;  // testing only

	ixfr-base <replaceable>quoted_string</replaceable>; // obsolete
	ixfr-tmp-file <replaceable>quoted_string</replaceable>; // obsolete
	maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
	max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
	pubkey <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; // obsolete
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>FILES</title>
    <para><filename>/etc/named.conf</filename>
    </para>
  </refsect1>

  <refsect1>
    <title>SEE ALSO</title>
    <para><citerefentry>
	<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
    </para>
  </refsect1>

</refentry><!--
 - Local variables:
 - mode: sgml
 - End:
-->