named.conf(4) Kernel Interfaces Manual named.conf(4)
NAME
named.conf - configuration file for Internet domain name server
SYNOPSIS
DESCRIPTION
is the configuration file for the name server daemon. The default path name is
BIND 9 configuration is broadly similar to BIND 8.x. However, there are a few new areas of configuration, such as views. BIND 8.x config-
uration files should work with few alterations in BIND 9.3, although more complex configurations need to be reviewed to see if they can be
more efficiently implemented using the new features implemented in BIND 9.3. BIND 4.9.7 configuration files can be converted to the BIND
9.3 format using the shell script,
Syntax Rules
In the syntax descriptions in this manpage, the following typographic rules apply:
Characters in this font should be entered as is.
variable Characters in this font should be replaced with appropriate values.
( ) Parentheses are metacharacters that enclose required content. (The brace characters are used in the configuration syntax as
block delimiters.)
[ ] Brackets are metacharacters that enclose optional content.
| Bars within parentheses and brackets are metacharacters that separate alternatives.
token ... [ ]... ( )...
Trailing ellipses are metacharacters that indicate that the previous token, parenthesized item, or bracketed item may be
repeated.
Configuration File Elements
The following configuration elements are used in the BIND 9.3 configuration file grammar:
acl_name The name of an address_match_list as defined by an statement.
address_match_list
A list of one or more ip_addr, ip_prefix, key_id, or acl_name elements.
dialup_option One of or When used in a zone, and are restricted to slave and stub zones.
domain_name A quoted string that is used as a DNS name; for example, .
dotted_decimal One or more integers valued 0 through 255 separated only by periods such as or
ip4_addr An IPv4 address with exactly four elements in dotted_decimal notation.
ip6_addr An IPv6 address, such as
ip_addr An ip4_addr or ip6_addr.
ip_port An IP port number. This is limited to 0 through 65535, with values below 1024 typically restricted to root-owned processes.
In some cases, an asterisk character can be used as a placeholder to select a random high-numbered port.
ip_prefix An IP network specified as an ip_addr, followed by a slash and then the number of bits in the netmask. Trailing zero ele-
ments in ip_addr may be omitted. For example, is the network with netmask and is the network with netmask
key_id A domain_name representing the name of a shared key, to be used for transaction security.
key_list A list of one or more key_ids, separated by semicolons and ending with a semicolon.
number A nonnegative 32-bit unsigned integer (that is, a number between 0 and 4294967295, inclusive). Its acceptable value might
further be limited by the context in which it is used.
path_name A quoted string that is used as a path name, such as .
size_spec One of the following:
number A decimal number, optionally be followed by a scaling factor: or for kilobytes, or for megabytes, and or for giga-
bytes, which scale by 1024, 1024*1024, and 1024*1024*1024 respectively. The value must be representable as a
64-bit unsigned integer (0 to 18446744073709551615, inclusive).
Uses the limit that was in force when the server was started.
Requests unlimited use, or the maximum available amount.
This is the best way to set a really large number.
yes_or_no Either or The words and and the numbers and are also accepted, respectively.
Address Match List Syntax
An address_match_list has the format:
address_match_list_element ;
[ address_match_list_element ; ]...
An address_match_list_element has the format:
[ ! ] ( ip_addr
| ip_prefix
| key key_id
| acl_name
| { address_match_list } )
Address Match List Definition and Usage
Address match lists are primarily used to determine access control for various server operations. They are also used to define priorities
for querying other name servers and to set the addresses on which will listen for queries. The elements which constitute an address match
list may be any of the following:
o An IP address (IPv4 or IPv6).
o An IP prefix (in the
o A key ID, as defined by the statement.
o The name of an address match list previously defined with an statement.
o A nested address match list enclosed in braces.
Elements can be negated with a leading exclamation mark The match list names of and are predefined. For more information on these match
list names, refer to section. The addition of the clause made the name of this syntactic element something of a misnomer, since security
keys can be used to validate access without regard to a host or network address. However, the term is still being used.
When a given IP address or prefix is compared to an address match list, the list is traversed in order until an element matches. The
interpretation of a match depends on whether the list is being used for access control, defining ports and whether the element was
negated. When used as an access control list, a nonnegated match allows access and a negated match denies access. If there is no match,
access is denied.
The clauses and which can be specified in the and/or statements use the address match lists. Similarly, the option causes the server not
to accept queries on any of the machine's addresses which do not match the list.
Because of the first-match aspect of the algorithm, an element that defines a subset of another element in the list should come before
the broader element, regardless of whether either is negated. For example, in the 1.2.3.13 element is of no use because the algorithm
will match any lookup for 1.2.3.13 to the 1.2.3/24 element. Using fixes that problem by having 1.2.3.13 blocked by the negation but all
other 1.2.3.* hosts fall through.
Comment Syntax
Comments in the BIND 9.3 configuration file can be written in the following styles:
C:
C++:
UNIX:
Note: Unlike a zone file, you cannot use a semicolon character to start a comment in the BIND 9.3 configuration file. The semicolon indi-
cates the end of a configuration statement.
CONFIGURATION FILE GRAMMAR
A BIND 9.3 configuration file consists of statements and comments. Statements end with a semicolon. Statements and comments are the only
elements that can appear without enclosing braces. Many statements contain a block of substatements, which is terminated with a semicolon.
The following statements are supported:
Defines a named IP address matching list,
for access control and other uses.
Declares control channels to be used by the
utility.
Includes a file.
Specifies key information for use in authentication and authorization
using TSIG.
Specifies what data the server logs, and where the log messages are sent.
Configures the name server to also act as a lightweight resolver server.
Defines a masters list for inclusion in
clauses of stub and slave statements
Controls global server configuration options
and sets defaults for other statements.
Sets certain configuration options on a per-server basis.
Defines trusted DNSSEC keys.
Defines a view.
Defines a zone.
The and statements may occur only once per configuration.
The acl Statement
acl acl-name {
address_match_list
};
The statement assigns a symbolic name to an address match list. It gets its name from the primary use of address match lists for Access
Control Lists (ACLs). Note that an address match list's name must be defined with before it can be used elsewhere; no forward references
are allowed. The following ACL names are built-in:
Matches all hosts.
Matches no hosts.
Matches the IPv4 addresses of all network interfaces on the system.
Matches any host on an IPv4 network for which the system has an interface.
The and ACLs do not currently support IPv6 (that is, does not match the host's IPv6 addresses, and does not match the host's attached IPv6
networks) due to the lack of a standard method of determining the complete set of local IPv6 addresses for a host.
The controls Statement
controls {
( inet ( ip_addr | * ) [ port ip_port ]
allow { address_match_list }
keys { key_list }; )...
};
The statement declares control channels to be used by system administrators to control the operation of the local name server. These con-
trol channels are used by the utility to send commands to and retrieve non-DNS results from a name server.
An control channel is a TCP/IP socket accessible to the Internet, created at the specified ip_port on the specified ip_addr. If no port is
specified, port 953 is used by default. cannot be used for ip_port.
The and clauses restrict the ability to issue commands over the control channel. Connections to the control channel are permitted based on
the address permissions in address_match_list. members of the address_match_list are ignored, and instead are interpreted independently
based on the key_list. Each key_id in the key_list is allowed to be used to authenticate commands and responses given over the control
channel by digitally signing each message between the server and a command client. All commands to the control channel must be signed by
one of its specified keys to be honored.
If no statement is present, will set up a default control channel listening on the loopback address 127.0.0.1 and its IPv6 counterpart ::1.
In this case, and also when the statement is present but does not have a clause, will attempt to load the command channel key from the file
To create a file, run The feature was implemented to ease the transition of systems from BIND 8, which did not have digital signatures on
its command channel messages and thus did not have a clause.
Since the feature is only intended to allow the backward-compatible usage of BIND 8 configuration files, this feature does not have a high
degree of configurability. You cannot easily change the key name or the size of the secret, so you should make an with your own key if you
wish to change them. The file also has its permissions set such that only the owner of the file (the user that is running as) can access
it. If you desire greater flexibility in allowing other users to access commands, then you need to create an and make it group-readable by
a group that contains the users who should have access.
The UNIX control channel type of BIND 8 is not supported in BIND 9.3, and is not expected to be added in future releases. If it is present
in the statement from a BIND 8 configuration file, it is ignored and a warning is logged.
As a special case, to disable the command channel, use an empty statement:
The include Statement
include filename ;
The statement inserts the specified file at the point where the statement is encountered. The statement facilitates the administration of
configuration files by permitting the reading or writing of some things but not others. For example, the statement could include private
keys that are readable only by a name server.
The key Statement
key key_id {
algorithm algoname ;
secret secretstring ;
};
The statement defines a shared secret key for use with TSIG. The statement can occur at the top level of the configuration file or inside
a statement. Keys defined in top-level key statements can be used in all views. Keys intended for use in a statement must be defined at
the top level.
key_id A domain name uniquely identifying the key. Also known as the key name. It can be used in a statement to sign requests
with this key or in address match lists to verify that incoming requests have been signed with a key matching this name,
algorithm, and secret.
algoname A string that specifies a security/authentication algorithm. is the only algorithm which is currently supported with TSIG
authentication.
secretstring A base-64-encoded secret string to be used by the algorithm.
The logging Statement
logging {
[ channel channel_name {
( file path name
[ versions ( number | unlimited ) ]
[ size size spec ]
| null
| stderr
| syslog syslog_facility
) ;
[ severity ( critical | error | warning | notice
| info | debug [ level ] | dynamic ) ; ]
[ print-category yes_or_no ; ]
[ print-severity yes_or_no ; ]
[ print-time yes_or_no ; ]
}; ]...
[ category category_name {
( channel_name ; )...
}; ]...
};
The and clauses may be repeated in any order. The statement configures a wide variety of logging options for the name server. Its phrase
associates output methods, format options, and severity levels with a name, channel_name, that can be used with the phrase to select how
various classes of messages are logged.
Only one statement is used to define any number of channels and categories. If there is no statement, the logging configuration defaults
to:
logging {
category "unmatched" { "null"; };
category "default" { "default_syslog"; "default_debug"; };
};
In BIND 9.3, the logging configuration is established only when the entire configuration file has been parsed. In BIND 8, it was estab-
lished as soon as the statement was parsed. When the server starts up, all logging messages related to syntax errors in the configuration
file go to the default channels, or to standard error if the option is specified. All log output goes to one or more user-defined or pre-
defined channels. Every definition must include a destination clause that says whether messages selected for the channel go to a file, or
to a particular syslog facility, or to the standard error stream, or are discarded. It can optionally also limit the message severity
level that will be accepted by the channel (the default is and whether to include a time stamp, the category name, and/or severity level
(the default is not to include any).
The destination clause directs the channel to a disk file. It can include limitations on both the file size and the number of versions of
the file that are saved each time the file is opened.
If you use the log file option, then will retain that many backup versions of the file by renaming them when opening.
For example, if you choose to keep three old versions of the file then, just before it is opened:
Use if you do not want to limit the number of versions. If a option is associated with the log file, then renaming is only done when the
file being opened exceeds the indicated size. No backup versions are kept, by default; any existing log file is simply appended.
The option for is used to limit log growth. If the file size exceeds the limit, then will stop writing to the file unless it has a option
associated with it. If backup versions are kept, the files are rolled as described above and a new file is opened. If there is no option,
no more data will be written to the log until the log file is removed or truncated (by some external process) to less than the maximum
size. The default behavior is not to limit the size of the file.
Example usage of the and options:
channel "an_example_channel" {
file "example.log" versions 3 size 20m;
print-time yes;
print-category yes;
};
The destination clause directs the channel to the system log. Its argument is a syslog facility as described in the syslog(3C) manpage.
The syslog(3C) manpage also describes how will handle messages sent to this facility. If you have a system which uses a very old version
of that uses only two arguments to the function, then the destination clause is ignored.
The destination clause directs the channel to the server's standard error stream. This is intended for use when the server is running as a
foreground process, for example when debugging the configuration.
The destination clause discards all message sent to the channel, the and clauses irrelevant.
The clause works like the priority parameter except that it can also be used if you are writing straight to a file rather than using Mes-
sages that are not at least of the severity level given will not be selected for the channel; messages of higher severity levels will be
accepted. If you are using the option, then the priorities will also determine what eventually passes through (see syslogd(1M)).
For example, defining a channel facility and severity as and but only logging via will cause messages of severity and to be dropped. If
the situation were reversed, with writing messages of only or higher, then would print all messages it received from the channel.
The server can supply extensive debugging information when it is in debugging mode. If the server's global debug level is greater than
zero, then debugging mode will be active. The global debug level is set either by starting the server with the option followed by a posi-
tive integer, or by running The global debug level can be set to zero, and debugging mode turned off, by running All debugging messages in
the server have a debug level, and higher debug levels give more detailed output. For example:
channel "specific_debug_level" {
file "foo";
severity debug 3;
};
In this example, channels that specify a particular debug severity will get debugging output of level 3 or less any time the server is in
debugging mode, regardless of the global debugging level. Channels with severity use the server's global level to determine what messages
to print.
If is then the date and time will be logged. may be specified for a channel, but that is usually pointless, since also prints the date and
time.
If is then the category of the message is logged as well.
If is then the severity level of the message will be logged.
The options may be used in any combination, and will always be printed in the order time, category, severity. Here is an example where all
three options are
Time:
Category:
Severity:
Message:
There are four predefined channels that are used for default logging, as follows:
channel "default_syslog" {
syslog daemon; // send to syslog's daemon
// facility
severity info; // only send priority info
// and higher
};
channel "default_debug" {
file "named.run"; // write to named.run in
// the working directory
// Note: stderr is used instead
// of "named.run"
// if the server is started
// with the '-f' option.
severity dynamic; // log at the server's
// current debug level
};
channel "default_stderr" {
stderr; // writes to stderr
severity info; // only send priority info
// and higher
};
channel "null" {
null; // toss anything sent to
// this channel
};
The channel has the special property that it only produces output when the server's debug level is nonzero. It normally writes to a file,
in the server's working directory.
For security reasons, when the command-line option is used, the file is created only after has changed to the new UID, and any debug output
that is generated while is starting up and still running as root is discarded. If you need to capture this output, you must run the server
with the option and redirect standard error to a file.
Once a channel is defined, it cannot be redefined. Thus you cannot alter the built-in channels directly, but you can modify the default
logging by pointing categories at channels you have defined. Predefined categories allow you to fine-tune what messages you want to log
and where you want to log those messages to. If you do not specify a list of channels for a category, then log messages in that category
will be sent to the category instead. If you do not specify a category, the following category is used:
category "default" { "default_syslog"; "default_debug"; };
For example, if you want to log security events to a file and also want to keep the default logging behavior, you need to specify the fol-
lowing in the statement:
channel "my_security_channel" {
file "my_security_file";
severity info;
};
category "security" {
"my_security_channel";
"default_syslog";
"default_debug";
};
To discard all messages in a category, specify the channel, as in the following:
category "xfer-out" { "null"; };
category "notify" { "null"; };
The following are the available categories and brief descriptions of the types of log information they contain. More categories may be
added in future BIND releases.
Defines the logging options for categories
where no specific configuration has been defined.
The catch-all. All unclassified categories belong to this category.
Processing of client requests
Configuration file parsing and processing.
Messages relating to the databases used internally by the name
server to store zone and cache data.
Logs queries that have have been forced to NXDOMAIN as the
result of a zone or a in a or zone declaration.
Dispatching of incoming packets to the server modules where they
are to be processed.
DNSSEC and TSIG protocol processing.
Lame servers are misconfigurations in remote servers,
discovered by BIND 9 when trying to query those servers during resolution.
Network operations.
The NOTIFY protocol.
Enable query logging.
DNS resolution, such as recursive lookups performed on behalf of
clients by a caching name server.
Approval and denial of requests.
Messages that was unable to determine the class of or for which there was no matching view. A one-line summary is also logged to the cat-
egory. This category is best sent to a or by default, it is sent to the channel.
Dynamic updates
Approval and denial of update requests.
Zone transfers the server is receiving.
Zone transfers the server is sending.
The lwres Statement
lwres {
[ listen-on { ( ip_addr [ port ip_port ] ; )... }; ]
[ ndots number ; ]
[ search { domain_name ; [ domain_name ; ]... }; ]
[ view view_name ; ]
};
The statement configures the name server to also act as a lightweight resolver server. There may be be multiple statements configuring
lightweight resolver servers with different properties.
The statement specifies a list of addresses and ports that a lightweight resolver daemon should accept requests on. If no port is speci-
fied, port 921 is used. If this statement is omitted, requests will be accepted on 127.0.0.1, port 921.
The statement is equivalent to the directive in It indicates the minimum number of dots in a relative domain name that should result in an
exact match lookup before search path elements are appended.
The statement is equivalent to the directive in It provides a list of domains that are appended to relative names in queries.
The statement binds this instance of a lightweight resolver daemon to a view in the DNS name space, so that the response will be con-
structed in the same manner as a normal DNS query matching this view. If this statement is omitted, the default view is used, and if there
is no default view, an error is triggered.
The masters Statement
masters name [ port ip_port ] { (
( masters_list | ip_addr [ port ip_port ] [ key key ] ) ;
)... };
A statement defines a masters list. This allows you to include sets of masters in the clauses of multiple stub and slave statements. See
and in the section.
name The name of the statement.
masters_list The acl_name of an statement that specifies a list of masters.
The options Statement
options {
// General Options
[ directory path_name ; ]
[ disable-algorithms domain { algorithm ; [ algorithm ; ] }; ]
[ dnssec-lookaside domain trust-anchor domain ; ]
[ dnssec-must-be-secure domain yes_or_no ; ]
[ dump-file path_name ; ]
[ key-directory path_name ; ]
[ memstatistics-file path_name ; ]
[ pid-file path_name ; ]
[ port ip_port ; ]
[ preferred-glue ( A | AAAA | NONE ) ; ]
[ random-device path_name ; ]
[ root-delegation-only [ exclude { namelist } ] ; ]
[ statistics-file path_name ; ]
[ tkey-dhkey key_name key_tag ; ]
[ tkey-domain domainname ; ]
// Boolean Options
[ additional-from-auth yes_or_no ; ]
[ additional-from-cache yes_or_no ; ]
[ auth-nxdomain yes_or_no ; ]
[ check-names ( master | slave | response )
( warn | fail | ignore ) ; ]
[ dialup dialup_option ; ]
[ dnssec-enable yes_or_no ; ]
[ flush-zones-on-shutdown yes_or_no ; ]
[ match-mapped-addresses yes_or_no ; ]
[ minimal-responses yes_or_no ; ]
[ notify ( yes_or_no | explicit ) ; ]
[ provide-ixfr yes_or_no ; ]
[ querylog yes_or_no ; ]
[ recursion yes_or_no ; ]
[ request-ixfr yes_or_no ; ]
[ zone-statistics yes_or_no ; ]
// Access Control Options
[ allow-notify { address_match_list }; ]
[ allow-query { address_match_list }; ]
[ allow-recursion { address_match_list }; ]
[ allow-transfer { address_match_list }; ]
[ allow-update-forwarding { address_match_list }; ]
[ blackhole { address_match_list }; ]
// Bad UDP Port List Options
[ avoid-v4-udp-ports { port_list }; ]
[ avoid-v6-udp-ports { port_list }; ]
// Built-In Server Information Zone Options
[ hostname hostname_string ; ]
[ server-id server_id_string ; ]
[ version version_string ; ]
// Dual-Stack Server Option
[ dual-stack-servers [ port ip_port ] { (
( domain_name [ port ip_port ] | ip_addr [ port ip_port ] ) ;
)... }; ]
// Empty Zone Options
[ disable-empty-zone zone_name_string ; ]
[ empty-contact empty_contact_name_string ; ]
[ empty-server empty_server_name_string ; ]
[ empty-zones-enable yes_or_no ; ]
// Forwarding Options
[ forward ( only | first ) ; ]
[ forwarders { ( ip_addr [ port ip_port ] ; )... }; ]
// Interface Options
[ listen-on [ port ip_port ] { address_match_list }; ]
[ listen-on-v6 [ port ip_port ] { address_match_list }; ]
// Obsolete Option
[ allow-v6-synthesis yes_or_no ; ]
// Operating System Resource Limit Options
[ coresize size_spec ; ]
[ datasize size_spec ; ]
[ files size_spec ; ]
[ stacksize size_spec ; ]
// Periodic Task Interval Options
[ cleaning-interval number ; ]
[ heartbeat-interval number ; ]
[ interface-interval number ; ]
// Query Address Options
[ query-source [ address ( ip_addr | * ) ]
[ port ( ip_port | * ) ] ; ]
[ query-source-v6 [ address ( ip_addr | * ) ]
[ port ( ip_port | * ) ] ; ]
// RRset Ordering Option
[ rrset-order { order_spec ; [ order_spec ; ]... }; ]
// Server Resource Limit Options
[ max-cache-size size_spec ; ]
[ max-journal-size size_spec ; ]
[ recursive-clients number ; ]
[ tcp-clients number ; ]
[ tcp-listen-queue number ; ]
// Sorting Option
[ sortlist { address_match_list }; ]
// Tuning Options
[ edns-udp-size number ; ]
[ lame-ttl number ; ]
[ max-cache-ttl number ; ]
[ max-ncache-ttl number ; ]
[ max-refresh-time number ; ]
[ max-retry-time number ; ]
[ min-refresh-time number ; ]
[ min-retry-time number ; ]
[ sig-validity-interval number ; ]
// Zone Transfer Options
[ also-notify { ( ip_addr [ port ip_port ] ; )... }; ]
[ alt-transfer-source ( ip4_addr | * ) [ port ip_port ] ; ]
[ alt-transfer-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
[ max-transfer-idle-in number ; ]
[ max-transfer-idle-out number ; ]
[ max-transfer-time-in number ; ]
[ max-transfer-time-out number ; ]
[ notify-source ( ip4_addr | * ) [ port ip_port ] ; ]
[ notify-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
[ serial-query-rate number ; ]
[ transfer-format ( one-answer | many-answers ) ; ]
[ transfer-source ( ip4_addr | * ) [ port ip_port ] ; ]
[ transfer-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
[ transfers-in number ; ]
[ transfers-out number ; ]
[ transfers-per-ns number ; ]
[ use-alt-transfer-source yes_or_no ; ]
};
The statement sets up global options to be used by BIND. This statement may appear only once in a configuration file. If more than one
occurrence is found, the first occurrence determines the actual options used, and a warning is generated. If there is no statement, an
options block with each option set to its default will be used.
The working directory of the server.
Any nonabsolute path names in the configuration file will be taken as relative to this directory. The default location for
most server output files (for example, is this directory. If a directory is not specified, the working directory defaults
to the directory from which the server was started The directory specified should be an absolute path.
Disable the specified DNSSEC algorithms at and below the specified name.
Multiple statements are allowed. Only the most specific is applied.
When set, provides the validator with an alternate method to validate DNSKEY records at the top of a zone. When a DNSKEY is at or
below a domain specified by the deepest and the normal DNSSEC validation has left the key untrusted, the will be appended to
the key name and a DLV record will be looked up to see if it can validate the key. If the DLV record validates a DNSKEY
(similar to the way a DS record does it), the DNSKEY RRset is deemed to be trusted.
Specify hierarchies which must be or may not be secure (signed and validated).
If will only accept answers if they are secure. If normal DNSSEC validation applies and insecure answers are accepted. The
specified domain must be under a trusted key, or must be active.
The path name of the file to which the server dumps the database
with The default is
The directory where the public and private key files should be found,
if it is not the working directory. The specified directory must be an absolute path.
The path name of the file to which
the server writes the memory usage statistics. The default is
The path name of the file in which the server writes its process ID.
The default path name is The is used by programs that need to send signals to the running name server.
Specifying disables the use of a PID file; no file is written and any existing file is removed. Note that is a keyword, not
a file name, and therefore is not enclosed in quotation marks.
The UDP/TCP port number the server uses for receiving and sending DNS
protocol traffic. The default is 53. This option is mainly intended for server testing; a server using a port other than
53 will not be able to communicate with the global DNS.
If specified, the listed type
or will be emitted before other glue in the additional section of a query response. The default is not to prefer any type
("Glue" is a record that is created as part of a delegation.)
The source of entropy (random data) to be used by the server.
Entropy is primarily needed for DNSSEC operations, This option specifies the device (or file) from which to read entropy.
If this is a file, operations requiring entropy will fail when the file has been exhausted. The default value is (or the
equivalent) when present, and none otherwise. The option takes effect during the initial configuration load at server
startup time and is ignored on subsequent reloads.
Turn on enforcement of
in top level domains (TLD) and root zones, with an optional list.
Note: Some TLDs are (for example, and
options {
root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
};
The path name of the file in which the server appends statistics using
The default is in the server's current directory. The file format is described in section.
The Diffie-Hellman key
used by the server to generate shared keys with clients using the Diffie-Hellman mode of TKEY. The server must be able to
load the public and private keys from files in the working directory. In most cases, the key_name should be the server's
host name. The key_tag is an integer that is part of the key.
The domain appended to the names of all shared keys generated with TKEY.
When a client requests a TKEY exchange, it can specify a preferred name for the key. If the name is present, the name of
the shared key will be Otherwise, the name of the shared key will be random_hex_digits+tkey-domain. In most cases, the
domain name should be the server's domain name.
These options control the behavior of an authoritative server when
answering queries which have additional data, or when following CNAME and DNAME chains.
When both of these options are set to (the default) and a query is being answered from authoritative data (a zone configured
into the server), the additional data section of the reply will be filled in using data from other authoritative zones and
from the cache. In some situations this is undesirable, such as when there is concern over the correctness of the cache, or
in servers where slave zones may be added and modified by untrusted third parties. Also, avoiding the search for this addi-
tional data will speed up server operations at the possible expense of additional queries to resolve what would otherwise be
provided in the additional section.
For example, if a query asks for an record for host and the record found is normally the address records and for will be
provided as well, if known. Set these options to to disable this behavior.
These options are intended for use in authoritative-only servers, or in authoritative-only views. Attempts to set them to
without also specifying will cause the server to ignore the options and log a warning message.
Specifying actually disables the use of the cache not only for additional data lookups but also when looking up the answer.
This is usually the desired behavior in an authoritative-only server where the correctness of the cached data is an issue.
When a name server is nonrecursively queried for a name that is not below the apex of any served zone, it normally answers
with an "upwards referral" to the root servers or the servers of some other known parent of the query name. Since the data
in an upwards referral comes from the cache, the server will not be able to provide upwards referrals when has been speci-
fied. Instead, it will respond to such queries with REFUSED. This should not cause any problems since upwards referrals
are not required for the resolution process.
If then the AA bit is always set on NXDOMAIN responses, even if the server is not actually authoritative. The default is If
you are using an old version of BIND, you might need to set this option to
Restrict the character set and syntax
of certain domain names in master files and/or DNS responses received from the network. The default varies according to
usage area. For master zones, the default is For slave zones, the default is For answers received from the network the
default is
The rules for legal host names and mail domains are derived from RFC 952 and RFC 821 as modified by RFC 1123.
applies to the owner names of and records. It also applies to the domain names in the rrdata of and records. It also
applies to the rrdata of records where the owner name indicated that it is a reverse lookup of a host name (the owner name
ends in
If then the server treats all zones as if they are doing zone transfers across a dial-on-demand dialup link, which can be
brought up by traffic originating from this server. This has different effects according to zone type and concentrates the
zone maintenance so that it all happens in a short interval, once every and hopefully during the one call. It also sup-
presses some of the normal zone maintenance traffic. The default is
The option may also be specified in and statements, in which case, it overrides the global dialup option.
If the zone is a master zone, then the server will send out a NOTIFY request to all the slaves. This will trigger the zone
serial number check in the slave (provided it supports NOTIFY), allowing the slave to verify the zone while the connection
is active.
If the zone is a slave or stub zone, then the server will suppress the regular "zone up to date" (refresh) queries and only
perform them when the expires in addition to sending NOTIFY requests.
Finer control can be achieved by using which only sends NOTIFY messages; which sends NOTIFY messages and suppresses the nor-
mal refresh queries; which suppresses normal refresh processing and sends refresh queries when the heartbeat-interval
expires; and which just disables normal refresh processing.
Enable DNSSEC support in
Unless set to behaves as if it does not support DNSSEC. The default is
If flush any pending zone writes when the name server exits due to receiving a The default is do not flush on
If then an IPv4-mapped IPv6 address will match any address match list entries that match the corresponding IPv4 address.
If the server will only add records to the authority when generating responses and additional data sections when they are
required (for example, delegations, negative responses). This may improve the performance of the server. The default is
If (the default), DNS NOTIFY messages are sent when a zone for which the server is authoritative, changes. The messages are
sent to the servers listed in the zone's NS records (except the master server identified in the MNAME field), and to any
servers listed in the option. If is specified, NOTIFY messages are sent only to servers explicitly listed using If no
NOTIFY messages are sent.
The option may also be specified in the statement, in which case it overrides the specified in the statement. It needs to
be turned off only when the slaves crash.
Determines whether the local server, acting as master,
will respond with an incremental zone transfer when the given remote server, a slave, requests it. If an incremental trans-
fer will be provided whenever possible. If all transfers to the remote server will be nonincremental. If not set in a
statement, the value of the option in the or global statement is used as a default.
If start query logging when starts. If do not start query logging when starts. If is not specified, query logging is deter-
mined from the presence of the logging category
If and a DNS query requests recursion, then the server will attempt to answer the query. If and the server does not know the
answer, it will return a referral response. The default is
Note that setting to does not prevent clients from getting data from the server's cache; it only prevents new data from
being cached as an effect of client queries. Caching may still occur as an effect of the server's internal operation, such
as NOTIFY address lookups.
Determines whether the local server, acting as a slave,
will request incremental zone transfers from the given remote server, a master. If not set in a statement, the value of the
option in the or global statement is used as a default.
If the server will, by default, collect statistical data on all zones in the server. These statistics may be accessed using
the command, which will dump them to the file listed in the option.
Access to the server can be restricted based on the IP address of the requesting system.
Specifies which hosts are allowed to notify slaves of a zone change in
addition to the zone masters. may also be specified in the statement, in which case it overrides the statement. It is only
meaningful for a slave zone. If not specified, the default is to process notify messages only from a zone's master.
Specifies which hosts are allowed to ask ordinary questions.
may also be specified in the statement, in which case it overrides the statement. If not specified, the default is to allow
queries from all hosts.
Specifies which hosts are allowed to make recursive queries through
this server. If not specified, the default is to allow recursive queries from all hosts. Note that disallowing recursive
queries for a host does not prevent the host from retrieving data that is already in the server's cache.
Specifies which hosts are allowed to submit Dynamic DNS updates to
slave zones to be forwarded to the master. The default is which means that no update forwarding will be performed. To
enable update forwarding, specify Specifying values other than or is usually counterproductive, since the responsibility for
update access control should rest with the master server, not the slaves.
Note that enabling the update forwarding feature on a slave server may expose master servers relying on insecure IP-address-
based access control to attacks.
Specifies the hosts that are allowed to receive zone transfers from
the server. may also be specified in the statement, in which case it overrides the statement. If not specified, the
default is to allow transfers from all hosts.
Specifies a list of addresses that the server will not accept queries
from or use to resolve a query. Queries from these addresses will not be responded to. The default is
Specify a list of IPv4 and IPv6 UDP ports that will not be used as system
assigned source ports for UDP sockets. These lists prevent from choosing as its random source port a port that is blocked
by your firewall. If a query went out with such a source port, the answer would not get by the firewall and the name server
would have to query again.
The server provides some helpful diagnostic information through a number of built-in zones under the pseudo-top-level-domain bind in the
class. These zones are part of a built-in view of class which is separate from the default view of class therefore, any global server
options such as do not apply the these zones. If you feel the need to disable these zones, use the options below, or hide the built-in
view by defining an explicit view of class that matches all clients.
The host name the server should report via a query of the name
with type class This defaults to the host name of the machine hosting the name server as found by (see gethostname(2)). The
primary purpose of such queries is to identify which of a group of servers is actually answering your queries. Specifying
disables processing of the queries.
The ID the server should report via a query of the name
with type class The primary purpose of such queries is to identify which of a group of anycast servers is actually answering
your queries. Specifying disables processing of the queries. Specifying causes to use the host name as found by The
default is
The version the server should report via a query of the name
with type and class The default is the real version number of this server. Specifying disables processing of the queries.
Dual-stack servers are used as a last resort to workaround reachability problems due to the lack of support for either IPv4 or IPv6 on the
host machine.
Specifies host names or addresses of machines
with access to both IPv4 and IPv6 transports. If a host name is used, the server must be able to resolve the name using
only the transport it has. If the machine is dual-stacked then the have no effect unless access to a transport has been
disabled on the command line (for example, with
By default, a reverse lookup query for an address in the following zone will not be to the root server for resolution.
Please note that right now we have only one zone in this list. Additional zones may be added to at later point of time.
By default, BIND is the authoritative server for the and returns for any queries to addresses in these zones. This feature can be overrid-
den by manually configuring named(1M) to be authoritative for these zones.
Disables an individual
By default, none of the empty-zones are disabled. If more than one needs to be disabled, use this option multiple number of
times.
Specifies the contact name that must appear in the returned
SOA record for empty zones. If this option is not specified, then a period is used.
Specifies the server name that appears in the returned
SOA record for empty zones. If this option is not specified, then the zone name is used.
Enables or disables all empty zones. By default, the
are enabled.
The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external name
servers. It can also be used to allow queries by servers that do not have direct access to the Internet, but wish to look up exterior
names anyway. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache.
This option is useful only if the
list is not empty. The default value causes the server to query the forwarders first, and if that is unable to answer the
question, the server will then look for the answer itself. If is specified, the server will only query the forwarders.
Specifies the IP addresses to be used for forwarding.
The default is the empty list (no forwarding).
Forwarding can also be configured on a per-domain basis, allowing for the global forwarding options to be overridden in a variety of ways.
You can set a particular domain to use different forwarders, or have a different or behavior, or not forward at all; see section.
The interfaces and ports that the server will answer queries from, may be specified using the option.
The server listens on all interfaces allowed by the
address match list. If a port is not specified, port 53 is used.
Multiple statements are allowed. For example,
listen-on { 5.6.7.8; };
listen-on port 1234 { !1.2.3.4; 1.2/16; };
will enable the name server on port 53 for the IP address 5.6.7.8, and on port 1234 of an address on the machine in net 1.2
that is not 1.2.3.4. If no is specified, the server will listen on port 53 on all interfaces.
Specifies the ports on which the server will
listen for incoming queries sent using IPv6.
The server does not bind a separate socket to each IPv6 interface address as it does for IPv4. Instead, it always listens
on the IPv6 wildcard address. Therefore, the only values allowed for the address_match_list argument of the statement are:
and
Multiple options can be used to listen on multiple ports:
listen-on-v6 port 53 { any; };
listen-on-v6 port 1234 { any; };
To make the server not to listen on any IPv6 address, use
listen-on-v6 { none; };
If no statement is specified, the server will not listen on any IPv6 address.
This option was introduced for the smooth transition from
to and from "nibble labels" to binary labels. However, since both and binary labels were then deprecated, this option was
also deprecated. It is now ignored with some warning messages.
The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For example, can
be used instead of 1073741824 to specify a limit of one gigabyte. An size_spec requests unlimited use, or the maximum available amount.
uses the limit that was in force when the server was started.
The following options set operating system resource limits for the name server process. A warning will be issued if an unsupported limit
is used.
The maximum size of a core dump.
The default is
The maximum amount of data memory the server may use.
The default is This is a hard limit on server memory usage. If the server attempts to allocate memory in excess of this
limit, the allocation will fail, which may in turn leave the server unable to perform DNS service. Therefore, this option
is rarely useful as a way of limiting the amount of memory used by the server, but it can be used to raise an operating sys-
tem data size limit that is too small by default. If you wish to limit the amount of memory used by the server, use the and
options instead; see the section.
The maximum number of files the server may have open concurrently.
The default is
The maximum amount of stack memory the server may use.
The default is
The server will remove expired resource records from the cache every
minutes. The default is 60 minutes. The maximum value is 28 days (40320 minutes). If set to 0, no periodic cleaning will
occur.
The server will perform zone maintenance tasks for all zones marked as
whenever this interval expires. The default is 60 minutes. The maximum value is 28 days (40320 minutes). Reasonable val-
ues are up to 1 day (1440 minutes). If set to 0, no zone maintenance for these zones will occur.
The server will scan the network interface list every
minutes. The default is 60 minutes. The maximum value is 28 days (40320 minutes). If set to 0, interface scanning will
only occur when the configuration file is loaded. After the scan, listeners will be started on any new interfaces (provided
they are allowed by the configuration). Listeners on interfaces that have gone away will be cleaned up.
If the server is unable to answer a question, it will query other name servers.
Specifies the address and port used for such queries.
Specifies the address and port used
for queries sent over IPv6.
If address is or is omitted, a wildcard IP address is used. If port is or is omitted, a random unprivileged port will be used. The
default address and port are:
query-source address * port * ;
query-source-v6 address * port * ;
Note: The address specified in the option is used for both UDP and TCP queries, but the port applies only to UDP queries. TCP queries
always use a random unprivileged port. When multiple records are returned in an answer, it may be useful to configure the order of the
records placed into the response.
The option permits the configuration of the ordering of the records in a multiple record response.
order_spec is defined as:
[ class class_name ] [ type type_name ] [ name "domain_name" ]
order ordering
If no is specified, the default is If no is specified, the default is If no is specified, the default is
The values for ordering are:
Records are returned in the order they are defined in the zone file.
Records are returned in some random order.
Records are returned in a round-robin order.
In this example, any responses for type records in class that have as a suffix, are always returned in order. All other records are
returned in order.
rrset-order {
class IN type A name "host.example.com" order random;
order cyclic;
};
If multiple statements appear, they are not combined; the last one applies. The following options set limits on the server's resource con-
sumption that are enforced internally by the server rather than the operating system.
The maximum amount of memory to use for the server's cache, in bytes.
When the amount of data in the cache reaches this limit, the server will cause records to expire prematurely so that the
limit is not exceeded. In a server with multiple views, the limit applies separately to the cache of each view. The
default is meaning that records are purged from the cache only when their TTLs expire.
Sets a maximum size for each journal file.
When the journal file approaches the specified size, some of the oldest transactions in the journal will be automatically
removed. The default is
The maximum number of simultaneous recursive lookups the server will
perform on behalf of clients. The default is 1000. Because each recursing client uses a fair bit of memory, on the order
of 20 kilobytes, the value of the option may have to be decreased on hosts with limited memory.
The maximum number of simultaneous client TCP connections that the
server will accept. The default is 100.
The listen queue depth.
The default and minimum is 3. If the kernel supports the accept filter "dataready", this also controls how many TCP connec-
tions that will be queued in kernel space waiting for some data before being passed to accept. Values less than 3 are
silently raised.
The response to a DNS query may consist of multiple resource records (RRs) forming a resource records set (RRset). The name server will
normally return the RRs within the RRset in an indeterminate order (but see the statement in the section). The client resolver code should
rearrange the RRs as appropriate, that is, using any addresses on the local net in preference to other addresses. However, not all
resolvers can do this or are correctly configured. When a client is using a local server, the sorting can be performed in the server,
based on the client's address. This only requires configuring the name servers, not all the clients.
The option takes an address_match_list and interprets it. Each top level statement in the must itself be an explicit address_match_list
with one or two elements. The first element (which may be an IP address, an IP prefix, an ACL name, or a nested address_match_list) of
each top level list is checked against the source address of the query until a match is found.
Once the source address of the query has been matched, if the top level statement contains only one element, the actual primitive element
that matched the source address is used to select the address in the response to move to the beginning of the response. If the statement
is a list of two elements, then the second element is interpreted in a special way. Each top level element is assigned a distance and the
address in the response with the minimum distance is moved to the beginning of the response.
In the following example, any queries received from any of the addresses of the host itself will get responses preferring addresses on any
of the locally connected networks. Next will be addresses on the 192.168.1/24 network, and after that either the 192.168.2/24 or
192.168.3/24 network with no preference shown between these two networks. Queries received from a host on the 192.168.1/24 network will
prefer other addresses on that network to the 192.168.2/24 and 192.168.3/24 networks. Queries received from a host on the 192.168.4/24 or
the 192.168.5/24 network will only prefer other addresses on their directly connected networks.
sortlist {
{ localhost; // IF the local host
{ localnets; // THEN first fit on the
192.168.1/24; // following nets
{ 192.168.2/24; 192.168.3/24; }; }; };
{ 192.168.1/24; // IF on class C 192.168.1
{ 192.168.1/24; // THEN use .1, or .2 or .3
{ 192.168.2/24; 192.168.3/24; }; }; };
{ 192.168.2/24; // IF on class C 192.168.2
{ 192.168.2/24; // THEN use .2, or .1 or .3
{ 192.168.1/24; 192.168.3/24; }; }; };
{ 192.168.3/24; // IF on class C 192.168.3
{ 192.168.3/24; // THEN use .3, or .1 or .2
{ 192.168.1/24; 192.168.2/24; }; }; };
{ // IF .4 or .5, prefer that net
{ 192.168.4/24; 192.168.5/24; }; };
};
The following example gives reasonable behavior for the local host and hosts on directly connected networks. It is similar to the behavior
of the address sort in BIND 4.9.x. Responses sent to queries from the local host will favor any of the directly connected networks.
Responses sent to queries from any other hosts on a directly connected network will prefer addresses on that same network. Responses to
other queries will not be sorted.
sortlist {
{ localhost; localnets; };
{ localnets; };
};
Sets the advertised Extended DNS (EDNS) UDP buffer size in bytes.
Valid values are 512 to 4096 (values outside this range will be silently adjusted). The default value is 4096. The usual
reason for setting to a nondefault value is to get UDP answers to pass through broken firewalls that block fragmented pack-
ets and/or block UDP packets that are greater than 512 bytes.
Sets the number of seconds to cache a lame server indication.
0 disables caching. (This is recommended.) The default is 600 (10 minutes). The maximum value is 1800 (30 minutes). (See
the keyword in section.)
Sets the maximum time in seconds for which the server will cache ordinary
(positive) answers. The default is one week (7 days).
To reduce network traffic and increase performance,
the server stores negative answers. is used to set a maximum retention time for these answers in the server in seconds.
The default is 10800 seconds (3 hours). The maximum is 7 days and will be truncated to 7 days if set to a greater value.
These options control the server's behavior on refreshing a zone
(querying for SOA changes) or retrying failed transfers. Usually the SOA values for the zone are used, but these values are
set by the master, giving slave server administrators little control over their contents.
These options allow the administrator to set a minimum and maximum refresh and retry time either per-zone, per-view, or per-
server. These options are valid for master, slave and stub zones, and clamp the SOA refresh and retry times to the speci-
fied values.
Specifies the number of days into the future when DNSSEC signatures
that were automatically generated as a result of dynamic updates will expire. The default is 30 days. The maximum is 10
years (3660 days). The signature inception time is unconditionally set to one hour before the current time to allow for a
limited amount of clock skew.
BIND has mechanisms in place to facilitate zone transfers and set limits on the amount of load that transfers place on the system. The
following options apply to zone transfers.
Defines a global list of IP addresses of name servers that are also sent
NOTIFY messages whenever a fresh copy of the zone is loaded, in addition to the servers listed in the zone's NS records.
This helps to ensure that copies of the zones will quickly converge on stealth servers. If an list is given in a statement,
it will override the statement. When a statement is set to the IP addresses in the global list will not be sent NOTIFY mes-
sages for that zone. The default is the empty list (no global notification list).
An alternate transfer source if the one listed in
fails and is set.
An alternate transfer source if the one listed in
fails and is set.
Inbound zone transfers making no progress in this many minutes will be
terminated. The default is 60 minutes (1 hour). The maximum value is 28 days (40320 minutes).
Outbound zone transfers making no progress in this many minutes will be
terminated. The default is 60 minutes (1 hour). The maximum value is 28 days (40320 minutes).
Inbound zone transfers running longer than this many minutes will be
terminated. The default is 120 minutes (2 hours). The maximum value is 28 days (40320 minutes).
Outbound zone transfers running longer than this many minutes will be
terminated. The default is 120 minutes (2 hours). The maximum value is 28 days (40320 minutes).
Determines which local source address, and optionally UDP port,
will be used to send NOTIFY messages. This address must appear in the slave server's clause or in an clause. This state-
ment sets the for all zones, but can be overridden on a per-zone or per-view basis by including a statement within the or
statement in the configuration file.
The same as but applies to NOTIFY messages sent to IPv6 addresses.
Slave servers will periodically query master servers to find out if
zone serial numbers have changed. Each such query uses a minute amount of the slave server's network bandwidth. To limit
the amount of bandwidth used, BIND 9.3 limits the rate at which queries are sent. The value of the option, an integer, is
the maximum number of queries sent per second. The default is 20.
Zone transfers can be sent using two different formats,
and The option is used on the master server to determine which format it sends. uses one DNS message per resource record
transferred. packs as many resource records as possible into a message. is more efficient, but is only supported by rela-
tively new slave servers, such as BIND 9.3, BIND 8.x, and patched versions of BIND 4.9.x. The default is may be overridden
on a per-server basis by using the statement.
Determines which local address will be bound to IPv4 TCP
connections used to fetch zones transferred inbound by the server. It also determines the source IPv4 address, and option-
ally the UDP port, used for the refresh queries and forwarded dynamic updates. If not set, it defaults to a system-con-
trolled value which will usually be the address of the interface "closest to" the remote end. This address must appear in
the remote end's option for the zone being transferred, if one is specified. This statement sets the for all zones, but can
be overridden on a per-view or per-zone basis by including a statement within the or block in the configuration file.
The same as except that zone transfers are performed using IPv6.
The maximum number of concurrently running inbound zone transfers.
The default value is 10. The maximum value is 28 days (40320 minutes). Increasing may speed up the convergence of slave
zones, but it may also increase the load on the local system.
The maximum number of concurrently running outbound zone transfers.
Zone transfer requests in excess of the limit will be refused. The default value is 10.
The maximum number of concurrently running inbound zone transfers
from a given remote name server. The default value is 2. Increasing may speed up the convergence of slave zones, but it
also may increase the load on the remote name server. may be overridden on a per-server basis by using the phrase of the
statement.
Use the alternate transfer sources or not.
If views are specified, this defaults to otherwise, it defaults to (for BIND 8 compatibility).
The server Statement
server ip_addr {
[ bogus yes_or_no ; ]
[ edns yes_or_no ; ]
[ keys { string ; [ string ; ]... }; ]
[ provide-ixfr yes_or_no ; ]
[ request-ixfr yes_or_no ; ]
[ transfer-format ( one-answer | many-answers ) ; ]
[ transfer-source ( ip4_addr | * ) [ port ip_port ] ; ]
[ transfer-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
[ transfers number ; ]
};
The statement defines characteristics to be associated with a remote name server. The statement can occur at the top level of the configu-
ration file or inside a statement. If a statement contains one or more statements, only those apply to the view and any top-level ones are
ignored. If a statement contains no statements, any top-level statements are used as defaults.
If you discover that a remote server is giving out bad data,
marking it as will prevent further queries to it. The default value is
(Extended DNS) Determines whether the local server will attempt to use EDNS when communicating with the remote server. The default is
Identifies a key_id defined by a statement, to be used for transaction security when talking to the remote server. The statement must
come before the statement that references it. When a request is sent to the remote server, a request signature will be gen-
erated using the key specified here, and appended to the message. A request originating from the remote server is not
required to be signed by this key. Although the grammar of the clause allows for multiple keys, only a single key per
server is currently supported.
Determines whether the local server, acting as master,
will respond with an incremental zone transfer when the given remote server, a slave, requests it. If set to incremental
transfer will be provided whenever possible. If set to all transfers to the remote server will be nonincremental. If not
set, the value of the option in the or global statement is used as a default.
Determines whether the local server, acting as a slave,
will request incremental zone transfers from the given remote server, a master. If not set, the value of the option in the
or global statement is used as a default.
IXFR requests to servers that do not support IXFR will automatically fall back to AXFR. Therefore, there is no need to man-
ually list which servers support IXFR and which ones do not; the global default of should always work. The purpose of the
and clauses is to make it possible to disable the use of IXFR even when both master and slave claim to support it; for exam-
ple, if one of the servers is defective and crashes or corrupts data when IXFR is used.
The server supports two zone transfer methods.
uses one DNS message per resource record transferred. packs as many resource records as possible into a message. is more
efficient, but is only known to be understood by BIND 9, BIND 8.x, and patched versions of BIND 4.9.5. You can specify
which method to use for a server with the option. If is not specified, the specified by the statement is used.
Specify the IPv4 and IPv6 source address to be used for zone transfer
with the remote server, respectively. For an IPv4 remote server, only can be specified. Similarly, for an IPv6 remote
server, only can be specified.
Limits the number of concurrent inbound zone transfers
from the specified server. If no clause is specified, the limit is set according to the option.
The trusted-keys Statement
trusted-keys {
( domain_name flags protocol algorithm key_data ; )...
};
The statement defines DNSSEC security roots. A security root is defined when the public key for a nonauthoritative zone is known, but can-
not be securely obtained through DNS, either because it is the DNS root zone or its parent zone is unsigned. Once a key has been config-
ured as a trusted key, it is treated as if it had been validated and proven secure. The resolver attempts DNSSEC validation on all DNS
data in subdomains of a security root.
The statement can contain multiple key entries, each consisting of the key's five parameters: domain_name (string), flags (number), proto-
col (number), algorithm (number), and the base-64 representation of the key_data (string).
The view Statement
view view_name [ class ] {
[ match-clients { address_match_list } ; ]
[ match-destinations { address_match_list } ; ]
[ match-recursive-only { yes_or_no } ; ]
[ view_option ; ]...
[ zone_statement ; ]...
};
The statement lets a name server answer a DNS query differently depending on who is asking. It is particularly useful for implementing
split DNS setups without having to run multiple servers. Each statement defines a view of the DNS name space that will be seen by a subset
of clients. The order of the statements is significant; a client request will be resolved in the context of the first view that it
matches.
view_name A name for the view.
class Views are class-specific. If no class is given, class is assumed. Note that all views must contain a hint zone, since only
the class has compiled-in default hints.
A client matches a view if its source IP address matches the
address_match_list of the statement's clause and its destination IP address matches the address_match_list of the state-
ment's clause.
If not specified, and each default to matching all addresses.
Means that only recursive requests from matching clients match that view.
view_option Many of the options given in the statement can also be used within a statement, and then apply only when resolving queries
with that view. When no view-specific value is given, the value in the statement is used as a default. Also, zone options
can have default values specified in the statement; these view-specific defaults take precedence over those in the state-
ment. See section.
zone_statement Zones defined within a statement will only be accessible to clients that match the view. By defining a zone of the same
name in multiple views, different zone data can be given to different clients; for example, and clients in a split DNS set-
up. See section.
If there are no statements in the configuration file, a default view that matches any client is automatically created in class and any
statements specified on the top level of the configuration file are considered to be part of this default view. If any explicit statements
are present, all statements must occur inside statements.
Here is an example of a typical split DNS setup, implemented with statements.
view "internal" {
// This should match our internal networks.
match-clients { 10.0.0.0/8; };
// Provide recursive service to internal clients only.
recursion yes;
// Provide a complete view of the example.com zone
// including addresses of internal hosts.
zone "example.com" {
type master;
file "example-internal.db";
};
};
view "external" {
match-clients { any; };
// Refuse recursive service to external clients.
recursion no;
// Provide a restricted view of the example.com zone
// containing only publicly accessible hosts.
zone "example.com" {
type master;
file "example-external.db";
};
};
The zone Statement
zone zone_name [ class ] [ {
type ( master | slave | hint
| stub | forward | delegation-only ) ;
[ allow-notify { address_match_list }; ]
[ allow-query { address_match_list }; ]
[ allow-transfer { address_match_list }; ]
[ allow-update { address_match_list }; ]
[ allow-update-forwarding { address_match_list }; ]
[ also-notify { ( ip_addr [ port ip_port ] ; )... }; ]
[ alt-transfer-source ( ip4_addr | * ) [ port ip_port ] ; ]
[ alt-transfer-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
[ check-names ( warn | fail | ignore ) ; ]
[ database string ; ]
[ delegation-only yes_or_no ; ]
[ dialup dialup_option ; ]
[ file string ; ]
[ forward ( only | first ) ; ]
[ forwarders { ( ip_addr [ port ip_port ] ; )... }; ]
[ ixfr-from-differences yes_or_no ; ]
[ key-directory path_name ; ]
[ masters [ port ip_port ] { (
( masters_name | ip_addr [ port ip_port ] [ key key ] ) ;
)... }; ]
[ max-refresh-time number ; ]
[ max-retry-time number ; ]
[ max-transfer-idle-in number ; ]
[ max-transfer-idle-out number ; ]
[ max-transfer-time-in number ; ]
[ max-transfer-time-out number ; ]
[ min-refresh-time number ; ]
[ min-retry-time number ; ]
[ multi-master yes_or_no ; ]
[ notify yes_or_no | explicit ; ]
[ notify-source ( ip4_addr | * ) [ port ip_port ] ; ]
[ notify-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
[ sig-validity-interval number ; ]
[ transfer-source ( ip4_addr | * ) [ port ip_port ] ; ]
[ transfer-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
[ update-policy { update_policy_rule }; ]...
[ use-alt-transfer-source yes_or_no ; ]
[ zone-statistics yes_or_no ; ]
} ] ;
zone_name A name for the zone.
class The class of the zone; one of the following:
The Internet class.
This is the default. is correct for the vast majority of cases.
This class is named for an information service from MIT's Project Athena.
It is used to share information about various systems databases, such as users, groups, printers and so on.
Another MIT development is Chaosnet, a LAN protocol created in the mid-1970s.
The type of the zone.
The server has a master copy of the data for the zone and will be
able to provide authoritative answers for it.
A slave zone is a replica of a master zone.
The list specifies one or more IP addresses of master servers that the slave contacts to update its copy of the zone.
By default, transfers are made from port 53 on the servers; this can be changed for all servers by specifying a port number
before the list of IP addresses, or on a per-server basis after the IP address. Authentication to the master can also be
done with per-server TSIG keys.
If a file is specified, then the replica will be written to this file whenever the zone is changed, and reloaded from this
file on a server restart. Use of a file is recommended, since it often speeds server start-up and eliminates a needless
waste of bandwidth. If the database files are very large, it is recommended to place them in different directories.
A stub zone is similar to a slave zone,
except that it replicates only the NS records of a master zone instead of the entire zone.
Stub zones are not a standard part of the DNS; they are a feature specific to the BIND implementation. Stub zones can be
used to eliminate the need for glue NS records in a parent zone at the expense of maintaining a stub zone entry and a set of
name server addresses in
This usage is not recommended for new configurations, and BIND 9.3 supports it only in a limited way. In BIND 4/8, zone
transfers of a parent zone included the NS records from stub children of that zone. This meant that, in some cases, users
could get away with configuring child stubs only in the master server for the parent zone. BIND 9 never mixes together zone
data from different zones in this way. Therefore, if a BIND 9 master serving a parent zone has child stub zones configured,
all the slave servers for the parent zone also need to have the same child stub zones configured.
Stub zones can also be used to force the resolution of a given domain to use a particular set of authoritative servers. For
example, the caching name servers on a private network using RFC 2157 addressing may be configured with stub zones for to
use a set of internal name servers as the authoritative servers for that domain.
A forward zone can be used to configure forwarding on a per-domain basis. A zone statement of type can contain a and/or statement, which
will apply to queries within the domain given by the zone name. If no statement is present or an empty list of forwarders
is given, then no forwarding will be done for the domain, canceling the effects of any forwarders in the statement. Thus,
if you want to use this type of zone to change the behavior of the global option (that is, then or vice versa, but want to
use the same servers as set globally), you need to respecify the global forwarders.
The initial set of root name servers is specified using a hint zone.
When the server starts up, it uses the root hints to find a root name server and get the most recent list of root name
servers. If no hint zone is specified for class the server uses a compiled-in default set of root servers hints. Classes
other than have no built-in defaults hints.
This is used to enforce the delegation-only status of infrastructure zones
(for example, Any answer that is received without a explicit or implicit delegation in the authority section will be treated
as NXDOMAIN. This does not apply to the zone apex. This be applied to leaf zones. has no effect on answers received from
forwarders.
See the description in
section.
See the description in
section.
See the description in
section.
Specifies which hosts are allowed to submit Dynamic DNS updates for
master zones. The default is to deny updates from all hosts. Please note that this option is not applicable for slave
zones. See the section for more details.
Specifies which hosts are allowed to submit Dynamic DNS updates to
slave zones to be forwarded to the master. The default is which means that no update forwarding will be performed. To
enable update forwarding, specify Specifying values other than or is usually counterproductive, since the responsibility for
update access control should rest with the master server, not the slaves. Note that enabling the update forwarding feature
on a slave server may expose master servers that rely on insecure IP-address-based access control to attacks.
Only meaningful if
is active for this zone. The set of machines that will receive a DNS NOTIFY message for this zone is made up of all the
listed name servers (other than the primary master) for the zone plus any IP addresses specified with A port may be speci-
fied with each address to send the notify messages to a port other than the default of 53. is not meaningful for stub
zones. The default is the empty list.
See the description in
section.
See the description in
section.
Restrict the character set and syntax of certain
domain names in master files and/or DNS responses received from the network. The default varies according to zone type.
For zones, the default is For zones, the default is
Specify the type of database to be used for storing the zone data.
The string following the keyword is interpreted as a list of whitespace-delimited words. The first word identifies the
database type, and any subsequent words are passed as arguments to the database to be interpreted in a way specific to the
database type. The default is BIND 9's native in-memory red-black-tree database. This database does not take arguments.
Other values are possible if additional database drivers have been linked into the server.
The flag only applies to
and zones. If set to then the zone is also treated as if it is also a type zone.
See the description in
section.
A zone file designates a domain name
with all of its associated subdomains, IP addresses, and mail server. A zone file contains resource records and so on).
Only meaningful if the zone has a
list. The value causes the lookup to fail after trying the forwarders and getting no answer, while allows a normal lookup
to be tried.
Used to override the list of global forwarders.
If it is not specified in a zone of type no forwarding is done for the zone; the global options are not used.
If and the server loads a new version of a master zone from its zone file or receives a new version of a slave file by a nonin-
cremental zone transfer, it will compare the new version to the previous one and calculate a set of differences. The dif-
ferences are then logged in the zone's journal file such that the changes can be transmitted to downstream slaves as an
incremental zone transfer.
By allowing incremental zone transfers to be used for nondynamic zones, this option saves bandwidth at the expense of
increased CPU and memory consumption at the master. In particular, if the new version of a zone is completely different
from the previous one, the set of differences will be of a size comparable to the combined size of the old and new zone ver-
sion, and the server will need to temporarily allocate memory to hold this complete difference set.
See the description in
section.
See the and descriptions at the beginning of this section, and the description in section.
masters_name
The name of a statement.
See the description in
section.
See the description in
section.
See the description in
section.
See the description in
section.
See the description in
section.
See the description in
section.
See the description in
section.
See the description in
section.
This should be set when you have multiple masters for a zone and the addresses
refer to different machines. If will not log when the serial number on the master is less than what currently has. The
default is
See the description in
section.
See the description in
section.
See the description in
section.
See the description in
section.
See the description in
section.
See the description in
section.
Specifies a "Simple Secure Update" policy.
See the section for more details.
See the description in
section.
If the server will keep statistical information for this zone, which can be dumped to the defined in the options.
BIND 9.3 supports two alternative methods of granting clients the right to perform dynamic updates to a zone, configured by the and
options, respectively.
The clause works the same way as in previous versions of BIND. It grants given clients the permission to update any record of any name in
the zone.
The clause is new in BIND 9.3 and allows more fine-grained control over what updates are allowed. A set of rules is specified, where each
rule either grants or denies permissions for one or more names to be updated by one or more identities. If the dynamic update request mes-
sage is signed (that is, it includes either a TSIG or SIG(0) record), the identity of the signer can be determined.
Rules are specified in the zone option, and are only meaningful for master zones. When the statement is present, it is a configuration
error for the statement to be present. The statement only examines the signer of a message; the source address is not relevant.
A sample rule definition is as shown below:
( grant | deny ) identity nametype name [ types ]
Each rule grants or denies privileges. Once a message has successfully matched a rule, the operation is immediately granted or denied and
no further rules are examined. A rule is matched when the signer matches the identity field, the name matches the name field, and the type
is specified in the list in the types field.
The identity field specifies a name or a wildcard name. Normally, this is the name of the TSIG or SIG(0) key used to sign the update
request. When a TKEY exchange has been used to create a shared secret, the identity of the shared secret is the same as the identity of
the key used to authenticate the TKEY exchange. When the identity field specifies a wildcard name, it is subject to DNS wildcard expan-
sion, so the rule will apply to multiple identities. The identity field must contain a fully qualified domain name.
The nametype field has four possible values:
Exact-match semantics.
This rule matches when the name being updated is identical to the contents of the name field.
This rule matches when the name being updated is a subdomain of, or identical
to, the contents of the name field.
The name field is subject to DNS wildcard expansion, and this rule matches when the name being updated is a valid expansion of
the wildcard.
This rule matches when the name being updated matches the contents of the
identity field. The name field is ignored, but should be the same as the identity field. The nametype is most useful when
allowing the use of one key per name to update, where the key has the same name as the name to be updated. The identity
would be specified as in this case.
In all cases, the name field must specify a fully qualified domain name.
If no types are explicitly specified, this rule matches all types except and A type may be specified by name, including (which matches all
types except which can never be updated). Note that when an attempt is made to delete all records associated with a name, the rules are
checked for each existing record type.
The Statistics File
The statistics file generated by BIND 9.3 is similar, but not identical, to that generated by BIND 8. The statistics dump begins with the
line
where the number in parentheses is a standard UNIX-style time stamp, measured as seconds since January 1, 1970. Following that line are a
series of lines containing a counter type, the value of the counter, optionally a zone name, and optionally a view name. The lines without
view and zone listed are global statistics for the entire server. Lines with a zone and view name are for the given view and zone (the
view name is omitted for the default view). The statistics dump ends with the line
where the number is identical to the number in the beginning line.
The following statistics counters are maintained:
The number of successful queries made to the server or zone.
A successful query is defined as query which returns a NOERROR response other than a referral response.
The number of queries which resulted in referral responses.
The number of queries which resulted in NOERROR responses with no data.
The number of queries which resulted in NXDOMAIN responses.
The number of queries which caused the server to perform
recursion in order to find the final answer.
The number of queries which resulted in a failure response other
than those above.
ZONE FILES
A is a text file that defines a zone, designating a domain name, with all of its associated subdomains, IP addresses, and mail servers. It
may contain directives, resource records, and comments. Blank lines may be included for readability. A zone definition starts with an
resource record. The zone file name is used in the substatement of a statement in the configuration file,
A consists of those contiguous parts of the domain tree for which a domain server has complete information and over which it has authority.
A domain server may be authoritative for more than one zone.
An or fully qualified domain name (FQDN) in a zone file is one that ends in a period For example, is an absolute domain name.
A in a zone file does not end in a period. For example, is a relative domain name.
An in a zone file is an absolute domain name that is appended to a relative domain name to complete it. For example, if is the origin and
is a relative domain name, they would combine to form the absolute domain name,
A starts with a semicolon and continues to the end of the line. A comment can appear on a line by itself or at the end of any directive or
resource record line, including lines that are continued. For example, in the following record, is a comment.
Records normally end at the end of a line. However, they may be continued across lines if the text is enclosed in parentheses, See the
example in the section.
Zone File Directives
Zone file directives help to simplify resource records. The directives include and The directive sets the origin that will be appended to
any subsequent relative domain names. This provides a convenient shorthand for writing resource records.
Syntax
origin A domain name that serves as the suffix for subsequent relative domain names.
When starts, the default origin is the zone_name in the statement of the configuration file,
If the new origin is not absolute (does not have a terminating period), the old origin is appended to it.
For example,
$ORIGIN com.
$ORIGIN example
WWW CNAME MAIN-SERVER
is equivalent to:
$ORIGIN example.com.
WWW CNAME MAIN-SERVER
is equivalent to:
WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
The directive reads and processes a file as if it were included into the file at this point.
Syntax
filename The name of the file to be included.
origin The origin for the data in the included file. The default is the current origin of the including (parent) file.
Neither the origin field nor statements in the included file affect the origin of the parent file.
Once the included file has been processed, the origin and the current record owner name revert to the values they had prior to the direc-
tive.
Note: RFC 1035 specifies that the current origin should be restored after an but it is silent on whether the current record owner name
should also be restored. BIND 9 restores both of them. This could be construed as a deviation from RFC 1035, a feature, or both.
The directive sets the default Time to Live (TTL) value for subsequent RRs that have undefined TTLs.
Syntax
default-ttl
The default TTL value for subsequent RRs. See the and sections for more detail.
The directive creates a series of resource records that differ from each other only by an iterator value.
is a BIND extension and not part of the standard DNS zone file format.
Syntax
(ttl and class may be entered in either order.)
range The range of the iterator value. range can be in either of the forms: or If the first form is used, then step is set to
1. All of start, stop, and step must be positive.
lhs An expression that evaluates to the owner_name for each resource record that is created. If lhs is not an absolute domain
name, the current origin is appended to it.
Any single symbols within lhs are replaced by the iterator value.
The may optionally be followed by modifiers that change the offset from the iterator, the field width, and the base. Mod-
ifiers are introduced by a immediately following the in the format For example, which subtracts 20 from the current value
and prints the result as a decimal in a zero-padded field of 3 characters. The available base values are (decimal),
(octal), (lowercase hexadecimal), and (uppercase hexadecimal). The default modifier is
To get a in the output, escape the with a backslash for example, For compatibility with earlier versions, is still recog-
nized as indicating a literal in the output.
ttl The TTL for the generated records. If it is omitted, the normal TTL inheritance rules apply. See the and sections for
more detail.
class The class of the generated records. This must match the zone class, if it is specified.
type At present, the only supported types are and
rhs An expression that evaluates to the rrdata for each resource record that is created. At present, this must be a domain
name. It uses the same processing as lhs.
Example
easily generates the sets of records required to support the sub reverse delegations described in RFC 2317, "Classless IN-ADDR.ARPA delega-
tion".
$ORIGIN 0.0.192.IN-ADDR.ARPA.
$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
$GENERATE 1-127 $ CNAME $.0
is equivalent to:
0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
...
127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
Resource Records (RRs)
This section, based on RFC 1034, describes the concept of a resource record, known as an RR, and when an RR is used. Since the publication
of RFC 1034, several new RRs have been identified and implemented in the DNS. These are also included.
A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource information associ-
ated with a particular name is composed of separate RRs. The order of RRs in a set is not significant and need not be preserved by name
servers, resolvers, or other parts of the DNS. However, the sorting of multiple RRs is permitted for optimization purposes, for example,
to specify that a particular nearby server be tried first.
Domain servers store information as a series of resource records, each of which contains a particular piece of information about a given
domain name (which is usually, but not always, a host). The simplest way to think of a RR is as a typed pair of data, a domain name
matched with relevant data, and stored with some additional type information to help systems determine when the RR is relevant.
Note: RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form when
stored in a name server or resolver. The binary format is defined in the RFCs that are listed with the RR type keywords in the
following section. The owner_name is often implicit, rather than forming an integral part of the RR. For example, many name
servers internally form tree or hash structures for the name space, and chain RRs off nodes.
Syntax
owner_name [ ttl ] [ class ] type rrdata
(ttl and class may be entered in either order. The class and ttl values are often omitted from examples in the interests of clar-
ity.)
owner_name
The domain name of the owner of the information in the RR. This can be one of:
The domain name of the DNS root name server.
The current origin.
domain_name
A standard domain name. If domain_name does not end with a period it is relative and the current origin is
appended to it. If domain_name ends with a period it is absolute.
blank If the first character of the record is blank, the previous owner_name is used.
ttl The Time to Live (TTL) of the RR. This field is a 32-bit integer in units of seconds and is primarily used by resolvers
when they cache RRs. The ttl defines how long a RR can be cached before it should be discarded. See the and sections for
more detail.
class A keyword, encoded as a 16-bit value, that identifies a protocol family or an instance of a protocol. The following key-
words are supported:
The Internet system, the default.
Chaosnet, a LAN protocol created at MIT in the mid-1970s.
Rarely used for its historical purpose, but reused for BIND's built-in server information zones, for example,
Hesiod, an information service developed by MIT's Project Athena.
It is used to share information about various systems databases, such as users, groups, printers, and so on.
All records in a zone file must be of the same class.
type A keyword, encoded as a 16-bit value, that specifies the type of the resource in this resource record. Types refer to
abstract resources.
The following keywords are supported. Some of these listed, although not obsolete, are experimental or historical and not
in general use.
Defines an IPv4 host address.
In the class, this is a 32-bit IP address. Described in RFC 1035.
Defines an IPv6 host address.
This can be a partial address (a suffix) and an indirection to the name where the rest of the address (the pre-
fix) can be found. Experimental. Obsoleted/deprecated. Use instead. Described in RFC 2874.
Defines an IPv6 address.
Described in RFC 1886.
Holds a digital certificate.
Described in RFC 2538.
The canonical name of an alias.
Described in RFC 1035.
Delegates reverse addresses.
Replaces the domain name specified with another name to be looked up. Described in RFC 2672.
Specifies the global position.
Described in RFC 1712.
Identifies the CPU and OS used by a host.
Described in RFC 1035.
Stores a public key associated with a DNS name.
Described in RFC 2535.
Identifies a key exchanger for this DNS name.
Described in RFC 2230.
Identifies a mail exchange for the domain.
A 16-bit preference value (lower is better) followed by the host name of the mail exchange. See the section.
Described in RFC 974 and RFC 1035.
Name authority pointer.
Described in RFC 2915.
A network service access point.
Described in RFC 1706.
An authoritative name server for the domain.
Described in RFC 1035.
Used in DNSSEC to securely indicate that RRs with an owner name
in a certain name interval do not exist in a zone and indicate what RR types are present for an existing name.
Described in RFC 2535.
Domain name pointer.
A pointer to another part of the domain name space. Often user to associate an IP address with a domain name.
Described in RFC 1035.
Provides mappings between RFC 822 and X.400 addresses.
Described in RFC 2163.
Contains data authenticated in the secure DNS.
Described in RFC 2535.
Identifies the start of a zone of authority in a zone file.
See the section. Described in RFC 1035.
Information about the well-known network services,
such as SMTP, that a domain supports. Supersedes Described in RFC 2282.
Text records.
Described in RFC 1035.
Information about well known network services.
Historical. Superseded by Described in RFC 1035.
rrdata The type-dependent and sometimes class-dependent data that describes the resource. This data is defined in the RFCs that
are specified with each type keyword.
MX Resource Records
records control the delivery of e-mail. Described in RFC 974 and RFC 1035.
Syntax
priority host_domain_name
... The owner_name, ttl, and class have been omitted for clarity.
priority The priority controls the order in which e-mail delivery is attempted, with the lowest number first. If two priorities
are the same, a server is chosen randomly. If no servers at a given priority are responding, the mail transport agent
will fall back to the next largest priority. Priority numbers do not have any absolute meaning: they are relevant only
respective to other records for that domain name.
host_domain_name
The domain name of the machine to which the mail should be delivered.
An record must have an associated record; a is not sufficient. For a given domain, if there is both a record and an record, the record is
in error and will be ignored. Instead, the mail will be delivered to the server specified in the record pointed to by the
Example
example.com. IN MX 10 mail.example.com.
IN MX 10 mail2.example.com.
IN MX 20 mail.backup.org.
mail.example.com. IN A 10.0.0.1
mail2.example.com. IN A 10.0.0.2
Mail delivery will be attempted to and (in any order), and if neither of those succeed, delivery to will be attempted.
SOA Resource Records
Each zone file begins with an record for the zone. All records in a zone file must be of the same class. Described in RFC 1035.
Syntax
mname rname serial refresh retry expire minimum
... The owner_name, ttl, and class have been omitted for clarity.
mname The domain name of the name server that is the source of data for this zone.
rname A domain name that specifies the mailbox of the person responsible for this zone. The first period represents the in the
e-mail address. If the mailbox user name contains a period, you can escape it with a backslash See the example.
serial An arbitrary unsigned 32-bit integer serial number for the zone. The range is 0 to 4294967295 (2^32-1).
refresh A 32-bit integer time interval in seconds to refresh the zone. See the section for more detail.
retry A 32-bit integer time to wait in seconds before retrying a failed refresh. See the section for more detail.
expire A 32-bit integer time interval in seconds after which the zone is no longer authoritative. See the section for more
detail.
minimum The TTL in seconds for resolvers that cache negative responses. See the and sections for more detail.
The specifies a serial number, which should be changed each time the zone file is changed. Note that it is not advisable to give the
serial number as a dotted number, since the translation to normal integers is via concatenation rather than multiplication and addition.
You can represent the year, month, day of month, and a 0..99 version number (yyyymmddvv) and still fit inside the unsigned 32-bit size of
this field. (It's true that we will have to rethink this strategy in the year 4294.)
Secondary servers check the serial number at intervals specified by the refresh time in seconds; if the serial number changes, a zone
transfer will be done to load the new data. If a master server cannot be contacted when a refresh is due, the retry time specifies the
interval at which refreshes should be attempted. If a master server cannot be contacted within the interval given by the expire time, all
data from the zone is discarded by secondary servers.
Example
@ IN SOA ucbvax.Berkeley.EDU. Jane.Doe.ucbvax.Berkeley.EDU. (
1989020501 ; serial
10800 ; refresh
3600 ; retry
3600000 ; expire
86400 ) ; minimum
Time to Live (TTL)
The TTL field of an RR is a 32-bit integer representing time in seconds. It is primarily used by resolvers when they cache RRs. The TTL
describes how long a RR can be cached before it should be discarded. This limit does not apply to authoritative data in zones; it is also
timed out, but by the refreshing policies for the zone. The TTL is assigned by the administrator for the zone where the data originates.
While short TTLs can be used to minimize caching, and a zero TTL prohibits caching, the realities of Internet performance suggest that
these times should be on the order of days for the typical host. If a change can be anticipated, the TTL can be reduced prior to the
change to minimize inconsistency during the change, and then increased back to its former value following the change.
The following three types of TTL are currently used in a zone file.
The minimum field in an RR is the negative-caching TTL. This controls how long other servers will cache responses from you.
The maximum time for negative caching is 3 hours
Note: This use of the minimum field was implemented in RFC 2308, largely superseding the usage specified in RFC 1034 (but
see the default calculation for the ttl field below).
A directive at the top of the zone file (before the provides a default TTL for subsequent RRs.
Note: The directive, defined in RFC 2308, supersedes the original use of the minimum field specified in RFC 1034.
ttl The ttl field in an RR specifies the TTL for the record. If it is omitted, the value specified by the previous directive
is used. If there is no previous directive, the minimum field in the resource record is used.
Time Specification
All the TTLs and and the time fields are specified in seconds, as a 32-bit integer value in the range 0 to 2147483647 (2^31-1).
Here's a table of convenient values:
Seconds in an Integer Value
minimum 0 seconds
1 minute 60 seconds
1 hour 3600 seconds
1 day 86400 seconds
7 days 604800 seconds
30 days 2592000 seconds
24855 days 2147472000 seconds
maximum 2147483647 seconds
For convenience, some units can be explicitly specified; you can use for hours, for minutes, and for seconds. For example,
Inverse Mapping in IPv4
Reverse name resolution (that is, translation from an IP address to a domain name) is achieved with the domain and records. Entries in the
domain are made in least-to-most significant order, reading left to right. This is the reverse of the way IP addresses are usually writ-
ten. Thus, a machine with an IP address of 10.1.2.3 would have a corresponding name of This name should have a resource record whose data
field is the domain name of the machine. If the machine has more than one name. it will need multiple records. For example, for IP
address corresponding to host name in the domain:
$ORIGIN 2.1.10.in-addr.arpa
3 IN PTR fred.example.com.
Example
ISI.EDU. MX 10 VENERA.ISI.EDU.
MX 10 VAXA.ISI.EDU.
VENERA.ISI.EDU. A 128.9.0.32
A 10.1.0.52
VAXA.ISI.EDU. A 10.2.0.27
A 128.9.0.33
The RRs have an rrdata section that consists of a 16-bit number followed by a domain name. The address RRs use a standard IP address for-
mat to contain a 32-bit Internet address.
This example shows six RRs, with two RRs at each of three domain names.
AUTHOR
and the directive were developed by the Internet Systems Consortium (ISC).
Zone files were developed by the Internet Engineering Task Force (IETF).
FILES
Default configuration file.
Shell script to convert BIND 4.9.7 configuration files to the BIND 9.3 format.
SEE ALSO
kill(1), hosts_to_named(1M), sig_named(1M), syslogd(1M), signal(2), gethostent(3N), resolver(3N), syslog(3C), resolver(4), host-
name(5).
Requests for Comments (RFC): 822, 974, 1032, 1034, 1035, 1183, 1706, 1712, 1876, 1886, 2163, 2230, 2282, 2308, 2317, 2535, 2538, 2672,
2874, and 2915, available online at
available online at
available from the Internet Systems Consortium at
BIND 9.3 named.conf(4)