NAMED.CONF(5)                       BIND 9                       NAMED.CONF(5)

NAME

       named.conf - configuration file for named

SYNOPSIS

       named.conf

DESCRIPTION

       named.conf is the configuration file for named.

       For complete documentation of the configuration statements, please
       refer to the Configuration Reference section in the BIND 9 Administrator
       Reference Manual.
17
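       Statements are enclosed in braces and terminated with a semicolon.
       Clauses within a statement are also terminated with a semicolon. The
       usual comment styles are supported:

       C style: /* */

       C++ style: // to end of line

       Unix style: # to end of line

       In the grammar below, a trailing // comment is an annotation on the
       clause it follows (for example "may occur multiple times", "deprecated",
       "obsolete", "not configured" or "test only"); it is not part of the
       configuration syntax.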
27
28          acl <string> { <address_match_element>; ... }; // may occur multiple times
29
30          controls {
31               inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
32               unix <quoted_string> perm <integer> owner <integer> group <integer> [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
33          }; // may occur multiple times
34
35          dlz <string> {
36               database <string>;
37               search <boolean>;
38          }; // may occur multiple times
39
40          dnssec-policy <string> {
41               cdnskey <boolean>;
42               cds-digest-types { <string>; ... };
43               dnskey-ttl <duration>;
44               inline-signing <boolean>;
45               keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
46               max-zone-ttl <duration>;
47               nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ];
48               parent-ds-ttl <duration>;
49               parent-propagation-delay <duration>;
50               publish-safety <duration>;
51               purge-keys <duration>;
52               retire-safety <duration>;
53               signatures-refresh <duration>;
54               signatures-validity <duration>;
55               signatures-validity-dnskey <duration>;
56               zone-propagation-delay <duration>;
57          }; // may occur multiple times
58
59          dyndb <string> <quoted_string> { <unspecified-text> }; // may occur multiple times
60
61          http <string> {
62               endpoints { <quoted_string>; ... };
63               listener-clients <integer>;
64               streams-per-connection <integer>;
65          }; // may occur multiple times
66
67          key <string> {
68               algorithm <string>;
69               secret <string>;
70          }; // may occur multiple times
71
72          logging {
73               category <string> { <string>; ... }; // may occur multiple times
74               channel <string> {
75                    buffered <boolean>;
76                    file <quoted_string> [ versions ( unlimited | <integer> ) ] [ size <size> ] [ suffix ( increment | timestamp ) ];
77                    null;
78                    print-category <boolean>;
79                    print-severity <boolean>;
80                    print-time ( iso8601 | iso8601-utc | local | <boolean> );
81                    severity <log_severity>;
82                    stderr;
83                    syslog [ <syslog_facility> ];
84               }; // may occur multiple times
85          };
86
87          managed-keys { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
88
89          options {
90               allow-new-zones <boolean>;
91               allow-notify { <address_match_element>; ... };
92               allow-query { <address_match_element>; ... };
93               allow-query-cache { <address_match_element>; ... };
94               allow-query-cache-on { <address_match_element>; ... };
95               allow-query-on { <address_match_element>; ... };
96               allow-recursion { <address_match_element>; ... };
97               allow-recursion-on { <address_match_element>; ... };
98               allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
99               allow-update { <address_match_element>; ... };
100               allow-update-forwarding { <address_match_element>; ... };
101               also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
102               answer-cookie <boolean>;
103               attach-cache <string>;
104               auth-nxdomain <boolean>;
105               automatic-interface-scan <boolean>;
106               avoid-v4-udp-ports { <portrange>; ... }; // deprecated
107               avoid-v6-udp-ports { <portrange>; ... }; // deprecated
108               bindkeys-file <quoted_string>; // test only
109               blackhole { <address_match_element>; ... };
110               catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
111               check-dup-records ( fail | warn | ignore );
112               check-integrity <boolean>;
113               check-mx ( fail | warn | ignore );
114               check-mx-cname ( fail | warn | ignore );
115               check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
116               check-sibling <boolean>;
117               check-spf ( warn | ignore );
118               check-srv-cname ( fail | warn | ignore );
119               check-svcb <boolean>;
120               check-wildcard <boolean>;
121               clients-per-query <integer>;
122               cookie-algorithm ( aes | siphash24 );
123               cookie-secret <string>; // may occur multiple times
124               deny-answer-addresses { <address_match_element>; ... } [ except-from { <string>; ... } ];
125               deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ];
126               dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
127               directory <quoted_string>;
128               disable-algorithms <string> { <string>; ... }; // may occur multiple times
129               disable-ds-digests <string> { <string>; ... }; // may occur multiple times
130               disable-empty-zone <string>; // may occur multiple times
131               dns64 <netprefix> {
132                    break-dnssec <boolean>;
133                    clients { <address_match_element>; ... };
134                    exclude { <address_match_element>; ... };
135                    mapped { <address_match_element>; ... };
136                    recursive-only <boolean>;
137                    suffix <ipv6_address>;
138               }; // may occur multiple times
139               dns64-contact <string>;
140               dns64-server <string>;
141               dnskey-sig-validity <integer>; // obsolete
142               dnsrps-enable <boolean>; // not configured
143               dnsrps-library <quoted_string>; // not configured
144               dnsrps-options { <unspecified-text> }; // not configured
145               dnssec-accept-expired <boolean>;
146               dnssec-dnskey-kskonly <boolean>; // obsolete
147               dnssec-loadkeys-interval <integer>;
148               dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
149               dnssec-policy <string>;
150               dnssec-secure-to-insecure <boolean>; // obsolete
151               dnssec-update-mode ( maintain | no-resign ); // obsolete
152               dnssec-validation ( yes | no | auto );
153               dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
154               dnstap-identity ( <quoted_string> | none | hostname ); // not configured
155               dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited | <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( increment | timestamp ) ]; // not configured
156               dnstap-version ( <quoted_string> | none ); // not configured
157               dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
158               dump-file <quoted_string>;
159               edns-udp-size <integer>;
160               empty-contact <string>;
161               empty-server <string>;
162               empty-zones-enable <boolean>;
163               fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
164               fetches-per-server <integer> [ ( drop | fail ) ];
165               fetches-per-zone <integer> [ ( drop | fail ) ];
166               flush-zones-on-shutdown <boolean>;
167               forward ( first | only );
168               forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
169               fstrm-set-buffer-hint <integer>; // not configured
170               fstrm-set-flush-timeout <integer>; // not configured
171               fstrm-set-input-queue-size <integer>; // not configured
172               fstrm-set-output-notify-threshold <integer>; // not configured
173               fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
174               fstrm-set-output-queue-size <integer>; // not configured
175               fstrm-set-reopen-interval <duration>; // not configured
176               geoip-directory ( <quoted_string> | none );
177               heartbeat-interval <integer>; // deprecated
178               hostname ( <quoted_string> | none );
179               http-listener-clients <integer>;
180               http-port <integer>;
181               http-streams-per-connection <integer>;
182               https-port <integer>;
183               interface-interval <duration>;
184               ipv4only-contact <string>;
185               ipv4only-enable <boolean>;
186               ipv4only-server <string>;
187               ixfr-from-differences ( primary | master | secondary | slave | <boolean> );
188               keep-response-order { <address_match_element>; ... }; // obsolete
189               key-directory <quoted_string>;
190               lame-ttl <duration>;
191               listen-on [ port <integer> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
192               listen-on-v6 [ port <integer> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
193               lmdb-mapsize <sizeval>;
194               managed-keys-directory <quoted_string>;
195               masterfile-format ( raw | text );
196               masterfile-style ( full | relative );
197               match-mapped-addresses <boolean>;
198               max-cache-size ( default | unlimited | <sizeval> | <percentage> );
199               max-cache-ttl <duration>;
200               max-clients-per-query <integer>;
201               max-ixfr-ratio ( unlimited | <percentage> );
202               max-journal-size ( default | unlimited | <sizeval> );
203               max-ncache-ttl <duration>;
204               max-records <integer>;
205               max-recursion-depth <integer>;
206               max-recursion-queries <integer>;
207               max-refresh-time <integer>;
208               max-retry-time <integer>;
209               max-rsa-exponent-size <integer>;
210               max-stale-ttl <duration>;
211               max-transfer-idle-in <integer>;
212               max-transfer-idle-out <integer>;
213               max-transfer-time-in <integer>;
214               max-transfer-time-out <integer>;
215               max-udp-size <integer>;
216               max-zone-ttl ( unlimited | <duration> ); // deprecated
217               memstatistics <boolean>;
218               memstatistics-file <quoted_string>;
219               message-compression <boolean>;
220               min-cache-ttl <duration>;
221               min-ncache-ttl <duration>;
222               min-refresh-time <integer>;
223               min-retry-time <integer>;
224               minimal-any <boolean>;
225               minimal-responses ( no-auth | no-auth-recursive | <boolean> );
226               multi-master <boolean>;
227               new-zones-directory <quoted_string>;
228               no-case-compress { <address_match_element>; ... };
229               nocookie-udp-size <integer>;
230               notify ( explicit | master-only | primary-only | <boolean> );
231               notify-delay <integer>;
232               notify-rate <integer>;
233               notify-source ( <ipv4_address> | * );
234               notify-source-v6 ( <ipv6_address> | * );
235               notify-to-soa <boolean>;
236               nsec3-test-zone <boolean>; // test only
237               nta-lifetime <duration>;
238               nta-recheck <duration>;
239               nxdomain-redirect <string>;
240               parental-source ( <ipv4_address> | * );
241               parental-source-v6 ( <ipv6_address> | * );
242               pid-file ( <quoted_string> | none );
243               port <integer>;
244               preferred-glue <string>;
245               prefetch <integer> [ <integer> ];
246               provide-ixfr <boolean>;
247               qname-minimization ( strict | relaxed | disabled | off );
248               query-source [ address ] ( <ipv4_address> | * );
249               query-source-v6 [ address ] ( <ipv6_address> | * );
250               querylog <boolean>;
251               rate-limit {
252                    all-per-second <integer>;
253                    errors-per-second <integer>;
254                    exempt-clients { <address_match_element>; ... };
255                    ipv4-prefix-length <integer>;
256                    ipv6-prefix-length <integer>;
257                    log-only <boolean>;
258                    max-table-size <integer>;
259                    min-table-size <integer>;
260                    nodata-per-second <integer>;
261                    nxdomains-per-second <integer>;
262                    qps-scale <integer>;
263                    referrals-per-second <integer>;
264                    responses-per-second <integer>;
265                    slip <integer>;
266                    window <integer>;
267               };
268               recursing-file <quoted_string>;
269               recursion <boolean>;
270               recursive-clients <integer>;
271               request-expire <boolean>;
272               request-ixfr <boolean>;
273               request-nsid <boolean>;
274               require-server-cookie <boolean>;
275               resolver-nonbackoff-tries <integer>;
276               resolver-query-timeout <integer>;
277               resolver-retry-interval <integer>;
278               resolver-use-dns64 <boolean>;
279               response-padding { <address_match_element>; ... } block-size <integer>;
280               response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
281               reuseport <boolean>;
282               root-key-sentinel <boolean>;
283               rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
284               secroots-file <quoted_string>;
285               send-cookie <boolean>;
286               serial-query-rate <integer>;
287               serial-update-method ( date | increment | unixtime );
288               server-id ( <quoted_string> | none | hostname );
289               servfail-ttl <duration>;
290               session-keyalg <string>;
291               session-keyfile ( <quoted_string> | none );
292               session-keyname <string>;
293               sig-signing-nodes <integer>;
294               sig-signing-signatures <integer>;
295               sig-signing-type <integer>;
296               sig-validity-interval <integer> [ <integer> ]; // obsolete
297               sortlist { <address_match_element>; ... };
298               stale-answer-client-timeout ( disabled | off | <integer> );
299               stale-answer-enable <boolean>;
300               stale-answer-ttl <duration>;
301               stale-cache-enable <boolean>;
302               stale-refresh-time <duration>;
303               startup-notify-rate <integer>;
304               statistics-file <quoted_string>;
305               synth-from-dnssec <boolean>;
306               tcp-advertised-timeout <integer>;
307               tcp-clients <integer>;
308               tcp-idle-timeout <integer>;
309               tcp-initial-timeout <integer>;
310               tcp-keepalive-timeout <integer>;
311               tcp-listen-queue <integer>;
312               tcp-receive-buffer <integer>;
313               tcp-send-buffer <integer>;
314               tkey-domain <quoted_string>;
315               tkey-gssapi-credential <quoted_string>;
316               tkey-gssapi-keytab <quoted_string>;
317               tls-port <integer>;
318               transfer-format ( many-answers | one-answer );
319               transfer-message-size <integer>;
320               transfer-source ( <ipv4_address> | * );
321               transfer-source-v6 ( <ipv6_address> | * );
322               transfers-in <integer>;
323               transfers-out <integer>;
324               transfers-per-ns <integer>;
325               trust-anchor-telemetry <boolean>; // experimental
326               try-tcp-refresh <boolean>;
327               udp-receive-buffer <integer>;
328               udp-send-buffer <integer>;
329               update-check-ksk <boolean>; // obsolete
330               update-quota <integer>;
331               use-v4-udp-ports { <portrange>; ... }; // deprecated
332               use-v6-udp-ports { <portrange>; ... }; // deprecated
333               v6-bias <integer>;
334               validate-except { <string>; ... };
335               version ( <quoted_string> | none );
336               zero-no-soa-ttl <boolean>;
337               zero-no-soa-ttl-cache <boolean>;
338               zone-statistics ( full | terse | none | <boolean> );
339          };
340
341          parental-agents <string> [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times
342
343          plugin ( query ) <string> [ { <unspecified-text> } ]; // may occur multiple times
344
345          primaries <string> [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times
346
347          server <netprefix> {
348               bogus <boolean>;
349               edns <boolean>;
350               edns-udp-size <integer>;
351               edns-version <integer>;
352               keys <server_key>;
353               max-udp-size <integer>;
354               notify-source ( <ipv4_address> | * );
355               notify-source-v6 ( <ipv6_address> | * );
356               padding <integer>;
357               provide-ixfr <boolean>;
358               query-source [ address ] ( <ipv4_address> | * );
359               query-source-v6 [ address ] ( <ipv6_address> | * );
360               request-expire <boolean>;
361               request-ixfr <boolean>;
362               request-nsid <boolean>;
363               require-cookie <boolean>;
364               send-cookie <boolean>;
365               tcp-keepalive <boolean>;
366               tcp-only <boolean>;
367               transfer-format ( many-answers | one-answer );
368               transfer-source ( <ipv4_address> | * );
369               transfer-source-v6 ( <ipv6_address> | * );
370               transfers <integer>;
371          }; // may occur multiple times
372
373          statistics-channels {
374               inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] [ allow { <address_match_element>; ... } ]; // may occur multiple times
375          }; // may occur multiple times
376
377          tls <string> {
378               ca-file <quoted_string>;
379               cert-file <quoted_string>;
380               ciphers <string>;
381               dhparam-file <quoted_string>;
382               key-file <quoted_string>;
383               prefer-server-ciphers <boolean>;
384               protocols { <string>; ... };
385               remote-hostname <quoted_string>;
386               session-tickets <boolean>;
387          }; // may occur multiple times
388
389          trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
390
391          trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
392
393          view <string> [ <class> ] {
394               allow-new-zones <boolean>;
395               allow-notify { <address_match_element>; ... };
396               allow-query { <address_match_element>; ... };
397               allow-query-cache { <address_match_element>; ... };
398               allow-query-cache-on { <address_match_element>; ... };
399               allow-query-on { <address_match_element>; ... };
400               allow-recursion { <address_match_element>; ... };
401               allow-recursion-on { <address_match_element>; ... };
402               allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
403               allow-update { <address_match_element>; ... };
404               allow-update-forwarding { <address_match_element>; ... };
405               also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
406               attach-cache <string>;
407               auth-nxdomain <boolean>;
408               catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
409               check-dup-records ( fail | warn | ignore );
410               check-integrity <boolean>;
411               check-mx ( fail | warn | ignore );
412               check-mx-cname ( fail | warn | ignore );
413               check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
414               check-sibling <boolean>;
415               check-spf ( warn | ignore );
416               check-srv-cname ( fail | warn | ignore );
417               check-svcb <boolean>;
418               check-wildcard <boolean>;
419               clients-per-query <integer>;
420               deny-answer-addresses { <address_match_element>; ... } [ except-from { <string>; ... } ];
421               deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ];
422               dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
423               disable-algorithms <string> { <string>; ... }; // may occur multiple times
424               disable-ds-digests <string> { <string>; ... }; // may occur multiple times
425               disable-empty-zone <string>; // may occur multiple times
426               dlz <string> {
427                    database <string>;
428                    search <boolean>;
429               }; // may occur multiple times
430               dns64 <netprefix> {
431                    break-dnssec <boolean>;
432                    clients { <address_match_element>; ... };
433                    exclude { <address_match_element>; ... };
434                    mapped { <address_match_element>; ... };
435                    recursive-only <boolean>;
436                    suffix <ipv6_address>;
437               }; // may occur multiple times
438               dns64-contact <string>;
439               dns64-server <string>;
440               dnskey-sig-validity <integer>; // obsolete
441               dnsrps-enable <boolean>; // not configured
442               dnsrps-options { <unspecified-text> }; // not configured
443               dnssec-accept-expired <boolean>;
444               dnssec-dnskey-kskonly <boolean>; // obsolete
445               dnssec-loadkeys-interval <integer>;
446               dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
447               dnssec-policy <string>;
448               dnssec-secure-to-insecure <boolean>; // obsolete
449               dnssec-update-mode ( maintain | no-resign ); // obsolete
450               dnssec-validation ( yes | no | auto );
451               dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
452               dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
453               dyndb <string> <quoted_string> { <unspecified-text> }; // may occur multiple times
454               edns-udp-size <integer>;
455               empty-contact <string>;
456               empty-server <string>;
457               empty-zones-enable <boolean>;
458               fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
459               fetches-per-server <integer> [ ( drop | fail ) ];
460               fetches-per-zone <integer> [ ( drop | fail ) ];
461               forward ( first | only );
462               forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
463               ipv4only-contact <string>;
464               ipv4only-enable <boolean>;
465               ipv4only-server <string>;
466               ixfr-from-differences ( primary | master | secondary | slave | <boolean> );
467               key <string> {
468                    algorithm <string>;
469                    secret <string>;
470               }; // may occur multiple times
471               key-directory <quoted_string>;
472               lame-ttl <duration>;
473               lmdb-mapsize <sizeval>;
474               managed-keys { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
475               masterfile-format ( raw | text );
476               masterfile-style ( full | relative );
477               match-clients { <address_match_element>; ... };
478               match-destinations { <address_match_element>; ... };
479               match-recursive-only <boolean>;
480               max-cache-size ( default | unlimited | <sizeval> | <percentage> );
481               max-cache-ttl <duration>;
482               max-clients-per-query <integer>;
483               max-ixfr-ratio ( unlimited | <percentage> );
484               max-journal-size ( default | unlimited | <sizeval> );
485               max-ncache-ttl <duration>;
486               max-records <integer>;
487               max-recursion-depth <integer>;
488               max-recursion-queries <integer>;
489               max-refresh-time <integer>;
490               max-retry-time <integer>;
491               max-stale-ttl <duration>;
492               max-transfer-idle-in <integer>;
493               max-transfer-idle-out <integer>;
494               max-transfer-time-in <integer>;
495               max-transfer-time-out <integer>;
496               max-udp-size <integer>;
497               max-zone-ttl ( unlimited | <duration> ); // deprecated
498               message-compression <boolean>;
499               min-cache-ttl <duration>;
500               min-ncache-ttl <duration>;
501               min-refresh-time <integer>;
502               min-retry-time <integer>;
503               minimal-any <boolean>;
504               minimal-responses ( no-auth | no-auth-recursive | <boolean> );
505               multi-master <boolean>;
506               new-zones-directory <quoted_string>;
507               no-case-compress { <address_match_element>; ... };
508               nocookie-udp-size <integer>;
509               notify ( explicit | master-only | primary-only | <boolean> );
510               notify-delay <integer>;
511               notify-source ( <ipv4_address> | * );
512               notify-source-v6 ( <ipv6_address> | * );
513               notify-to-soa <boolean>;
514               nsec3-test-zone <boolean>; // test only
515               nta-lifetime <duration>;
516               nta-recheck <duration>;
517               nxdomain-redirect <string>;
518               parental-source ( <ipv4_address> | * );
519               parental-source-v6 ( <ipv6_address> | * );
520               plugin ( query ) <string> [ { <unspecified-text> } ]; // may occur multiple times
521               preferred-glue <string>;
522               prefetch <integer> [ <integer> ];
523               provide-ixfr <boolean>;
524               qname-minimization ( strict | relaxed | disabled | off );
525               query-source [ address ] ( <ipv4_address> | * );
526               query-source-v6 [ address ] ( <ipv6_address> | * );
527               rate-limit {
528                    all-per-second <integer>;
529                    errors-per-second <integer>;
530                    exempt-clients { <address_match_element>; ... };
531                    ipv4-prefix-length <integer>;
532                    ipv6-prefix-length <integer>;
533                    log-only <boolean>;
534                    max-table-size <integer>;
535                    min-table-size <integer>;
536                    nodata-per-second <integer>;
537                    nxdomains-per-second <integer>;
538                    qps-scale <integer>;
539                    referrals-per-second <integer>;
540                    responses-per-second <integer>;
541                    slip <integer>;
542                    window <integer>;
543               };
544               recursion <boolean>;
545               request-expire <boolean>;
546               request-ixfr <boolean>;
547               request-nsid <boolean>;
548               require-server-cookie <boolean>;
549               resolver-nonbackoff-tries <integer>;
550               resolver-query-timeout <integer>;
551               resolver-retry-interval <integer>;
552               resolver-use-dns64 <boolean>;
553               response-padding { <address_match_element>; ... } block-size <integer>;
554               response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
555               root-key-sentinel <boolean>;
556               rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
557               send-cookie <boolean>;
558               serial-update-method ( date | increment | unixtime );
559               server <netprefix> {
560                    bogus <boolean>;
561                    edns <boolean>;
562                    edns-udp-size <integer>;
563                    edns-version <integer>;
564                    keys <server_key>;
565                    max-udp-size <integer>;
566                    notify-source ( <ipv4_address> | * );
567                    notify-source-v6 ( <ipv6_address> | * );
568                    padding <integer>;
569                    provide-ixfr <boolean>;
570                    query-source [ address ] ( <ipv4_address> | * );
571                    query-source-v6 [ address ] ( <ipv6_address> | * );
572                    request-expire <boolean>;
573                    request-ixfr <boolean>;
574                    request-nsid <boolean>;
575                    require-cookie <boolean>;
576                    send-cookie <boolean>;
577                    tcp-keepalive <boolean>;
578                    tcp-only <boolean>;
579                    transfer-format ( many-answers | one-answer );
580                    transfer-source ( <ipv4_address> | * );
581                    transfer-source-v6 ( <ipv6_address> | * );
582                    transfers <integer>;
583               }; // may occur multiple times
584               servfail-ttl <duration>;
585               sig-signing-nodes <integer>;
586               sig-signing-signatures <integer>;
587               sig-signing-type <integer>;
588               sig-validity-interval <integer> [ <integer> ]; // obsolete
589               sortlist { <address_match_element>; ... };
590               stale-answer-client-timeout ( disabled | off | <integer> );
591               stale-answer-enable <boolean>;
592               stale-answer-ttl <duration>;
593               stale-cache-enable <boolean>;
594               stale-refresh-time <duration>;
595               synth-from-dnssec <boolean>;
596               transfer-format ( many-answers | one-answer );
597               transfer-source ( <ipv4_address> | * );
598               transfer-source-v6 ( <ipv6_address> | * );
599               trust-anchor-telemetry <boolean>; // experimental
600               trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
601               trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
602               try-tcp-refresh <boolean>;
603               update-check-ksk <boolean>; // obsolete
604               v6-bias <integer>;
605               validate-except { <string>; ... };
606               zero-no-soa-ttl <boolean>;
607               zero-no-soa-ttl-cache <boolean>;
608               zone-statistics ( full | terse | none | <boolean> );
609          }; // may occur multiple times
610
611
612
613       Any of these zone statements can also be set inside the view statement.
614
615          zone <string> [ <class> ] {
616               type primary;
617               allow-query { <address_match_element>; ... };
618               allow-query-on { <address_match_element>; ... };
619               allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
620               allow-update { <address_match_element>; ... };
621               also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
622               check-dup-records ( fail | warn | ignore );
623               check-integrity <boolean>;
624               check-mx ( fail | warn | ignore );
625               check-mx-cname ( fail | warn | ignore );
626               check-names ( fail | warn | ignore );
627               check-sibling <boolean>;
628               check-spf ( warn | ignore );
629               check-srv-cname ( fail | warn | ignore );
630               check-svcb <boolean>;
631               check-wildcard <boolean>;
632               checkds ( explicit | <boolean> );
633               database <string>;
634               dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
635               dlz <string>;
636               dnskey-sig-validity <integer>; // obsolete
637               dnssec-dnskey-kskonly <boolean>; // obsolete
638               dnssec-loadkeys-interval <integer>;
639               dnssec-policy <string>;
640               dnssec-secure-to-insecure <boolean>; // obsolete
641               dnssec-update-mode ( maintain | no-resign ); // obsolete
642               file <quoted_string>;
643               forward ( first | only );
644               forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
645               inline-signing <boolean>;
646               ixfr-from-differences <boolean>;
647               journal <quoted_string>;
648               key-directory <quoted_string>;
649               masterfile-format ( raw | text );
650               masterfile-style ( full | relative );
651               max-ixfr-ratio ( unlimited | <percentage> );
652               max-journal-size ( default | unlimited | <sizeval> );
653               max-records <integer>;
654               max-transfer-idle-out <integer>;
655               max-transfer-time-out <integer>;
656               max-zone-ttl ( unlimited | <duration> ); // deprecated
657               notify ( explicit | master-only | primary-only | <boolean> );
658               notify-delay <integer>;
659               notify-source ( <ipv4_address> | * );
660               notify-source-v6 ( <ipv6_address> | * );
661               notify-to-soa <boolean>;
662               nsec3-test-zone <boolean>; // test only
663               parental-agents [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
664               parental-source ( <ipv4_address> | * );
665               parental-source-v6 ( <ipv6_address> | * );
666               serial-update-method ( date | increment | unixtime );
667               sig-signing-nodes <integer>;
668               sig-signing-signatures <integer>;
669               sig-signing-type <integer>;
670               sig-validity-interval <integer> [ <integer> ]; // obsolete
671               update-check-ksk <boolean>; // obsolete
672               update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | krb5-subdomain-self-rhs | ms-self | ms-selfsub | ms-subdomain | ms-subdomain-self-rhs | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... } );
673               zero-no-soa-ttl <boolean>;
674               zone-statistics ( full | terse | none | <boolean> );
675          };
676
677
678          zone <string> [ <class> ] {
679               type secondary;
680               allow-notify { <address_match_element>; ... };
681               allow-query { <address_match_element>; ... };
682               allow-query-on { <address_match_element>; ... };
683               allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
684               allow-update-forwarding { <address_match_element>; ... };
685               also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
686               check-names ( fail | warn | ignore );
687               checkds ( explicit | <boolean> );
688               database <string>;
689               dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
690               dlz <string>;
691               dnskey-sig-validity <integer>; // obsolete
692               dnssec-dnskey-kskonly <boolean>; // obsolete
693               dnssec-loadkeys-interval <integer>;
694               dnssec-policy <string>;
695               dnssec-update-mode ( maintain | no-resign ); // obsolete
696               file <quoted_string>;
697               forward ( first | only );
698               forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
699               inline-signing <boolean>;
700               ixfr-from-differences <boolean>;
701               journal <quoted_string>;
702               key-directory <quoted_string>;
703               masterfile-format ( raw | text );
704               masterfile-style ( full | relative );
705               max-ixfr-ratio ( unlimited | <percentage> );
706               max-journal-size ( default | unlimited | <sizeval> );
707               max-records <integer>;
708               max-refresh-time <integer>;
709               max-retry-time <integer>;
710               max-transfer-idle-in <integer>;
711               max-transfer-idle-out <integer>;
712               max-transfer-time-in <integer>;
713               max-transfer-time-out <integer>;
714               min-refresh-time <integer>;
715               min-retry-time <integer>;
716               multi-master <boolean>;
717               notify ( explicit | master-only | primary-only | <boolean> );
718               notify-delay <integer>;
719               notify-source ( <ipv4_address> | * );
720               notify-source-v6 ( <ipv6_address> | * );
721               notify-to-soa <boolean>;
722               nsec3-test-zone <boolean>; // test only
723               parental-agents [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
724               parental-source ( <ipv4_address> | * );
725               parental-source-v6 ( <ipv6_address> | * );
726               primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
727               request-expire <boolean>;
728               request-ixfr <boolean>;
729               sig-signing-nodes <integer>;
730               sig-signing-signatures <integer>;
731               sig-signing-type <integer>;
732               sig-validity-interval <integer> [ <integer> ]; // obsolete
733               transfer-source ( <ipv4_address> | * );
734               transfer-source-v6 ( <ipv6_address> | * );
735               try-tcp-refresh <boolean>;
736               update-check-ksk <boolean>; // obsolete
737               zero-no-soa-ttl <boolean>;
738               zone-statistics ( full | terse | none | <boolean> );
739          };
740
741
742          zone <string> [ <class> ] {
743               type mirror;
744               allow-notify { <address_match_element>; ... };
745               allow-query { <address_match_element>; ... };
746               allow-query-on { <address_match_element>; ... };
747               allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
748               allow-update-forwarding { <address_match_element>; ... };
749               also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
750               check-names ( fail | warn | ignore );
751               database <string>;
752               file <quoted_string>;
753               ixfr-from-differences <boolean>;
754               journal <quoted_string>;
755               masterfile-format ( raw | text );
756               masterfile-style ( full | relative );
757               max-ixfr-ratio ( unlimited | <percentage> );
758               max-journal-size ( default | unlimited | <sizeval> );
759               max-records <integer>;
760               max-refresh-time <integer>;
761               max-retry-time <integer>;
762               max-transfer-idle-in <integer>;
763               max-transfer-idle-out <integer>;
764               max-transfer-time-in <integer>;
765               max-transfer-time-out <integer>;
766               min-refresh-time <integer>;
767               min-retry-time <integer>;
768               multi-master <boolean>;
769               notify ( explicit | master-only | primary-only | <boolean> );
770               notify-delay <integer>;
771               notify-source ( <ipv4_address> | * );
772               notify-source-v6 ( <ipv6_address> | * );
773               primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
774               request-expire <boolean>;
775               request-ixfr <boolean>;
776               transfer-source ( <ipv4_address> | * );
777               transfer-source-v6 ( <ipv6_address> | * );
778               try-tcp-refresh <boolean>;
779               zero-no-soa-ttl <boolean>;
780               zone-statistics ( full | terse | none | <boolean> );
781          };
782
783
784          zone <string> [ <class> ] {
785               type forward;
786               forward ( first | only );
787               forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
788          };
789
790
791          zone <string> [ <class> ] {
792               type hint;
793               check-names ( fail | warn | ignore );
794               file <quoted_string>;
795          };
796
797
798          zone <string> [ <class> ] {
799               type redirect;
800               allow-query { <address_match_element>; ... };
801               allow-query-on { <address_match_element>; ... };
802               dlz <string>;
803               file <quoted_string>;
804               masterfile-format ( raw | text );
805               masterfile-style ( full | relative );
806               max-records <integer>;
807               max-zone-ttl ( unlimited | <duration> ); // deprecated
808               primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
809               zone-statistics ( full | terse | none | <boolean> );
810          };
811
812
813          zone <string> [ <class> ] {
814               type static-stub;
815               allow-query { <address_match_element>; ... };
816               allow-query-on { <address_match_element>; ... };
817               forward ( first | only );
818               forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
819               max-records <integer>;
820               server-addresses { ( <ipv4_address> | <ipv6_address> ); ... };
821               server-names { <string>; ... };
822               zone-statistics ( full | terse | none | <boolean> );
823          };
824
825
826          zone <string> [ <class> ] {
827               type stub;
828               allow-query { <address_match_element>; ... };
829               allow-query-on { <address_match_element>; ... };
830               check-names ( fail | warn | ignore );
831               database <string>;
832               dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
833               file <quoted_string>;
834               forward ( first | only );
835               forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
836               masterfile-format ( raw | text );
837               masterfile-style ( full | relative );
838               max-records <integer>;
839               max-refresh-time <integer>;
840               max-retry-time <integer>;
841               max-transfer-idle-in <integer>;
842               max-transfer-time-in <integer>;
843               min-refresh-time <integer>;
844               min-retry-time <integer>;
845               multi-master <boolean>;
846               primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
847               transfer-source ( <ipv4_address> | * );
848               transfer-source-v6 ( <ipv6_address> | * );
849               zone-statistics ( full | terse | none | <boolean> );
850          };
851
852
853          zone <string> [ <class> ] {
854               in-view <string>;
855          };
856
857

FILES

859       /etc/named.conf
860

SEE ALSO

862       named(8), named-checkconf(8), rndc(8), rndc-confgen(8), tsig-keygen(8),
863       BIND 9 Administrator Reference Manual.
864

AUTHOR

866       Internet Systems Consortium
867
869       2023, Internet Systems Consortium
870
871
872
873
874 9.19.18                                                          NAMED.CONF(5)