|
|
The named-bootconf utility is provided to
create a named.conf file from an existing
named.boot file. As root,
enter the following command to perform the conversion:
/usr/sbin/named-bootconf /etc/inet/named.boot > /etc/inet/named.conf
The configuration lines within a named.conf file consist of statements and comments. All statements must be terminated by a semicolon. Many statements contain a block of sub-statements, which are also terminated with a semicolon.
The following statements are supported:
Also see the following sections:
acl name { address_match_list };The acl statement creates a named address match list. It gets its name from a primary use of address match lists: Access Control Lists (ACLs).
The following ACLs are built-in:
controls { [ inet ip_addr port ip_port allow { address_match_list; }; ] [ unix path_name perm number owner number group number; ] };The controls statement declares control channels that can be used to affect the operation of the local name server. These control channels are used by the ndc(1Mtcp) utility to send commands to, and retrieve non-DNS results from, a name server.
A unix control channel is a UNIX domain socket corresponding to a file within a filesystem. Access to it is controlled by normal file system permissions. It is created by named(1Mtcp) with the specified file mode bits (see chmod(1)), owner, and group. Note that, unlike chmod , the mode bits specified for perm will normally have a leading ``0'' so that the number is interpreted as octal. Also note that the user and group ownership specified by owner and group must be given as numbers, not as names. It is recommended that the permissions be restricted to administrators only. Otherwise, any user on the system may be able to manage the local name server.
An inet control channel is a TCP/IP socket accessible to the Internet, created at the specified IP port, ip_port, on the specified IP address, ip_addr. Most modern telnet(1tcp) clients are capable of speaking directly to these sockets, and the control protocol is ARPAnet-style text. It is recommended that you only configure ``127.0.0.1'' as the ip_addr, and this only if you trust all non-privileged users on the local host to manage your name server.
include path_name;The include statement inserts the specified file at the point at which the include statement is encountered. It cannot be used within another statement, so a line such as the following is not allowed:
acl internal_hosts { "include internal_hosts.acl" }Use include to break the configuration up into easily-managed chunks, for example:
include "/etc/security/keys.bind"; include "/etc/acls.bind";This could be used at the top of a named configuration file in order to include any ACL or key information.
#include
as you would in a C program.
``#'' is one way of starting a comment.
key key_id { algorithm algorithm_id; secret secret_string; };The key statement defines a key ID which can be used in a server statement to associate an authentication method with a particular name server.
A key ID must be created with the key statement before it can be used in a server definition.
The algorithm_id is a string that specifies a security/authentication algorithm. secret_string is the secret to be used by the algorithm.
The key statement is intended for future use by the server. It is checked for syntax but is otherwise ignored.
logging { [ channel channel_name { ( file path_name [ versions ( number | unlimited ) ] [ size size_spec ] | syslog ( kern | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 ) | null );The logging statement configures a wide variety of logging options for the name server. Its channel phrase associates output methods, format options and severity levels with a name that can then be used with the category phrase to select how various classes of messages are logged.[ severity ( critical | error | warning | notice | info | debug [ level ] | dynamic ); ] [ print-category yes_or_no; ] [ print-severity yes_or_no; ] [ print-time yes_or_no; ] }; ]
[ category category_name { channel_name; [ channel_name;...] }; ] ... };
Only one logging statement is used to define as many channels and categories as are wanted. If there are multiple logging statements in a configuration, the first defined determines the logging, and warnings are issued for the others. If there is no logging statement, the logging configuration will be:
logging { category default { default_syslog; default_debug; }; category panic { default_syslog; default_stderr; }; category packet { default_debug; }; category eventlib { default_debug; }; };
Every channel definition must include a clause that says whether messages selected for the channel go to a file, to a particular syslog(3G) facility, or are discarded. It can optionally also limit the message severity level that will be accepted by the channel (default is info), and whether to include a named(1Mtcp) generated time stamp, the category name and/or severity level (default is not to include any).
The word null as the destination option for the channel will cause all messages sent to it to be discarded; other options for the channel are meaningless.
The file clause can include limitations both on how large the file is allowed to become, and how many versions of the file will be saved each time the file is opened.
The size option for files is simply a hard ceiling on log growth. If the file ever exceeds the size, then named will just not write anything more to it until the file is reopened; exceeding the size does not automatically trigger a reopen. The default behavior is to not limit the size of the file.
If you use the versions logfile option, then named will retain that many backup versions of the file by renaming them upon opening. For example, if you choose to keep three old versions of the file lamers.log then just before it is opened, lamers.log.1 is renamed to lamers.log.2, lamers.log.0 is renamed to lamers.log.1, and lamers.log is renamed to lamers.log.0. No rolled versions are kept by default. The unlimited keyword is synonymous with 99 in current BIND releases.
The argument for the syslog clause is a syslog facility as described on the syslog(3G) manual page. How syslogd will handle messages sent to this facility is described on the syslog.conf(4bsd) manual page. If you have a system which uses a very old version of syslog that only uses two arguments to the openlog function, then this clause is silently ignored.
The severity clause works like syslog's priorities, except that they can also be used if you are writing directly to a file rather than using syslog. Messages which are not at least of the severity level given will not be selected for the channel; messages of higher severity levels will be accepted.
If you are using syslog, then the syslog.conf priorities will also determine what eventually passes through. For example, defining a channel facility and severity as daemon and debug but only logging daemon.warning via syslog.conf will cause messages of severity info and notice to be dropped. If the situation were reversed, with named writing messages of only warning or higher, then syslogd would print all messages it received from the channel.
The server can supply extensive debugging information when it is in debugging mode. If the server's global debug level is greater than zero, then debugging mode will be active. The global debug level is set either by starting the server with the -d flag followed by a positive integer, or by using ndc trace (see ndc(1Mtcp)). The global debug level can be set to zero, and debugging mode turned off, by using ndc notrace. All debugging messages in the server have a debug level, and higher debug levels give more more detailed output. Channels can specify a specific debug severity, for example:
channel specific_debug_level { file "foo"; severity debug 3; };In this example, the channel will get debugging output of level 3 or less any time the server is in debugging mode, regardless of the global debugging level. Channels with dynamic severity use the server's global level to determine what messages to print.
If print-time has been turned on, then the date and time will be logged. print-time may be specified for a syslog channel, but is usually pointless since syslog also prints the date and time. If print-category is requested, then the category of the message will be logged as well. Finally, if print-severity is on, then the severity level of the message will be logged. The print- options may be used in any combination, and will always be printed in the following order: time, category, severity. The following example output, is with all three print- options turned on:
28-Apr-1997 15:05:32.863 default: notice: Ready to answer queries.There are four predefined channels that are used for named's default logging as follows. How they are used is described in The category phrase.
channel default_syslog { syslog daemon; # send to syslog's daemon facility severity info; # only send priority info and higher };Once a channel is defined, it cannot be redefined. Thus you cannot alter the built-in channels directly, but you can modify the default logging by pointing categories at channels you have defined.channel default_debug { file "named.run"; # write to named.run in the working directory severity dynamic; # log at the server's current debug level };
channel default_stderr { # writes to stderr file "<stderr>"; # this is illustrative only; there's currently # no way of specifying an internal file # descriptor in the configuration language. severity info; # only send priority info and higher };
channel null { null; # toss anything sent to this channel };
category default { default_syslog; default_debug; };As an example, let us say you want to log security events to a file, but you also want keep the default logging behavior. You would specify the following:
channel my_security_channel { file "my_security_file"; severity info; }; category security { my_security_channel; default_syslog; default_debug; };To discard all messages in a category, specify the null channel:
category lame-servers { null; }; category cname { null; };The following categories are available:
category default { default_syslog; default_debug; };
Lame server on...
category panic { default_syslog; default_stderr; };
category eventlib { default_debug; };
category packet { default_debug; };
...points to a CNAME
.
Malformed response...
,
wrong ans. name...
,
unrelated additional info...
,
invalid RR type...
,
and bad referral...
.
options { [ directory path_name; ] [ named-xfer path_name; ] [ dump-file path_name; ] [ pid-file path_name; ] [ statistics-file path_name; ] [ auth-nxdomain yes_or_no; ] [ fake-iquery yes_or_no; ] [ fetch-glue yes_or_no; ] [ multiple-cnames yes_or_no; ] [ notify yes_or_no; ] [ recursion yes_or_no; ] [ forward ( only | first ); ] [ forwarders { [ in_addr ; [ in_addr ;...] ] }; ] [ check-names ( master | slave | response ) ( warn | fail | ignore); ] [ allow-query { address_match_list }; ] [ allow-transfer { address_match_list }; ] [ listen-on [ port ip_port ] { address_match_list }; ] [ query-source [ address ( ip_addr | ) ] [ port ( ip_port | ) ] ; ] [ max-transfer-time-in number; ] [ transfer-format ( one-answer | many-answers ); ] [ transfers-in number; ] [ transfers-out number; ] [ transfers-per-ns number; ] [ coresize size_spec ; ] [ datasize size_spec ; ] [ files size_spec ; ] [ stacksize size_spec ; ] [ cleaning-interval number; ] [ interface-interval number; ] [ statistics-interval number; ] [ topology { address_match_list }; ] };The options statement sets up global options to be used by named. This statement may appear only once in a configuration file; if more than one occurrence is found, the first occurrence determines the actual options used, and a warning will be generated. If there is no options statement, an options block with each option set to its default will be used.
Future versions of BIND 8 will provide a more powerful forwarding system. The syntax described above will continue to be supported.
Three checking methods are available:
The server can check names three areas: master zone files, slave zone files, and in responses to queries the server has initiated. If check-names response fail has been specified, and answering the client's question would require sending an invalid name to the client, the server will send a REFUSED response code to the client.
The defaults are:
check-names master fail; check-names slave warn; check-names response ignore;check-names may also be specified in the zone statement, in which case it overrides the options check-names statement. When used in a zone statement, the area is not specified (because it can be deduced from the zone type).
Multiple listen-on statements are allowed. For example:
listen-on { 5.6.7.8; }; listen-on port 1234 { !1.2.3.4; 1.2/16; };If listen-on is not specified, the server will listen on port 53 on all interfaces.
listen-on is used on systems that define many aliased IP addresses on one or more of their network interfaces. By default, named binds to all defined interface addresses. This means that it is possible for named to run out of file descriptors if the system hosts many virtual domains. It is only necessary to specify one IP address for each interface in addition to the loopback address, for example:
listen-on { 192.168.12.1; 127.0.0.1; };
query-source address * port *;
Scaled values are allowed when specifying resource limits. For example, ``1G'' can be used instead of ``1073741824'' to specify a limit of one gigabyte. unlimited requests unlimited use, or the maximum available amount. default uses the limit that was in force when the server was started. See ``Generic syntactical elements'' for more details.
topology { 10/8; !1.2.3/24; { 1.2/16; 3/8; }; };This topology prefers servers on network 10 the most, followed by hosts on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the exception of hosts on network 1.2.3 (netmask 255.255.255.0), which is preferred least of all.
The default topology is:
topology { localhost; localnets; };
server ip_addr { [ bogus yes_or_no; ] [ transfers number; ] [ transfer-format ( one-answer | many-answers ); ] [ keys { key_id [key_id...] }; ] };The server statement defines the characteristics to be associated with a remote name server.
If you discover that a server is giving out bad data, marking it as bogus will prevent further queries to it. The default value of bogus is ``no''.
The server supports two zone transfer methods. The first, one-answer, uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is more efficient, but is only known to be understood by BIND 8.1 and patched versions of BIND 4.9.5. You can specify which method to use for a server with the transfer-format option. If transfer-format is not specified, the transfer-format specified by the options statement will be used.
The transfers will be used in a future release of the server to limit the number of concurrent in-bound zone transfers from the specified server. It is checked for syntax but is otherwise ignored.
The keys statement is intended for future use by the server. It is checked for syntax but is otherwise ignored.
trusted-keys { [ domain_name flags protocol algorithm keystring; ] };The trusted-keys statement defines the trusted keys for use with DNSSEC-style security within the specified domain. (DNSSEC provides three distinct services: key distribution, data origin authentication, and transaction and request authentication. See RFC 2065 for more information.)
The attributes of a trusted key are represented by the non-negative integer values flags, protocol, and algorithm, together with a base-64 encoded string that represents the key itself.
A trusted key may be defined in this way when a public key for a non-authoritative zone is known, but it cannot be obtained securely through DNS (as occurs when a signed zone is the child of an unsigned zone). Defining the trusted key here allows data signed by the zone to be considered secure.
zone domain_name [ ( in | hs | hesiod | chaos ) ] { type master; file path_name; [ check-names ( warn | fail | ignore ); ] [ allow-update { address_match_list }; ] [ allow-query { address_match_list }; ] [ allow-transfer { address_match_list }; ] [ notify yes_or_no; ] [ also-notify { ip_addr; [ ip_addr;...] }; };zone domain_name [ ( in | hs | hesiod | chaos ) ] { type ( slave | stub ); [ file path_name; ] masters { ip_addr; [ ip_addr;...] }; [ check-names ( warn | fail | ignore ); ] [ allow-update { address_match_list }; ] [ allow-query { address_match_list }; ] [ allow-transfer { address_match_list }; ] [ max-transfer-time-in number; ] [ notify yes_or_no; ] [ also-notify { ip_addr; [ ip_addr;...] }; };
zone . [ ( in | hs | hesiod | chaos ) ] { type hint; file path_name; [ check-names ( warn | fail | ignore ); ] };
/* This is a BIND comment as in C */Comments may appear anywhere that whitespace may appear in a named configuration file.// This is a BIND comment as in C++
# This is a BIND comment as in common Unix shells and perl
C-style comments start with the two characters ``/'' and end with ``/''. Because they are completely delimited with these characters, they can be used to comment only a portion of a line or to span multiple lines.
C-style comments cannot be nested. For example, the following is not valid because the entire comment ends with the first ``/'':
/* This is the start of a comment. This is still part of the comment. /* This is an incorrect attempt at nesting a comment. */ This is no longer in any comment. */C++-style comments start with the two characters ``//'' and continue to the end of the physical line. They cannot be continued across multiple physical lines; to have one logical comment span multiple lines, each line must use the ``//'' pair. For example:
// This is the start of a comment. The next line // is a new comment, even though it is logically // part of the previous comment.Shell-style (or Perl-style, if you prefer) comments start with the character ``#'' (hash) and continue to the end of the physical line, like C++ comments. For example:
# This is the start of a comment. The next line # is a new comment, even though it is logically # part of the previous comment.
address_match_list = address_match_element; ...Address match lists are lists of elements. The elements can be any of the following:address_match_element = [!] ip_address|ip_prefix|acl_name|{address_match_list}
Elements can be negated with a leading ``!''.
When a given IP address or prefix is compared to an address match list, the list is traversed in order and the first match (regardless of negation) is used. The interpretation of a match depends on whether the list is being used for access control or as a topology.
When used as an access control list, a non-negated match allows access and a negated match denies access. If there is no match, access is denied. The clauses allow-query, allow-transfer and allow-update all use address match lists like this. Similarly, the listen-on clause can use negation to define local addresses which should not be used to accept name server connections.
When used with the topology clause, a non-negated match returns a distance based on its position on the list (the closer the match is to the start of the list, the shorter the distance is between it and the server). A negated match will be assigned the maximum distance from the server. If there is no match, the address will get a distance which is further than any non-negated list element, and closer than any negated element.
Because of the first-match aspect of the algorithm, an element that defines a subset of another element in the list should come before the broader element, regardless of whether either is negated. For example:
1.2.3/24; ! 1.2.3.13;In the above, the ``1.2.3.13'' element is completely useless, because the algorithm will match any lookup for ``1.2.3.13'' to the ``1.2.3/24'' element. To fix the problem, use:
! 1.2.3.13; 1.2.3/24In this example, ``1.2.3.13'' is blocked by the negation but all other ``1.2.3.'' hosts fall through.
The maximum value of size_spec is that of unsigned long integers on the machine. unlimited requests unlimited use, or the maximum available amount. default uses the limit that was in force when the server was started.
A number can optionally be followed by a scaling factor:
These scale by 1024, 10241024, and 102410241024 respectively.
Integer storage overflow is currently silently ignored during conversion of scaled values, resulting in values less than intended, possibly even negative. Using unlimited is the best way to safely set a really large number.
# Configure global options options { # file names are relative to this directory directory "/etc/inet/named.d"; };# Configure logging logging { category lame-servers { null; }; category cname { null; }; };
# Master for zone nemo.org (network 192.168.16/24) zone "nemo.org" in { type master; file "master/nemo.org"; # disallow dynamic updates from certain hosts on the network allow-update { ! 192.168.16.1; ! 192.168.16.2; 192.168.16/24 }; };
# Master for IN-ADDR.ARPA domain for 192.168.16.0 zone "16.168.192.in-addr.arpa" in { type master; file "master/192.168.16"; # disallow dynamic updates from certain hosts on the network allow-update { ! 192.168.16.1; ! 192.168.16.2; 192.168.16/24 }; };
# Slave for zone spartacus.com zone "spartacus.com" in { type slave; file "slave/spartacus.com"; masters { 10.0.0.53; }; };
# Master for local IN-ADDR.ARPA domain zone "0.0.127.in-addr.arpa" in { type master; file "master/127.0.0"; };
# Root cache hints zone "." in { type hint; file "root.cache"; };