named.conf man page on HP-UX

Man page or keyword search:  
man Server   10987 pages
apropos Keyword Search (all sections)
Output format
HP-UX logo
[printable version]

named.conf(4)							 named.conf(4)

NAME
       named.conf - configuration file for Internet domain name server

SYNOPSIS
DESCRIPTION
       is the configuration file for the name server daemon.  The default path
       name is

       BIND 9 configuration is broadly similar to BIND	8.x.   However,	 there
       are a few new areas of configuration, such as views.  BIND 8.x configu‐
       ration files should work with few alterations  in  BIND	9.3,  although
       more  complex  configurations need to be reviewed to see if they can be
       more efficiently implemented using the new features implemented in BIND
       9.3.   BIND  4.9.7 configuration files can be converted to the BIND 9.3
       format using the shell script,

   Syntax Rules
       In the syntax descriptions in this manpage, the	following  typographic
       rules apply:

       Characters in this font should be entered as is.

       variable	      Characters  in  this font should be replaced with appro‐
		      priate values.

       ( )	      Parentheses are  metacharacters  that  enclose  required
		      content.	(The brace characters are used in the configu‐
		      ration syntax as block delimiters.)

       [ ]	      Brackets are metacharacters that enclose	optional  con‐
		      tent.

       |	      Bars  within parentheses and brackets are metacharacters
		      that separate alternatives.

       token ...  [ ]...  ( )...
		      Trailing ellipses are metacharacters that indicate  that
		      the  previous  token,  parenthesized  item, or bracketed
		      item may be repeated.

   Configuration File Elements
       The following configuration elements are used in the BIND 9.3  configu‐
       ration file grammar:

       acl_name	      The  name	 of  an	 address_match_list  as	 defined by an
		      statement.

       address_match_list
		      A list of one or more  ip_addr,  ip_prefix,  key_id,  or
		      acl_name elements.

       dialup_option  One  of  or  When	 used in a zone, and are restricted to
		      slave and stub zones.

       domain_name    A quoted string that is used as a DNS name; for example,
		      .

       dotted_decimal One or more integers valued 0 through 255 separated only
		      by periods such as or

       ip4_addr	      An IPv4 address  with  exactly  four  elements  in  dot‐
		      ted_decimal notation.

       ip6_addr	      An IPv6 address, such as

       ip_addr	      An ip4_addr or ip6_addr.

       ip_port	      An  IP port number.  This is limited to 0 through 65535,
		      with values below 1024  typically	 restricted  to	 root-
		      owned  processes.	  In some cases, an asterisk character
		      can be used as a placeholder to select  a	 random	 high-
		      numbered port.

       ip_prefix      An  IP  network  specified  as an ip_addr, followed by a
		      slash and then  the  number  of  bits  in	 the  netmask.
		      Trailing	zero  elements in ip_addr may be omitted.  For
		      example, is the network with netmask and is the  network
		      with netmask

       key_id	      A	 domain_name representing the name of a shared key, to
		      be used for transaction security.

       key_list	      A list of one or more key_ids, separated	by  semicolons
		      and ending with a semicolon.

       number	      A nonnegative 32-bit unsigned integer (that is, a number
		      between 0 and 4294967295,	 inclusive).   Its  acceptable
		      value  might  further be limited by the context in which
		      it is used.

       path_name      A quoted string that is used as a path name, such as .

       size_spec      One of the following:

		      number	A decimal number, optionally be followed by  a
				scaling	 factor:  or  for  kilobytes,  or  for
				megabytes, and or for gigabytes,  which	 scale
				by 1024, 1024*1024, and 1024*1024*1024 respec‐
				tively.	 The value must be representable as  a
				64-bit	    unsigned	 integer     (0	    to
				18446744073709551615, inclusive).

		      Uses the limit that was in force	when  the  server  was
		      started.

		      Requests unlimited use, or the maximum available amount.
				This  is  the  best  way to set a really large
				number.

       yes_or_no      Either or The words and and the  numbers	and  are  also
		      accepted, respectively.

   Address Match List Syntax
       An address_match_list has the format:

	      address_match_list_element ;
		   [ address_match_list_element ; ]...

       An address_match_list_element has the format:

	      [ ! ] ( ip_addr
		    | ip_prefix
		    | key key_id
		    | acl_name
		    | { address_match_list } )

   Address Match List Definition and Usage
       Address	match lists are primarily used to determine access control for
       various server operations.  They are also used to define priorities for
       querying other name servers and to set the addresses on which will lis‐
       ten for queries.	 The elements which constitute an address  match  list
       may be any of the following:

	 ·  An IP address (IPv4 or IPv6).

	 ·  An IP prefix (in the

	 ·  A key ID, as defined by the statement.

	 ·  The	 name  of  an  address	match  list previously defined with an
	    statement.

	 ·  A nested address match list enclosed in braces.

	 Elements can be negated with a leading	 exclamation  mark  The	 match
	 list  names  of  and  are  predefined.	 For more information on these
	 match list names, refer to section.  The addition of the clause  made
	 the  name  of	this  syntactic element something of a misnomer, since
	 security keys can be used to validate access without regard to a host
	 or network address.  However, the term is still being used.

	 When  a  given	 IP  address or prefix is compared to an address match
	 list, the list is traversed in order until an element	matches.   The
	 interpretation	 of  a match depends on whether the list is being used
	 for access control,  defining	ports  and  whether  the  element  was
	 negated.   When  used	as  an access control list, a nonnegated match
	 allows access and a negated match denies  access.   If	 there	is  no
	 match, access is denied.

	 The  clauses  and which can be specified in the and/or statements use
	 the address match lists.  Similarly, the option causes the server not
	 to  accept  queries  on  any  of the machine's addresses which do not
	 match the list.

	 Because of the first-match aspect of the algorithm, an	 element  that
	 defines  a  subset  of another element in the list should come before
	 the broader element, regardless of whether either  is	negated.   For
	 example,  in  the 1.2.3.13 element is of no use because the algorithm
	 will match any lookup for 1.2.3.13 to the  1.2.3/24  element.	 Using
	 fixes that problem by having 1.2.3.13 blocked by the negation but all
	 other 1.2.3.* hosts fall through.

   Comment Syntax
       Comments in the BIND 9.3 configuration file can be written in the  fol‐
       lowing styles:

	      C:

	      C++:

	      UNIX:

       Note: Unlike a zone file, you cannot use a semicolon character to start
       a comment in the BIND 9.3 configuration file.  The semicolon  indicates
       the end of a configuration statement.

CONFIGURATION FILE GRAMMAR
       A  BIND	9.3  configuration  file  consists of statements and comments.
       Statements end with a semicolon.	 Statements and comments are the  only
       elements	 that  can  appear  without enclosing braces.  Many statements
       contain a block of substatements, which is terminated with a semicolon.
       The following statements are supported:

       Defines a named IP address matching list,
		      for access control and other uses.

       Declares control channels to be used by the
		      utility.

       Includes a file.

       Specifies key information for use in authentication and authorization
		      using TSIG.

       Specifies  what	data  the  server logs, and where the log messages are
       sent.

       Configures the name server  to  also  act  as  a	 lightweight  resolver
       server.

       Defines a masters list for inclusion in
		      clauses of stub and slave statements

       Controls global server configuration options
		      and sets defaults for other statements.

       Sets certain configuration options on a per-server basis.

       Defines trusted DNSSEC keys.

       Defines a view.

       Defines a zone.

       The and statements may occur only once per configuration.

   The acl Statement
       acl acl-name {
	    address_match_list
       };
       The  statement  assigns	a  symbolic name to an address match list.  It
       gets its name from the primary use of address match  lists  for	Access
       Control	Lists  (ACLs).	Note that an address match list's name must be
       defined with before it can be used elsewhere; no forward references are
       allowed.	 The following ACL names are built-in:

	      Matches all hosts.

	      Matches no hosts.

	      Matches the IPv4 addresses of all network interfaces on the sys‐
	      tem.

	      Matches any host on an IPv4 network for which the system has  an
	      interface.

       The and ACLs do not currently support IPv6 (that is, does not match the
       host's IPv6 addresses, and does not match the host's attached IPv6 net‐
       works) due to the lack of a standard method of determining the complete
       set of local IPv6 addresses for a host.

   The controls Statement
       controls {
	    ( inet ( ip_addr | * ) [ port ip_port ]
	      allow { address_match_list }
	      keys { key_list }; )...
       };
       The statement declares control channels to be used by  system  adminis‐
       trators	to control the operation of the local name server.  These con‐
       trol channels are used by the utility to send commands to and  retrieve
       non-DNS results from a name server.

       An  control channel is a TCP/IP socket accessible to the Internet, cre‐
       ated at the specified ip_port on the specified ip_addr.	If no port  is
       specified, port 953 is used by default.	cannot be used for ip_port.

       The and clauses restrict the ability to issue commands over the control
       channel.	 Connections to the control channel are permitted based on the
       address	  permissions	in   address_match_list.    members   of   the
       address_match_list are ignored, and instead  are	 interpreted  indepen‐
       dently  based  on the key_list.	Each key_id in the key_list is allowed
       to be used to authenticate commands and responses given over  the  con‐
       trol channel by digitally signing each message between the server and a
       command client.	All commands to the control channel must be signed  by
       one of its specified keys to be honored.

       If  no statement is present, will set up a default control channel lis‐
       tening on the loopback address 127.0.0.1 and its IPv6 counterpart  ::1.
       In  this case, and also when the statement is present but does not have
       a clause, will attempt to load the command channel key from the file To
       create  a  file, run The feature was implemented to ease the transition
       of systems from BIND 8, which did not have digital  signatures  on  its
       command channel messages and thus did not have a clause.

       Since  the  feature  is	only intended to allow the backward-compatible
       usage of BIND 8 configuration files, this feature does not have a  high
       degree  of  configurability.   You cannot easily change the key name or
       the size of the secret, so you should make an with your own key if  you
       wish  to	 change them.  The file also has its permissions set such that
       only the owner of the file (the user that is running as) can access it.
       If  you	desire	greater	 flexibility in allowing other users to access
       commands, then you need to create an and make it	 group-readable	 by  a
       group that contains the users who should have access.

       The  UNIX  control channel type of BIND 8 is not supported in BIND 9.3,
       and is not expected to be added in future releases.  If it  is  present
       in  the statement from a BIND 8 configuration file, it is ignored and a
       warning is logged.

       As a special case, to disable the command channel, use an empty	state‐
       ment:

   The include Statement
       include filename ;
       The  statement inserts the specified file at the point where the state‐
       ment is encountered.  The statement facilitates the  administration  of
       configuration files by permitting the reading or writing of some things
       but not others.	For example, the statement could include private  keys
       that are readable only by a name server.

   The key Statement
       key key_id {
	    algorithm algoname ;
	    secret secretstring ;
       };
       The  statement  defines	a  shared  secret  key for use with TSIG.  The
       statement can occur at the top  level  of  the  configuration  file  or
       inside  a  statement.   Keys defined in top-level key statements can be
       used in all views.  Keys intended for  use  in  a  statement   must  be
       defined at the top level.

       key_id	      A	 domain name uniquely identifying the key.  Also known
		      as the key name.	It can be used in a statement to  sign
		      requests with this key or in address match lists to ver‐
		      ify that incoming requests have been signed with	a  key
		      matching this name, algorithm, and secret.

       algoname	      A	 string that specifies a security/authentication algo‐
		      rithm.  is the only algorithm which  is  currently  sup‐
		      ported with TSIG authentication.

       secretstring   A	 base-64-encoded secret string to be used by the algo‐
		      rithm.

   The logging Statement
       logging {
	    [ channel channel_name {
		 ( file path name
		      [ versions ( number | unlimited ) ]
		      [ size size spec ]
		 | null
		 | stderr
		 | syslog syslog_facility
		 ) ;
		 [ severity ( critical | error | warning | notice
			      | info | debug [ level ] | dynamic ) ; ]
		 [ print-category yes_or_no ; ]
		 [ print-severity yes_or_no ; ]
		 [ print-time yes_or_no ; ]
	    }; ]...

	    [ category category_name {
		 ( channel_name ; )...
	    }; ]...
       };

       The and clauses may be repeated in any order.  The statement configures
       a  wide variety of logging options for the name server.	Its phrase as‐
       sociates output methods, format options, and  severity  levels  with  a
       name, channel_name, that can be used with the phrase to select how var‐
       ious classes of messages are logged.

       Only one statement is used to define any number of channels  and	 cate‐
       gories.	 If  there is no statement, the logging configuration defaults
       to:

	      logging {
		   category "unmatched" { "null"; };
		   category "default" { "default_syslog"; "default_debug"; };
	      };

       In BIND 9.3, the logging configuration is  established  only  when  the
       entire  configuration  file  has been parsed.  In BIND 8, it was estab‐
       lished as soon as the statement was parsed.  When the server starts up,
       all logging messages related to syntax errors in the configuration file
       go to the default channels, or to standard error if the option is spec‐
       ified.	All  log output goes to one or more user-defined or predefined
       channels.  Every definition must include a destination clause that says
       whether messages selected for the channel go to a file, or to a partic‐
       ular syslog facility, or to the standard	 error	stream,	 or  are  dis‐
       carded.	 It  can optionally also limit the message severity level that
       will be accepted by the channel (the default is and whether to  include
       a  time stamp, the category name, and/or severity level (the default is
       not to include any).

       The destination clause directs the channel to  a	 disk  file.   It  can
       include limitations on both the file size and the number of versions of
       the file that are saved each time the file is opened.

       If you use the log file option, then will retain that many backup  ver‐
       sions of the file by renaming them when opening.

       For example, if you choose to keep three old versions of the file then,
       just before it is opened:

       Use if you do not want to limit the number of versions.	If a option is
       associated  with the log file, then renaming is only done when the file
       being opened exceeds the indicated size.	 No backup versions are	 kept,
       by default; any existing log file is simply appended.

       The  option  for is used to limit log growth.  If the file size exceeds
       the limit, then will stop writing to the file unless it	has  a	option
       associated  with it.  If backup versions are kept, the files are rolled
       as described above and a new file is opened.  If there is no option, no
       more  data  will be written to the log until the log file is removed or
       truncated (by some external process) to less  than  the	maximum	 size.
       The default behavior is not to limit the size of the file.

       Example usage of the and options:

	      channel "an_example_channel" {
		   file "example.log" versions 3 size 20m;
		   print-time yes;
		   print-category yes;
	      };

       The  destination	 clause	 directs  the  channel to the system log.  Its
       argument is a syslog facility as described in the  syslog(3C)  manpage.
       The  syslog(3C) manpage also describes how will handle messages sent to
       this facility.  If you have a system which uses a very old  version  of
       that  uses  only	 two  arguments	 to the function, then the destination
       clause is ignored.

       The destination clause directs the channel  to  the  server's  standard
       error stream.  This is intended for use when the server is running as a
       foreground process, for example when debugging the configuration.

       The destination clause discards all message sent to  the	 channel,  the
       and clauses irrelevant.

       The clause works like the priority parameter except that it can also be
       used if you are writing straight to a file rather than  using  Messages
       that  are not at least of the severity level given will not be selected
       for the channel; messages of higher severity levels will	 be  accepted.
       If  you	are  using the option, then the priorities will also determine
       what eventually passes through (see syslogd(1M)).

       For example, defining a channel facility and severity as and  but  only
       logging	via will cause messages of severity and to be dropped.	If the
       situation were reversed, with writing messages of only or higher,  then
       would print all messages it received from the channel.

       The  server  can	 supply	 extensive debugging information when it is in
       debugging mode.	If the server's global debug  level  is	 greater  than
       zero,  then  debugging  mode will be active.  The global debug level is
       set either by starting the server with the option followed by  a	 posi‐
       tive  integer, or by running The global debug level can be set to zero,
       and debugging mode turned off, by running All debugging messages in the
       server  have  a debug level, and higher debug levels give more detailed
       output.	For example:

	      channel "specific_debug_level" {
		   file "foo";
		   severity debug 3;
	      };

       In this example, channels that specify a particular debug severity will
       get  debugging  output  of  level  3  or less any time the server is in
       debugging mode, regardless of the  global  debugging  level.   Channels
       with  severity use the server's global level to determine what messages
       to print.

       If is then the date and time will be logged.  may be  specified	for  a
       channel,	 but that is usually pointless, since also prints the date and
       time.

       If is then the category of the message is logged as well.

       If is then the severity level of the message will be logged.

       The options may be used in any combination, and will always be  printed
       in  the	order  time, category, severity.  Here is an example where all
       three options are

	      Time:

	      Category:

	      Severity:

	      Message:

       There are four predefined channels that are used for  default  logging,
       as follows:

	      channel "default_syslog" {
		   syslog daemon;	       // send to syslog's daemon
					       // facility
		   severity info;	       // only send priority info
					       // and higher
	      };

	      channel "default_debug" {
		   file "named.run";	       // write to named.run in
					       // the working directory
					       // Note: stderr is used instead
					       // of "named.run"
					       // if the server is started
					       // with the '-f' option.
		   severity dynamic;	       // log at the server's
					       // current debug level
	      };

	      channel "default_stderr" {
		   stderr;		       // writes to stderr
		   severity info;	       // only send priority info
					       // and higher
	      };

	      channel "null" {
		  null;			       // toss anything sent to
					       // this channel
	      };

       The  channel has the special property that it only produces output when
       the server's debug level is nonzero.  It normally writes to a file,  in
       the server's working directory.

       For security reasons, when the command-line option is used, the file is
       created only after has changed to the new UID,  and  any	 debug	output
       that  is	 generated  while  is starting up and still running as root is
       discarded.  If you need to capture this output, you must run the server
       with the option and redirect standard error to a file.

       Once  a	channel	 is  defined, it cannot be redefined.  Thus you cannot
       alter the built-in channels directly, but you can  modify  the  default
       logging	by  pointing  categories at channels you have defined.	Prede‐
       fined categories allow you to fine-tune what messages you want  to  log
       and  where  you want to log those messages to.  If you do not specify a
       list of channels for a category, then log  messages  in	that  category
       will  be	 sent  to the category instead.	 If you do not specify a cate‐
       gory, the following category is used:

	      category "default" { "default_syslog"; "default_debug"; };

       For example, if you want to log security events to a file and also want
       to keep the default logging behavior, you need to specify the following
       in the statement:

	      channel "my_security_channel" {
		   file "my_security_file";
		   severity info;
	      };

	      category "security" {
		   "my_security_channel";
		   "default_syslog";
		   "default_debug";
	      };

       To discard all messages in a category, specify the channel, as  in  the
       following:

	      category "xfer-out" { "null"; };
	      category "notify" { "null"; };

       The  following  are  the available categories and brief descriptions of
       the types of log information they  contain.   More  categories  may  be
       added in future BIND releases.

       Defines the logging options for categories
		      where no specific configuration has been defined.

       The catch-all. All unclassified categories belong to this category.

       Processing of client requests

       Configuration file parsing and processing.

       Messages relating to the databases used internally by the name
		      server to store zone and cache data.

       Logs queries that have have been forced to NXDOMAIN as the
		      result of a zone or a in a or zone declaration.

       Dispatching of incoming packets to the server modules where they
		      are to be processed.

       DNSSEC and TSIG protocol processing.

       Lame servers are misconfigurations in remote servers,
		      discovered  by BIND 9 when trying to query those servers
		      during resolution.

       Network operations.

       The NOTIFY protocol.

       Enable query logging.

       DNS resolution, such as recursive lookups performed on behalf of
		      clients by a caching name server.

       Approval and denial of requests.

       Messages that  was unable to determine the class of or for which	 there
		      was no matching view.  A one-line summary is also logged
		      to the category.	This category is best sent to a or  by
		      default, it is sent to the channel.

       Dynamic updates

       Approval and denial of update requests.

       Zone transfers the server is receiving.

       Zone transfers the server is sending.

   The lwres Statement
       lwres {
	    [ listen-on { ( ip_addr [ port ip_port ] ; )... }; ]
	    [ ndots number ; ]
	    [ search { domain_name ; [ domain_name ; ]... }; ]
	    [ view view_name ; ]
       };
       The  statement  configures the name server to also act as a lightweight
       resolver server.	 There	may  be	 be  multiple  statements  configuring
       lightweight resolver servers with different properties.

       The  statement  specifies  a  list of addresses and ports that a light‐
       weight resolver daemon should accept requests on.  If no port is speci‐
       fied, port 921 is used.	If this statement is omitted, requests will be
       accepted on 127.0.0.1, port 921.

       The statement is equivalent to the directive in It indicates the	 mini‐
       mum  number  of dots in a relative domain name that should result in an
       exact match lookup before search path elements are appended.

       The statement is equivalent to the directive in It provides a  list  of
       domains that are appended to relative names in queries.

       The statement binds this instance of a lightweight resolver daemon to a
       view in the DNS name space, so that the response will be constructed in
       the  same  manner  as  a	 normal DNS query matching this view.  If this
       statement is omitted, the default view is used,	and  if	 there	is  no
       default view, an error is triggered.

   The masters Statement
       masters name [ port ip_port ] { (
	    ( masters_list | ip_addr [ port ip_port ] [ key key ] ) ;
       )... };
       A statement defines a masters list.  This allows you to include sets of
       masters in the clauses of multiple stub and slave statements.  See  and
       in the section.

       name	      The name of the statement.

       masters_list   The  acl_name  of	 an statement that specifies a list of
		      masters.

   The options Statement
       options {

       // General Options
	    [ directory path_name ; ]
	    [ disable-algorithms domain { algorithm ; [ algorithm ; ] }; ]
	    [ dnssec-lookaside domain trust-anchor domain ; ]
	    [ dnssec-must-be-secure domain yes_or_no ; ]
	    [ dump-file path_name ; ]
	    [ key-directory path_name ; ]
	    [ memstatistics-file path_name ; ]
	    [ pid-file path_name ; ]
	    [ port ip_port ; ]
	    [ preferred-glue ( A | AAAA | NONE ) ; ]
	    [ random-device path_name ; ]
	    [ root-delegation-only [ exclude { namelist } ] ; ]
	    [ statistics-file path_name ; ]
	    [ tkey-dhkey key_name key_tag ; ]
	    [ tkey-domain domainname ; ]

       // Boolean Options
	    [ additional-from-auth yes_or_no ; ]
	    [ additional-from-cache yes_or_no ; ]
	    [ auth-nxdomain yes_or_no ; ]
	    [ check-names ( master | slave | response )
			  ( warn | fail | ignore ) ; ]
	    [ dialup dialup_option ; ]
	    [ dnssec-enable yes_or_no ; ]
	    [ flush-zones-on-shutdown yes_or_no ; ]
	    [ match-mapped-addresses yes_or_no ; ]
	    [ minimal-responses yes_or_no ; ]
	    [ notify ( yes_or_no | explicit ) ; ]
	    [ provide-ixfr yes_or_no ; ]
	    [ querylog yes_or_no ; ]
	    [ recursion yes_or_no ; ]
	    [ request-ixfr yes_or_no ; ]
	    [ zone-statistics yes_or_no ; ]

       // Access Control Options
	    [ allow-notify { address_match_list }; ]
	    [ allow-query { address_match_list }; ]
	    [ allow-recursion { address_match_list }; ]
	    [ allow-transfer { address_match_list }; ]
	    [ allow-update-forwarding { address_match_list }; ]
	    [ blackhole { address_match_list }; ]

       // Bad UDP Port List Options
	    [ avoid-v4-udp-ports { port_list }; ]
	    [ avoid-v6-udp-ports { port_list }; ]

       // Built-In Server Information Zone Options
	    [ hostname hostname_string ; ]
	    [ server-id server_id_string ; ]
	    [ version version_string ; ]

       // Dual-Stack Server Option
	    [ dual-stack-servers [ port ip_port ] { (
		 ( domain_name [ port ip_port ] | ip_addr [ port ip_port ] ) ;
	    )... }; ]

       // Empty Zone Options
	    [ disable-empty-zone zone_name_string ;  ]
	    [ empty-contact empty_contact_name_string ; ]
	    [ empty-server empty_server_name_string ; ]
	    [ empty-zones-enable yes_or_no ; ]

       // Forwarding Options
	    [ forward ( only | first ) ; ]
	    [ forwarders { ( ip_addr [ port ip_port ] ; )... }; ]

       // Interface Options
	    [ listen-on [ port ip_port ] { address_match_list }; ]
	    [ listen-on-v6 [ port ip_port ] { address_match_list }; ]

       // Obsolete Option
	    [ allow-v6-synthesis yes_or_no ; ]

       // Operating System Resource Limit Options
	    [ coresize size_spec ; ]
	    [ datasize size_spec ; ]
	    [ files size_spec ; ]
	    [ stacksize size_spec ; ]

       // Periodic Task Interval Options
	    [ cleaning-interval number ; ]
	    [ heartbeat-interval number ; ]
	    [ interface-interval number ; ]

       // Query Address Options
	    [ query-source [ address ( ip_addr | * ) ]
			   [ port ( ip_port | * ) ] ; ]
	    [ query-source-v6 [ address ( ip_addr | * ) ]
			      [ port ( ip_port | * ) ] ; ]

       // RRset Ordering Option
	    [ rrset-order { order_spec ; [ order_spec ; ]... }; ]

       // Server Resource Limit Options
	    [ max-cache-size size_spec ; ]
	    [ max-journal-size size_spec ; ]
	    [ recursive-clients number ; ]
	    [ tcp-clients number ; ]
	    [ tcp-listen-queue number ; ]

       // Sorting Option
	    [ sortlist { address_match_list }; ]

       // Tuning Options
	    [ edns-udp-size number ; ]
	    [ lame-ttl number ; ]
	    [ max-cache-ttl number ; ]
	    [ max-ncache-ttl number ; ]
	    [ max-refresh-time number ; ]
	    [ max-retry-time number ; ]
	    [ min-refresh-time number ; ]
	    [ min-retry-time number ; ]
	    [ sig-validity-interval number ; ]

       // Zone Transfer Options
	    [ also-notify { ( ip_addr [ port ip_port ] ; )... }; ]
	    [ alt-transfer-source ( ip4_addr | * ) [ port ip_port ] ; ]
	    [ alt-transfer-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
	    [ max-transfer-idle-in number ; ]
	    [ max-transfer-idle-out number ; ]
	    [ max-transfer-time-in number ; ]
	    [ max-transfer-time-out number ; ]
	    [ notify-source ( ip4_addr | * ) [ port ip_port ] ; ]
	    [ notify-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
	    [ serial-query-rate number ; ]
	    [ transfer-format ( one-answer | many-answers ) ; ]
	    [ transfer-source ( ip4_addr | * ) [ port ip_port ] ; ]
	    [ transfer-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
	    [ transfers-in number ; ]
	    [ transfers-out number ; ]
	    [ transfers-per-ns number ; ]
	    [ use-alt-transfer-source yes_or_no ; ]
       };
       The statement sets up global options to be used by BIND.	  This	state‐
       ment  may  appear  only once in a configuration file.  If more than one
       occurrence is found, the first occurrence determines the actual options
       used, and a warning is generated.  If there is no statement, an options
       block with each option set to its default will be used.

       The working directory of the server.
		      Any nonabsolute path names  in  the  configuration  file
		      will  be	taken  as  relative  to	 this  directory.  The
		      default location for most server output files (for exam‐
		      ple,  is	this  directory.  If a directory is not speci‐
		      fied, the working directory defaults  to	the  directory
		      from  which  the server was started The directory speci‐
		      fied should be an absolute path.

       Disable the specified DNSSEC algorithms	at  and	 below	the  specified
       name.
		      Multiple statements are allowed.	Only the most specific
		      is applied.

       When set,      provides the validator with an alternate method to vali‐
		      date DNSKEY records at the top of a zone.	 When a DNSKEY
		      is at or below a domain specified by the deepest and the
		      normal DNSSEC validation has left the key untrusted, the
		      will be appended to the key name and a DLV  record  will
		      be  looked up to see if it can validate the key.	If the
		      DLV record validates a DNSKEY (similar to the way	 a  DS
		      record  does  it),  the  DNSKEY  RRset  is  deemed to be
		      trusted.

       Specify hierarchies which must be or may not be secure (signed and val‐
       idated).
		      If will only accept answers if they are secure.  If nor‐
		      mal DNSSEC validation applies and insecure  answers  are
		      accepted.	  The specified domain must be under a trusted
		      key, or must be active.

       The path name of the file to which the server dumps the database
		      with The default is

       The directory where the public and private key files should be found,
		      if it is	not  the  working  directory.	The  specified
		      directory must be an absolute path.

       The path name of the file to which
		      the  server  writes  the	memory	usage statistics.  The
		      default is

       The path name of the file in which the server writes its process ID.
		      The default path name is The is used  by	programs  that
		      need to send signals to the running name server.

		      Specifying  disables  the	 use of a PID file; no file is
		      written and any existing file is removed.	 Note that  is
		      a	 keyword,  not	a  file	 name,	and  therefore	is not
		      enclosed in quotation marks.

       The UDP/TCP port number the server uses for receiving and sending DNS
		      protocol traffic.	 The default is 53.   This  option  is
		      mainly  intended	for  server  testing; a server using a
		      port other than 53 will not be able to communicate  with
		      the global DNS.

       If specified, the listed type
		      or  will	be emitted before other glue in the additional
		      section of a query response.  The default is not to pre‐
		      fer any type ("Glue" is a record that is created as part
		      of a delegation.)

       The source of entropy (random data) to be used by the server.
		      Entropy is primarily needed for DNSSEC operations,  This
		      option specifies the device (or file) from which to read
		      entropy.	 If  this  is  a  file,	 operations  requiring
		      entropy will fail when the file has been exhausted.  The
		      default value is (or the equivalent) when	 present,  and
		      none otherwise.  The option takes effect during the ini‐
		      tial configuration load at server startup	 time  and  is
		      ignored on subsequent reloads.

       Turn on enforcement of
		      in  top  level  domains  (TLD)  and  root zones, with an
		      optional list.

		      Note: Some TLDs are (for example, and

		      options {
			root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
		      };

       The path name of the file in which the server appends statistics using
		      The default is in the server's current  directory.   The
		      file format is described in section.

       The Diffie-Hellman key
		      used  by the server to generate shared keys with clients
		      using the Diffie-Hellman mode of TKEY.  The server  must
		      be  able	to load the public and private keys from files
		      in the working directory.	 In most cases,	 the  key_name
		      should  be  the  server's	 host name.  The key_tag is an
		      integer that is part of the key.

       The domain appended to the names of  all	 shared	 keys  generated  with
       TKEY.
		      When a client requests a TKEY exchange, it can specify a
		      preferred name for the key.  If the name is present, the
		      name  of	the  shared key will be Otherwise, the name of
		      the shared key  will  be	random_hex_digits+tkey-domain.
		      In  most	cases,	the domain name should be the server's
		      domain name.

       These options control the behavior of an authoritative server when
		      answering queries which have additional  data,  or  when
		      following CNAME and DNAME chains.

		      When  both of these options are set to (the default) and
		      a query is being answered	 from  authoritative  data  (a
		      zone  configured	into  the server), the additional data
		      section of the reply will be filled in using  data  from
		      other  authoritative  zones and from the cache.  In some
		      situations this is undesirable, such as  when  there  is
		      concern over the correctness of the cache, or in servers
		      where slave zones may be added and modified by untrusted
		      third parties.  Also, avoiding the search for this addi‐
		      tional data will speed up server operations at the  pos‐
		      sible  expense  of  additional  queries  to resolve what
		      would otherwise be provided in the additional section.

		      For example, if a query asks for an record for host  and
		      the record found is normally the address records and for
		      will be provided as well, if known.  Set	these  options
		      to to disable this behavior.

		      These options are intended for use in authoritative-only
		      servers, or in authoritative-only	 views.	  Attempts  to
		      set  them	 to  without  also  specifying	will cause the
		      server to ignore the options and log a warning message.

		      Specifying actually disables the use of  the  cache  not
		      only  for	 additional data lookups but also when looking
		      up the answer.  This is usually the desired behavior  in
		      an  authoritative-only  server  where the correctness of
		      the cached data is an issue.

		      When a name server is nonrecursively queried for a  name
		      that  is	not below the apex of any served zone, it nor‐
		      mally answers with an "upwards  referral"	 to  the  root
		      servers or the servers of some other known parent of the
		      query name.  Since the data in an upwards referral comes
		      from  the	 cache, the server will not be able to provide
		      upwards referrals when has been specified.  Instead,  it
		      will  respond to such queries with REFUSED.  This should
		      not cause any problems since upwards referrals  are  not
		      required for the resolution process.

       If	      then  the	 AA  bit  is always set on NXDOMAIN responses,
		      even if the server is not actually  authoritative.   The
		      default  is If you are using an old version of BIND, you
		      might need to set this option to

       Restrict the character set and syntax
		      of certain domain	 names	in  master  files  and/or  DNS
		      responses received from the network.  The default varies
		      according to usage area.	For master zones, the  default
		      is  For slave zones, the default is For answers received
		      from the network the default is

		      The rules for legal host	names  and  mail  domains  are
		      derived  from  RFC  952  and  RFC 821 as modified by RFC
		      1123.

		      applies to the owner names  of  and  records.   It  also
		      applies  to  the	domain	names  in  the	rrdata	of and
		      records.	It also applies to the rrdata of records where
		      the  owner name indicated that it is a reverse lookup of
		      a host name (the owner name ends in

       If	      then the server treats all zones as if  they  are	 doing
		      zone  transfers  across  a  dial-on-demand  dialup link,
		      which can be brought up by traffic originating from this
		      server.	This  has  different effects according to zone
		      type and concentrates the zone maintenance  so  that  it
		      all  happens  in	a short interval, once every and hope‐
		      fully during the one call.  It also suppresses  some  of
		      the normal zone maintenance traffic.  The default is

		      The  option  may also be specified in and statements, in
		      which case, it overrides the global dialup option.

		      If the zone is a master zone, then the server will  send
		      out a NOTIFY request to all the slaves.  This will trig‐
		      ger the zone serial number check in the slave  (provided
		      it  supports  NOTIFY),  allowing the slave to verify the
		      zone while the connection is active.

		      If the zone is a slave or stub  zone,  then  the	server
		      will  suppress  the  regular "zone up to date" (refresh)
		      queries and only perform them when the expires in	 addi‐
		      tion to sending NOTIFY requests.

		      Finer  control can be achieved by using which only sends
		      NOTIFY messages; which sends NOTIFY  messages  and  sup‐
		      presses  the  normal  refresh  queries; which suppresses
		      normal refresh processing and sends refresh queries when
		      the  heartbeat-interval expires; and which just disables
		      normal refresh processing.

       Enable DNSSEC support in
		      Unless set to behaves as if it does not support  DNSSEC.
		      The default is

       If	      flush any pending zone writes when the name server exits
		      due to receiving a The default is do not flush on

       If	      then an IPv4-mapped IPv6 address will match any  address
		      match  list  entries  that  match the corresponding IPv4
		      address.

       If	      the server will only add records to the  authority  when
		      generating  responses  and additional data sections when
		      they are required (for  example,	delegations,  negative
		      responses).   This  may  improve	the performance of the
		      server.  The default is

       If	      (the default), DNS NOTIFY messages are sent when a  zone
		      for  which  the  server  is authoritative, changes.  The
		      messages are sent to the servers listed in the zone's NS
		      records  (except	the  master  server  identified in the
		      MNAME field), and to any servers listed in  the  option.
		      If  is  specified,  NOTIFY  messages  are	 sent  only to
		      servers explicitly listed using If  no  NOTIFY  messages
		      are sent.

		      The  option  may	also be specified in the statement, in
		      which case it overrides the specified in the  statement.
		      It needs to be turned off only when the slaves crash.

       Determines whether the local server, acting as master,
		      will  respond with an incremental zone transfer when the
		      given remote server, a slave, requests it.  If an incre‐
		      mental  transfer will be provided whenever possible.  If
		      all transfers to the remote server will be  nonincremen‐
		      tal.  If not set in a statement, the value of the option
		      in the or global statement is used as a default.

       If	      start query logging when starts.	If do not start	 query
		      logging when starts.  If is not specified, query logging
		      is determined from the presence of the logging category

       If	      and a DNS query requests recursion, then the server will
		      attempt to answer the query.  If and the server does not
		      know the answer, it will	return	a  referral  response.
		      The default is

		      Note  that setting to does not prevent clients from get‐
		      ting data from the server's cache; it only prevents  new
		      data  from  being cached as an effect of client queries.
		      Caching may still occur as an  effect  of	 the  server's
		      internal operation, such as NOTIFY address lookups.

       Determines whether the local server, acting as a slave,
		      will  request  incremental zone transfers from the given
		      remote server, a master.	If not set in a statement, the
		      value  of	 the option in the or global statement is used
		      as a default.

       If	      the server will, by default, collect statistical data on
		      all  zones  in  the  server.   These  statistics	may be
		      accessed using the command, which will dump them to  the
		      file listed in the option.
       Access  to  the server can be restricted based on the IP address of the
       requesting system.

       Specifies which hosts are allowed to notify slaves of a zone change in
		      addition to the zone masters.  may also be specified  in
		      the statement, in which case it overrides the statement.
		      It is only meaningful for a slave zone.  If  not	speci‐
		      fied,  the  default  is  to process notify messages only
		      from a zone's master.

       Specifies which hosts are allowed to ask ordinary questions.
		      may also be specified in the statement, in which case it
		      overrides	 the statement.	 If not specified, the default
		      is to allow queries from all hosts.

       Specifies which hosts are allowed to make recursive queries through
		      this server.  If not specified, the default is to	 allow
		      recursive queries from all hosts.	 Note that disallowing
		      recursive queries for a host does not prevent  the  host
		      from  retrieving	data  that  is already in the server's
		      cache.

       Specifies which hosts are allowed to submit Dynamic DNS updates to
		      slave zones to be forwarded to the master.  The  default
		      is  which	 means	that no update forwarding will be per‐
		      formed.  To enable update forwarding, specify Specifying
		      values other than or is usually counterproductive, since
		      the responsibility for update access control should rest
		      with the master server, not the slaves.

		      Note  that  enabling  the update forwarding feature on a
		      slave server may expose master servers relying on	 inse‐
		      cure IP-address-based access control to attacks.

       Specifies the hosts that are allowed to receive zone transfers from
		      the  server.  may also be specified in the statement, in
		      which case it overrides the statement.   If  not	speci‐
		      fied, the default is to allow transfers from all hosts.

       Specifies a list of addresses that the server will not accept queries
		      from  or	use  to	 resolve  a query.  Queries from these
		      addresses will not be responded to.  The default is

       Specify a list of IPv4 and IPv6 UDP ports that will not be used as sys‐
       tem
		      assigned source ports for UDP sockets.  These lists pre‐
		      vent from choosing as its random source port a port that
		      is  blocked  by your firewall.  If a query went out with
		      such a source port, the answer  would  not  get  by  the
		      firewall and the name server would have to query again.
       The  server provides some helpful diagnostic information through a num‐
       ber of built-in zones under the	pseudo-top-level-domain	 bind  in  the
       class.  These zones are part of a built-in view of class which is sepa‐
       rate from the default  view  of	class  therefore,  any	global	server
       options	such as do not apply the these zones.  If you feel the need to
       disable these zones, use the options below, or hide the	built-in  view
       by defining an explicit view of class that matches all clients.

       The host name the server should report via a query of the name
		      with  type  class	 This defaults to the host name of the
		      machine hosting the name server as found by  (see	 geth‐
		      ostname(2)).   The primary purpose of such queries is to
		      identify which of a group of servers is actually answer‐
		      ing your queries.	 Specifying disables processing of the
		      queries.

       The ID the server should report via a query of the name
		      with type class The primary purpose of such  queries  is
		      to identify which of a group of anycast servers is actu‐
		      ally answering your queries.  Specifying	disables  pro‐
		      cessing  of  the	queries.  Specifying causes to use the
		      host name as found by The default is

       The version the server should report via a query of the name
		      with type and class The default is the real version num‐
		      ber  of  this server.  Specifying disables processing of
		      the queries.
       Dual-stack servers are used as a last resort to workaround reachability
       problems due to the lack of support for either IPv4 or IPv6 on the host
       machine.

       Specifies host names or addresses of machines
		      with access to both IPv4 and IPv6 transports.  If a host
		      name  is	used,  the  server must be able to resolve the
		      name using only the transport it has.  If the machine is
		      dual-stacked  then the have no effect unless access to a
		      transport has been disabled on  the  command  line  (for
		      example, with
       By default, a reverse lookup query for an address in the following zone
       will not be to the root server for resolution.

       Please note that right now we have only one zone in this	 list.	 Addi‐
       tional zones may be added to at later point of time.

       By  default,  BIND  is the authoritative server for the and returns for
       any queries to addresses in these zones.	 This feature can be  overrid‐
       den  by	manually  configuring  named(1M) to be authoritative for these
       zones.

       Disables an individual
		      By default, none of the empty-zones  are	disabled.   If
		      more than one needs to be disabled, use this option mul‐
		      tiple number of times.

       Specifies the contact name that must appear in the returned
		      SOA record for empty zones.  If this option is not spec‐
		      ified, then a period is used.

       Specifies the server name that appears in the returned
		      SOA record for empty zones.  If this option is not spec‐
		      ified, then the zone name is used.

       Enables or disables all empty zones.  By default, the
		      are enabled.
       The forwarding facility can be used to create a large  site-wide	 cache
       on a few servers, reducing traffic over links to external name servers.
       It can also be used to allow queries by servers that do not have direct
       access  to  the	Internet,  but	wish to look up exterior names anyway.
       Forwarding occurs only on those queries for which  the  server  is  not
       authoritative and does not have the answer in its cache.

       This option is useful only if the
		      list  is not empty.  The default value causes the server
		      to query the forwarders first, and if that is unable  to
		      answer  the  question, the server will then look for the
		      answer itself.  If is specified, the  server  will  only
		      query the forwarders.

       Specifies the IP addresses to be used for forwarding.
		      The default is the empty list (no forwarding).

       Forwarding  can	also be configured on a per-domain basis, allowing for
       the global forwarding options to be overridden in a  variety  of	 ways.
       You  can set a particular domain to use different forwarders, or have a
       different or behavior, or not forward at all; see section.
       The interfaces and ports that the server will answer queries from,  may
       be specified using the option.

       The server listens on all interfaces allowed by the
		      address match list.  If a port is not specified, port 53
		      is used.

		      Multiple statements are allowed.	For example,

		      listen-on { 5.6.7.8; };
		      listen-on port 1234 { !1.2.3.4; 1.2/16; };

		      will enable the name  server  on	port  53  for  the  IP
		      address  5.6.7.8,	 and on port 1234 of an address on the
		      machine in net 1.2 that is not 1.2.3.4.  If no is speci‐
		      fied,  the  server  will listen on port 53 on all inter‐
		      faces.

       Specifies the ports on which the server will
		      listen for incoming queries sent using IPv6.

		      The server does not bind a separate socket to each  IPv6
		      interface	 address  as  it  does	for IPv4.  Instead, it
		      always listens on the IPv6 wildcard address.  Therefore,
		      the only values allowed for the address_match_list argu‐
		      ment of the statement are: and

		      Multiple options can  be	used  to  listen  on  multiple
		      ports:

		      listen-on-v6 port 53 { any; };
		      listen-on-v6 port 1234 { any; };

		      To  make	the  server not to listen on any IPv6 address,
		      use

		      listen-on-v6 { none; };

		      If no statement is specified, the server will not listen
		      on any IPv6 address.

       This option was introduced for the smooth transition from
		      to  and from "nibble labels" to binary labels.  However,
		      since both and binary labels were then deprecated,  this
		      option was also deprecated.  It is now ignored with some
		      warning messages.
       The server's usage of many system resources  can	 be  limited.	Scaled
       values  are  allowed when specifying resource limits.  For example, can
       be used instead of 1073741824 to specify a limit of one	gigabyte.   An
       size_spec  requests  unlimited  use,  or	 the maximum available amount.
       uses the limit that was in force when the server was started.

       The following options set operating system resource limits for the name
       server  process.	  A  warning will be issued if an unsupported limit is
       used.

       The maximum size of a core dump.
		      The default is

       The maximum amount of data memory the server may use.
		      The default is This is a hard  limit  on	server	memory
		      usage.   If  the	server	attempts to allocate memory in
		      excess of this limit, the allocation  will  fail,	 which
		      may  in turn leave the server unable to perform DNS ser‐
		      vice.  Therefore, this option is rarely useful as a  way
		      of limiting the amount of memory used by the server, but
		      it can be used to raise an operating  system  data  size
		      limit  that  is  too  small  by default.	If you wish to
		      limit the amount of memory used by the server,  use  the
		      and options instead; see the section.

       The maximum number of files the server may have open concurrently.
		      The default is

       The maximum amount of stack memory the server may use.
		      The default is

       The server will remove expired resource records from the cache every
		      minutes.	 The default is 60 minutes.  The maximum value
		      is 28 days (40320 minutes).  If set to  0,  no  periodic
		      cleaning will occur.

       The server will perform zone maintenance tasks for all zones marked as
		      whenever	this interval expires.	The default is 60 min‐
		      utes.  The maximum value is  28  days  (40320  minutes).
		      Reasonable  values  are  up to 1 day (1440 minutes).  If
		      set to 0, no  zone  maintenance  for  these  zones  will
		      occur.

       The server will scan the network interface list every
		      minutes.	 The default is 60 minutes.  The maximum value
		      is 28 days (40320 minutes).   If	set  to	 0,  interface
		      scanning	will only occur when the configuration file is
		      loaded.  After the scan, listeners will  be  started  on
		      any  new	interfaces  (provided  they are allowed by the
		      configuration).  Listeners on interfaces that have  gone
		      away will be cleaned up.
       If  the server is unable to answer a question, it will query other name
       servers.

       Specifies the address and port used for such queries.

       Specifies the address and port used
		      for queries sent over IPv6.

       If address is or is omitted, a wildcard IP address is used.  If port is
       or  is  omitted,	 a random unprivileged port will be used.  The default
       address and port are:

	      query-source address * port * ;
	      query-source-v6 address * port * ;

       Note: The address specified in the option is used for both UDP and  TCP
       queries,	 but the port applies only to UDP queries.  TCP queries always
       use a random unprivileged port.	When multiple records are returned  in
       an  answer,  it	may  be	 useful	 to configure the order of the records
       placed into the response.

       The option permits the configuration of the ordering of the records  in
       a multiple record response.

       order_spec is defined as:

	      [ class class_name ] [ type type_name ] [ name "domain_name" ]
		   order ordering

	      If  no  is  specified,  the  default  is If no is specified, the
	      default is If no is specified, the default is

	      The values for ordering are:

	      Records are returned in the order they are defined in  the  zone
	      file.

	      Records are returned in some random order.

	      Records are returned in a round-robin order.

       In this example, any responses for type records in class that have as a
       suffix, are always returned in order.  All other records	 are  returned
       in order.

	      rrset-order {
		  class IN type A name "host.example.com" order random;
		  order cyclic;
	      };

       If  multiple  statements	 appear,  they	are not combined; the last one
       applies.	 The following options set limits  on  the  server's  resource
       consumption  that are enforced internally by the server rather than the
       operating system.

       The maximum amount of memory to use for the server's cache, in bytes.
		      When the amount of data in the cache reaches this limit,
		      the  server  will cause records to expire prematurely so
		      that the limit is not exceeded.  In a server with multi‐
		      ple  views, the limit applies separately to the cache of
		      each view.  The default  is  meaning  that  records  are
		      purged from the cache only when their TTLs expire.

       Sets a maximum size for each journal file.
		      When  the	 journal  file	approaches the specified size,
		      some of the oldest transactions in the journal  will  be
		      automatically removed.  The default is

       The maximum number of simultaneous recursive lookups the server will
		      perform  on  behalf  of  clients.	  The default is 1000.
		      Because each recursing client uses a fair bit of memory,
		      on  the  order  of 20 kilobytes, the value of the option
		      may have to be decreased on hosts with limited memory.

       The maximum number of simultaneous client TCP connections that the
		      server will accept.  The default is 100.

       The listen queue depth.
		      The default and minimum is 3.  If	 the  kernel  supports
		      the  accept  filter  "dataready", this also controls how
		      many TCP connections that will be queued in kernel space
		      waiting  for  some  data	before being passed to accept.
		      Values less than 3 are silently raised.
       The response to a DNS query may consist of  multiple  resource  records
       (RRs)  forming  a  resource  records set (RRset).  The name server will
       normally return the RRs within the RRset in an indeterminate order (but
       see  the	 statement  in	the section).  The client resolver code should
       rearrange the RRs as appropriate, that is, using any addresses  on  the
       local net in preference to other addresses.  However, not all resolvers
       can do this or are correctly configured.	 When  a  client  is  using  a
       local  server, the sorting can be performed in the server, based on the
       client's address.  This only requires configuring the name servers, not
       all the clients.

       The  option  takes  an  address_match_list and interprets it.  Each top
       level statement in the must itself be  an  explicit  address_match_list
       with  one  or  two  elements.   The  first  element (which may be an IP
       address, an IP prefix, an ACL name, or a nested address_match_list)  of
       each  top level list is checked against the source address of the query
       until a match is found.

       Once the source address of the query has been matched, if the top level
       statement  contains only one element, the actual primitive element that
       matched the source address  is  used  to	 select	 the  address  in  the
       response to move to the beginning of the response.  If the statement is
       a list of two elements, then the second element	is  interpreted	 in  a
       special	way.   Each  top  level element is assigned a distance and the
       address in the response with the	 minimum  distance  is	moved  to  the
       beginning of the response.

       In  the	following  example,  any  queries  received  from  any	of the
       addresses of the host itself will get responses preferring addresses on
       any  of	the locally connected networks.	 Next will be addresses on the
       192.168.1/24  network,  and  after  that	 either	 the  192.168.2/24  or
       192.168.3/24  network  with  no preference shown between these two net‐
       works.  Queries received from a host on the 192.168.1/24	 network  will
       prefer  other  addresses	 on  that  network  to	the  192.168.2/24  and
       192.168.3/24  networks.	 Queries  received  from   a   host   on   the
       192.168.4/24  or	 the  192.168.5/24  network  will  only	 prefer	 other
       addresses on their directly connected networks.

	      sortlist {
		   { localhost;			   // IF   the local host
			{ localnets;		   // THEN first fit on the
			     192.168.1/24;	   //	   following nets
			     { 192.168.2/24; 192.168.3/24; }; }; };

		   { 192.168.1/24;		   // IF   on class C 192.168.1
			{ 192.168.1/24;		   // THEN use .1, or .2 or .3
			     { 192.168.2/24; 192.168.3/24; }; }; };

		   { 192.168.2/24;		   // IF   on class C 192.168.2
			{ 192.168.2/24;		   // THEN use .2, or .1 or .3
			     { 192.168.1/24; 192.168.3/24; }; }; };

		   { 192.168.3/24;		   // IF   on class C 192.168.3
			{ 192.168.3/24;		   // THEN use .3, or .1 or .2
			     { 192.168.1/24; 192.168.2/24; }; }; };

		   {				   // IF .4 or .5, prefer that net
				{ 192.168.4/24; 192.168.5/24; }; };
	      };

       The following example gives reasonable behavior for the local host  and
       hosts on directly connected networks.  It is similar to the behavior of
       the address sort in BIND 4.9.x.	Responses sent	to  queries  from  the
       local   host  will  favor  any  of  the	directly  connected  networks.
       Responses sent to queries from any other hosts on a directly  connected
       network will prefer addresses on that same network.  Responses to other
       queries will not be sorted.

	      sortlist {
			 { localhost; localnets; };
			 { localnets; };
	      };

       Sets the advertised Extended DNS (EDNS) UDP buffer size in bytes.
		      Valid values are 512 to 4096 (values outside this	 range
		      will  be silently adjusted).  The default value is 4096.
		      The usual reason for setting to a nondefault value is to
		      get  UDP	answers	 to pass through broken firewalls that
		      block fragmented packets and/or block UDP	 packets  that
		      are greater than 512 bytes.

       Sets the number of seconds to cache a lame server indication.
		      0 disables caching.  (This is recommended.)  The default
		      is 600 (10 minutes).  The maximum value is 1800 (30 min‐
		      utes).  (See the keyword in section.)

       Sets  the maximum time in seconds for which the server will cache ordi‐
       nary
		      (positive) answers.  The default is one week (7 days).

       To reduce network traffic and increase performance,
		      the server stores negative answers.  is used  to	set  a
		      maximum  retention  time for these answers in the server
		      in seconds.  The default is  10800  seconds  (3  hours).
		      The maximum is 7 days and will be truncated to 7 days if
		      set to a greater value.

       These options control the server's behavior on refreshing a zone
		      (querying for SOA changes) or retrying failed transfers.
		      Usually  the SOA values for the zone are used, but these
		      values are set by the master, giving slave server admin‐
		      istrators little control over their contents.

		      These  options  allow the administrator to set a minimum
		      and maximum refresh and retry time either per-zone, per-
		      view,  or	 per-server.  These options are valid for mas‐
		      ter, slave and stub zones, and clamp the SOA refresh and
		      retry times to the specified values.

       Specifies the number of days into the future when DNSSEC signatures
		      that were automatically generated as a result of dynamic
		      updates will expire.  The default is 30 days.  The maxi‐
		      mum  is  10  years (3660 days).  The signature inception
		      time is unconditionally set to one hour before the  cur‐
		      rent time to allow for a limited amount of clock skew.
       BIND  has mechanisms in place to facilitate zone transfers and set lim‐
       its on the amount of load that transfers place on the system.  The fol‐
       lowing options apply to zone transfers.

       Defines	a  global  list	 of IP addresses of name servers that are also
       sent
		      NOTIFY messages whenever a fresh copy  of	 the  zone  is
		      loaded,  in addition to the servers listed in the zone's
		      NS records.  This helps to ensure	 that  copies  of  the
		      zones  will  quickly converge on stealth servers.	 If an
		      list is given in	a  statement,  it  will	 override  the
		      statement.   When a statement is set to the IP addresses
		      in the global list will not be sent NOTIFY messages  for
		      that  zone.   The	 default  is the empty list (no global
		      notification list).

       An alternate transfer source if the one listed in
		      fails and is set.

       An alternate transfer source if the one listed in
		      fails and is set.

       Inbound zone transfers making no progress in this many minutes will be
		      terminated.  The default is 60 minutes  (1  hour).   The
		      maximum value is 28 days (40320 minutes).

       Outbound zone transfers making no progress in this many minutes will be
		      terminated.   The	 default  is 60 minutes (1 hour).  The
		      maximum value is 28 days (40320 minutes).

       Inbound zone transfers running longer than this many minutes will be
		      terminated.  The default is 120 minutes (2 hours).   The
		      maximum value is 28 days (40320 minutes).

       Outbound zone transfers running longer than this many minutes will be
		      terminated.   The default is 120 minutes (2 hours).  The
		      maximum value is 28 days (40320 minutes).

       Determines which local source address, and optionally UDP port,
		      will be used to send NOTIFY messages.  This address must
		      appear  in  the  slave  server's clause or in an clause.
		      This statement sets the for all zones, but can be	 over‐
		      ridden  on  a  per-zone or per-view basis by including a
		      statement within the or statement in  the	 configuration
		      file.

       The same as    but applies to NOTIFY messages sent to IPv6 addresses.

       Slave servers will periodically query master servers to find out if
		      zone  serial numbers have changed.  Each such query uses
		      a minute amount of the slave server's network bandwidth.
		      To  limit	 the amount of bandwidth used, BIND 9.3 limits
		      the rate at which queries are sent.  The	value  of  the
		      option,  an  integer,  is	 the maximum number of queries
		      sent per second.	The default is 20.

       Zone transfers can be sent using two different formats,
		      and The option is used on the master server to determine
		      which  format  it	 sends.	  uses	one  DNS  message  per
		      resource record transferred.   packs  as	many  resource
		      records  as possible into a message.  is more efficient,
		      but is only supported by relatively new  slave  servers,
		      such as BIND 9.3, BIND 8.x, and patched versions of BIND
		      4.9.x.  The default is may be overridden on a per-server
		      basis by using the statement.

       Determines which local address will be bound to IPv4 TCP
		      connections  used	 to fetch zones transferred inbound by
		      the server.  It also determines the source IPv4 address,
		      and  optionally  the  UDP	 port,	used  for  the refresh
		      queries and forwarded dynamic updates.  If not  set,  it
		      defaults to a system-controlled value which will usually
		      be the address of the interface "closest to" the	remote
		      end.   This  address  must  appear  in  the remote end's
		      option for the zone being transferred, if one is	speci‐
		      fied.  This statement sets the for all zones, but can be
		      overridden on a per-view or per-zone basis by  including
		      a	 statement  within  the	 or block in the configuration
		      file.

       The same as    except that zone transfers are performed using IPv6.

       The maximum number of concurrently running inbound zone transfers.
		      The default value is 10.	The maximum value is  28  days
		      (40320  minutes).	  Increasing  may speed up the conver‐
		      gence of slave zones, but it may also increase the  load
		      on the local system.

       The maximum number of concurrently running outbound zone transfers.
		      Zone  transfer  requests	in excess of the limit will be
		      refused.	The default value is 10.

       The maximum number of concurrently running inbound zone transfers
		      from a given remote name server.	The default  value  is
		      2.   Increasing  may  speed  up the convergence of slave
		      zones, but it also may increase the load on  the	remote
		      name server.  may be overridden on a per-server basis by
		      using the phrase of the statement.

       Use the alternate transfer sources or not.
		      If views are specified, this defaults to	otherwise,  it
		      defaults to (for BIND 8 compatibility).

   The server Statement
       server ip_addr {
	    [ bogus yes_or_no ; ]
	    [ edns yes_or_no ; ]
	    [ keys { string ; [ string ; ]... }; ]
	    [ provide-ixfr yes_or_no ; ]
	    [ request-ixfr yes_or_no ; ]
	    [ transfer-format ( one-answer | many-answers ) ; ]
	    [ transfer-source ( ip4_addr | * ) [ port ip_port ] ; ]
	    [ transfer-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
	    [ transfers number ; ]
       };
       The  statement  defines	characteristics to be associated with a remote
       name server.  The statement can occur at the top level of the  configu‐
       ration file or inside a statement.  If a statement contains one or more
       statements, only those apply to the view and  any  top-level  ones  are
       ignored.	  If  a statement contains no statements, any top-level state‐
       ments are used as defaults.

       If you discover that a remote server is giving out bad data,
		      marking it as will prevent further queries to  it.   The
		      default value is

       (Extended DNS) Determines  whether the local server will attempt to use
		      EDNS when communicating with  the	 remote	 server.   The
		      default is

       Identifies a   key_id  defined  by a statement, to be used for transac‐
		      tion security when talking to the	 remote	 server.   The
		      statement must come before the statement that references
		      it.  When a request is sent  to  the  remote  server,  a
		      request signature will be generated using the key speci‐
		      fied here, and appended to the message.  A request orig‐
		      inating  from  the  remote  server is not required to be
		      signed by this key.  Although the grammar of the	clause
		      allows  for  multiple keys, only a single key per server
		      is currently supported.

       Determines whether the local server, acting as master,
		      will respond with an incremental zone transfer when  the
		      given  remote  server,  a slave, requests it.  If set to
		      incremental transfer will be provided whenever possible.
		      If  set  to  all	transfers to the remote server will be
		      nonincremental.  If not set, the value of the option  in
		      the or global statement is used as a default.

       Determines whether the local server, acting as a slave,
		      will  request  incremental zone transfers from the given
		      remote server, a master.	If not set, the value  of  the
		      option in the or global statement is used as a default.

		      IXFR  requests  to servers that do not support IXFR will
		      automatically fall back to AXFR.	Therefore, there is no
		      need  to	manually  list	which servers support IXFR and
		      which ones do not; the global default of	should	always
		      work.  The purpose of the and clauses is to make it pos‐
		      sible to disable the use of IXFR even when  both	master
		      and  slave  claim	 to support it; for example, if one of
		      the servers is defective and crashes  or	corrupts  data
		      when IXFR is used.

       The server supports two zone transfer methods.
		      uses  one	 DNS  message per resource record transferred.
		      packs as many resource records as possible into  a  mes‐
		      sage.  is more efficient, but is only known to be under‐
		      stood by BIND 9, BIND 8.x, and patched versions of  BIND
		      4.9.5.  You can specify which method to use for a server
		      with the option.	If is not specified, the specified  by
		      the statement is used.

       Specify the IPv4 and IPv6 source address to be used for zone transfer
		      with  the	 remote	 server,  respectively.	  For  an IPv4
		      remote server, only can be specified.  Similarly, for an
		      IPv6 remote server, only can be specified.

       Limits the number of concurrent inbound zone transfers
		      from  the	 specified server.  If no clause is specified,
		      the limit is set according to the option.

   The trusted-keys Statement
       trusted-keys {
	    ( domain_name flags protocol algorithm key_data ; )...
       };
       The statement defines  DNSSEC  security	roots.	 A  security  root  is
       defined	when  the public key for a nonauthoritative zone is known, but
       cannot be securely obtained through DNS, either because it is  the  DNS
       root  zone or its parent zone is unsigned.  Once a key has been config‐
       ured as a trusted key, it is treated as if it had  been	validated  and
       proven secure.  The resolver attempts DNSSEC validation on all DNS data
       in subdomains of a security root.

       The statement can contain multiple key entries, each consisting of  the
       key's  five  parameters: domain_name (string), flags (number), protocol
       (number), algorithm (number), and the  base-64  representation  of  the
       key_data (string).

   The view Statement
       view view_name [ class ] {
	    [ match-clients { address_match_list } ; ]
	    [ match-destinations { address_match_list } ; ]
	    [ match-recursive-only { yes_or_no } ; ]
	    [ view_option ; ]...
	    [ zone_statement ; ]...
       };

       The statement lets a name server answer a DNS query differently depend‐
       ing on who is asking.  It is particularly useful for implementing split
       DNS  setups  without  having  to	 run multiple servers.	Each statement
       defines a view of the DNS name space that will be seen by a  subset  of
       clients.	  The order of the statements is significant; a client request
       will be resolved in the context of the first view that it matches.

       view_name      A name for the view.

       class	      Views are class-specific.	 If no class is	 given,	 class
		      is  assumed.   Note  that	 all views must contain a hint
		      zone, since  only	 the  class  has  compiled-in  default
		      hints.

       A client matches a view if its source IP address matches the
		      address_match_list  of  the  statement's	clause and its
		      destination IP address matches the address_match_list of
		      the statement's clause.

		      If  not  specified,  and	each  default  to matching all
		      addresses.

       Means that only recursive requests from	matching  clients  match  that
       view.

       view_option    Many  of	the options given in the statement can also be
		      used within  a  statement,  and  then  apply  only  when
		      resolving queries with that view.	 When no view-specific
		      value is given, the value in the statement is used as  a
		      default.	 Also,	zone  options  can have default values
		      specified in the statement; these view-specific defaults
		      take  precedence	over those in the statement.  See sec‐
		      tion.

       zone_statement Zones defined within a statement will only be accessible
		      to  clients  that match the view.	 By defining a zone of
		      the same name in multiple views, different zone data can
		      be  given to different clients; for example, and clients
		      in a split DNS setup.  See section.

       If there are no statements in the configuration file,  a	 default  view
       that  matches  any  client  is  automatically  created in class and any
       statements specified on the top level of	 the  configuration  file  are
       considered to be part of this default view.  If any explicit statements
       are present, all statements must occur inside statements.

       Here is an example of a	typical	 split	DNS  setup,  implemented  with
       statements.

	      view "internal" {
			   // This should match our internal networks.
		   match-clients { 10.0.0.0/8; };
			   // Provide recursive service to internal clients only.
		   recursion yes;
			   // Provide a complete view of the example.com zone
			   // including addresses of internal hosts.
		   zone "example.com" {
			type master;
			file "example-internal.db";
		   };
	      };

	      view "external" {
		   match-clients { any; };
			   // Refuse recursive service to external clients.
		   recursion no;
			   // Provide a restricted view of the example.com zone
			   // containing only publicly accessible hosts.
		   zone "example.com" {
			type master;
			file "example-external.db";
		   };
	      };

   The zone Statement
       zone zone_name [ class ] [ {
	    type ( master | slave | hint
		   | stub | forward | delegation-only ) ;
	    [ allow-notify { address_match_list }; ]
	    [ allow-query { address_match_list }; ]
	    [ allow-transfer { address_match_list }; ]
	    [ allow-update { address_match_list }; ]
	    [ allow-update-forwarding { address_match_list }; ]
	    [ also-notify { ( ip_addr [ port ip_port ] ; )... }; ]
	    [ alt-transfer-source ( ip4_addr | * ) [ port ip_port ] ; ]
	    [ alt-transfer-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
	    [ check-names ( warn | fail | ignore ) ; ]
	    [ database string ; ]
	    [ delegation-only yes_or_no ; ]
	    [ dialup dialup_option ; ]
	    [ file string ; ]
	    [ forward ( only | first ) ; ]
	    [ forwarders { ( ip_addr [ port ip_port ] ; )... }; ]
	    [ ixfr-from-differences yes_or_no ; ]
	    [ key-directory path_name ; ]
	    [ masters [ port ip_port ] { (
		 ( masters_name | ip_addr [ port ip_port ] [ key key ] ) ;
	    )... }; ]
	    [ max-refresh-time number ; ]
	    [ max-retry-time number ; ]
	    [ max-transfer-idle-in number ; ]
	    [ max-transfer-idle-out number ; ]
	    [ max-transfer-time-in number ; ]
	    [ max-transfer-time-out number ; ]
	    [ min-refresh-time number ; ]
	    [ min-retry-time number ; ]
	    [ multi-master yes_or_no ; ]
	    [ notify yes_or_no | explicit ; ]
	    [ notify-source ( ip4_addr | * ) [ port ip_port ] ; ]
	    [ notify-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
	    [ sig-validity-interval number ; ]
	    [ transfer-source ( ip4_addr | * ) [ port ip_port ] ; ]
	    [ transfer-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
	    [ update-policy { update_policy_rule }; ]...
	    [ use-alt-transfer-source yes_or_no ; ]
	    [ zone-statistics yes_or_no ; ]
       } ] ;

       zone_name      A name for the zone.

       class	      The class of the zone; one of the following:

		      The Internet class.
				     This  is the default.  is correct for the
				     vast majority of cases.

		      This class is named  for	an  information	 service  from
		      MIT's Project Athena.
				     It	 is  used  to  share information about
				     various systems databases, such as users,
				     groups, printers and so on.

		      Another MIT development is Chaosnet, a LAN protocol cre‐
		      ated in the mid-1970s.

       The type of the zone.

       The server has a master copy of the data for the zone and will be
		      able to provide authoritative answers for it.

       A slave zone is a replica of a master zone.

		      The list specifies one or more IP	 addresses  of	master
		      servers  that  the  slave contacts to update its copy of
		      the zone.

		      By default, transfers are	 made  from  port  53  on  the
		      servers; this can be changed for all servers by specify‐
		      ing a port number before the list of IP addresses, or on
		      a per-server basis after the IP address.	Authentication
		      to the master can also  be  done	with  per-server  TSIG
		      keys.

		      If a file is specified, then the replica will be written
		      to this file whenever the zone is changed, and  reloaded
		      from  this  file	on a server restart.  Use of a file is
		      recommended, since it often speeds server	 start-up  and
		      eliminates  a needless waste of bandwidth.  If the data‐
		      base files are very large, it is	recommended  to	 place
		      them in different directories.

       A stub zone is similar to a slave zone,
		      except  that it replicates only the NS records of a mas‐
		      ter zone instead of the entire zone.

		      Stub zones are not a standard part of the DNS; they  are
		      a	 feature  specific  to	the BIND implementation.  Stub
		      zones can be used to eliminate  the  need	 for  glue  NS
		      records in a parent zone at the expense of maintaining a
		      stub zone entry and a set of name server addresses in

		      This usage is not recommended  for  new  configurations,
		      and BIND 9.3 supports it only in a limited way.  In BIND
		      4/8, zone transfers of a parent  zone  included  the  NS
		      records  from  stub  children  of that zone.  This meant
		      that, in some cases, users could get away with configur‐
		      ing child stubs only in the master server for the parent
		      zone.  BIND 9 never mixes together zone data  from  dif‐
		      ferent zones in this way.	 Therefore, if a BIND 9 master
		      serving a parent zone has child stub  zones  configured,
		      all  the	slave servers for the parent zone also need to
		      have the same child stub zones configured.

		      Stub zones can also be used to force the resolution of a
		      given  domain  to	 use a particular set of authoritative
		      servers.	For example, the caching  name	servers	 on  a
		      private network using RFC 2157 addressing may be config‐
		      ured with stub zones for to use a set of	internal  name
		      servers as the authoritative servers for that domain.

       A forward zone can  be  used  to	 configure  forwarding on a per-domain
		      basis.  A zone statement of type can  contain  a	and/or
		      statement, which will apply to queries within the domain
		      given by the zone name.  If no statement is  present  or
		      an empty list of forwarders is given, then no forwarding
		      will be done for the domain, canceling  the  effects  of
		      any  forwarders  in the statement.  Thus, if you want to
		      use this type of zone to	change	the  behavior  of  the
		      global  option (that is, then or vice versa, but want to
		      use the same servers  as	set  globally),	 you  need  to
		      respecify the global forwarders.

       The initial set of root name servers is specified using a hint zone.
		      When  the	 server	 starts	 up, it uses the root hints to
		      find a root name server and get the most recent list  of
		      root  name  servers.   If	 no hint zone is specified for
		      class the server uses a compiled-in default set of  root
		      servers  hints.	Classes	 other	than  have no built-in
		      defaults hints.

       This is used to enforce the delegation-only  status  of	infrastructure
       zones
		      (for  example,  Any  answer  that	 is received without a
		      explicit or implicit delegation in the authority section
		      will be treated as NXDOMAIN.  This does not apply to the
		      zone apex.  This be  applied  to	leaf  zones.   has  no
		      effect on answers received from forwarders.

       See the description in
		      section.

       See the description in
		      section.

       See the description in
		      section.

       Specifies which hosts are allowed to submit Dynamic DNS updates for
		      master  zones.   The default is to deny updates from all
		      hosts.  Please note that this option is  not  applicable
		      for slave zones.	See the section for more details.

       Specifies which hosts are allowed to submit Dynamic DNS updates to
		      slave  zones to be forwarded to the master.  The default
		      is which means that no update forwarding	will  be  per‐
		      formed.  To enable update forwarding, specify Specifying
		      values other than or is usually counterproductive, since
		      the responsibility for update access control should rest
		      with the master  server,	not  the  slaves.   Note  that
		      enabling the update forwarding feature on a slave server
		      may expose master servers	 that  rely  on	 insecure  IP-
		      address-based access control to attacks.

       Only meaningful if
		      is  active for this zone.	 The set of machines that will
		      receive a DNS NOTIFY message for this zone is made up of
		      all the listed name servers (other than the primary mas‐
		      ter) for the zone plus any IP addresses specified with A
		      port  may	 be  specified	with  each address to send the
		      notify messages to a port other than the default of  53.
		      is  not  meaningful  for stub zones.  The default is the
		      empty list.

       See the description in
		      section.

       See the description in
		      section.

       Restrict the character set and syntax of certain
		      domain  names  in	 master	 files	and/or	DNS  responses
		      received from the network.  The default varies according
		      to zone type.  For zones, the default is For zones,  the
		      default is

       Specify the type of database to be used for storing the zone data.
		      The  string  following  the  keyword is interpreted as a
		      list of  whitespace-delimited  words.   The  first  word
		      identifies  the  database type, and any subsequent words
		      are passed as arguments to the  database	to  be	inter‐
		      preted  in  a  way  specific  to the database type.  The
		      default is  BIND	9's  native  in-memory	red-black-tree
		      database.	 This database does not take arguments.	 Other
		      values are possible if additional database drivers  have
		      been linked into the server.

       The flag only applies to
		      and  zones.   If set to then the zone is also treated as
		      if it is also a type zone.

       See the description in
		      section.

       A zone file designates a domain name
		      with all of its associated subdomains, IP addresses, and
		      mail  server.  A zone file contains resource records and
		      so on).

       Only meaningful if the zone has a
		      list.  The value causes the lookup to fail after	trying
		      the  forwarders  and  getting  no answer, while allows a
		      normal lookup to be tried.

       Used to override the list of global forwarders.
		      If it is not specified in a zone of type	no  forwarding
		      is done for the zone; the global options are not used.

       If	      and the server loads a new version of a master zone from
		      its zone file or receives a new version of a slave  file
		      by  a  nonincremental zone transfer, it will compare the
		      new version to the previous one and calculate a  set  of
		      differences.   The  differences  are  then logged in the
		      zone's journal file such that the changes can be	trans‐
		      mitted  to  downstream  slaves  as  an  incremental zone
		      transfer.

		      By allowing incremental zone transfers to	 be  used  for
		      nondynamic  zones,  this	option	saves bandwidth at the
		      expense of increased CPU and memory consumption  at  the
		      master.	In particular, if the new version of a zone is
		      completely different from the previous one, the  set  of
		      differences will be of a size comparable to the combined
		      size of the old and new zone  version,  and  the	server
		      will  need  to  temporarily allocate memory to hold this
		      complete difference set.

       See the description in
		      section.

       See the	      and descriptions at the beginning of this	 section,  and
		      the description in section.

		      masters_name
			     The name of a statement.

       See the description in
		      section.

       See the description in
		      section.

       See the description in
		      section.

       See the description in
		      section.

       See the description in
		      section.

       See the description in
		      section.

       See the description in
		      section.

       See the description in
		      section.

       This  should  be	 set when you have multiple masters for a zone and the
       addresses
		      refer to different machines.  If will not log  when  the
		      serial  number on the master is less than what currently
		      has.  The default is

       See the description in
		      section.

       See the description in
		      section.

       See the description in
		      section.

       See the description in
		      section.

       See the description in
		      section.

       See the description in
		      section.

       Specifies a "Simple Secure Update" policy.
		      See the section for more details.

       See the description in
		      section.

       If	      the server will keep statistical	information  for  this
		      zone, which can be dumped to the defined in the options.
       BIND 9.3 supports two alternative methods of granting clients the right
       to perform dynamic updates to a zone, configured by  the	 and  options,
       respectively.

       The  clause  works  the	same  way as in previous versions of BIND.  It
       grants given clients the permission to update any record of any name in
       the zone.

       The clause is new in BIND 9.3 and allows more fine-grained control over
       what updates are allowed.  A set of rules is specified, where each rule
       either grants or denies permissions for one or more names to be updated
       by one or more identities.  If the dynamic update  request  message  is
       signed (that is, it includes either a TSIG or SIG(0) record), the iden‐
       tity of the signer can be determined.

       Rules are specified in the zone option, and  are	 only  meaningful  for
       master  zones.	When  the  statement is present, it is a configuration
       error for the statement to be present.  The statement only examines the
       signer of a message; the source address is not relevant.

       A sample rule definition is as shown below:

	    ( grant | deny ) identity nametype name [ types ]

       Each rule grants or denies privileges.  Once a message has successfully
       matched a rule, the operation is immediately granted or denied  and  no
       further	rules are examined.  A rule is matched when the signer matches
       the identity field, the name matches the name field, and	 the  type  is
       specified in the list in the types field.

       The identity field specifies a name or a wildcard name.	Normally, this
       is the name of the TSIG or SIG(0) key used to sign the update  request.
       When a TKEY exchange has been used to create a shared secret, the iden‐
       tity of the shared secret is the same as the identity of the  key  used
       to authenticate the TKEY exchange.  When the identity field specifies a
       wildcard name, it is subject to DNS wildcard  expansion,	 so  the  rule
       will  apply  to multiple identities.  The identity field must contain a
       fully qualified domain name.

       The nametype field has four possible values:

       Exact-match semantics.
		      This rule matches when the name being updated is identi‐
		      cal to the contents of the name field.

       This  rule  matches  when  the name being updated is a subdomain of, or
       identical
		      to, the contents of the name field.

       The	      name field is subject to	DNS  wildcard  expansion,  and
		      this rule matches when the name being updated is a valid
		      expansion of the wildcard.

       This rule matches when the name being updated matches the  contents  of
       the
		      identity	field.	 The name field is ignored, but should
		      be the same as the identity field.  The nametype is most
		      useful  when  allowing  the  use	of one key per name to
		      update, where the key has the same name as the  name  to
		      be  updated.  The identity would be specified as in this
		      case.

       In all cases, the name field must  specify  a  fully  qualified	domain
       name.

       If  no  types  are  explicitly  specified,  this rule matches all types
       except and A type may be specified by name,  including  (which  matches
       all  types  except  which  can  never  be  updated).  Note that when an
       attempt is made to delete all records associated with a name, the rules
       are checked for each existing record type.

   The Statistics File
       The  statistics	file generated by BIND 9.3 is similar, but not identi‐
       cal, to that generated by BIND 8.  The statistics dump begins with  the
       line

       where  the  number  in parentheses is a standard UNIX-style time stamp,
       measured as seconds since January 1, 1970.  Following that line	are  a
       series  of  lines  containing a counter type, the value of the counter,
       optionally a zone name, and optionally a view name.  The lines  without
       view  and  zone	listed	are  global  statistics for the entire server.
       Lines with a zone and view name are for the given view  and  zone  (the
       view  name  is omitted for the default view).  The statistics dump ends
       with the line

       where the number is identical to the number in the beginning line.

       The following statistics counters are maintained:

       The number of successful queries made to the server or zone.
		      A successful query is defined as query which  returns  a
		      NOERROR response other than a referral response.

       The number of queries which resulted in referral responses.

       The number of queries which resulted in NOERROR responses with no data.

       The number of queries which resulted in NXDOMAIN responses.

       The number of queries which caused the server to perform
		      recursion in order to find the final answer.

       The number of queries which resulted in a failure response other
		      than those above.

ZONE FILES
       A  is  a text file that defines a zone, designating a domain name, with
       all of its associated subdomains, IP addresses, and mail	 servers.   It
       may  contain  directives,  resource records, and comments.  Blank lines
       may be included for readability.	 A  zone  definition  starts  with  an
       resource	 record.   The zone file name is used in the substatement of a
       statement in the configuration file,

       A consists of those contiguous parts of the domain  tree	 for  which  a
       domain server has complete information and over which it has authority.
       A domain server may be authoritative for more than one zone.

       An or fully qualified domain name (FQDN) in a zone  file	 is  one  that
       ends in a period For example, is an absolute domain name.

       A  in a zone file does not end in a period.  For example, is a relative
       domain name.

       An in a zone file is an absolute domain name that is appended to a rel‐
       ative domain name to complete it.  For example, if is the origin and is
       a relative domain name, they would combine to form the absolute	domain
       name,

       A starts with a semicolon and continues to the end of the line.	A com‐
       ment can appear on a line by itself or at the end of any	 directive  or
       resource record line, including lines that are continued.  For example,
       in the following record, is a comment.

       Records normally end at the end of a line.  However, they may  be  con‐
       tinued  across  lines  if  the text is enclosed in parentheses, See the
       example in the section.

   Zone File Directives
       Zone file directives help to simplify resource records.	The directives
       include	and The directive sets the origin that will be appended to any
       subsequent relative domain names.  This provides a convenient shorthand
       for writing resource records.

       Syntax

	      origin	A domain name that serves as the suffix for subsequent
			relative domain names.

       When starts, the default origin is the zone_name in  the	 statement  of
       the configuration file,

       If the new origin is not absolute (does not have a terminating period),
       the old origin is appended to it.

       For example,

	      $ORIGIN	 com.
	      $ORIGIN	 example
	      WWW	 CNAME	  MAIN-SERVER

       is equivalent to:

	      $ORIGIN	 example.com.
	      WWW	 CNAME	  MAIN-SERVER

       is equivalent to:

	      WWW.EXAMPLE.COM.	  CNAME	   MAIN-SERVER.EXAMPLE.COM.

       The directive reads and processes a file as if it  were	included  into
       the file at this point.

       Syntax

	      filename	The name of the file to be included.

	      origin	The  origin  for  the  data in the included file.  The
			default is the current origin of the  including	 (par‐
			ent) file.

       Neither the origin field nor statements in the included file affect the
       origin of the parent file.

       Once the included file has been processed, the origin and  the  current
       record owner name revert to the values they had prior to the directive.

       Note:  RFC  1035	 specifies  that the current origin should be restored
       after an but it is silent on whether  the  current  record  owner  name
       should  also be restored.  BIND 9 restores both of them.	 This could be
       construed as a deviation from RFC 1035, a feature, or both.

       The directive sets the default Time to Live (TTL) value for  subsequent
       RRs that have undefined TTLs.

       Syntax

	      default-ttl
			The default TTL value for subsequent RRs.  See the and
			sections for more detail.

       The directive creates a series of resource  records  that  differ  from
       each other only by an iterator value.

       is a BIND extension and not part of the standard DNS zone file format.

       Syntax

	      (ttl and class may be entered in either order.)

	      range	The  range  of	the  iterator  value.  range can be in
			either of the forms: or If the	first  form  is	 used,
			then  step  is set to 1.  All of start, stop, and step
			must be positive.

	      lhs	An expression that evaluates  to  the  owner_name  for
			each  resource	record that is created.	 If lhs is not
			an  absolute  domain  name,  the  current  origin   is
			appended to it.

			Any  single  symbols  within  lhs  are replaced by the
			iterator value.

			The may	 optionally  be	 followed  by  modifiers  that
			change	the offset from the iterator, the field width,
			and the base.  Modifiers are introduced by  a  immedi‐
			ately  following  the in the format For example, which
			subtracts 20 from the current  value  and  prints  the
			result	as a decimal in a zero-padded field of 3 char‐
			acters.	 The  available	 base  values  are  (decimal),
			(octal), (lowercase hexadecimal), and (uppercase hexa‐
			decimal).  The default modifier is

			To get a in the output, escape the  with  a  backslash
			for  example, For compatibility with earlier versions,
			is still recognized as indicating  a  literal  in  the
			output.

	      ttl	The  TTL for the generated records.  If it is omitted,
			the normal TTL inheritance rules apply.	 See  the  and
			sections for more detail.

	      class	The  class  of the generated records.  This must match
			the zone class, if it is specified.

	      type	At present, the only supported types are and

	      rhs	An expression that evaluates to the  rrdata  for  each
			resource  record  that	is  created.  At present, this
			must be a domain name.	It uses the same processing as
			lhs.

       Example

       easily  generates  the  sets  of	 records  required  to support the sub
       reverse delegations described in RFC 2317, "Classless IN-ADDR.ARPA del‐
       egation".

	      $ORIGIN 0.0.192.IN-ADDR.ARPA.
	      $GENERATE 1-2 0 NS SERVER$.EXAMPLE.
	      $GENERATE 1-127 $ CNAME $.0

       is equivalent to:

	      0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
	      0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
	      1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
	      2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
	       ...
	      127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.

   Resource Records (RRs)
       This  section,  based  on RFC 1034, describes the concept of a resource
       record, known as an RR, and when an RR is used.	Since the  publication
       of  RFC	1034,  several new RRs have been identified and implemented in
       the DNS.	 These are also included.

       A domain name identifies a node.	 Each  node  has  a  set  of  resource
       information, which may be empty.	 The set of resource information asso‐
       ciated with a particular name is composed of separate RRs.   The	 order
       of  RRs	in  a set is not significant and need not be preserved by name
       servers, resolvers, or other parts of the DNS.  However, the sorting of
       multiple	 RRs  is  permitted for optimization purposes, for example, to
       specify that a particular nearby server be tried first.

       Domain servers store information as a series of resource records,  each
       of  which  contains  a  particular  piece  of information about a given
       domain name (which is usually, but not always, a host).	 The  simplest
       way  to think of a RR is as a typed pair of data, a domain name matched
       with relevant data, and stored with some additional type information to
       help systems determine when the RR is relevant.

       Note:	 RRs  are represented in binary form in the packets of the DNS
		 protocol, and are usually represented in highly encoded  form
		 when  stored in a name server or resolver.  The binary format
		 is defined in the RFCs that are listed with the RR type  key‐
		 words	in  the	 following  section.   The owner_name is often
		 implicit, rather than forming an integral  part  of  the  RR.
		 For  example,	many name servers internally form tree or hash
		 structures for the name space, and chain RRs off nodes.

       Syntax

       owner_name [ ttl ] [ class ] type rrdata

	      (ttl and class may be entered in either order.   The  class  and
	      ttl  values  are often omitted from examples in the interests of
	      clarity.)

	      owner_name
			The domain name of the owner of the information in the
			RR.  This can be one of:

			The domain name of the DNS root name server.

			The current origin.

			domain_name
				  A standard domain name.  If domain_name does
				  not end with a period it is relative and the
				  current   origin  is	appended  to  it.   If
				  domain_name ends with a period it  is	 abso‐
				  lute.

			blank	  If  the  first  character  of	 the record is
				  blank, the previous owner_name is used.

	      ttl	The Time to Live (TTL) of the RR.   This  field	 is  a
			32-bit	integer	 in  units of seconds and is primarily
			used by	 resolvers  when  they	cache  RRs.   The  ttl
			defines	 how  long a RR can be cached before it should
			be discarded.  See the and sections for more detail.

	      class	A keyword, encoded as a 16-bit value, that  identifies
			a  protocol  family or an instance of a protocol.  The
			following keywords are supported:

			The Internet system, the default.

			Chaosnet,  a  LAN  protocol  created  at  MIT  in  the
			mid-1970s.
				  Rarely  used for its historical purpose, but
				  reused for BIND's built-in  server  informa‐
				  tion zones, for example,

			Hesiod,	 an  information  service  developed  by MIT's
			Project Athena.
				  It is used to share information about	 vari‐
				  ous	systems	  databases,  such  as	users,
				  groups, printers, and so on.

			All records in a zone file must be of the same class.

	      type	A keyword, encoded as a 16-bit value,  that  specifies
			the  type  of  the  resource  in this resource record.
			Types refer to abstract resources.

			The following keywords are supported.  Some  of	 these
			listed,	 although  not	obsolete,  are experimental or
			historical and not in general use.

			Defines an IPv4 host address.
				  In the class, this is a 32-bit  IP  address.
				  Described in RFC 1035.

			Defines an IPv6 host address.
				  This can be a partial address (a suffix) and
				  an indirection to the name where the rest of
				  the  address	(the  prefix)  can  be	found.
				  Experimental.	  Obsoleted/deprecated.	   Use
				  instead.  Described in RFC 2874.

			Defines an IPv6 address.
				  Described in RFC 1886.

			Holds a digital certificate.
				  Described in RFC 2538.

			The canonical name of an alias.
				  Described in RFC 1035.

			Delegates reverse addresses.
				  Replaces  the	 domain	 name  specified  with
				  another name to be looked up.	 Described  in
				  RFC 2672.

			Specifies the global position.
				  Described in RFC 1712.

			Identifies the CPU and OS used by a host.
				  Described in RFC 1035.

			Stores a public key associated with a DNS name.
				  Described in RFC 2535.

			Identifies a key exchanger for this DNS name.
				  Described in RFC 2230.

			Identifies a mail exchange for the domain.
				  A  16-bit preference value (lower is better)
				  followed  by	the  host  name	 of  the  mail
				  exchange.   See  the	section.  Described in
				  RFC 974 and RFC 1035.

			Name authority pointer.
				  Described in RFC 2915.

			A network service access point.
				  Described in RFC 1706.

			An authoritative name server for the domain.
				  Described in RFC 1035.

			Used in DNSSEC to securely indicate that RRs  with  an
			owner name
				  in a certain name interval do not exist in a
				  zone and indicate what RR types are  present
				  for  an  existing  name.   Described	in RFC
				  2535.

			Domain name pointer.
				  A pointer to another part of the domain name
				  space.    Often  user	 to  associate	an  IP
				  address with a domain	 name.	 Described  in
				  RFC 1035.

			Provides mappings between RFC 822 and X.400 addresses.
				  Described in RFC 2163.

			Contains data authenticated in the secure DNS.
				  Described in RFC 2535.

			Identifies  the start of a zone of authority in a zone
			file.
				  See the section.  Described in RFC 1035.

			Information about the well-known network services,
				  such	as  SMTP,  that	 a  domain   supports.
				  Supersedes Described in RFC 2282.

			Text records.
				  Described in RFC 1035.

			Information about well known network services.
				  Historical.	Superseded by Described in RFC
				  1035.

	      rrdata	The type-dependent and sometimes class-dependent  data
			that  describes the resource.  This data is defined in
			the RFCs that are specified with each type keyword.

   MX Resource Records
       records control the delivery of e-mail.	Described in RFC 974  and  RFC
       1035.

       Syntax

       priority host_domain_name

	      ...	The  owner_name,  ttl, and class have been omitted for
			clarity.

	      priority	The priority controls the order in which e-mail deliv‐
			ery  is	 attempted,  with the lowest number first.  If
			two priorities are the same, a server is  chosen  ran‐
			domly.	If no servers at a given priority are respond‐
			ing, the mail transport agent will fall	 back  to  the
			next  largest  priority.  Priority numbers do not have
			any absolute meaning: they are relevant	 only  respec‐
			tive to other records for that domain name.

	      host_domain_name
			The  domain  name  of  the  machine  to which the mail
			should be delivered.

       An record must have an associated record; a is not sufficient.	For  a
       given domain, if there is both a record and an record, the record is in
       error and will be ignored.  Instead, the mail will be delivered to  the
       server specified in the record pointed to by the

       Example

	      example.com.	    IN	 MX   10 mail.example.com.
				    IN	 MX   10 mail2.example.com.
				    IN	 MX   20 mail.backup.org.
	      mail.example.com.	    IN	 A    10.0.0.1
	      mail2.example.com.    IN	 A    10.0.0.2

       Mail  delivery  will be attempted to and (in any order), and if neither
       of those succeed, delivery to will be attempted.

   SOA Resource Records
       Each zone file begins with an record for the zone.  All	records	 in  a
       zone file must be of the same class.  Described in RFC 1035.

       Syntax

       mname rname serial refresh retry expire minimum

	      ...	The  owner_name,  ttl, and class have been omitted for
			clarity.

	      mname	The domain name of the name server that is the	source
			of data for this zone.

	      rname	A domain name that specifies the mailbox of the person
			responsible for this zone.  The	 first	period	repre‐
			sents  the in the e-mail address.  If the mailbox user
			name contains a period, you can escape it with a back‐
			slash See the example.

	      serial	An arbitrary unsigned 32-bit integer serial number for
			the zone.  The range is 0 to 4294967295 (2^32-1).

	      refresh	A 32-bit integer time interval in seconds  to  refresh
			the zone.  See the section for more detail.

	      retry	A 32-bit integer time to wait in seconds before retry‐
			ing a  failed  refresh.	  See  the  section  for  more
			detail.

	      expire	A  32-bit integer time interval in seconds after which
			the zone is no longer authoritative.  See the  section
			for more detail.

	      minimum	The  TTL  in seconds for resolvers that cache negative
			responses.  See the and sections for more detail.

       The specifies a serial number, which should be changed  each  time  the
       zone file is changed.  Note that it is not advisable to give the serial
       number as a dotted number, since the translation to normal integers  is
       via  concatenation  rather  than	 multiplication and addition.  You can
       represent the year, month, day of month, and  a	0..99  version	number
       (yyyymmddvv)  and  still	 fit  inside  the unsigned 32-bit size of this
       field.  (It's true that we will have to rethink this  strategy  in  the
       year 4294.)

       Secondary servers check the serial number at intervals specified by the
       refresh time in seconds; if the serial number changes, a zone  transfer
       will  be	 done to load the new data.  If a master server cannot be con‐
       tacted when a refresh is due, the retry time specifies the interval  at
       which refreshes should be attempted.  If a master server cannot be con‐
       tacted within the interval given by the expire time, all data from  the
       zone is discarded by secondary servers.

       Example

       @  IN  SOA  ucbvax.Berkeley.EDU.	 Jane\.Doe.ucbvax.Berkeley.EDU.	 (
				     1989020501	     ; serial
				     10800	     ; refresh
				     3600	     ; retry
				     3600000	     ; expire
				     86400 )	     ; minimum

   Time to Live (TTL)
       The  TTL	 field	of an RR is a 32-bit integer representing time in sec‐
       onds.  It is primarily used by resolvers when they cache RRs.  The  TTL
       describes  how  long  a RR can be cached before it should be discarded.
       This limit does not apply to authoritative data in zones;  it  is  also
       timed  out,  but	 by  the refreshing policies for the zone.  The TTL is
       assigned by the administrator for the zone where the data originates.

       While short TTLs can be used to minimize caching, and a zero  TTL  pro‐
       hibits  caching,	 the  realities	 of  Internet performance suggest that
       these times should be on the order of days for the typical host.	 If  a
       change  can  be anticipated, the TTL can be reduced prior to the change
       to minimize inconsistency during the change, and then increased back to
       its former value following the change.

       The following three types of TTL are currently used in a zone file.

	      The	minimum	 field	in  an RR is the negative-caching TTL.
			This  controls	how  long  other  servers  will	 cache
			responses  from	 you.	The  maximum time for negative
			caching is 3 hours

			Note: This use of the minimum field was implemented in
			RFC  2308,  largely superseding the usage specified in
			RFC 1034 (but see the default calculation for the  ttl
			field below).

	      A		directive at the top of the zone file (before the pro‐
			vides a default TTL for subsequent RRs.

			Note: The directive, defined in RFC  2308,  supersedes
			the original use of the minimum field specified in RFC
			1034.

	      ttl	The ttl field in an  RR	 specifies  the	 TTL  for  the
			record.	  If it is omitted, the value specified by the
			previous directive is used.  If there is  no  previous
			directive, the minimum field in the resource record is
			used.

   Time Specification
       All the TTLs and and the time fields are specified  in  seconds,	 as  a
       32-bit integer value in the range 0 to 2147483647 (2^31-1).

       Here's a table of convenient values:

		 Seconds in an Integer Value
		minimum		      0 seconds
		  1 minute	     60 seconds
		  1 hour	   3600 seconds
		  1 day		  86400 seconds
		  7 days	 604800 seconds
		 30 days	2592000 seconds
	      24855 days     2147472000 seconds
		maximum	     2147483647 seconds

       For  convenience,  some	units can be explicitly specified; you can use
       for hours, for minutes, and for seconds.	 For example,

   Inverse Mapping in IPv4
       Reverse name resolution (that is, translation from an IP address	 to  a
       domain  name)  is achieved with the domain and records.	Entries in the
       domain are made in least-to-most significant  order,  reading  left  to
       right.	This  is the reverse of the way IP addresses are usually writ‐
       ten.  Thus, a machine with an IP address of 10.1.2.3 would have a  cor‐
       responding  name	 of This name should have a resource record whose data
       field is the domain name of the machine.	 If the machine has more  than
       one  name.  it will need multiple records.  For example, for IP address
       corresponding to host name in the domain:

	      $ORIGIN  2.1.10.in-addr.arpa
	      3	 IN  PTR  fred.example.com.

   Example
	      ISI.EDU.	       MX   10	VENERA.ISI.EDU.
			       MX   10	VAXA.ISI.EDU.
	      VENERA.ISI.EDU.  A    128.9.0.32
			       A    10.1.0.52
	      VAXA.ISI.EDU.    A    10.2.0.27
			       A    128.9.0.33

       The RRs have an rrdata section that consists of a  16-bit  number  fol‐
       lowed by a domain name.	The address RRs use a standard IP address for‐
       mat to contain a 32-bit Internet address.

       This example shows six RRs, with two RRs at each of three domain names.

AUTHOR
       and the directive were developed by  the	 Internet  Systems  Consortium
       (ISC).

       Zone  files  were  developed  by	 the  Internet	Engineering Task Force
       (IETF).

FILES
       Default			     configuration file.

       Shell script to convert BIND  4.9.7  configuration
       files to the BIND 9.3 format.

       SEE ALSO
	      kill(1), hosts_to_named(1M), sig_named(1M),
	      syslogd(1M),   signal(2),	  gethostent(3N),
	      resolver(3N),    syslog(3C),   resolver(4),
	      hostname(5).

       Requests for Comments (RFC): 822, 974, 1032, 1034,
       1035,  1183,  1706,  1712, 1876, 1886, 2163, 2230,
       2282, 2308, 2317,  2535,	 2538,	2672,  2874,  and
       2915, available online at

       available online at

       available from the Internet Systems Consortium at

				   BIND 9.3			 named.conf(4)
[top]

List of man pages available for HP-UX

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net