named.conf(4)named.conf(4)NAMEnamed.conf - configuration file for Internet domain name server
SYNOPSISDESCRIPTION
is the configuration file for the name server daemon. The default path
name is
BIND 9 configuration is broadly similar to BIND 8.x. However, there
are a few new areas of configuration, such as views. BIND 8.x configu‐
ration files should work with few alterations in BIND 9.3, although
more complex configurations need to be reviewed to see if they can be
more efficiently implemented using the new features implemented in BIND
9.3. BIND 4.9.7 configuration files can be converted to the BIND 9.3
format using the shell script,
Syntax Rules
In the syntax descriptions in this manpage, the following typographic
rules apply:
Characters in this font should be entered as is.
variable Characters in this font should be replaced with appro‐
priate values.
( ) Parentheses are metacharacters that enclose required
content. (The brace characters are used in the configu‐
ration syntax as block delimiters.)
[ ] Brackets are metacharacters that enclose optional con‐
tent.
| Bars within parentheses and brackets are metacharacters
that separate alternatives.
token ... [ ]... ( )...
Trailing ellipses are metacharacters that indicate that
the previous token, parenthesized item, or bracketed
item may be repeated.
Configuration File Elements
The following configuration elements are used in the BIND 9.3 configu‐
ration file grammar:
acl_name The name of an address_match_list as defined by an
statement.
address_match_list
A list of one or more ip_addr, ip_prefix, key_id, or
acl_name elements.
dialup_option One of or When used in a zone, and are restricted to
slave and stub zones.
domain_name A quoted string that is used as a DNS name; for example,
.
dotted_decimal One or more integers valued 0 through 255 separated only
by periods such as or
ip4_addr An IPv4 address with exactly four elements in dot‐
ted_decimal notation.
ip6_addr An IPv6 address, such as
ip_addr An ip4_addr or ip6_addr.
ip_port An IP port number. This is limited to 0 through 65535,
with values below 1024 typically restricted to root-
owned processes. In some cases, an asterisk character
can be used as a placeholder to select a random high-
numbered port.
ip_prefix An IP network specified as an ip_addr, followed by a
slash and then the number of bits in the netmask.
Trailing zero elements in ip_addr may be omitted. For
example, is the network with netmask and is the network
with netmask
key_id A domain_name representing the name of a shared key, to
be used for transaction security.
key_list A list of one or more key_ids, separated by semicolons
and ending with a semicolon.
number A nonnegative 32-bit unsigned integer (that is, a number
between 0 and 4294967295, inclusive). Its acceptable
value might further be limited by the context in which
it is used.
path_name A quoted string that is used as a path name, such as .
size_spec One of the following:
number A decimal number, optionally be followed by a
scaling factor: or for kilobytes, or for
megabytes, and or for gigabytes, which scale
by 1024, 1024*1024, and 1024*1024*1024 respec‐
tively. The value must be representable as a
64-bit unsigned integer (0 to
18446744073709551615, inclusive).
Uses the limit that was in force when the server was
started.
Requests unlimited use, or the maximum available amount.
This is the best way to set a really large
number.
yes_or_no Either or The words and and the numbers and are also
accepted, respectively.
Address Match List Syntax
An address_match_list has the format:
address_match_list_element ;
[ address_match_list_element ; ]...
An address_match_list_element has the format:
[ ! ] ( ip_addr
| ip_prefix
| key key_id
| acl_name
| { address_match_list } )
Address Match List Definition and Usage
Address match lists are primarily used to determine access control for
various server operations. They are also used to define priorities for
querying other name servers and to set the addresses on which will lis‐
ten for queries. The elements which constitute an address match list
may be any of the following:
· An IP address (IPv4 or IPv6).
· An IP prefix (in the
· A key ID, as defined by the statement.
· The name of an address match list previously defined with an
statement.
· A nested address match list enclosed in braces.
Elements can be negated with a leading exclamation mark The match
list names of and are predefined. For more information on these
match list names, refer to section. The addition of the clause made
the name of this syntactic element something of a misnomer, since
security keys can be used to validate access without regard to a host
or network address. However, the term is still being used.
When a given IP address or prefix is compared to an address match
list, the list is traversed in order until an element matches. The
interpretation of a match depends on whether the list is being used
for access control, defining ports and whether the element was
negated. When used as an access control list, a nonnegated match
allows access and a negated match denies access. If there is no
match, access is denied.
The clauses and which can be specified in the and/or statements use
the address match lists. Similarly, the option causes the server not
to accept queries on any of the machine's addresses which do not
match the list.
Because of the first-match aspect of the algorithm, an element that
defines a subset of another element in the list should come before
the broader element, regardless of whether either is negated. For
example, in the 1.2.3.13 element is of no use because the algorithm
will match any lookup for 1.2.3.13 to the 1.2.3/24 element. Using
fixes that problem by having 1.2.3.13 blocked by the negation but all
other 1.2.3.* hosts fall through.
Comment Syntax
Comments in the BIND 9.3 configuration file can be written in the fol‐
lowing styles:
C:
C++:
UNIX:
Note: Unlike a zone file, you cannot use a semicolon character to start
a comment in the BIND 9.3 configuration file. The semicolon indicates
the end of a configuration statement.
CONFIGURATION FILE GRAMMAR
A BIND 9.3 configuration file consists of statements and comments.
Statements end with a semicolon. Statements and comments are the only
elements that can appear without enclosing braces. Many statements
contain a block of substatements, which is terminated with a semicolon.
The following statements are supported:
Defines a named IP address matching list,
for access control and other uses.
Declares control channels to be used by the
utility.
Includes a file.
Specifies key information for use in authentication and authorization
using TSIG.
Specifies what data the server logs, and where the log messages are
sent.
Configures the name server to also act as a lightweight resolver
server.
Defines a masters list for inclusion in
clauses of stub and slave statements
Controls global server configuration options
and sets defaults for other statements.
Sets certain configuration options on a per-server basis.
Defines trusted DNSSEC keys.
Defines a view.
Defines a zone.
The and statements may occur only once per configuration.
The acl Statement
acl acl-name {
address_match_list
};
The statement assigns a symbolic name to an address match list. It
gets its name from the primary use of address match lists for Access
Control Lists (ACLs). Note that an address match list's name must be
defined with before it can be used elsewhere; no forward references are
allowed. The following ACL names are built-in:
Matches all hosts.
Matches no hosts.
Matches the IPv4 addresses of all network interfaces on the sys‐
tem.
Matches any host on an IPv4 network for which the system has an
interface.
The and ACLs do not currently support IPv6 (that is, does not match the
host's IPv6 addresses, and does not match the host's attached IPv6 net‐
works) due to the lack of a standard method of determining the complete
set of local IPv6 addresses for a host.
The controls Statement
controls {
( inet ( ip_addr | * ) [ port ip_port ]
allow { address_match_list }
keys { key_list }; )...
};
The statement declares control channels to be used by system adminis‐
trators to control the operation of the local name server. These con‐
trol channels are used by the utility to send commands to and retrieve
non-DNS results from a name server.
An control channel is a TCP/IP socket accessible to the Internet, cre‐
ated at the specified ip_port on the specified ip_addr. If no port is
specified, port 953 is used by default. cannot be used for ip_port.
The and clauses restrict the ability to issue commands over the control
channel. Connections to the control channel are permitted based on the
address permissions in address_match_list. members of the
address_match_list are ignored, and instead are interpreted indepen‐
dently based on the key_list. Each key_id in the key_list is allowed
to be used to authenticate commands and responses given over the con‐
trol channel by digitally signing each message between the server and a
command client. All commands to the control channel must be signed by
one of its specified keys to be honored.
If no statement is present, will set up a default control channel lis‐
tening on the loopback address 127.0.0.1 and its IPv6 counterpart ::1.
In this case, and also when the statement is present but does not have
a clause, will attempt to load the command channel key from the file To
create a file, run The feature was implemented to ease the transition
of systems from BIND 8, which did not have digital signatures on its
command channel messages and thus did not have a clause.
Since the feature is only intended to allow the backward-compatible
usage of BIND 8 configuration files, this feature does not have a high
degree of configurability. You cannot easily change the key name or
the size of the secret, so you should make an with your own key if you
wish to change them. The file also has its permissions set such that
only the owner of the file (the user that is running as) can access it.
If you desire greater flexibility in allowing other users to access
commands, then you need to create an and make it group-readable by a
group that contains the users who should have access.
The UNIX control channel type of BIND 8 is not supported in BIND 9.3,
and is not expected to be added in future releases. If it is present
in the statement from a BIND 8 configuration file, it is ignored and a
warning is logged.
As a special case, to disable the command channel, use an empty state‐
ment:
The include Statement
include filename ;
The statement inserts the specified file at the point where the state‐
ment is encountered. The statement facilitates the administration of
configuration files by permitting the reading or writing of some things
but not others. For example, the statement could include private keys
that are readable only by a name server.
The key Statement
key key_id {
algorithm algoname ;
secret secretstring ;
};
The statement defines a shared secret key for use with TSIG. The
statement can occur at the top level of the configuration file or
inside a statement. Keys defined in top-level key statements can be
used in all views. Keys intended for use in a statement must be
defined at the top level.
key_id A domain name uniquely identifying the key. Also known
as the key name. It can be used in a statement to sign
requests with this key or in address match lists to ver‐
ify that incoming requests have been signed with a key
matching this name, algorithm, and secret.
algoname A string that specifies a security/authentication algo‐
rithm. is the only algorithm which is currently sup‐
ported with TSIG authentication.
secretstring A base-64-encoded secret string to be used by the algo‐
rithm.
The logging Statement
logging {
[ channel channel_name {
( file path name
[ versions ( number | unlimited ) ]
[ size size spec ]
| null
| stderr
| syslog syslog_facility
) ;
[ severity ( critical | error | warning | notice
| info | debug [ level ] | dynamic ) ; ]
[ print-category yes_or_no ; ]
[ print-severity yes_or_no ; ]
[ print-time yes_or_no ; ]
}; ]...
[ category category_name {
( channel_name ; )...
}; ]...
};
The and clauses may be repeated in any order. The statement configures
a wide variety of logging options for the name server. Its phrase as‐
sociates output methods, format options, and severity levels with a
name, channel_name, that can be used with the phrase to select how var‐
ious classes of messages are logged.
Only one statement is used to define any number of channels and cate‐
gories. If there is no statement, the logging configuration defaults
to:
logging {
category "unmatched" { "null"; };
category "default" { "default_syslog"; "default_debug"; };
};
In BIND 9.3, the logging configuration is established only when the
entire configuration file has been parsed. In BIND 8, it was estab‐
lished as soon as the statement was parsed. When the server starts up,
all logging messages related to syntax errors in the configuration file
go to the default channels, or to standard error if the option is spec‐
ified. All log output goes to one or more user-defined or predefined
channels. Every definition must include a destination clause that says
whether messages selected for the channel go to a file, or to a partic‐
ular syslog facility, or to the standard error stream, or are dis‐
carded. It can optionally also limit the message severity level that
will be accepted by the channel (the default is and whether to include
a time stamp, the category name, and/or severity level (the default is
not to include any).
The destination clause directs the channel to a disk file. It can
include limitations on both the file size and the number of versions of
the file that are saved each time the file is opened.
If you use the log file option, then will retain that many backup ver‐
sions of the file by renaming them when opening.
For example, if you choose to keep three old versions of the file then,
just before it is opened:
Use if you do not want to limit the number of versions. If a option is
associated with the log file, then renaming is only done when the file
being opened exceeds the indicated size. No backup versions are kept,
by default; any existing log file is simply appended.
The option for is used to limit log growth. If the file size exceeds
the limit, then will stop writing to the file unless it has a option
associated with it. If backup versions are kept, the files are rolled
as described above and a new file is opened. If there is no option, no
more data will be written to the log until the log file is removed or
truncated (by some external process) to less than the maximum size.
The default behavior is not to limit the size of the file.
Example usage of the and options:
channel "an_example_channel" {
file "example.log" versions 3 size 20m;
print-time yes;
print-category yes;
};
The destination clause directs the channel to the system log. Its
argument is a syslog facility as described in the syslog(3C) manpage.
The syslog(3C) manpage also describes how will handle messages sent to
this facility. If you have a system which uses a very old version of
that uses only two arguments to the function, then the destination
clause is ignored.
The destination clause directs the channel to the server's standard
error stream. This is intended for use when the server is running as a
foreground process, for example when debugging the configuration.
The destination clause discards all message sent to the channel, the
and clauses irrelevant.
The clause works like the priority parameter except that it can also be
used if you are writing straight to a file rather than using Messages
that are not at least of the severity level given will not be selected
for the channel; messages of higher severity levels will be accepted.
If you are using the option, then the priorities will also determine
what eventually passes through (see syslogd(1M)).
For example, defining a channel facility and severity as and but only
logging via will cause messages of severity and to be dropped. If the
situation were reversed, with writing messages of only or higher, then
would print all messages it received from the channel.
The server can supply extensive debugging information when it is in
debugging mode. If the server's global debug level is greater than
zero, then debugging mode will be active. The global debug level is
set either by starting the server with the option followed by a posi‐
tive integer, or by running The global debug level can be set to zero,
and debugging mode turned off, by running All debugging messages in the
server have a debug level, and higher debug levels give more detailed
output. For example:
channel "specific_debug_level" {
file "foo";
severity debug 3;
};
In this example, channels that specify a particular debug severity will
get debugging output of level 3 or less any time the server is in
debugging mode, regardless of the global debugging level. Channels
with severity use the server's global level to determine what messages
to print.
If is then the date and time will be logged. may be specified for a
channel, but that is usually pointless, since also prints the date and
time.
If is then the category of the message is logged as well.
If is then the severity level of the message will be logged.
The options may be used in any combination, and will always be printed
in the order time, category, severity. Here is an example where all
three options are
Time:
Category:
Severity:
Message:
There are four predefined channels that are used for default logging,
as follows:
channel "default_syslog" {
syslog daemon; // send to syslog's daemon
// facility
severity info; // only send priority info
// and higher
};
channel "default_debug" {
file "named.run"; // write to named.run in
// the working directory
// Note: stderr is used instead
// of "named.run"
// if the server is started
// with the '-f' option.
severity dynamic; // log at the server's
// current debug level
};
channel "default_stderr" {
stderr; // writes to stderr
severity info; // only send priority info
// and higher
};
channel "null" {
null; // toss anything sent to
// this channel
};
The channel has the special property that it only produces output when
the server's debug level is nonzero. It normally writes to a file, in
the server's working directory.
For security reasons, when the command-line option is used, the file is
created only after has changed to the new UID, and any debug output
that is generated while is starting up and still running as root is
discarded. If you need to capture this output, you must run the server
with the option and redirect standard error to a file.
Once a channel is defined, it cannot be redefined. Thus you cannot
alter the built-in channels directly, but you can modify the default
logging by pointing categories at channels you have defined. Prede‐
fined categories allow you to fine-tune what messages you want to log
and where you want to log those messages to. If you do not specify a
list of channels for a category, then log messages in that category
will be sent to the category instead. If you do not specify a cate‐
gory, the following category is used:
category "default" { "default_syslog"; "default_debug"; };
For example, if you want to log security events to a file and also want
to keep the default logging behavior, you need to specify the following
in the statement:
channel "my_security_channel" {
file "my_security_file";
severity info;
};
category "security" {
"my_security_channel";
"default_syslog";
"default_debug";
};
To discard all messages in a category, specify the channel, as in the
following:
category "xfer-out" { "null"; };
category "notify" { "null"; };
The following are the available categories and brief descriptions of
the types of log information they contain. More categories may be
added in future BIND releases.
Defines the logging options for categories
where no specific configuration has been defined.
The catch-all. All unclassified categories belong to this category.
Processing of client requests
Configuration file parsing and processing.
Messages relating to the databases used internally by the name
server to store zone and cache data.
Logs queries that have have been forced to NXDOMAIN as the
result of a zone or a in a or zone declaration.
Dispatching of incoming packets to the server modules where they
are to be processed.
DNSSEC and TSIG protocol processing.
Lame servers are misconfigurations in remote servers,
discovered by BIND 9 when trying to query those servers
during resolution.
Network operations.
The NOTIFY protocol.
Enable query logging.
DNS resolution, such as recursive lookups performed on behalf of
clients by a caching name server.
Approval and denial of requests.
Messages that was unable to determine the class of or for which there
was no matching view. A one-line summary is also logged
to the category. This category is best sent to a or by
default, it is sent to the channel.
Dynamic updates
Approval and denial of update requests.
Zone transfers the server is receiving.
Zone transfers the server is sending.
The lwres Statement
lwres {
[ listen-on { ( ip_addr [ port ip_port ] ; )... }; ]
[ ndots number ; ]
[ search { domain_name ; [ domain_name ; ]... }; ]
[ view view_name ; ]
};
The statement configures the name server to also act as a lightweight
resolver server. There may be be multiple statements configuring
lightweight resolver servers with different properties.
The statement specifies a list of addresses and ports that a light‐
weight resolver daemon should accept requests on. If no port is speci‐
fied, port 921 is used. If this statement is omitted, requests will be
accepted on 127.0.0.1, port 921.
The statement is equivalent to the directive in It indicates the mini‐
mum number of dots in a relative domain name that should result in an
exact match lookup before search path elements are appended.
The statement is equivalent to the directive in It provides a list of
domains that are appended to relative names in queries.
The statement binds this instance of a lightweight resolver daemon to a
view in the DNS name space, so that the response will be constructed in
the same manner as a normal DNS query matching this view. If this
statement is omitted, the default view is used, and if there is no
default view, an error is triggered.
The masters Statement
masters name [ port ip_port ] { (
( masters_list | ip_addr [ port ip_port ] [ key key ] ) ;
)... };
A statement defines a masters list. This allows you to include sets of
masters in the clauses of multiple stub and slave statements. See and
in the section.
name The name of the statement.
masters_list The acl_name of an statement that specifies a list of
masters.
The options Statement
options {
// General Options
[ directory path_name ; ]
[ disable-algorithms domain { algorithm ; [ algorithm ; ] }; ]
[ dnssec-lookaside domain trust-anchor domain ; ]
[ dnssec-must-be-secure domain yes_or_no ; ]
[ dump-file path_name ; ]
[ key-directory path_name ; ]
[ memstatistics-file path_name ; ]
[ pid-file path_name ; ]
[ port ip_port ; ]
[ preferred-glue ( A | AAAA | NONE ) ; ]
[ random-device path_name ; ]
[ root-delegation-only [ exclude { namelist } ] ; ]
[ statistics-file path_name ; ]
[ tkey-dhkey key_name key_tag ; ]
[ tkey-domain domainname ; ]
// Boolean Options
[ additional-from-auth yes_or_no ; ]
[ additional-from-cache yes_or_no ; ]
[ auth-nxdomain yes_or_no ; ]
[ check-names ( master | slave | response )
( warn | fail | ignore ) ; ]
[ dialup dialup_option ; ]
[ dnssec-enable yes_or_no ; ]
[ flush-zones-on-shutdown yes_or_no ; ]
[ match-mapped-addresses yes_or_no ; ]
[ minimal-responses yes_or_no ; ]
[ notify ( yes_or_no | explicit ) ; ]
[ provide-ixfr yes_or_no ; ]
[ querylog yes_or_no ; ]
[ recursion yes_or_no ; ]
[ request-ixfr yes_or_no ; ]
[ zone-statistics yes_or_no ; ]
// Access Control Options
[ allow-notify { address_match_list }; ]
[ allow-query { address_match_list }; ]
[ allow-recursion { address_match_list }; ]
[ allow-transfer { address_match_list }; ]
[ allow-update-forwarding { address_match_list }; ]
[ blackhole { address_match_list }; ]
// Bad UDP Port List Options
[ avoid-v4-udp-ports { port_list }; ]
[ avoid-v6-udp-ports { port_list }; ]
// Built-In Server Information Zone Options
[ hostname hostname_string ; ]
[ server-id server_id_string ; ]
[ version version_string ; ]
// Dual-Stack Server Option
[ dual-stack-servers [ port ip_port ] { (
( domain_name [ port ip_port ] | ip_addr [ port ip_port ] ) ;
)... }; ]
// Empty Zone Options
[ disable-empty-zone zone_name_string ; ]
[ empty-contact empty_contact_name_string ; ]
[ empty-server empty_server_name_string ; ]
[ empty-zones-enable yes_or_no ; ]
// Forwarding Options
[ forward ( only | first ) ; ]
[ forwarders { ( ip_addr [ port ip_port ] ; )... }; ]
// Interface Options
[ listen-on [ port ip_port ] { address_match_list }; ]
[ listen-on-v6 [ port ip_port ] { address_match_list }; ]
// Obsolete Option
[ allow-v6-synthesis yes_or_no ; ]
// Operating System Resource Limit Options
[ coresize size_spec ; ]
[ datasize size_spec ; ]
[ files size_spec ; ]
[ stacksize size_spec ; ]
// Periodic Task Interval Options
[ cleaning-interval number ; ]
[ heartbeat-interval number ; ]
[ interface-interval number ; ]
// Query Address Options
[ query-source [ address ( ip_addr | * ) ]
[ port ( ip_port | * ) ] ; ]
[ query-source-v6 [ address ( ip_addr | * ) ]
[ port ( ip_port | * ) ] ; ]
// RRset Ordering Option
[ rrset-order { order_spec ; [ order_spec ; ]... }; ]
// Server Resource Limit Options
[ max-cache-size size_spec ; ]
[ max-journal-size size_spec ; ]
[ recursive-clients number ; ]
[ tcp-clients number ; ]
[ tcp-listen-queue number ; ]
// Sorting Option
[ sortlist { address_match_list }; ]
// Tuning Options
[ edns-udp-size number ; ]
[ lame-ttl number ; ]
[ max-cache-ttl number ; ]
[ max-ncache-ttl number ; ]
[ max-refresh-time number ; ]
[ max-retry-time number ; ]
[ min-refresh-time number ; ]
[ min-retry-time number ; ]
[ sig-validity-interval number ; ]
// Zone Transfer Options
[ also-notify { ( ip_addr [ port ip_port ] ; )... }; ]
[ alt-transfer-source ( ip4_addr | * ) [ port ip_port ] ; ]
[ alt-transfer-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
[ max-transfer-idle-in number ; ]
[ max-transfer-idle-out number ; ]
[ max-transfer-time-in number ; ]
[ max-transfer-time-out number ; ]
[ notify-source ( ip4_addr | * ) [ port ip_port ] ; ]
[ notify-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
[ serial-query-rate number ; ]
[ transfer-format ( one-answer | many-answers ) ; ]
[ transfer-source ( ip4_addr | * ) [ port ip_port ] ; ]
[ transfer-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
[ transfers-in number ; ]
[ transfers-out number ; ]
[ transfers-per-ns number ; ]
[ use-alt-transfer-source yes_or_no ; ]
};
The statement sets up global options to be used by BIND. This state‐
ment may appear only once in a configuration file. If more than one
occurrence is found, the first occurrence determines the actual options
used, and a warning is generated. If there is no statement, an options
block with each option set to its default will be used.
The working directory of the server.
Any nonabsolute path names in the configuration file
will be taken as relative to this directory. The
default location for most server output files (for exam‐
ple, is this directory. If a directory is not speci‐
fied, the working directory defaults to the directory
from which the server was started The directory speci‐
fied should be an absolute path.
Disable the specified DNSSEC algorithms at and below the specified
name.
Multiple statements are allowed. Only the most specific
is applied.
When set, provides the validator with an alternate method to vali‐
date DNSKEY records at the top of a zone. When a DNSKEY
is at or below a domain specified by the deepest and the
normal DNSSEC validation has left the key untrusted, the
will be appended to the key name and a DLV record will
be looked up to see if it can validate the key. If the
DLV record validates a DNSKEY (similar to the way a DS
record does it), the DNSKEY RRset is deemed to be
trusted.
Specify hierarchies which must be or may not be secure (signed and val‐
idated).
If will only accept answers if they are secure. If nor‐
mal DNSSEC validation applies and insecure answers are
accepted. The specified domain must be under a trusted
key, or must be active.
The path name of the file to which the server dumps the database
with The default is
The directory where the public and private key files should be found,
if it is not the working directory. The specified
directory must be an absolute path.
The path name of the file to which
the server writes the memory usage statistics. The
default is
The path name of the file in which the server writes its process ID.
The default path name is The is used by programs that
need to send signals to the running name server.
Specifying disables the use of a PID file; no file is
written and any existing file is removed. Note that is
a keyword, not a file name, and therefore is not
enclosed in quotation marks.
The UDP/TCP port number the server uses for receiving and sending DNS
protocol traffic. The default is 53. This option is
mainly intended for server testing; a server using a
port other than 53 will not be able to communicate with
the global DNS.
If specified, the listed type
or will be emitted before other glue in the additional
section of a query response. The default is not to pre‐
fer any type ("Glue" is a record that is created as part
of a delegation.)
The source of entropy (random data) to be used by the server.
Entropy is primarily needed for DNSSEC operations, This
option specifies the device (or file) from which to read
entropy. If this is a file, operations requiring
entropy will fail when the file has been exhausted. The
default value is (or the equivalent) when present, and
none otherwise. The option takes effect during the ini‐
tial configuration load at server startup time and is
ignored on subsequent reloads.
Turn on enforcement of
in top level domains (TLD) and root zones, with an
optional list.
Note: Some TLDs are (for example, and
options {
root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
};
The path name of the file in which the server appends statistics using
The default is in the server's current directory. The
file format is described in section.
The Diffie-Hellman key
used by the server to generate shared keys with clients
using the Diffie-Hellman mode of TKEY. The server must
be able to load the public and private keys from files
in the working directory. In most cases, the key_name
should be the server's host name. The key_tag is an
integer that is part of the key.
The domain appended to the names of all shared keys generated with
TKEY.
When a client requests a TKEY exchange, it can specify a
preferred name for the key. If the name is present, the
name of the shared key will be Otherwise, the name of
the shared key will be random_hex_digits+tkey-domain.
In most cases, the domain name should be the server's
domain name.
These options control the behavior of an authoritative server when
answering queries which have additional data, or when
following CNAME and DNAME chains.
When both of these options are set to (the default) and
a query is being answered from authoritative data (a
zone configured into the server), the additional data
section of the reply will be filled in using data from
other authoritative zones and from the cache. In some
situations this is undesirable, such as when there is
concern over the correctness of the cache, or in servers
where slave zones may be added and modified by untrusted
third parties. Also, avoiding the search for this addi‐
tional data will speed up server operations at the pos‐
sible expense of additional queries to resolve what
would otherwise be provided in the additional section.
For example, if a query asks for an record for host and
the record found is normally the address records and for
will be provided as well, if known. Set these options
to to disable this behavior.
These options are intended for use in authoritative-only
servers, or in authoritative-only views. Attempts to
set them to without also specifying will cause the
server to ignore the options and log a warning message.
Specifying actually disables the use of the cache not
only for additional data lookups but also when looking
up the answer. This is usually the desired behavior in
an authoritative-only server where the correctness of
the cached data is an issue.
When a name server is nonrecursively queried for a name
that is not below the apex of any served zone, it nor‐
mally answers with an "upwards referral" to the root
servers or the servers of some other known parent of the
query name. Since the data in an upwards referral comes
from the cache, the server will not be able to provide
upwards referrals when has been specified. Instead, it
will respond to such queries with REFUSED. This should
not cause any problems since upwards referrals are not
required for the resolution process.
If then the AA bit is always set on NXDOMAIN responses,
even if the server is not actually authoritative. The
default is If you are using an old version of BIND, you
might need to set this option to
Restrict the character set and syntax
of certain domain names in master files and/or DNS
responses received from the network. The default varies
according to usage area. For master zones, the default
is For slave zones, the default is For answers received
from the network the default is
The rules for legal host names and mail domains are
derived from RFC 952 and RFC 821 as modified by RFC
1123.
applies to the owner names of and records. It also
applies to the domain names in the rrdata of and
records. It also applies to the rrdata of records where
the owner name indicated that it is a reverse lookup of
a host name (the owner name ends in
If then the server treats all zones as if they are doing
zone transfers across a dial-on-demand dialup link,
which can be brought up by traffic originating from this
server. This has different effects according to zone
type and concentrates the zone maintenance so that it
all happens in a short interval, once every and hope‐
fully during the one call. It also suppresses some of
the normal zone maintenance traffic. The default is
The option may also be specified in and statements, in
which case, it overrides the global dialup option.
If the zone is a master zone, then the server will send
out a NOTIFY request to all the slaves. This will trig‐
ger the zone serial number check in the slave (provided
it supports NOTIFY), allowing the slave to verify the
zone while the connection is active.
If the zone is a slave or stub zone, then the server
will suppress the regular "zone up to date" (refresh)
queries and only perform them when the expires in addi‐
tion to sending NOTIFY requests.
Finer control can be achieved by using which only sends
NOTIFY messages; which sends NOTIFY messages and sup‐
presses the normal refresh queries; which suppresses
normal refresh processing and sends refresh queries when
the heartbeat-interval expires; and which just disables
normal refresh processing.
Enable DNSSEC support in
Unless set to behaves as if it does not support DNSSEC.
The default is
If flush any pending zone writes when the name server exits
due to receiving a The default is do not flush on
If then an IPv4-mapped IPv6 address will match any address
match list entries that match the corresponding IPv4
address.
If the server will only add records to the authority when
generating responses and additional data sections when
they are required (for example, delegations, negative
responses). This may improve the performance of the
server. The default is
If (the default), DNS NOTIFY messages are sent when a zone
for which the server is authoritative, changes. The
messages are sent to the servers listed in the zone's NS
records (except the master server identified in the
MNAME field), and to any servers listed in the option.
If is specified, NOTIFY messages are sent only to
servers explicitly listed using If no NOTIFY messages
are sent.
The option may also be specified in the statement, in
which case it overrides the specified in the statement.
It needs to be turned off only when the slaves crash.
Determines whether the local server, acting as master,
will respond with an incremental zone transfer when the
given remote server, a slave, requests it. If an incre‐
mental transfer will be provided whenever possible. If
all transfers to the remote server will be nonincremen‐
tal. If not set in a statement, the value of the option
in the or global statement is used as a default.
If start query logging when starts. If do not start query
logging when starts. If is not specified, query logging
is determined from the presence of the logging category
If and a DNS query requests recursion, then the server will
attempt to answer the query. If and the server does not
know the answer, it will return a referral response.
The default is
Note that setting to does not prevent clients from get‐
ting data from the server's cache; it only prevents new
data from being cached as an effect of client queries.
Caching may still occur as an effect of the server's
internal operation, such as NOTIFY address lookups.
Determines whether the local server, acting as a slave,
will request incremental zone transfers from the given
remote server, a master. If not set in a statement, the
value of the option in the or global statement is used
as a default.
If the server will, by default, collect statistical data on
all zones in the server. These statistics may be
accessed using the command, which will dump them to the
file listed in the option.
Access to the server can be restricted based on the IP address of the
requesting system.
Specifies which hosts are allowed to notify slaves of a zone change in
addition to the zone masters. may also be specified in
the statement, in which case it overrides the statement.
It is only meaningful for a slave zone. If not speci‐
fied, the default is to process notify messages only
from a zone's master.
Specifies which hosts are allowed to ask ordinary questions.
may also be specified in the statement, in which case it
overrides the statement. If not specified, the default
is to allow queries from all hosts.
Specifies which hosts are allowed to make recursive queries through
this server. If not specified, the default is to allow
recursive queries from all hosts. Note that disallowing
recursive queries for a host does not prevent the host
from retrieving data that is already in the server's
cache.
Specifies which hosts are allowed to submit Dynamic DNS updates to
slave zones to be forwarded to the master. The default
is which means that no update forwarding will be per‐
formed. To enable update forwarding, specify Specifying
values other than or is usually counterproductive, since
the responsibility for update access control should rest
with the master server, not the slaves.
Note that enabling the update forwarding feature on a
slave server may expose master servers relying on inse‐
cure IP-address-based access control to attacks.
Specifies the hosts that are allowed to receive zone transfers from
the server. may also be specified in the statement, in
which case it overrides the statement. If not speci‐
fied, the default is to allow transfers from all hosts.
Specifies a list of addresses that the server will not accept queries
from or use to resolve a query. Queries from these
addresses will not be responded to. The default is
Specify a list of IPv4 and IPv6 UDP ports that will not be used as sys‐
tem
assigned source ports for UDP sockets. These lists pre‐
vent from choosing as its random source port a port that
is blocked by your firewall. If a query went out with
such a source port, the answer would not get by the
firewall and the name server would have to query again.
The server provides some helpful diagnostic information through a num‐
ber of built-in zones under the pseudo-top-level-domain bind in the
class. These zones are part of a built-in view of class which is sepa‐
rate from the default view of class therefore, any global server
options such as do not apply the these zones. If you feel the need to
disable these zones, use the options below, or hide the built-in view
by defining an explicit view of class that matches all clients.
The host name the server should report via a query of the name
with type class This defaults to the host name of the
machine hosting the name server as found by (see geth‐
ostname(2)). The primary purpose of such queries is to
identify which of a group of servers is actually answer‐
ing your queries. Specifying disables processing of the
queries.
The ID the server should report via a query of the name
with type class The primary purpose of such queries is
to identify which of a group of anycast servers is actu‐
ally answering your queries. Specifying disables pro‐
cessing of the queries. Specifying causes to use the
host name as found by The default is
The version the server should report via a query of the name
with type and class The default is the real version num‐
ber of this server. Specifying disables processing of
the queries.
Dual-stack servers are used as a last resort to workaround reachability
problems due to the lack of support for either IPv4 or IPv6 on the host
machine.
Specifies host names or addresses of machines
with access to both IPv4 and IPv6 transports. If a host
name is used, the server must be able to resolve the
name using only the transport it has. If the machine is
dual-stacked then the have no effect unless access to a
transport has been disabled on the command line (for
example, with
By default, a reverse lookup query for an address in the following zone
will not be to the root server for resolution.
Please note that right now we have only one zone in this list. Addi‐
tional zones may be added to at later point of time.
By default, BIND is the authoritative server for the and returns for
any queries to addresses in these zones. This feature can be overrid‐
den by manually configuring named(1M) to be authoritative for these
zones.
Disables an individual
By default, none of the empty-zones are disabled. If
more than one needs to be disabled, use this option mul‐
tiple number of times.
Specifies the contact name that must appear in the returned
SOA record for empty zones. If this option is not spec‐
ified, then a period is used.
Specifies the server name that appears in the returned
SOA record for empty zones. If this option is not spec‐
ified, then the zone name is used.
Enables or disables all empty zones. By default, the
are enabled.
The forwarding facility can be used to create a large site-wide cache
on a few servers, reducing traffic over links to external name servers.
It can also be used to allow queries by servers that do not have direct
access to the Internet, but wish to look up exterior names anyway.
Forwarding occurs only on those queries for which the server is not
authoritative and does not have the answer in its cache.
This option is useful only if the
list is not empty. The default value causes the server
to query the forwarders first, and if that is unable to
answer the question, the server will then look for the
answer itself. If is specified, the server will only
query the forwarders.
Specifies the IP addresses to be used for forwarding.
The default is the empty list (no forwarding).
Forwarding can also be configured on a per-domain basis, allowing for
the global forwarding options to be overridden in a variety of ways.
You can set a particular domain to use different forwarders, or have a
different or behavior, or not forward at all; see section.
The interfaces and ports that the server will answer queries from, may
be specified using the option.
The server listens on all interfaces allowed by the
address match list. If a port is not specified, port 53
is used.
Multiple statements are allowed. For example,
listen-on { 5.6.7.8; };
listen-on port 1234 { !1.2.3.4; 1.2/16; };
will enable the name server on port 53 for the IP
address 5.6.7.8, and on port 1234 of an address on the
machine in net 1.2 that is not 1.2.3.4. If no is speci‐
fied, the server will listen on port 53 on all inter‐
faces.
Specifies the ports on which the server will
listen for incoming queries sent using IPv6.
The server does not bind a separate socket to each IPv6
interface address as it does for IPv4. Instead, it
always listens on the IPv6 wildcard address. Therefore,
the only values allowed for the address_match_list argu‐
ment of the statement are: and
Multiple options can be used to listen on multiple
ports:
listen-on-v6 port 53 { any; };
listen-on-v6 port 1234 { any; };
To make the server not to listen on any IPv6 address,
use
listen-on-v6 { none; };
If no statement is specified, the server will not listen
on any IPv6 address.
This option was introduced for the smooth transition from
to and from "nibble labels" to binary labels. However,
since both and binary labels were then deprecated, this
option was also deprecated. It is now ignored with some
warning messages.
The server's usage of many system resources can be limited. Scaled
values are allowed when specifying resource limits. For example, can
be used instead of 1073741824 to specify a limit of one gigabyte. An
size_spec requests unlimited use, or the maximum available amount.
uses the limit that was in force when the server was started.
The following options set operating system resource limits for the name
server process. A warning will be issued if an unsupported limit is
used.
The maximum size of a core dump.
The default is
The maximum amount of data memory the server may use.
The default is This is a hard limit on server memory
usage. If the server attempts to allocate memory in
excess of this limit, the allocation will fail, which
may in turn leave the server unable to perform DNS ser‐
vice. Therefore, this option is rarely useful as a way
of limiting the amount of memory used by the server, but
it can be used to raise an operating system data size
limit that is too small by default. If you wish to
limit the amount of memory used by the server, use the
and options instead; see the section.
The maximum number of files the server may have open concurrently.
The default is
The maximum amount of stack memory the server may use.
The default is
The server will remove expired resource records from the cache every
minutes. The default is 60 minutes. The maximum value
is 28 days (40320 minutes). If set to 0, no periodic
cleaning will occur.
The server will perform zone maintenance tasks for all zones marked as
whenever this interval expires. The default is 60 min‐
utes. The maximum value is 28 days (40320 minutes).
Reasonable values are up to 1 day (1440 minutes). If
set to 0, no zone maintenance for these zones will
occur.
The server will scan the network interface list every
minutes. The default is 60 minutes. The maximum value
is 28 days (40320 minutes). If set to 0, interface
scanning will only occur when the configuration file is
loaded. After the scan, listeners will be started on
any new interfaces (provided they are allowed by the
configuration). Listeners on interfaces that have gone
away will be cleaned up.
If the server is unable to answer a question, it will query other name
servers.
Specifies the address and port used for such queries.
Specifies the address and port used
for queries sent over IPv6.
If address is or is omitted, a wildcard IP address is used. If port is
or is omitted, a random unprivileged port will be used. The default
address and port are:
query-source address * port * ;
query-source-v6 address * port * ;
Note: The address specified in the option is used for both UDP and TCP
queries, but the port applies only to UDP queries. TCP queries always
use a random unprivileged port. When multiple records are returned in
an answer, it may be useful to configure the order of the records
placed into the response.
The option permits the configuration of the ordering of the records in
a multiple record response.
order_spec is defined as:
[ class class_name ] [ type type_name ] [ name "domain_name" ]
order ordering
If no is specified, the default is If no is specified, the
default is If no is specified, the default is
The values for ordering are:
Records are returned in the order they are defined in the zone
file.
Records are returned in some random order.
Records are returned in a round-robin order.
In this example, any responses for type records in class that have as a
suffix, are always returned in order. All other records are returned
in order.
rrset-order {
class IN type A name "host.example.com" order random;
order cyclic;
};
If multiple statements appear, they are not combined; the last one
applies. The following options set limits on the server's resource
consumption that are enforced internally by the server rather than the
operating system.
The maximum amount of memory to use for the server's cache, in bytes.
When the amount of data in the cache reaches this limit,
the server will cause records to expire prematurely so
that the limit is not exceeded. In a server with multi‐
ple views, the limit applies separately to the cache of
each view. The default is meaning that records are
purged from the cache only when their TTLs expire.
Sets a maximum size for each journal file.
When the journal file approaches the specified size,
some of the oldest transactions in the journal will be
automatically removed. The default is
The maximum number of simultaneous recursive lookups the server will
perform on behalf of clients. The default is 1000.
Because each recursing client uses a fair bit of memory,
on the order of 20 kilobytes, the value of the option
may have to be decreased on hosts with limited memory.
The maximum number of simultaneous client TCP connections that the
server will accept. The default is 100.
The listen queue depth.
The default and minimum is 3. If the kernel supports
the accept filter "dataready", this also controls how
many TCP connections that will be queued in kernel space
waiting for some data before being passed to accept.
Values less than 3 are silently raised.
The response to a DNS query may consist of multiple resource records
(RRs) forming a resource records set (RRset). The name server will
normally return the RRs within the RRset in an indeterminate order (but
see the statement in the section). The client resolver code should
rearrange the RRs as appropriate, that is, using any addresses on the
local net in preference to other addresses. However, not all resolvers
can do this or are correctly configured. When a client is using a
local server, the sorting can be performed in the server, based on the
client's address. This only requires configuring the name servers, not
all the clients.
The option takes an address_match_list and interprets it. Each top
level statement in the must itself be an explicit address_match_list
with one or two elements. The first element (which may be an IP
address, an IP prefix, an ACL name, or a nested address_match_list) of
each top level list is checked against the source address of the query
until a match is found.
Once the source address of the query has been matched, if the top level
statement contains only one element, the actual primitive element that
matched the source address is used to select the address in the
response to move to the beginning of the response. If the statement is
a list of two elements, then the second element is interpreted in a
special way. Each top level element is assigned a distance and the
address in the response with the minimum distance is moved to the
beginning of the response.
In the following example, any queries received from any of the
addresses of the host itself will get responses preferring addresses on
any of the locally connected networks. Next will be addresses on the
192.168.1/24 network, and after that either the 192.168.2/24 or
192.168.3/24 network with no preference shown between these two net‐
works. Queries received from a host on the 192.168.1/24 network will
prefer other addresses on that network to the 192.168.2/24 and
192.168.3/24 networks. Queries received from a host on the
192.168.4/24 or the 192.168.5/24 network will only prefer other
addresses on their directly connected networks.
sortlist {
{ localhost; // IF the local host
{ localnets; // THEN first fit on the
192.168.1/24; // following nets
{ 192.168.2/24; 192.168.3/24; }; }; };
{ 192.168.1/24; // IF on class C 192.168.1
{ 192.168.1/24; // THEN use .1, or .2 or .3
{ 192.168.2/24; 192.168.3/24; }; }; };
{ 192.168.2/24; // IF on class C 192.168.2
{ 192.168.2/24; // THEN use .2, or .1 or .3
{ 192.168.1/24; 192.168.3/24; }; }; };
{ 192.168.3/24; // IF on class C 192.168.3
{ 192.168.3/24; // THEN use .3, or .1 or .2
{ 192.168.1/24; 192.168.2/24; }; }; };
{ // IF .4 or .5, prefer that net
{ 192.168.4/24; 192.168.5/24; }; };
};
The following example gives reasonable behavior for the local host and
hosts on directly connected networks. It is similar to the behavior of
the address sort in BIND 4.9.x. Responses sent to queries from the
local host will favor any of the directly connected networks.
Responses sent to queries from any other hosts on a directly connected
network will prefer addresses on that same network. Responses to other
queries will not be sorted.
sortlist {
{ localhost; localnets; };
{ localnets; };
};
Sets the advertised Extended DNS (EDNS) UDP buffer size in bytes.
Valid values are 512 to 4096 (values outside this range
will be silently adjusted). The default value is 4096.
The usual reason for setting to a nondefault value is to
get UDP answers to pass through broken firewalls that
block fragmented packets and/or block UDP packets that
are greater than 512 bytes.
Sets the number of seconds to cache a lame server indication.
0 disables caching. (This is recommended.) The default
is 600 (10 minutes). The maximum value is 1800 (30 min‐
utes). (See the keyword in section.)
Sets the maximum time in seconds for which the server will cache ordi‐
nary
(positive) answers. The default is one week (7 days).
To reduce network traffic and increase performance,
the server stores negative answers. is used to set a
maximum retention time for these answers in the server
in seconds. The default is 10800 seconds (3 hours).
The maximum is 7 days and will be truncated to 7 days if
set to a greater value.
These options control the server's behavior on refreshing a zone
(querying for SOA changes) or retrying failed transfers.
Usually the SOA values for the zone are used, but these
values are set by the master, giving slave server admin‐
istrators little control over their contents.
These options allow the administrator to set a minimum
and maximum refresh and retry time either per-zone, per-
view, or per-server. These options are valid for mas‐
ter, slave and stub zones, and clamp the SOA refresh and
retry times to the specified values.
Specifies the number of days into the future when DNSSEC signatures
that were automatically generated as a result of dynamic
updates will expire. The default is 30 days. The maxi‐
mum is 10 years (3660 days). The signature inception
time is unconditionally set to one hour before the cur‐
rent time to allow for a limited amount of clock skew.
BIND has mechanisms in place to facilitate zone transfers and set lim‐
its on the amount of load that transfers place on the system. The fol‐
lowing options apply to zone transfers.
Defines a global list of IP addresses of name servers that are also
sent
NOTIFY messages whenever a fresh copy of the zone is
loaded, in addition to the servers listed in the zone's
NS records. This helps to ensure that copies of the
zones will quickly converge on stealth servers. If an
list is given in a statement, it will override the
statement. When a statement is set to the IP addresses
in the global list will not be sent NOTIFY messages for
that zone. The default is the empty list (no global
notification list).
An alternate transfer source if the one listed in
fails and is set.
An alternate transfer source if the one listed in
fails and is set.
Inbound zone transfers making no progress in this many minutes will be
terminated. The default is 60 minutes (1 hour). The
maximum value is 28 days (40320 minutes).
Outbound zone transfers making no progress in this many minutes will be
terminated. The default is 60 minutes (1 hour). The
maximum value is 28 days (40320 minutes).
Inbound zone transfers running longer than this many minutes will be
terminated. The default is 120 minutes (2 hours). The
maximum value is 28 days (40320 minutes).
Outbound zone transfers running longer than this many minutes will be
terminated. The default is 120 minutes (2 hours). The
maximum value is 28 days (40320 minutes).
Determines which local source address, and optionally UDP port,
will be used to send NOTIFY messages. This address must
appear in the slave server's clause or in an clause.
This statement sets the for all zones, but can be over‐
ridden on a per-zone or per-view basis by including a
statement within the or statement in the configuration
file.
The same as but applies to NOTIFY messages sent to IPv6 addresses.
Slave servers will periodically query master servers to find out if
zone serial numbers have changed. Each such query uses
a minute amount of the slave server's network bandwidth.
To limit the amount of bandwidth used, BIND 9.3 limits
the rate at which queries are sent. The value of the
option, an integer, is the maximum number of queries
sent per second. The default is 20.
Zone transfers can be sent using two different formats,
and The option is used on the master server to determine
which format it sends. uses one DNS message per
resource record transferred. packs as many resource
records as possible into a message. is more efficient,
but is only supported by relatively new slave servers,
such as BIND 9.3, BIND 8.x, and patched versions of BIND
4.9.x. The default is may be overridden on a per-server
basis by using the statement.
Determines which local address will be bound to IPv4 TCP
connections used to fetch zones transferred inbound by
the server. It also determines the source IPv4 address,
and optionally the UDP port, used for the refresh
queries and forwarded dynamic updates. If not set, it
defaults to a system-controlled value which will usually
be the address of the interface "closest to" the remote
end. This address must appear in the remote end's
option for the zone being transferred, if one is speci‐
fied. This statement sets the for all zones, but can be
overridden on a per-view or per-zone basis by including
a statement within the or block in the configuration
file.
The same as except that zone transfers are performed using IPv6.
The maximum number of concurrently running inbound zone transfers.
The default value is 10. The maximum value is 28 days
(40320 minutes). Increasing may speed up the conver‐
gence of slave zones, but it may also increase the load
on the local system.
The maximum number of concurrently running outbound zone transfers.
Zone transfer requests in excess of the limit will be
refused. The default value is 10.
The maximum number of concurrently running inbound zone transfers
from a given remote name server. The default value is
2. Increasing may speed up the convergence of slave
zones, but it also may increase the load on the remote
name server. may be overridden on a per-server basis by
using the phrase of the statement.
Use the alternate transfer sources or not.
If views are specified, this defaults to otherwise, it
defaults to (for BIND 8 compatibility).
The server Statement
server ip_addr {
[ bogus yes_or_no ; ]
[ edns yes_or_no ; ]
[ keys { string ; [ string ; ]... }; ]
[ provide-ixfr yes_or_no ; ]
[ request-ixfr yes_or_no ; ]
[ transfer-format ( one-answer | many-answers ) ; ]
[ transfer-source ( ip4_addr | * ) [ port ip_port ] ; ]
[ transfer-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
[ transfers number ; ]
};
The statement defines characteristics to be associated with a remote
name server. The statement can occur at the top level of the configu‐
ration file or inside a statement. If a statement contains one or more
statements, only those apply to the view and any top-level ones are
ignored. If a statement contains no statements, any top-level state‐
ments are used as defaults.
If you discover that a remote server is giving out bad data,
marking it as will prevent further queries to it. The
default value is
(Extended DNS) Determines whether the local server will attempt to use
EDNS when communicating with the remote server. The
default is
Identifies a key_id defined by a statement, to be used for transac‐
tion security when talking to the remote server. The
statement must come before the statement that references
it. When a request is sent to the remote server, a
request signature will be generated using the key speci‐
fied here, and appended to the message. A request orig‐
inating from the remote server is not required to be
signed by this key. Although the grammar of the clause
allows for multiple keys, only a single key per server
is currently supported.
Determines whether the local server, acting as master,
will respond with an incremental zone transfer when the
given remote server, a slave, requests it. If set to
incremental transfer will be provided whenever possible.
If set to all transfers to the remote server will be
nonincremental. If not set, the value of the option in
the or global statement is used as a default.
Determines whether the local server, acting as a slave,
will request incremental zone transfers from the given
remote server, a master. If not set, the value of the
option in the or global statement is used as a default.
IXFR requests to servers that do not support IXFR will
automatically fall back to AXFR. Therefore, there is no
need to manually list which servers support IXFR and
which ones do not; the global default of should always
work. The purpose of the and clauses is to make it pos‐
sible to disable the use of IXFR even when both master
and slave claim to support it; for example, if one of
the servers is defective and crashes or corrupts data
when IXFR is used.
The server supports two zone transfer methods.
uses one DNS message per resource record transferred.
packs as many resource records as possible into a mes‐
sage. is more efficient, but is only known to be under‐
stood by BIND 9, BIND 8.x, and patched versions of BIND
4.9.5. You can specify which method to use for a server
with the option. If is not specified, the specified by
the statement is used.
Specify the IPv4 and IPv6 source address to be used for zone transfer
with the remote server, respectively. For an IPv4
remote server, only can be specified. Similarly, for an
IPv6 remote server, only can be specified.
Limits the number of concurrent inbound zone transfers
from the specified server. If no clause is specified,
the limit is set according to the option.
The trusted-keys Statement
trusted-keys {
( domain_name flags protocol algorithm key_data ; )...
};
The statement defines DNSSEC security roots. A security root is
defined when the public key for a nonauthoritative zone is known, but
cannot be securely obtained through DNS, either because it is the DNS
root zone or its parent zone is unsigned. Once a key has been config‐
ured as a trusted key, it is treated as if it had been validated and
proven secure. The resolver attempts DNSSEC validation on all DNS data
in subdomains of a security root.
The statement can contain multiple key entries, each consisting of the
key's five parameters: domain_name (string), flags (number), protocol
(number), algorithm (number), and the base-64 representation of the
key_data (string).
The view Statement
view view_name [ class ] {
[ match-clients { address_match_list } ; ]
[ match-destinations { address_match_list } ; ]
[ match-recursive-only { yes_or_no } ; ]
[ view_option ; ]...
[ zone_statement ; ]...
};
The statement lets a name server answer a DNS query differently depend‐
ing on who is asking. It is particularly useful for implementing split
DNS setups without having to run multiple servers. Each statement
defines a view of the DNS name space that will be seen by a subset of
clients. The order of the statements is significant; a client request
will be resolved in the context of the first view that it matches.
view_name A name for the view.
class Views are class-specific. If no class is given, class
is assumed. Note that all views must contain a hint
zone, since only the class has compiled-in default
hints.
A client matches a view if its source IP address matches the
address_match_list of the statement's clause and its
destination IP address matches the address_match_list of
the statement's clause.
If not specified, and each default to matching all
addresses.
Means that only recursive requests from matching clients match that
view.
view_option Many of the options given in the statement can also be
used within a statement, and then apply only when
resolving queries with that view. When no view-specific
value is given, the value in the statement is used as a
default. Also, zone options can have default values
specified in the statement; these view-specific defaults
take precedence over those in the statement. See sec‐
tion.
zone_statement Zones defined within a statement will only be accessible
to clients that match the view. By defining a zone of
the same name in multiple views, different zone data can
be given to different clients; for example, and clients
in a split DNS setup. See section.
If there are no statements in the configuration file, a default view
that matches any client is automatically created in class and any
statements specified on the top level of the configuration file are
considered to be part of this default view. If any explicit statements
are present, all statements must occur inside statements.
Here is an example of a typical split DNS setup, implemented with
statements.
view "internal" {
// This should match our internal networks.
match-clients { 10.0.0.0/8; };
// Provide recursive service to internal clients only.
recursion yes;
// Provide a complete view of the example.com zone
// including addresses of internal hosts.
zone "example.com" {
type master;
file "example-internal.db";
};
};
view "external" {
match-clients { any; };
// Refuse recursive service to external clients.
recursion no;
// Provide a restricted view of the example.com zone
// containing only publicly accessible hosts.
zone "example.com" {
type master;
file "example-external.db";
};
};
The zone Statement
zone zone_name [ class ] [ {
type ( master | slave | hint
| stub | forward | delegation-only ) ;
[ allow-notify { address_match_list }; ]
[ allow-query { address_match_list }; ]
[ allow-transfer { address_match_list }; ]
[ allow-update { address_match_list }; ]
[ allow-update-forwarding { address_match_list }; ]
[ also-notify { ( ip_addr [ port ip_port ] ; )... }; ]
[ alt-transfer-source ( ip4_addr | * ) [ port ip_port ] ; ]
[ alt-transfer-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
[ check-names ( warn | fail | ignore ) ; ]
[ database string ; ]
[ delegation-only yes_or_no ; ]
[ dialup dialup_option ; ]
[ file string ; ]
[ forward ( only | first ) ; ]
[ forwarders { ( ip_addr [ port ip_port ] ; )... }; ]
[ ixfr-from-differences yes_or_no ; ]
[ key-directory path_name ; ]
[ masters [ port ip_port ] { (
( masters_name | ip_addr [ port ip_port ] [ key key ] ) ;
)... }; ]
[ max-refresh-time number ; ]
[ max-retry-time number ; ]
[ max-transfer-idle-in number ; ]
[ max-transfer-idle-out number ; ]
[ max-transfer-time-in number ; ]
[ max-transfer-time-out number ; ]
[ min-refresh-time number ; ]
[ min-retry-time number ; ]
[ multi-master yes_or_no ; ]
[ notify yes_or_no | explicit ; ]
[ notify-source ( ip4_addr | * ) [ port ip_port ] ; ]
[ notify-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
[ sig-validity-interval number ; ]
[ transfer-source ( ip4_addr | * ) [ port ip_port ] ; ]
[ transfer-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
[ update-policy { update_policy_rule }; ]...
[ use-alt-transfer-source yes_or_no ; ]
[ zone-statistics yes_or_no ; ]
} ] ;
zone_name A name for the zone.
class The class of the zone; one of the following:
The Internet class.
This is the default. is correct for the
vast majority of cases.
This class is named for an information service from
MIT's Project Athena.
It is used to share information about
various systems databases, such as users,
groups, printers and so on.
Another MIT development is Chaosnet, a LAN protocol cre‐
ated in the mid-1970s.
The type of the zone.
The server has a master copy of the data for the zone and will be
able to provide authoritative answers for it.
A slave zone is a replica of a master zone.
The list specifies one or more IP addresses of master
servers that the slave contacts to update its copy of
the zone.
By default, transfers are made from port 53 on the
servers; this can be changed for all servers by specify‐
ing a port number before the list of IP addresses, or on
a per-server basis after the IP address. Authentication
to the master can also be done with per-server TSIG
keys.
If a file is specified, then the replica will be written
to this file whenever the zone is changed, and reloaded
from this file on a server restart. Use of a file is
recommended, since it often speeds server start-up and
eliminates a needless waste of bandwidth. If the data‐
base files are very large, it is recommended to place
them in different directories.
A stub zone is similar to a slave zone,
except that it replicates only the NS records of a mas‐
ter zone instead of the entire zone.
Stub zones are not a standard part of the DNS; they are
a feature specific to the BIND implementation. Stub
zones can be used to eliminate the need for glue NS
records in a parent zone at the expense of maintaining a
stub zone entry and a set of name server addresses in
This usage is not recommended for new configurations,
and BIND 9.3 supports it only in a limited way. In BIND
4/8, zone transfers of a parent zone included the NS
records from stub children of that zone. This meant
that, in some cases, users could get away with configur‐
ing child stubs only in the master server for the parent
zone. BIND 9 never mixes together zone data from dif‐
ferent zones in this way. Therefore, if a BIND 9 master
serving a parent zone has child stub zones configured,
all the slave servers for the parent zone also need to
have the same child stub zones configured.
Stub zones can also be used to force the resolution of a
given domain to use a particular set of authoritative
servers. For example, the caching name servers on a
private network using RFC 2157 addressing may be config‐
ured with stub zones for to use a set of internal name
servers as the authoritative servers for that domain.
A forward zone can be used to configure forwarding on a per-domain
basis. A zone statement of type can contain a and/or
statement, which will apply to queries within the domain
given by the zone name. If no statement is present or
an empty list of forwarders is given, then no forwarding
will be done for the domain, canceling the effects of
any forwarders in the statement. Thus, if you want to
use this type of zone to change the behavior of the
global option (that is, then or vice versa, but want to
use the same servers as set globally), you need to
respecify the global forwarders.
The initial set of root name servers is specified using a hint zone.
When the server starts up, it uses the root hints to
find a root name server and get the most recent list of
root name servers. If no hint zone is specified for
class the server uses a compiled-in default set of root
servers hints. Classes other than have no built-in
defaults hints.
This is used to enforce the delegation-only status of infrastructure
zones
(for example, Any answer that is received without a
explicit or implicit delegation in the authority section
will be treated as NXDOMAIN. This does not apply to the
zone apex. This be applied to leaf zones. has no
effect on answers received from forwarders.
See the description in
section.
See the description in
section.
See the description in
section.
Specifies which hosts are allowed to submit Dynamic DNS updates for
master zones. The default is to deny updates from all
hosts. Please note that this option is not applicable
for slave zones. See the section for more details.
Specifies which hosts are allowed to submit Dynamic DNS updates to
slave zones to be forwarded to the master. The default
is which means that no update forwarding will be per‐
formed. To enable update forwarding, specify Specifying
values other than or is usually counterproductive, since
the responsibility for update access control should rest
with the master server, not the slaves. Note that
enabling the update forwarding feature on a slave server
may expose master servers that rely on insecure IP-
address-based access control to attacks.
Only meaningful if
is active for this zone. The set of machines that will
receive a DNS NOTIFY message for this zone is made up of
all the listed name servers (other than the primary mas‐
ter) for the zone plus any IP addresses specified with A
port may be specified with each address to send the
notify messages to a port other than the default of 53.
is not meaningful for stub zones. The default is the
empty list.
See the description in
section.
See the description in
section.
Restrict the character set and syntax of certain
domain names in master files and/or DNS responses
received from the network. The default varies according
to zone type. For zones, the default is For zones, the
default is
Specify the type of database to be used for storing the zone data.
The string following the keyword is interpreted as a
list of whitespace-delimited words. The first word
identifies the database type, and any subsequent words
are passed as arguments to the database to be inter‐
preted in a way specific to the database type. The
default is BIND 9's native in-memory red-black-tree
database. This database does not take arguments. Other
values are possible if additional database drivers have
been linked into the server.
The flag only applies to
and zones. If set to then the zone is also treated as
if it is also a type zone.
See the description in
section.
A zone file designates a domain name
with all of its associated subdomains, IP addresses, and
mail server. A zone file contains resource records and
so on).
Only meaningful if the zone has a
list. The value causes the lookup to fail after trying
the forwarders and getting no answer, while allows a
normal lookup to be tried.
Used to override the list of global forwarders.
If it is not specified in a zone of type no forwarding
is done for the zone; the global options are not used.
If and the server loads a new version of a master zone from
its zone file or receives a new version of a slave file
by a nonincremental zone transfer, it will compare the
new version to the previous one and calculate a set of
differences. The differences are then logged in the
zone's journal file such that the changes can be trans‐
mitted to downstream slaves as an incremental zone
transfer.
By allowing incremental zone transfers to be used for
nondynamic zones, this option saves bandwidth at the
expense of increased CPU and memory consumption at the
master. In particular, if the new version of a zone is
completely different from the previous one, the set of
differences will be of a size comparable to the combined
size of the old and new zone version, and the server
will need to temporarily allocate memory to hold this
complete difference set.
See the description in
section.
See the and descriptions at the beginning of this section, and
the description in section.
masters_name
The name of a statement.
See the description in
section.
See the description in
section.
See the description in
section.
See the description in
section.
See the description in
section.
See the description in
section.
See the description in
section.
See the description in
section.
This should be set when you have multiple masters for a zone and the
addresses
refer to different machines. If will not log when the
serial number on the master is less than what currently
has. The default is
See the description in
section.
See the description in
section.
See the description in
section.
See the description in
section.
See the description in
section.
See the description in
section.
Specifies a "Simple Secure Update" policy.
See the section for more details.
See the description in
section.
If the server will keep statistical information for this
zone, which can be dumped to the defined in the options.
BIND 9.3 supports two alternative methods of granting clients the right
to perform dynamic updates to a zone, configured by the and options,
respectively.
The clause works the same way as in previous versions of BIND. It
grants given clients the permission to update any record of any name in
the zone.
The clause is new in BIND 9.3 and allows more fine-grained control over
what updates are allowed. A set of rules is specified, where each rule
either grants or denies permissions for one or more names to be updated
by one or more identities. If the dynamic update request message is
signed (that is, it includes either a TSIG or SIG(0) record), the iden‐
tity of the signer can be determined.
Rules are specified in the zone option, and are only meaningful for
master zones. When the statement is present, it is a configuration
error for the statement to be present. The statement only examines the
signer of a message; the source address is not relevant.
A sample rule definition is as shown below:
( grant | deny ) identity nametype name [ types ]
Each rule grants or denies privileges. Once a message has successfully
matched a rule, the operation is immediately granted or denied and no
further rules are examined. A rule is matched when the signer matches
the identity field, the name matches the name field, and the type is
specified in the list in the types field.
The identity field specifies a name or a wildcard name. Normally, this
is the name of the TSIG or SIG(0) key used to sign the update request.
When a TKEY exchange has been used to create a shared secret, the iden‐
tity of the shared secret is the same as the identity of the key used
to authenticate the TKEY exchange. When the identity field specifies a
wildcard name, it is subject to DNS wildcard expansion, so the rule
will apply to multiple identities. The identity field must contain a
fully qualified domain name.
The nametype field has four possible values:
Exact-match semantics.
This rule matches when the name being updated is identi‐
cal to the contents of the name field.
This rule matches when the name being updated is a subdomain of, or
identical
to, the contents of the name field.
The name field is subject to DNS wildcard expansion, and
this rule matches when the name being updated is a valid
expansion of the wildcard.
This rule matches when the name being updated matches the contents of
the
identity field. The name field is ignored, but should
be the same as the identity field. The nametype is most
useful when allowing the use of one key per name to
update, where the key has the same name as the name to
be updated. The identity would be specified as in this
case.
In all cases, the name field must specify a fully qualified domain
name.
If no types are explicitly specified, this rule matches all types
except and A type may be specified by name, including (which matches
all types except which can never be updated). Note that when an
attempt is made to delete all records associated with a name, the rules
are checked for each existing record type.
The Statistics File
The statistics file generated by BIND 9.3 is similar, but not identi‐
cal, to that generated by BIND 8. The statistics dump begins with the
line
where the number in parentheses is a standard UNIX-style time stamp,
measured as seconds since January 1, 1970. Following that line are a
series of lines containing a counter type, the value of the counter,
optionally a zone name, and optionally a view name. The lines without
view and zone listed are global statistics for the entire server.
Lines with a zone and view name are for the given view and zone (the
view name is omitted for the default view). The statistics dump ends
with the line
where the number is identical to the number in the beginning line.
The following statistics counters are maintained:
The number of successful queries made to the server or zone.
A successful query is defined as query which returns a
NOERROR response other than a referral response.
The number of queries which resulted in referral responses.
The number of queries which resulted in NOERROR responses with no data.
The number of queries which resulted in NXDOMAIN responses.
The number of queries which caused the server to perform
recursion in order to find the final answer.
The number of queries which resulted in a failure response other
than those above.
ZONE FILES
A is a text file that defines a zone, designating a domain name, with
all of its associated subdomains, IP addresses, and mail servers. It
may contain directives, resource records, and comments. Blank lines
may be included for readability. A zone definition starts with an
resource record. The zone file name is used in the substatement of a
statement in the configuration file,
A consists of those contiguous parts of the domain tree for which a
domain server has complete information and over which it has authority.
A domain server may be authoritative for more than one zone.
An or fully qualified domain name (FQDN) in a zone file is one that
ends in a period For example, is an absolute domain name.
A in a zone file does not end in a period. For example, is a relative
domain name.
An in a zone file is an absolute domain name that is appended to a rel‐
ative domain name to complete it. For example, if is the origin and is
a relative domain name, they would combine to form the absolute domain
name,
A starts with a semicolon and continues to the end of the line. A com‐
ment can appear on a line by itself or at the end of any directive or
resource record line, including lines that are continued. For example,
in the following record, is a comment.
Records normally end at the end of a line. However, they may be con‐
tinued across lines if the text is enclosed in parentheses, See the
example in the section.
Zone File Directives
Zone file directives help to simplify resource records. The directives
include and The directive sets the origin that will be appended to any
subsequent relative domain names. This provides a convenient shorthand
for writing resource records.
Syntax
origin A domain name that serves as the suffix for subsequent
relative domain names.
When starts, the default origin is the zone_name in the statement of
the configuration file,
If the new origin is not absolute (does not have a terminating period),
the old origin is appended to it.
For example,
$ORIGIN com.
$ORIGIN example
WWW CNAME MAIN-SERVER
is equivalent to:
$ORIGIN example.com.
WWW CNAME MAIN-SERVER
is equivalent to:
WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
The directive reads and processes a file as if it were included into
the file at this point.
Syntax
filename The name of the file to be included.
origin The origin for the data in the included file. The
default is the current origin of the including (par‐
ent) file.
Neither the origin field nor statements in the included file affect the
origin of the parent file.
Once the included file has been processed, the origin and the current
record owner name revert to the values they had prior to the directive.
Note: RFC 1035 specifies that the current origin should be restored
after an but it is silent on whether the current record owner name
should also be restored. BIND 9 restores both of them. This could be
construed as a deviation from RFC 1035, a feature, or both.
The directive sets the default Time to Live (TTL) value for subsequent
RRs that have undefined TTLs.
Syntax
default-ttl
The default TTL value for subsequent RRs. See the and
sections for more detail.
The directive creates a series of resource records that differ from
each other only by an iterator value.
is a BIND extension and not part of the standard DNS zone file format.
Syntax
(ttl and class may be entered in either order.)
range The range of the iterator value. range can be in
either of the forms: or If the first form is used,
then step is set to 1. All of start, stop, and step
must be positive.
lhs An expression that evaluates to the owner_name for
each resource record that is created. If lhs is not
an absolute domain name, the current origin is
appended to it.
Any single symbols within lhs are replaced by the
iterator value.
The may optionally be followed by modifiers that
change the offset from the iterator, the field width,
and the base. Modifiers are introduced by a immedi‐
ately following the in the format For example, which
subtracts 20 from the current value and prints the
result as a decimal in a zero-padded field of 3 char‐
acters. The available base values are (decimal),
(octal), (lowercase hexadecimal), and (uppercase hexa‐
decimal). The default modifier is
To get a in the output, escape the with a backslash
for example, For compatibility with earlier versions,
is still recognized as indicating a literal in the
output.
ttl The TTL for the generated records. If it is omitted,
the normal TTL inheritance rules apply. See the and
sections for more detail.
class The class of the generated records. This must match
the zone class, if it is specified.
type At present, the only supported types are and
rhs An expression that evaluates to the rrdata for each
resource record that is created. At present, this
must be a domain name. It uses the same processing as
lhs.
Example
easily generates the sets of records required to support the sub
reverse delegations described in RFC 2317, "Classless IN-ADDR.ARPA del‐
egation".
$ORIGIN 0.0.192.IN-ADDR.ARPA.
$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
$GENERATE 1-127 $ CNAME $.0
is equivalent to:
0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
...
127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
Resource Records (RRs)
This section, based on RFC 1034, describes the concept of a resource
record, known as an RR, and when an RR is used. Since the publication
of RFC 1034, several new RRs have been identified and implemented in
the DNS. These are also included.
A domain name identifies a node. Each node has a set of resource
information, which may be empty. The set of resource information asso‐
ciated with a particular name is composed of separate RRs. The order
of RRs in a set is not significant and need not be preserved by name
servers, resolvers, or other parts of the DNS. However, the sorting of
multiple RRs is permitted for optimization purposes, for example, to
specify that a particular nearby server be tried first.
Domain servers store information as a series of resource records, each
of which contains a particular piece of information about a given
domain name (which is usually, but not always, a host). The simplest
way to think of a RR is as a typed pair of data, a domain name matched
with relevant data, and stored with some additional type information to
help systems determine when the RR is relevant.
Note: RRs are represented in binary form in the packets of the DNS
protocol, and are usually represented in highly encoded form
when stored in a name server or resolver. The binary format
is defined in the RFCs that are listed with the RR type key‐
words in the following section. The owner_name is often
implicit, rather than forming an integral part of the RR.
For example, many name servers internally form tree or hash
structures for the name space, and chain RRs off nodes.
Syntax
owner_name [ ttl ] [ class ] type rrdata
(ttl and class may be entered in either order. The class and
ttl values are often omitted from examples in the interests of
clarity.)
owner_name
The domain name of the owner of the information in the
RR. This can be one of:
The domain name of the DNS root name server.
The current origin.
domain_name
A standard domain name. If domain_name does
not end with a period it is relative and the
current origin is appended to it. If
domain_name ends with a period it is abso‐
lute.
blank If the first character of the record is
blank, the previous owner_name is used.
ttl The Time to Live (TTL) of the RR. This field is a
32-bit integer in units of seconds and is primarily
used by resolvers when they cache RRs. The ttl
defines how long a RR can be cached before it should
be discarded. See the and sections for more detail.
class A keyword, encoded as a 16-bit value, that identifies
a protocol family or an instance of a protocol. The
following keywords are supported:
The Internet system, the default.
Chaosnet, a LAN protocol created at MIT in the
mid-1970s.
Rarely used for its historical purpose, but
reused for BIND's built-in server informa‐
tion zones, for example,
Hesiod, an information service developed by MIT's
Project Athena.
It is used to share information about vari‐
ous systems databases, such as users,
groups, printers, and so on.
All records in a zone file must be of the same class.
type A keyword, encoded as a 16-bit value, that specifies
the type of the resource in this resource record.
Types refer to abstract resources.
The following keywords are supported. Some of these
listed, although not obsolete, are experimental or
historical and not in general use.
Defines an IPv4 host address.
In the class, this is a 32-bit IP address.
Described in RFC 1035.
Defines an IPv6 host address.
This can be a partial address (a suffix) and
an indirection to the name where the rest of
the address (the prefix) can be found.
Experimental. Obsoleted/deprecated. Use
instead. Described in RFC 2874.
Defines an IPv6 address.
Described in RFC 1886.
Holds a digital certificate.
Described in RFC 2538.
The canonical name of an alias.
Described in RFC 1035.
Delegates reverse addresses.
Replaces the domain name specified with
another name to be looked up. Described in
RFC 2672.
Specifies the global position.
Described in RFC 1712.
Identifies the CPU and OS used by a host.
Described in RFC 1035.
Stores a public key associated with a DNS name.
Described in RFC 2535.
Identifies a key exchanger for this DNS name.
Described in RFC 2230.
Identifies a mail exchange for the domain.
A 16-bit preference value (lower is better)
followed by the host name of the mail
exchange. See the section. Described in
RFC 974 and RFC 1035.
Name authority pointer.
Described in RFC 2915.
A network service access point.
Described in RFC 1706.
An authoritative name server for the domain.
Described in RFC 1035.
Used in DNSSEC to securely indicate that RRs with an
owner name
in a certain name interval do not exist in a
zone and indicate what RR types are present
for an existing name. Described in RFC
2535.
Domain name pointer.
A pointer to another part of the domain name
space. Often user to associate an IP
address with a domain name. Described in
RFC 1035.
Provides mappings between RFC 822 and X.400 addresses.
Described in RFC 2163.
Contains data authenticated in the secure DNS.
Described in RFC 2535.
Identifies the start of a zone of authority in a zone
file.
See the section. Described in RFC 1035.
Information about the well-known network services,
such as SMTP, that a domain supports.
Supersedes Described in RFC 2282.
Text records.
Described in RFC 1035.
Information about well known network services.
Historical. Superseded by Described in RFC
1035.
rrdata The type-dependent and sometimes class-dependent data
that describes the resource. This data is defined in
the RFCs that are specified with each type keyword.
MX Resource Records
records control the delivery of e-mail. Described in RFC 974 and RFC
1035.
Syntax
priority host_domain_name
... The owner_name, ttl, and class have been omitted for
clarity.
priority The priority controls the order in which e-mail deliv‐
ery is attempted, with the lowest number first. If
two priorities are the same, a server is chosen ran‐
domly. If no servers at a given priority are respond‐
ing, the mail transport agent will fall back to the
next largest priority. Priority numbers do not have
any absolute meaning: they are relevant only respec‐
tive to other records for that domain name.
host_domain_name
The domain name of the machine to which the mail
should be delivered.
An record must have an associated record; a is not sufficient. For a
given domain, if there is both a record and an record, the record is in
error and will be ignored. Instead, the mail will be delivered to the
server specified in the record pointed to by the
Example
example.com. IN MX 10 mail.example.com.
IN MX 10 mail2.example.com.
IN MX 20 mail.backup.org.
mail.example.com. IN A 10.0.0.1
mail2.example.com. IN A 10.0.0.2
Mail delivery will be attempted to and (in any order), and if neither
of those succeed, delivery to will be attempted.
SOA Resource Records
Each zone file begins with an record for the zone. All records in a
zone file must be of the same class. Described in RFC 1035.
Syntax
mname rname serial refresh retry expire minimum
... The owner_name, ttl, and class have been omitted for
clarity.
mname The domain name of the name server that is the source
of data for this zone.
rname A domain name that specifies the mailbox of the person
responsible for this zone. The first period repre‐
sents the in the e-mail address. If the mailbox user
name contains a period, you can escape it with a back‐
slash See the example.
serial An arbitrary unsigned 32-bit integer serial number for
the zone. The range is 0 to 4294967295 (2^32-1).
refresh A 32-bit integer time interval in seconds to refresh
the zone. See the section for more detail.
retry A 32-bit integer time to wait in seconds before retry‐
ing a failed refresh. See the section for more
detail.
expire A 32-bit integer time interval in seconds after which
the zone is no longer authoritative. See the section
for more detail.
minimum The TTL in seconds for resolvers that cache negative
responses. See the and sections for more detail.
The specifies a serial number, which should be changed each time the
zone file is changed. Note that it is not advisable to give the serial
number as a dotted number, since the translation to normal integers is
via concatenation rather than multiplication and addition. You can
represent the year, month, day of month, and a 0..99 version number
(yyyymmddvv) and still fit inside the unsigned 32-bit size of this
field. (It's true that we will have to rethink this strategy in the
year 4294.)
Secondary servers check the serial number at intervals specified by the
refresh time in seconds; if the serial number changes, a zone transfer
will be done to load the new data. If a master server cannot be con‐
tacted when a refresh is due, the retry time specifies the interval at
which refreshes should be attempted. If a master server cannot be con‐
tacted within the interval given by the expire time, all data from the
zone is discarded by secondary servers.
Example
@ IN SOA ucbvax.Berkeley.EDU. Jane\.Doe.ucbvax.Berkeley.EDU. (
1989020501 ; serial
10800 ; refresh
3600 ; retry
3600000 ; expire
86400 ) ; minimum
Time to Live (TTL)
The TTL field of an RR is a 32-bit integer representing time in sec‐
onds. It is primarily used by resolvers when they cache RRs. The TTL
describes how long a RR can be cached before it should be discarded.
This limit does not apply to authoritative data in zones; it is also
timed out, but by the refreshing policies for the zone. The TTL is
assigned by the administrator for the zone where the data originates.
While short TTLs can be used to minimize caching, and a zero TTL pro‐
hibits caching, the realities of Internet performance suggest that
these times should be on the order of days for the typical host. If a
change can be anticipated, the TTL can be reduced prior to the change
to minimize inconsistency during the change, and then increased back to
its former value following the change.
The following three types of TTL are currently used in a zone file.
The minimum field in an RR is the negative-caching TTL.
This controls how long other servers will cache
responses from you. The maximum time for negative
caching is 3 hours
Note: This use of the minimum field was implemented in
RFC 2308, largely superseding the usage specified in
RFC 1034 (but see the default calculation for the ttl
field below).
A directive at the top of the zone file (before the pro‐
vides a default TTL for subsequent RRs.
Note: The directive, defined in RFC 2308, supersedes
the original use of the minimum field specified in RFC
1034.
ttl The ttl field in an RR specifies the TTL for the
record. If it is omitted, the value specified by the
previous directive is used. If there is no previous
directive, the minimum field in the resource record is
used.
Time Specification
All the TTLs and and the time fields are specified in seconds, as a
32-bit integer value in the range 0 to 2147483647 (2^31-1).
Here's a table of convenient values:
Seconds in an Integer Value
minimum 0 seconds
1 minute 60 seconds
1 hour 3600 seconds
1 day 86400 seconds
7 days 604800 seconds
30 days 2592000 seconds
24855 days 2147472000 seconds
maximum 2147483647 seconds
For convenience, some units can be explicitly specified; you can use
for hours, for minutes, and for seconds. For example,
Inverse Mapping in IPv4
Reverse name resolution (that is, translation from an IP address to a
domain name) is achieved with the domain and records. Entries in the
domain are made in least-to-most significant order, reading left to
right. This is the reverse of the way IP addresses are usually writ‐
ten. Thus, a machine with an IP address of 10.1.2.3 would have a cor‐
responding name of This name should have a resource record whose data
field is the domain name of the machine. If the machine has more than
one name. it will need multiple records. For example, for IP address
corresponding to host name in the domain:
$ORIGIN 2.1.10.in-addr.arpa
3 IN PTR fred.example.com.
Example
ISI.EDU. MX 10 VENERA.ISI.EDU.
MX 10 VAXA.ISI.EDU.
VENERA.ISI.EDU. A 128.9.0.32
A 10.1.0.52
VAXA.ISI.EDU. A 10.2.0.27
A 128.9.0.33
The RRs have an rrdata section that consists of a 16-bit number fol‐
lowed by a domain name. The address RRs use a standard IP address for‐
mat to contain a 32-bit Internet address.
This example shows six RRs, with two RRs at each of three domain names.
AUTHOR
and the directive were developed by the Internet Systems Consortium
(ISC).
Zone files were developed by the Internet Engineering Task Force
(IETF).
FILES
Default configuration file.
Shell script to convert BIND 4.9.7 configuration
files to the BIND 9.3 format.
SEE ALSO
kill(1), hosts_to_named(1M), sig_named(1M),
syslogd(1M), signal(2), gethostent(3N),
resolver(3N), syslog(3C), resolver(4),
hostname(5).
Requests for Comments (RFC): 822, 974, 1032, 1034,
1035, 1183, 1706, 1712, 1876, 1886, 2163, 2230,
2282, 2308, 2317, 2535, 2538, 2672, 2874, and
2915, available online at
available online at
available from the Internet Systems Consortium at
BIND 9.3 named.conf(4)