1 NAMED.CONF(5) BIND 9 NAMED.CONF(5)
2
3
4
6 named.conf - configuration file for **named**
7
9 named.conf
10
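12 named.conf is the configuration file for named. Because it may contain key statements whose secret clause holds a shared secret, the file should be readable only by the account that runs named and by its administrators.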
13
14 For complete documentation about the configuration statements, please
15 refer to the Configuration Reference section in the BIND 9
16 Administrator Reference Manual.
17
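18 Statements are enclosed in braces and terminated with a semicolon.
19 Clauses in the statements are also terminated with a semicolon. In the grammar below, a trailing // comment is an annotation on the clause it follows (for example "deprecated" or "may occur multiple times"), not part of the syntax. The usual
20 comment styles are supported: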
21
22 C style: /* */
23
24 C++ style: // to end of line
25
26 Unix style: # to end of line
27
28 acl <string> { <address_match_element>; ... }; // may occur multiple times
29
30 controls {
31 inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
32 unix <quoted_string> perm <integer> owner <integer> group <integer> [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
33 }; // may occur multiple times
34
35 dlz <string> {
36 database <string>;
37 search <boolean>;
38 }; // may occur multiple times
39
40 dnssec-policy <string> {
41 dnskey-ttl <duration>;
42 keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
43 max-zone-ttl <duration>;
44 nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ];
45 parent-ds-ttl <duration>;
46 parent-propagation-delay <duration>;
47 parent-registration-delay <duration>; // obsolete
48 publish-safety <duration>;
49 purge-keys <duration>;
50 retire-safety <duration>;
51 signatures-refresh <duration>;
52 signatures-validity <duration>;
53 signatures-validity-dnskey <duration>;
54 zone-propagation-delay <duration>;
55 }; // may occur multiple times
56
57 dyndb <string> <quoted_string> { <unspecified-text> }; // may occur multiple times
58
59 http <string> {
60 endpoints { <quoted_string>; ... };
61 listener-clients <integer>;
62 streams-per-connection <integer>;
63 }; // may occur multiple times
64
65 key <string> {
66 algorithm <string>;
67 secret <string>;
68 }; // may occur multiple times
69
70 logging {
71 category <string> { <string>; ... }; // may occur multiple times
72 channel <string> {
73 buffered <boolean>;
74 file <quoted_string> [ versions ( unlimited | <integer> ) ] [ size <size> ] [ suffix ( increment | timestamp ) ];
75 null;
76 print-category <boolean>;
77 print-severity <boolean>;
78 print-time ( iso8601 | iso8601-utc | local | <boolean> );
79 severity <log_severity>;
80 stderr;
81 syslog [ <syslog_facility> ];
82 }; // may occur multiple times
83 };
84
85 managed-keys { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
86
87 options {
88 allow-new-zones <boolean>;
89 allow-notify { <address_match_element>; ... };
90 allow-query { <address_match_element>; ... };
91 allow-query-cache { <address_match_element>; ... };
92 allow-query-cache-on { <address_match_element>; ... };
93 allow-query-on { <address_match_element>; ... };
94 allow-recursion { <address_match_element>; ... };
95 allow-recursion-on { <address_match_element>; ... };
96 allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
97 allow-update { <address_match_element>; ... };
98 allow-update-forwarding { <address_match_element>; ... };
99 also-notify [ port <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
100 alt-transfer-source ( <ipv4_address> | * ) ; // deprecated
101 alt-transfer-source-v6 ( <ipv6_address> | * ) ; // deprecated
102 answer-cookie <boolean>;
103 attach-cache <string>;
104 auth-nxdomain <boolean>;
105 auto-dnssec ( allow | maintain | off ); // deprecated
106 automatic-interface-scan <boolean>;
107 avoid-v4-udp-ports { <portrange>; ... }; // deprecated
108 avoid-v6-udp-ports { <portrange>; ... }; // deprecated
109 bindkeys-file <quoted_string>;
110 blackhole { <address_match_element>; ... };
111 catalog-zones { zone <string> [ default-primaries [ port <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
112 check-dup-records ( fail | warn | ignore );
113 check-integrity <boolean>;
114 check-mx ( fail | warn | ignore );
115 check-mx-cname ( fail | warn | ignore );
116 check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
117 check-sibling <boolean>;
118 check-spf ( warn | ignore );
119 check-srv-cname ( fail | warn | ignore );
120 check-wildcard <boolean>;
121 clients-per-query <integer>;
122 cookie-algorithm ( aes | siphash24 );
123 cookie-secret <string>; // may occur multiple times
124 coresize ( default | unlimited | <sizeval> ); // deprecated
125 datasize ( default | unlimited | <sizeval> ); // deprecated
126 deny-answer-addresses { <address_match_element>; ... } [ except-from { <string>; ... } ];
127 deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ];
128 dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
129 directory <quoted_string>;
130 disable-algorithms <string> { <string>; ... }; // may occur multiple times
131 disable-ds-digests <string> { <string>; ... }; // may occur multiple times
132 disable-empty-zone <string>; // may occur multiple times
133 dns64 <netprefix> {
134 break-dnssec <boolean>;
135 clients { <address_match_element>; ... };
136 exclude { <address_match_element>; ... };
137 mapped { <address_match_element>; ... };
138 recursive-only <boolean>;
139 suffix <ipv6_address>;
140 }; // may occur multiple times
141 dns64-contact <string>;
142 dns64-server <string>;
143 dnskey-sig-validity <integer>;
144 dnsrps-enable <boolean>; // not configured
145 dnsrps-options { <unspecified-text> }; // not configured
146 dnssec-accept-expired <boolean>;
147 dnssec-dnskey-kskonly <boolean>;
148 dnssec-loadkeys-interval <integer>;
149 dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
150 dnssec-policy <string>;
151 dnssec-secure-to-insecure <boolean>;
152 dnssec-update-mode ( maintain | no-resign );
153 dnssec-validation ( yes | no | auto );
154 dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
155 dnstap-identity ( <quoted_string> | none | hostname ); // not configured
156 dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited | <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( increment | timestamp ) ]; // not configured
157 dnstap-version ( <quoted_string> | none ); // not configured
158 dscp <integer>; // obsolete
159 dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
160 dump-file <quoted_string>;
161 edns-udp-size <integer>;
162 empty-contact <string>;
163 empty-server <string>;
164 empty-zones-enable <boolean>;
165 fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
166 fetches-per-server <integer> [ ( drop | fail ) ];
167 fetches-per-zone <integer> [ ( drop | fail ) ];
168 files ( default | unlimited | <sizeval> ); // deprecated
169 flush-zones-on-shutdown <boolean>;
170 forward ( first | only );
171 forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
172 fstrm-set-buffer-hint <integer>; // not configured
173 fstrm-set-flush-timeout <integer>; // not configured
174 fstrm-set-input-queue-size <integer>; // not configured
175 fstrm-set-output-notify-threshold <integer>; // not configured
176 fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
177 fstrm-set-output-queue-size <integer>; // not configured
178 fstrm-set-reopen-interval <duration>; // not configured
179 geoip-directory ( <quoted_string> | none );
180 glue-cache <boolean>; // deprecated
181 heartbeat-interval <integer>; // deprecated
182 hostname ( <quoted_string> | none );
183 http-listener-clients <integer>;
184 http-port <integer>;
185 http-streams-per-connection <integer>;
186 https-port <integer>;
187 interface-interval <duration>;
188 ipv4only-contact <string>;
189 ipv4only-enable <boolean>;
190 ipv4only-server <string>;
191 ixfr-from-differences ( primary | master | secondary | slave | <boolean> );
192 keep-response-order { <address_match_element>; ... };
193 key-directory <quoted_string>;
194 lame-ttl <duration>;
195 listen-on [ port <integer> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
196 listen-on-v6 [ port <integer> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
197 lmdb-mapsize <sizeval>;
198 lock-file ( <quoted_string> | none );
199 managed-keys-directory <quoted_string>;
200 masterfile-format ( raw | text );
201 masterfile-style ( full | relative );
202 match-mapped-addresses <boolean>;
203 max-cache-size ( default | unlimited | <sizeval> | <percentage> );
204 max-cache-ttl <duration>;
205 max-clients-per-query <integer>;
206 max-ixfr-ratio ( unlimited | <percentage> );
207 max-journal-size ( default | unlimited | <sizeval> );
208 max-ncache-ttl <duration>;
209 max-records <integer>;
210 max-recursion-depth <integer>;
211 max-recursion-queries <integer>;
212 max-refresh-time <integer>;
213 max-retry-time <integer>;
214 max-rsa-exponent-size <integer>;
215 max-stale-ttl <duration>;
216 max-transfer-idle-in <integer>;
217 max-transfer-idle-out <integer>;
218 max-transfer-time-in <integer>;
219 max-transfer-time-out <integer>;
220 max-udp-size <integer>;
221 max-zone-ttl ( unlimited | <duration> );
222 memstatistics <boolean>;
223 memstatistics-file <quoted_string>;
224 message-compression <boolean>;
225 min-cache-ttl <duration>;
226 min-ncache-ttl <duration>;
227 min-refresh-time <integer>;
228 min-retry-time <integer>;
229 minimal-any <boolean>;
230 minimal-responses ( no-auth | no-auth-recursive | <boolean> );
231 multi-master <boolean>;
232 new-zones-directory <quoted_string>;
233 no-case-compress { <address_match_element>; ... };
234 nocookie-udp-size <integer>;
235 notify ( explicit | master-only | primary-only | <boolean> );
236 notify-delay <integer>;
237 notify-rate <integer>;
238 notify-source ( <ipv4_address> | * ) ;
239 notify-source-v6 ( <ipv6_address> | * ) ;
240 notify-to-soa <boolean>;
241 nsec3-test-zone <boolean>; // test only
242 nta-lifetime <duration>;
243 nta-recheck <duration>;
244 nxdomain-redirect <string>;
245 parental-source ( <ipv4_address> | * ) ;
246 parental-source-v6 ( <ipv6_address> | * ) ;
247 pid-file ( <quoted_string> | none );
248 port <integer>;
249 preferred-glue <string>;
250 prefetch <integer> [ <integer> ];
251 provide-ixfr <boolean>;
252 qname-minimization ( strict | relaxed | disabled | off );
253 query-source [ address ] ( <ipv4_address> | * );
254 query-source-v6 [ address ] ( <ipv6_address> | * );
255 querylog <boolean>;
256 random-device ( <quoted_string> | none ); // obsolete
257 rate-limit {
258 all-per-second <integer>;
259 errors-per-second <integer>;
260 exempt-clients { <address_match_element>; ... };
261 ipv4-prefix-length <integer>;
262 ipv6-prefix-length <integer>;
263 log-only <boolean>;
264 max-table-size <integer>;
265 min-table-size <integer>;
266 nodata-per-second <integer>;
267 nxdomains-per-second <integer>;
268 qps-scale <integer>;
269 referrals-per-second <integer>;
270 responses-per-second <integer>;
271 slip <integer>;
272 window <integer>;
273 };
274 recursing-file <quoted_string>;
275 recursion <boolean>;
276 recursive-clients <integer>;
277 request-expire <boolean>;
278 request-ixfr <boolean>;
279 request-nsid <boolean>;
280 require-server-cookie <boolean>;
281 reserved-sockets <integer>; // deprecated
282 resolver-nonbackoff-tries <integer>;
283 resolver-query-timeout <integer>;
284 resolver-retry-interval <integer>;
285 response-padding { <address_match_element>; ... } block-size <integer>;
286 response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
287 reuseport <boolean>;
288 root-delegation-only [ exclude { <string>; ... } ]; // deprecated
289 root-key-sentinel <boolean>;
290 rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
291 secroots-file <quoted_string>;
292 send-cookie <boolean>;
293 serial-query-rate <integer>;
294 serial-update-method ( date | increment | unixtime );
295 server-id ( <quoted_string> | none | hostname );
296 servfail-ttl <duration>;
297 session-keyalg <string>;
298 session-keyfile ( <quoted_string> | none );
299 session-keyname <string>;
300 sig-signing-nodes <integer>;
301 sig-signing-signatures <integer>;
302 sig-signing-type <integer>;
303 sig-validity-interval <integer> [ <integer> ];
304 sortlist { <address_match_element>; ... };
305 stacksize ( default | unlimited | <sizeval> ); // deprecated
306 stale-answer-client-timeout ( disabled | off | <integer> );
307 stale-answer-enable <boolean>;
308 stale-answer-ttl <duration>;
309 stale-cache-enable <boolean>;
310 stale-refresh-time <duration>;
311 startup-notify-rate <integer>;
312 statistics-file <quoted_string>;
313 suppress-initial-notify <boolean>; // obsolete
314 synth-from-dnssec <boolean>;
315 tcp-advertised-timeout <integer>;
316 tcp-clients <integer>;
317 tcp-idle-timeout <integer>;
318 tcp-initial-timeout <integer>;
319 tcp-keepalive-timeout <integer>;
320 tcp-listen-queue <integer>;
321 tcp-receive-buffer <integer>;
322 tcp-send-buffer <integer>;
323 tkey-dhkey <quoted_string> <integer>; // deprecated
324 tkey-domain <quoted_string>;
325 tkey-gssapi-credential <quoted_string>;
326 tkey-gssapi-keytab <quoted_string>;
327 tls-port <integer>;
328 transfer-format ( many-answers | one-answer );
329 transfer-message-size <integer>;
330 transfer-source ( <ipv4_address> | * ) ;
331 transfer-source-v6 ( <ipv6_address> | * ) ;
332 transfers-in <integer>;
333 transfers-out <integer>;
334 transfers-per-ns <integer>;
335 trust-anchor-telemetry <boolean>; // experimental
336 try-tcp-refresh <boolean>;
337 udp-receive-buffer <integer>;
338 udp-send-buffer <integer>;
339 update-check-ksk <boolean>;
340 update-quota <integer>;
341 use-alt-transfer-source <boolean>; // deprecated
342 use-v4-udp-ports { <portrange>; ... }; // deprecated
343 use-v6-udp-ports { <portrange>; ... }; // deprecated
344 v6-bias <integer>;
345 validate-except { <string>; ... };
346 version ( <quoted_string> | none );
347 zero-no-soa-ttl <boolean>;
348 zero-no-soa-ttl-cache <boolean>;
349 zone-statistics ( full | terse | none | <boolean> );
350 };
351
352 parental-agents <string> [ port <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times
353
354 plugin ( query ) <string> [ { <unspecified-text> } ]; // may occur multiple times
355
356 primaries <string> [ port <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times
357
358 server <netprefix> {
359 bogus <boolean>;
360 edns <boolean>;
361 edns-udp-size <integer>;
362 edns-version <integer>;
363 keys <server_key>;
364 max-udp-size <integer>;
365 notify-source ( <ipv4_address> | * ) ;
366 notify-source-v6 ( <ipv6_address> | * ) ;
367 padding <integer>;
368 provide-ixfr <boolean>;
369 query-source [ address ] ( <ipv4_address> | * );
370 query-source-v6 [ address ] ( <ipv6_address> | * );
371 request-expire <boolean>;
372 request-ixfr <boolean>;
373 request-nsid <boolean>;
374 send-cookie <boolean>;
375 tcp-keepalive <boolean>;
376 tcp-only <boolean>;
377 transfer-format ( many-answers | one-answer );
378 transfer-source ( <ipv4_address> | * ) ;
379 transfer-source-v6 ( <ipv6_address> | * ) ;
380 transfers <integer>;
381 }; // may occur multiple times
382
383 statistics-channels {
384 inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] [ allow { <address_match_element>; ... } ]; // may occur multiple times
385 }; // may occur multiple times
386
387 tls <string> {
388 ca-file <quoted_string>;
389 cert-file <quoted_string>;
390 ciphers <string>;
391 dhparam-file <quoted_string>;
392 key-file <quoted_string>;
393 prefer-server-ciphers <boolean>;
394 protocols { <string>; ... };
395 remote-hostname <quoted_string>;
396 session-tickets <boolean>;
397 }; // may occur multiple times
398
399 trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
400
401 trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
402
403 view <string> [ <class> ] {
404 allow-new-zones <boolean>;
405 allow-notify { <address_match_element>; ... };
406 allow-query { <address_match_element>; ... };
407 allow-query-cache { <address_match_element>; ... };
408 allow-query-cache-on { <address_match_element>; ... };
409 allow-query-on { <address_match_element>; ... };
410 allow-recursion { <address_match_element>; ... };
411 allow-recursion-on { <address_match_element>; ... };
412 allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
413 allow-update { <address_match_element>; ... };
414 allow-update-forwarding { <address_match_element>; ... };
415 also-notify [ port <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
416 alt-transfer-source ( <ipv4_address> | * ) ; // deprecated
417 alt-transfer-source-v6 ( <ipv6_address> | * ) ; // deprecated
418 attach-cache <string>;
419 auth-nxdomain <boolean>;
420 auto-dnssec ( allow | maintain | off ); // deprecated
421 catalog-zones { zone <string> [ default-primaries [ port <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
422 check-dup-records ( fail | warn | ignore );
423 check-integrity <boolean>;
424 check-mx ( fail | warn | ignore );
425 check-mx-cname ( fail | warn | ignore );
426 check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
427 check-sibling <boolean>;
428 check-spf ( warn | ignore );
429 check-srv-cname ( fail | warn | ignore );
430 check-wildcard <boolean>;
431 clients-per-query <integer>;
432 deny-answer-addresses { <address_match_element>; ... } [ except-from { <string>; ... } ];
433 deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ];
434 dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
435 disable-algorithms <string> { <string>; ... }; // may occur multiple times
436 disable-ds-digests <string> { <string>; ... }; // may occur multiple times
437 disable-empty-zone <string>; // may occur multiple times
438 dlz <string> {
439 database <string>;
440 search <boolean>;
441 }; // may occur multiple times
442 dns64 <netprefix> {
443 break-dnssec <boolean>;
444 clients { <address_match_element>; ... };
445 exclude { <address_match_element>; ... };
446 mapped { <address_match_element>; ... };
447 recursive-only <boolean>;
448 suffix <ipv6_address>;
449 }; // may occur multiple times
450 dns64-contact <string>;
451 dns64-server <string>;
452 dnskey-sig-validity <integer>;
453 dnsrps-enable <boolean>; // not configured
454 dnsrps-options { <unspecified-text> }; // not configured
455 dnssec-accept-expired <boolean>;
456 dnssec-dnskey-kskonly <boolean>;
457 dnssec-loadkeys-interval <integer>;
458 dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
459 dnssec-policy <string>;
460 dnssec-secure-to-insecure <boolean>;
461 dnssec-update-mode ( maintain | no-resign );
462 dnssec-validation ( yes | no | auto );
463 dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
464 dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
465 dyndb <string> <quoted_string> { <unspecified-text> }; // may occur multiple times
466 edns-udp-size <integer>;
467 empty-contact <string>;
468 empty-server <string>;
469 empty-zones-enable <boolean>;
470 fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
471 fetches-per-server <integer> [ ( drop | fail ) ];
472 fetches-per-zone <integer> [ ( drop | fail ) ];
473 forward ( first | only );
474 forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
475 glue-cache <boolean>; // deprecated
476 ipv4only-contact <string>;
477 ipv4only-enable <boolean>;
478 ipv4only-server <string>;
479 ixfr-from-differences ( primary | master | secondary | slave | <boolean> );
480 key <string> {
481 algorithm <string>;
482 secret <string>;
483 }; // may occur multiple times
484 key-directory <quoted_string>;
485 lame-ttl <duration>;
486 lmdb-mapsize <sizeval>;
487 managed-keys { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
488 masterfile-format ( raw | text );
489 masterfile-style ( full | relative );
490 match-clients { <address_match_element>; ... };
491 match-destinations { <address_match_element>; ... };
492 match-recursive-only <boolean>;
493 max-cache-size ( default | unlimited | <sizeval> | <percentage> );
494 max-cache-ttl <duration>;
495 max-clients-per-query <integer>;
496 max-ixfr-ratio ( unlimited | <percentage> );
497 max-journal-size ( default | unlimited | <sizeval> );
498 max-ncache-ttl <duration>;
499 max-records <integer>;
500 max-recursion-depth <integer>;
501 max-recursion-queries <integer>;
502 max-refresh-time <integer>;
503 max-retry-time <integer>;
504 max-stale-ttl <duration>;
505 max-transfer-idle-in <integer>;
506 max-transfer-idle-out <integer>;
507 max-transfer-time-in <integer>;
508 max-transfer-time-out <integer>;
509 max-udp-size <integer>;
510 max-zone-ttl ( unlimited | <duration> );
511 message-compression <boolean>;
512 min-cache-ttl <duration>;
513 min-ncache-ttl <duration>;
514 min-refresh-time <integer>;
515 min-retry-time <integer>;
516 minimal-any <boolean>;
517 minimal-responses ( no-auth | no-auth-recursive | <boolean> );
518 multi-master <boolean>;
519 new-zones-directory <quoted_string>;
520 no-case-compress { <address_match_element>; ... };
521 nocookie-udp-size <integer>;
522 notify ( explicit | master-only | primary-only | <boolean> );
523 notify-delay <integer>;
524 notify-source ( <ipv4_address> | * ) ;
525 notify-source-v6 ( <ipv6_address> | * ) ;
526 notify-to-soa <boolean>;
527 nsec3-test-zone <boolean>; // test only
528 nta-lifetime <duration>;
529 nta-recheck <duration>;
530 nxdomain-redirect <string>;
531 parental-source ( <ipv4_address> | * ) ;
532 parental-source-v6 ( <ipv6_address> | * ) ;
533 plugin ( query ) <string> [ { <unspecified-text> } ]; // may occur multiple times
534 preferred-glue <string>;
535 prefetch <integer> [ <integer> ];
536 provide-ixfr <boolean>;
537 qname-minimization ( strict | relaxed | disabled | off );
538 query-source [ address ] ( <ipv4_address> | * );
539 query-source-v6 [ address ] ( <ipv6_address> | * );
540 rate-limit {
541 all-per-second <integer>;
542 errors-per-second <integer>;
543 exempt-clients { <address_match_element>; ... };
544 ipv4-prefix-length <integer>;
545 ipv6-prefix-length <integer>;
546 log-only <boolean>;
547 max-table-size <integer>;
548 min-table-size <integer>;
549 nodata-per-second <integer>;
550 nxdomains-per-second <integer>;
551 qps-scale <integer>;
552 referrals-per-second <integer>;
553 responses-per-second <integer>;
554 slip <integer>;
555 window <integer>;
556 };
557 recursion <boolean>;
558 request-expire <boolean>;
559 request-ixfr <boolean>;
560 request-nsid <boolean>;
561 require-server-cookie <boolean>;
562 resolver-nonbackoff-tries <integer>;
563 resolver-query-timeout <integer>;
564 resolver-retry-interval <integer>;
565 response-padding { <address_match_element>; ... } block-size <integer>;
566 response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
567 root-delegation-only [ exclude { <string>; ... } ]; // deprecated
568 root-key-sentinel <boolean>;
569 rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
570 send-cookie <boolean>;
571 serial-update-method ( date | increment | unixtime );
572 server <netprefix> {
573 bogus <boolean>;
574 edns <boolean>;
575 edns-udp-size <integer>;
576 edns-version <integer>;
577 keys <server_key>;
578 max-udp-size <integer>;
579 notify-source ( <ipv4_address> | * ) ;
580 notify-source-v6 ( <ipv6_address> | * ) ;
581 padding <integer>;
582 provide-ixfr <boolean>;
583 query-source [ address ] ( <ipv4_address> | * );
584 query-source-v6 [ address ] ( <ipv6_address> | * );
585 request-expire <boolean>;
586 request-ixfr <boolean>;
587 request-nsid <boolean>;
588 send-cookie <boolean>;
589 tcp-keepalive <boolean>;
590 tcp-only <boolean>;
591 transfer-format ( many-answers | one-answer );
592 transfer-source ( <ipv4_address> | * ) ;
593 transfer-source-v6 ( <ipv6_address> | * ) ;
594 transfers <integer>;
595 }; // may occur multiple times
596 servfail-ttl <duration>;
597 sig-signing-nodes <integer>;
598 sig-signing-signatures <integer>;
599 sig-signing-type <integer>;
600 sig-validity-interval <integer> [ <integer> ];
601 sortlist { <address_match_element>; ... };
602 stale-answer-client-timeout ( disabled | off | <integer> );
603 stale-answer-enable <boolean>;
604 stale-answer-ttl <duration>;
605 stale-cache-enable <boolean>;
606 stale-refresh-time <duration>;
607 suppress-initial-notify <boolean>; // obsolete
608 synth-from-dnssec <boolean>;
609 transfer-format ( many-answers | one-answer );
610 transfer-source ( <ipv4_address> | * ) ;
611 transfer-source-v6 ( <ipv6_address> | * ) ;
612 trust-anchor-telemetry <boolean>; // experimental
613 trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
614 trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
615 try-tcp-refresh <boolean>;
616 update-check-ksk <boolean>;
617 use-alt-transfer-source <boolean>; // deprecated
618 v6-bias <integer>;
619 validate-except { <string>; ... };
620 zero-no-soa-ttl <boolean>;
621 zero-no-soa-ttl-cache <boolean>;
622 zone-statistics ( full | terse | none | <boolean> );
623 }; // may occur multiple times
624
625
626
627 Any of the following zone statements can also be set inside a view statement.
628
629 zone <string> [ <class> ] {
630 type primary;
631 allow-query { <address_match_element>; ... };
632 allow-query-on { <address_match_element>; ... };
633 allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
634 allow-update { <address_match_element>; ... };
635 also-notify [ port <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
636 alt-transfer-source ( <ipv4_address> | * ) ; // deprecated
637 alt-transfer-source-v6 ( <ipv6_address> | * ) ; // deprecated
638 auto-dnssec ( allow | maintain | off ); // deprecated
639 check-dup-records ( fail | warn | ignore );
640 check-integrity <boolean>;
641 check-mx ( fail | warn | ignore );
642 check-mx-cname ( fail | warn | ignore );
643 check-names ( fail | warn | ignore );
644 check-sibling <boolean>;
645 check-spf ( warn | ignore );
646 check-srv-cname ( fail | warn | ignore );
647 check-wildcard <boolean>;
648 database <string>;
649 dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
650 dlz <string>;
651 dnskey-sig-validity <integer>;
652 dnssec-dnskey-kskonly <boolean>;
653 dnssec-loadkeys-interval <integer>;
654 dnssec-policy <string>;
655 dnssec-secure-to-insecure <boolean>;
656 dnssec-update-mode ( maintain | no-resign );
657 file <quoted_string>;
658 forward ( first | only );
659 forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
660 inline-signing <boolean>;
661 ixfr-from-differences <boolean>;
662 journal <quoted_string>;
663 key-directory <quoted_string>;
664 masterfile-format ( raw | text );
665 masterfile-style ( full | relative );
666 max-ixfr-ratio ( unlimited | <percentage> );
667 max-journal-size ( default | unlimited | <sizeval> );
668 max-records <integer>;
669 max-transfer-idle-out <integer>;
670 max-transfer-time-out <integer>;
671 max-zone-ttl ( unlimited | <duration> );
672 notify ( explicit | master-only | primary-only | <boolean> );
673 notify-delay <integer>;
674 notify-source ( <ipv4_address> | * ) ;
675 notify-source-v6 ( <ipv6_address> | * ) ;
676 notify-to-soa <boolean>;
677 nsec3-test-zone <boolean>; // test only
678 parental-agents [ port <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
679 parental-source ( <ipv4_address> | * ) ;
680 parental-source-v6 ( <ipv6_address> | * ) ;
681 serial-update-method ( date | increment | unixtime );
682 sig-signing-nodes <integer>;
683 sig-signing-signatures <integer>;
684 sig-signing-type <integer>;
685 sig-validity-interval <integer> [ <integer> ];
686 update-check-ksk <boolean>;
687 update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | krb5-subdomain-self-rhs | ms-self | ms-selfsub | ms-subdomain | ms-subdomain-self-rhs | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... } );
688 zero-no-soa-ttl <boolean>;
689 zone-statistics ( full | terse | none | <boolean> );
690 };
691
692
693 zone <string> [ <class> ] {
694 type secondary;
695 allow-notify { <address_match_element>; ... };
696 allow-query { <address_match_element>; ... };
697 allow-query-on { <address_match_element>; ... };
698 allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
699 allow-update-forwarding { <address_match_element>; ... };
700 also-notify [ port <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
701 alt-transfer-source ( <ipv4_address> | * ) ; // deprecated
702 alt-transfer-source-v6 ( <ipv6_address> | * ) ; // deprecated
703 auto-dnssec ( allow | maintain | off ); // deprecated
704 check-names ( fail | warn | ignore );
705 database <string>;
706 dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
707 dlz <string>;
708 dnskey-sig-validity <integer>;
709 dnssec-dnskey-kskonly <boolean>;
710 dnssec-loadkeys-interval <integer>;
711 dnssec-policy <string>;
712 dnssec-update-mode ( maintain | no-resign );
713 file <quoted_string>;
714 forward ( first | only );
715 forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
716 inline-signing <boolean>;
717 ixfr-from-differences <boolean>;
718 journal <quoted_string>;
719 key-directory <quoted_string>;
720 masterfile-format ( raw | text );
721 masterfile-style ( full | relative );
722 max-ixfr-ratio ( unlimited | <percentage> );
723 max-journal-size ( default | unlimited | <sizeval> );
724 max-records <integer>;
725 max-refresh-time <integer>;
726 max-retry-time <integer>;
727 max-transfer-idle-in <integer>;
728 max-transfer-idle-out <integer>;
729 max-transfer-time-in <integer>;
730 max-transfer-time-out <integer>;
731 min-refresh-time <integer>;
732 min-retry-time <integer>;
733 multi-master <boolean>;
734 notify ( explicit | master-only | primary-only | <boolean> );
735 notify-delay <integer>;
736 notify-source ( <ipv4_address> | * ) ;
737 notify-source-v6 ( <ipv6_address> | * ) ;
738 notify-to-soa <boolean>;
739 nsec3-test-zone <boolean>; // test only
740 parental-agents [ port <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
741 parental-source ( <ipv4_address> | * ) ;
742 parental-source-v6 ( <ipv6_address> | * ) ;
743 primaries [ port <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
744 request-expire <boolean>;
745 request-ixfr <boolean>;
746 sig-signing-nodes <integer>;
747 sig-signing-signatures <integer>;
748 sig-signing-type <integer>;
749 sig-validity-interval <integer> [ <integer> ];
750 transfer-source ( <ipv4_address> | * ) ;
751 transfer-source-v6 ( <ipv6_address> | * ) ;
752 try-tcp-refresh <boolean>;
753 update-check-ksk <boolean>;
754 use-alt-transfer-source <boolean>; // deprecated
755 zero-no-soa-ttl <boolean>;
756 zone-statistics ( full | terse | none | <boolean> );
757 };
758
759
760 zone <string> [ <class> ] {
761 type mirror;
762 allow-notify { <address_match_element>; ... };
763 allow-query { <address_match_element>; ... };
764 allow-query-on { <address_match_element>; ... };
765 allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
766 allow-update-forwarding { <address_match_element>; ... };
767 also-notify [ port <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
768 alt-transfer-source ( <ipv4_address> | * ) ; // deprecated
769 alt-transfer-source-v6 ( <ipv6_address> | * ) ; // deprecated
770 check-names ( fail | warn | ignore );
771 database <string>;
772 file <quoted_string>;
773 ixfr-from-differences <boolean>;
774 journal <quoted_string>;
775 masterfile-format ( raw | text );
776 masterfile-style ( full | relative );
777 max-ixfr-ratio ( unlimited | <percentage> );
778 max-journal-size ( default | unlimited | <sizeval> );
779 max-records <integer>;
780 max-refresh-time <integer>;
781 max-retry-time <integer>;
782 max-transfer-idle-in <integer>;
783 max-transfer-idle-out <integer>;
784 max-transfer-time-in <integer>;
785 max-transfer-time-out <integer>;
786 min-refresh-time <integer>;
787 min-retry-time <integer>;
788 multi-master <boolean>;
789 notify ( explicit | master-only | primary-only | <boolean> );
790 notify-delay <integer>;
791 notify-source ( <ipv4_address> | * ) ;
792 notify-source-v6 ( <ipv6_address> | * ) ;
793 primaries [ port <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
794 request-expire <boolean>;
795 request-ixfr <boolean>;
796 transfer-source ( <ipv4_address> | * ) ;
797 transfer-source-v6 ( <ipv6_address> | * ) ;
798 try-tcp-refresh <boolean>;
799 use-alt-transfer-source <boolean>; // deprecated
800 zero-no-soa-ttl <boolean>;
801 zone-statistics ( full | terse | none | <boolean> );
802 };
803
804
805 zone <string> [ <class> ] {
806 type forward;
807 delegation-only <boolean>; // deprecated
808 forward ( first | only );
809 forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
810 };
811
812
813 zone <string> [ <class> ] {
814 type hint;
815 check-names ( fail | warn | ignore );
816 delegation-only <boolean>; // deprecated
817 file <quoted_string>;
818 };
819
820
821 zone <string> [ <class> ] {
822 type redirect;
823 allow-query { <address_match_element>; ... };
824 allow-query-on { <address_match_element>; ... };
825 dlz <string>;
826 file <quoted_string>;
827 masterfile-format ( raw | text );
828 masterfile-style ( full | relative );
829 max-records <integer>;
830 max-zone-ttl ( unlimited | <duration> );
831 primaries [ port <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
832 zone-statistics ( full | terse | none | <boolean> );
833 };
834
835
836 zone <string> [ <class> ] {
837 type static-stub;
838 allow-query { <address_match_element>; ... };
839 allow-query-on { <address_match_element>; ... };
840 forward ( first | only );
841 forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
842 max-records <integer>;
843 server-addresses { ( <ipv4_address> | <ipv6_address> ); ... };
844 server-names { <string>; ... };
845 zone-statistics ( full | terse | none | <boolean> );
846 };
847
848
849 zone <string> [ <class> ] {
850 type stub;
851 allow-query { <address_match_element>; ... };
852 allow-query-on { <address_match_element>; ... };
853 check-names ( fail | warn | ignore );
854 database <string>;
855 delegation-only <boolean>; // deprecated
856 dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
857 file <quoted_string>;
858 forward ( first | only );
859 forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ]; ... };
860 masterfile-format ( raw | text );
861 masterfile-style ( full | relative );
862 max-records <integer>;
863 max-refresh-time <integer>;
864 max-retry-time <integer>;
865 max-transfer-idle-in <integer>;
866 max-transfer-time-in <integer>;
867 min-refresh-time <integer>;
868 min-retry-time <integer>;
869 multi-master <boolean>;
870 primaries [ port <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
871 transfer-source ( <ipv4_address> | * ) ;
872 transfer-source-v6 ( <ipv6_address> | * ) ;
873 use-alt-transfer-source <boolean>; // deprecated
874 zone-statistics ( full | terse | none | <boolean> );
875 };
876
877
878 zone <string> [ <class> ] {
879 type delegation-only;
880 };
881
882
883 zone <string> [ <class> ] {
884 in-view <string>;
885 };
886
887
888 FILES
889 /etc/named.conf
890
891 SEE ALSO
892 named(8), named-checkconf(8), rndc(8), rndc-confgen(8), tsig-keygen(8),
893 BIND 9 Administrator Reference Manual.
894
895 AUTHOR
896 Internet Systems Consortium
897
898 COPYRIGHT
899 2023, Internet Systems Consortium
900
901
902
903
904 9.18.20 NAMED.CONF(5)