named.conf(4tcp)

named.conf -- BIND 8 configuration file for named

Description

In BIND 8, the default named(1Mtcp) configuration file, /etc/inet/named.boot, has been replaced by /etc/inet/named.conf. This file provides entirely new areas of configuration, such as access control lists and categorized logging. Many options that previously applied to all zones can now be used selectively. These features, plus a consideration of future configuration needs led to the creation of a new configuration file format.

The named-bootconf utility is provided to create a named.conf file from an existing named.boot file. As root, enter the following command to perform the conversion:

/usr/sbin/named-bootconf /etc/inet/named.boot > /etc/inet/named.conf

The configuration lines within a named.conf file consist of statements and comments. All statements must be terminated by a semicolon. Many statements contain a block of sub-statements, which are also terminated with a semicolon.

The following statements are supported:

acl defines a named IP address matching list, for access control and other uses
controls declares control channels to be used by the ndc(1Mtcp) command
include includes a file
key specifies key information for use in authentication and authorization
logging specifies what the server logs, and where the log messages are sent
options controls global server configuration options and sets defaults for other statements
server sets certain configuration options on a per-server basis
trusted-keys defines the trusted keys for use with DNSSEC-style security (see RFC 2065).
zone defines a zone

NOTE: The logging and options statements may only occur once per configuration.

Also see the following sections:

``Comments'' for a description of the format of comments in the configuration file
``Address match lists'' for a description of elements which are used to match addresses
``Generic syntactical elements'' for a description of other elements which are used throughout the sections of this manual page

The acl statement

acl name {
  address_match_list
};

The acl statement creates a named address match list. It gets its name from a primary use of address match lists: Access Control Lists (ACLs).

NOTE: An address match list's name must be defined with acl before it can be used elsewhere; no forward references are allowed.

The following ACLs are built-in:

any: allow all hosts
none: deny all hosts
localhost: allow the IP addresses of all interfaces on the system
localnets: allow any host on a network for which the system has an interface

The controls statement

controls {
  [ inet ip_addr
    port ip_port
    allow { address_match_list; }; ]
  [ unix path_name
    perm number
    owner number
    group number; ]
};

The controls statement declares control channels that can be used to affect the operation of the local name server. These control channels are used by the ndc(1Mtcp) utility to send commands to, and retrieve non-DNS results from, a name server.

A unix control channel is a UNIX domain socket corresponding to a file within a filesystem. Access to it is controlled by normal file system permissions. It is created by named(1Mtcp) with the specified file mode bits (see chmod(1)), owner, and group. Note that, unlike chmod , the mode bits specified for perm will normally have a leading ``0'' so that the number is interpreted as octal. Also note that the user and group ownership specified by owner and group must be given as numbers, not as names. It is recommended that the permissions be restricted to administrators only. Otherwise, any user on the system may be able to manage the local name server.

An inet control channel is a TCP/IP socket accessible to the Internet, created at the specified IP port, ip_port, on the specified IP address, ip_addr. Most modern telnet(1tcp) clients are capable of speaking directly to these sockets, and the control protocol is ARPAnet-style text. It is recommended that you only configure ``127.0.0.1'' as the ip_addr, and this only if you trust all non-privileged users on the local host to manage your name server.

The include statement

include path_name;

The include statement inserts the specified file at the point at which the include statement is encountered. It cannot be used within another statement, so a line such as the following is not allowed:

acl internal_hosts { "include internal_hosts.acl" }

Use include to break the configuration up into easily-managed chunks, for example:

include "/etc/security/keys.bind";
include "/etc/acls.bind";

This could be used at the top of a named configuration file in order to include any ACL or key information.

WARNING: Be careful not to enter #include as you would in a C program. ``#'' is one way of starting a comment.

The key statement

key key_id {
    algorithm algorithm_id;
    secret secret_string;
};

The key statement defines a key ID which can be used in a server statement to associate an authentication method with a particular name server.

A key ID must be created with the key statement before it can be used in a server definition.

The algorithm_id is a string that specifies a security/authentication algorithm. secret_string is the secret to be used by the algorithm.

The key statement is intended for future use by the server. It is checked for syntax but is otherwise ignored.

The logging statement

logging {
    [ channel channel_name {
        ( file path_name
        [ versions ( number | unlimited ) ]
        [ size size_spec ]
        | syslog ( kern | user | mail | daemon | auth |
                   syslog | lpr | news | uucp | cron |
                   authpriv | ftp | local0 | local1 |
                   local2 | local3 | local4 | local5 |
                   local6 | local7 )
        | null );

        [ severity ( critical | error | warning | notice | info |
                     debug [ level ] | dynamic ); ]
        [ print-category yes_or_no; ]
        [ print-severity yes_or_no; ]
        [ print-time yes_or_no; ]
    }; ]

    [ category category_name {
        channel_name; [ channel_name;...]
    }; ]
...
};

The logging statement configures a wide variety of logging options for the name server. Its channel phrase associates output methods, format options and severity levels with a name that can then be used with the category phrase to select how various classes of messages are logged.

Only one logging statement is used to define as many channels and categories as are wanted. If there are multiple logging statements in a configuration, the first defined determines the logging, and warnings are issued for the others. If there is no logging statement, the logging configuration will be:

logging {
    category default { default_syslog; default_debug; };
    category panic { default_syslog; default_stderr; };
    category packet { default_debug; };
    category eventlib { default_debug; };
};

The channel phrase

All log output goes to one or more ``channels''; you can make as many of them as you want.

Every channel definition must include a clause that says whether messages selected for the channel go to a file, to a particular syslog(3G) facility, or are discarded. It can optionally also limit the message severity level that will be accepted by the channel (default is info), and whether to include a named(1Mtcp) generated time stamp, the category name and/or severity level (default is not to include any).

The word null as the destination option for the channel will cause all messages sent to it to be discarded; other options for the channel are meaningless.

The file clause can include limitations both on how large the file is allowed to become, and how many versions of the file will be saved each time the file is opened.

The size option for files is simply a hard ceiling on log growth. If the file ever exceeds the size, then named will just not write anything more to it until the file is reopened; exceeding the size does not automatically trigger a reopen. The default behavior is to not limit the size of the file.

If you use the versions logfile option, then named will retain that many backup versions of the file by renaming them upon opening. For example, if you choose to keep three old versions of the file lamers.log then just before it is opened, lamers.log.1 is renamed to lamers.log.2, lamers.log.0 is renamed to lamers.log.1, and lamers.log is renamed to lamers.log.0. No rolled versions are kept by default. The unlimited keyword is synonymous with 99 in current BIND releases.

The argument for the syslog clause is a syslog facility as described on the syslog(3G) manual page. How syslogd will handle messages sent to this facility is described on the syslog.conf(4bsd) manual page. If you have a system which uses a very old version of syslog that only uses two arguments to the openlog function, then this clause is silently ignored.

The severity clause works like syslog's priorities, except that they can also be used if you are writing directly to a file rather than using syslog. Messages which are not at least of the severity level given will not be selected for the channel; messages of higher severity levels will be accepted.

If you are using syslog, then the syslog.conf priorities will also determine what eventually passes through. For example, defining a channel facility and severity as daemon and debug but only logging daemon.warning via syslog.conf will cause messages of severity info and notice to be dropped. If the situation were reversed, with named writing messages of only warning or higher, then syslogd would print all messages it received from the channel.

The server can supply extensive debugging information when it is in debugging mode. If the server's global debug level is greater than zero, then debugging mode will be active. The global debug level is set either by starting the server with the -d flag followed by a positive integer, or by using ndc trace (see ndc(1Mtcp)). The global debug level can be set to zero, and debugging mode turned off, by using ndc notrace. All debugging messages in the server have a debug level, and higher debug levels give more more detailed output. Channels can specify a specific debug severity, for example:

channel specific_debug_level {
    file "foo";
    severity debug 3;
};

In this example, the channel will get debugging output of level 3 or less any time the server is in debugging mode, regardless of the global debugging level. Channels with dynamic severity use the server's global level to determine what messages to print.

If print-time has been turned on, then the date and time will be logged. print-time may be specified for a syslog channel, but is usually pointless since syslog also prints the date and time. If print-category is requested, then the category of the message will be logged as well. Finally, if print-severity is on, then the severity level of the message will be logged. The print- options may be used in any combination, and will always be printed in the following order: time, category, severity. The following example output, is with all three print- options turned on:

28-Apr-1997 15:05:32.863 default: notice: Ready to answer queries.

There are four predefined channels that are used for named's default logging as follows. How they are used is described in The category phrase.

channel default_syslog {
    syslog daemon; # send to syslog's daemon facility
    severity info; # only send priority info and higher
};

channel default_debug {
    file "named.run"; # write to named.run in the working directory
    severity dynamic; # log at the server's current debug level
};

channel default_stderr { # writes to stderr
    file "<stderr>"; # this is illustrative only; there's currently
                     # no way of specifying an internal file
                     # descriptor in the configuration language.
    severity info;   # only send priority info and higher
};

channel null {
    null; # toss anything sent to this channel
};

Once a channel is defined, it cannot be redefined. Thus you cannot alter the built-in channels directly, but you can modify the default logging by pointing categories at channels you have defined.

The category phrase

There are many categories, so you can send the logs you want to see wherever you want, without seeing logs you do not want. If you do not specify a list of channels for a category, then log messages in that category will be sent to the default category instead. If you do not specify a default category, the following ``default default'' is used:

category default { default_syslog; default_debug; };

As an example, let us say you want to log security events to a file, but you also want keep the default logging behavior. You would specify the following:

channel my_security_channel {
    file "my_security_file";
    severity info;
};
category security { my_security_channel; default_syslog; default_debug; };

To discard all messages in a category, specify the null channel:

category lame-servers { null; };
category cname { null; };

The following categories are available:

default

The catch-all. Many things still are not classified into categories, and they all end up here. Also, if you do not specify any channels for a category, the default category is used instead. If you do not define the default category, the following definition is used:

category default { default_syslog; default_debug; };

config

High-level configuration file processing.

parser

Low-level configuration file processing.

queries

A short log message is generated for every query the server receives.

lame-servers

Messages like Lame server on...

statistics

Statistics.

panic

If the server has to shut itself down due to an internal problem, it will log the problem in this category as well as in the problem's native category. If you do not define the panic category, the following definition is used:

category panic { default_syslog; default_stderr; };

update

Dynamic updates.

ncache

Negative caching.

xfer-in

Zone transfers the server is receiving.

xfer-out

Zone transfers the server is sending.

db

All database operations.

eventlib

Debugging information from the event system. Only one channel may be specified for this category, and it must be a file channel. If you do not define the eventlib category, the following definition is used:

category eventlib { default_debug; };

packet

Dumps of packets received and sent. Only one channel may be specified for this category, and it must be a file channel. If you do not define the packet category, the following definition is used:

category packet { default_debug; };

notify

The NOTIFY protocol.

cname

Messages like ...points to a CNAME.

security

Approved/unapproved requests.

os

Operating system problems.

insist

Internal consistency check failures.

maintenance

Periodic maintenance events.

load

Zone loading messages.

response-checks

Messages arising from response checking, such as Malformed response..., wrong ans. name..., unrelated additional info..., invalid RR type..., and bad referral....

The options statement

options {
    [ directory path_name; ]
    [ named-xfer path_name; ]
    [ dump-file path_name; ]
    [ pid-file path_name; ]
    [ statistics-file path_name; ]
    [ auth-nxdomain yes_or_no; ]
    [ fake-iquery yes_or_no; ]
    [ fetch-glue yes_or_no; ]
    [ multiple-cnames yes_or_no; ]
    [ notify yes_or_no; ]
    [ recursion yes_or_no; ]
    [ forward ( only | first ); ]
    [ forwarders { [ in_addr ; [ in_addr ;...] ] }; ]
    [ check-names ( master | slave | response ) ( warn | fail | ignore); ]
    [ allow-query { address_match_list }; ]
    [ allow-transfer { address_match_list }; ]
    [ listen-on [ port ip_port ] { address_match_list }; ]
    [ query-source [ address ( ip_addr |  ) ] [ port ( ip_port |  ) ] ; ]
    [ max-transfer-time-in number; ]
    [ transfer-format ( one-answer | many-answers ); ]
    [ transfers-in  number; ]
    [ transfers-out number; ]
    [ transfers-per-ns number; ]
    [ coresize size_spec ; ]
    [ datasize size_spec ; ]
    [ files size_spec ; ]
    [ stacksize size_spec ; ]
    [ cleaning-interval number; ]
    [ interface-interval number; ]
    [ statistics-interval number; ]
    [ topology { address_match_list }; ]
};

The options statement sets up global options to be used by named. This statement may appear only once in a configuration file; if more than one occurrence is found, the first occurrence determines the actual options used, and a warning will be generated. If there is no options statement, an options block with each option set to its default will be used.

Pathnames

The following options define pathnames (path_name):

directory: The working directory of the server. Any non-absolute pathnames in the configuration file will be taken as relative to this directory. The default location for most server output files (for example, named.run) is this directory. If a directory is not specified, the working directory defaults to the directory from which the server was started. The directory specified should be an absolute path.
named-xfer: The pathname to the named-xfer(1Mtcp) program that the server uses for inbound zone transfers. If not specified, the default is operating system dependent: for example, /usr/sbin/named-xfer.
dump-file: The pathname of the file to which the server dumps the database when you run ndc dumpdb (see ndc(1Mtcp)). If not specified, the default is named_dump.db.
pid-file: The pathname of the file the server writes its process ID in. If not specified, the default is /etc/inet/named.pid. This file is used by programs like ndc that want to send signals to the running name server.
statistics-file: The pathname of the file to which the server appends statistics when you run ndc stats (see ndc(1Mtcp)). If not specified, the default is named.stats.

Boolean options

The following options take a boolean argument (yes_or_no):

auth-nxdomain: If ``yes'', then the AA bit is always set on NXDOMAIN responses, even if the server is not actually authoritative. The default is ``yes''. Do not turn off auth-nxdomain unless you are sure you know what you are doing, as some older software will not like it.
fake-iquery: If ``yes'', the server will simulate the obsolete DNS query type IQUERY. The default is ``no''.
fetch-glue: If ``yes'' (the default), the server will fetch ``glue'' resource records it does not have when constructing the additional data section of a response. fetch-glue no can be used in conjunction with recursion no to prevent the server's cache from growing or becoming corrupted (at the cost of requiring more work from the client).
multiple-cnames: If ``yes'', then multiple CNAME resource records will be allowed for a domain name. The default is ``no''. Allowing multiple CNAME records is against standards and is not recommended. Multiple CNAME support is available because previous versions of BIND allowed multiple CNAME records, and these records have been used for load balancing by a number of sites.
notify: If ``yes'' (the default), DNS NOTIFY messages are sent when a zone the server is authoritative for changes. The use of NOTIFY speeds convergence between the master and its slaves. Slave servers that receive a NOTIFY message and understand it wil contact the master server for the zone and see if they need to do a zone transfer, and if they do, they will initiate it immediately. The notify option may also be specified in the zone statement, in which case it overrides the options notify statement.
recursion: If ``yes'', and a DNS query requests recursion, then the server will attempt to do all the work required to answer the query. If recursion is not on, the server will return a referral to the client if it does not know the answer. The default is ``yes''. See also fetch-glue above.

Forwarding

The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external name servers. It can also be used to allow queries by servers that do not have direct access to the Internet, but wish to look up exterior names anyway. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache.

forward: This option is only meaningful if the forwarders list is not empty. A value of ``first'' (the default) causes the server to query the forwarders first, and if that does not answer the question the server will then look for the answer itself. If ``only'' is specified, the server will only query the forwarders.
forwarders: This specifies the IP addresses to be used for forwarding. The default is the empty list (no forwarding).

Future versions of BIND 8 will provide a more powerful forwarding system. The syntax described above will continue to be supported.

Name checking

The server can check domain names based upon their expected client contexts. For example, a domain name used as a hostname can be checked for compliance with the RFCs defining valid hostnames.

Three checking methods are available:

ignore: No checking is done.
warn: Names are checked against their expected client contexts. Invalid names are logged, but processing continues normally.
fail: Names are checked against their expected client contexts. Invalid names are logged, and the offending data is rejected.

The server can check names three areas: master zone files, slave zone files, and in responses to queries the server has initiated. If check-names response fail has been specified, and answering the client's question would require sending an invalid name to the client, the server will send a REFUSED response code to the client.

The defaults are:

check-names master fail;
check-names slave warn;
check-names response ignore;

check-names may also be specified in the zone statement, in which case it overrides the options check-names statement. When used in a zone statement, the area is not specified (because it can be deduced from the zone type).

Access control

Access to the server can be restricted based on the IP address of the requesting system. See ``Address match lists'' for details of how to specify IP address lists.

allow-query: This specifies which hosts are allowed to ask ordinary questions. allow-query may also be specified in the zone statement, in which case it overrides the options allow-query statement. If not specified, the default is to allow queries from all hosts.
allow-transfer: This specifies which hosts are allowed to receive zone transfers from the server. allow-transfer may also be specified in the zone statement, in which case it overrides the options allow-transfer statement. If not specified, the default is to allow transfers from all hosts.

Interfaces

The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes an optional port (ip_port), and an address match list, address_match_list. The server will listen on all interfaces allowed by the address match list. If a port is not specified, port 53 will be used.

Multiple listen-on statements are allowed. For example:

listen-on { 5.6.7.8; };
listen-on port 1234 { !1.2.3.4; 1.2/16; };

If listen-on is not specified, the server will listen on port 53 on all interfaces.

listen-on is used on systems that define many aliased IP addresses on one or more of their network interfaces. By default, named binds to all defined interface addresses. This means that it is possible for named to run out of file descriptors if the system hosts many virtual domains. It is only necessary to specify one IP address for each interface in addition to the loopback address, for example:

listen-on { 192.168.12.1; 127.0.0.1; };

Query address

If the server does not know the answer to a question, it will query other name servers. query-source specifies the address and port used for such queries. If address is ``

'' or is omitted, a wildcard IP address (INADDR_ANY) will be used. If port is ``

'' or is omitted, a random unprivileged port will be used. The default is:

query-source address * port *;

NOTE: query-source currently applies only to UDP queries; TCP queries always use a wildcard IP address and a random unprivileged port.

Zone transfers

The following options control the operation of zone transfers:

max-transfer-time-in: Inbound zone transfers (named-xfer processes; see named-xfer(1Mtcp)) running longer than this many minutes will be terminated. The default is 120 minutes.
transfer-format: The server supports two zone transfer methods. one-answer uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is more efficient, but is only known to be understood by BIND 8.1 and patched versions of BIND 4.9.5. The default is one-answer. transfer-format may be overridden on a per-server basis by the server statement.
transfers-in: The maximum number of inbound zone transfers that can be running concurrently. The default value is 10. Increasing transfers-in may speed up the convergence of slave zones, but it also may increase the load on the local system.
transfers-out: This option will be used in the future to limit the number of concurrent outbound zone transfers. It is checked for syntax, but is otherwise ignored.
transfers-per-ns: The maximum number of inbound zone transfers (named-xfer processes) that can be concurrently transferring from a given remote name server. The default value is 2. Increasing transfers-per-ns may speed up the convergence of slave zones, but it also may increase the load on the remote name server. transfers-per-ns may be overridden on a per-server basis by using the transfers phrase of the server statement.

Resource limits

The server's usage of many system resources can be limited. Some operating systems do not support some of the limits and a warning will be generated if an unsupported limit is set in the configuration file.

Scaled values are allowed when specifying resource limits. For example, ``1G'' can be used instead of ``1073741824'' to specify a limit of one gigabyte. unlimited requests unlimited use, or the maximum available amount. default uses the limit that was in force when the server was started. See ``Generic syntactical elements'' for more details.

coresize: The maximum size of a core dump. The default is default.
datasize: The maximum amount of data memory the server may use. The default is default.
files: The maximum number of files the server may have open concurrently. The default is unlimited.
stacksize: The maximum amount of stack memory the server may use. The default is default.

Periodic task intervals

The following options control operations that named performs on a period basis:

cleaning-interval: The server will remove expired resource records from the cache every cleaning-interval minutes. The default is 60 minutes. If set to 0, no periodic cleaning will occur.
interface-interval: The server will scan the network interface list every interface-interval minutes. The default is 60 minutes. If set to 0, interface scanning will only occur when the configuration file is loaded. After the scan, listeners will be started on any new interfaces (provided they are allowed by the listen-on configuration). Listeners on interfaces that have gone away will be cleaned up.
statistics-interval: Name server statistics will be logged every statistics-interval minutes. The default is 60. If set to 0, no statistics will be logged.

Topology

All other things being equal, when the server chooses a name server to query from a list of name servers, it prefers the one that is topologically closest to itself. The topology statement takes an address_match_list and interprets it in a special way. Each top-level list element is assigned a distance. Non-negated elements get a distance based on their position in the list, where the closer the match is to the start of the list, the shorter the distance is between it and the server. A negated match will be assigned the maximum distance from the server. If there is no match, the address will get a distance which is further than any non-negated list element, and closer than any negated element. For example:

topology {
    10/8;
    !1.2.3/24;
    { 1.2/16; 3/8; };
};

This topology prefers servers on network 10 the most, followed by hosts on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the exception of hosts on network 1.2.3 (netmask 255.255.255.0), which is preferred least of all.

The default topology is:

topology { localhost; localnets; };

The server statement

server ip_addr {
    [ bogus yes_or_no; ]
    [ transfers number; ]
    [ transfer-format ( one-answer | many-answers ); ]
    [ keys { key_id [key_id...] }; ]
};

The server statement defines the characteristics to be associated with a remote name server.

If you discover that a server is giving out bad data, marking it as bogus will prevent further queries to it. The default value of bogus is ``no''.

The server supports two zone transfer methods. The first, one-answer, uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is more efficient, but is only known to be understood by BIND 8.1 and patched versions of BIND 4.9.5. You can specify which method to use for a server with the transfer-format option. If transfer-format is not specified, the transfer-format specified by the options statement will be used.

The transfers will be used in a future release of the server to limit the number of concurrent in-bound zone transfers from the specified server. It is checked for syntax but is otherwise ignored.

The keys statement is intended for future use by the server. It is checked for syntax but is otherwise ignored.

The trusted-keys statement

trusted-keys {
    [ domain_name flags protocol algorithm keystring; ]
};

The trusted-keys statement defines the trusted keys for use with DNSSEC-style security within the specified domain. (DNSSEC provides three distinct services: key distribution, data origin authentication, and transaction and request authentication. See RFC 2065 for more information.)

The attributes of a trusted key are represented by the non-negative integer values flags, protocol, and algorithm, together with a base-64 encoded string that represents the key itself.

A trusted key may be defined in this way when a public key for a non-authoritative zone is known, but it cannot be obtained securely through DNS (as occurs when a signed zone is the child of an unsigned zone). Defining the trusted key here allows data signed by the zone to be considered secure.

The zone statement

zone domain_name [ ( in | hs | hesiod | chaos ) ] {
    type master;
    file path_name;
    [ check-names ( warn | fail | ignore ); ]
    [ allow-update { address_match_list }; ]
    [ allow-query { address_match_list }; ]
    [ allow-transfer { address_match_list }; ]
    [ notify yes_or_no; ]
    [ also-notify { ip_addr; [ ip_addr;...] };
};

zone domain_name [ ( in | hs | hesiod | chaos ) ] {
    type ( slave | stub );
    [ file path_name; ]
    masters { ip_addr; [ ip_addr;...] };
    [ check-names ( warn | fail | ignore ); ]
    [ allow-update { address_match_list }; ]
    [ allow-query { address_match_list }; ]
    [ allow-transfer { address_match_list }; ]
    [ max-transfer-time-in number; ]
    [ notify yes_or_no; ]
    [ also-notify { ip_addr; [ ip_addr;...] };
};

zone . [ ( in | hs | hesiod | chaos ) ] {
    type hint;
    file path_name;
    [ check-names ( warn | fail | ignore ); ]
};

Zone types

The following zone types may be defined:

master

The master copy of the data in a zone.

NOTE: Previous releases of BIND used the term ``primary'' for the master zone type.

slave

A slave zone is a replica of a master zone. The masters list specifies one or more IP addresses that the slave contacts to update its copy of the zone. If a file is specified, then the replica will be written to the file. Use of a file is recommended, since it often speeds server startup and eliminates a needless waste of bandwidth.

NOTE: Previous releases of BIND used the term ``secondary'' for the slave zone type.

stub

A stub zone is like a slave zone, except that it replicates only the NS records of a master zone instead of the entire zone.

hint

The initial set of root name servers is specified using a hint zone. When the server starts up, it uses the root hints in the named file to find a root name server and get the most recent list of root name servers.

NOTE: Previous releases of BIND used the term ``cache'' for the hints zone type.

Class

The zone's name may optionally be followed by a class. If a class is not specified, class in is used.

Options

The following options may be specifiable according to the zone type:

check-names: See ``Name checking''.
allow-query: See the description of allow-query in ``Access control''.
allow-update: Specifies which hosts are allowed to submit dynamic DNS updates to the server. The default is to deny updates from all hosts.
allow-transfer: See the description of allow-transfer in ``Access control''.
max-transfer-time-in: See the description of max-transfer-time-in in ``Zone transfers''.
notify: See the description of notify in ``Boolean options''.
also-notify: This option is only meaningful if notify is active for this zone. The set of machines that will receive a DNS NOTIFY message for this zone is made up of all the listed name servers for the zone (other than the primary master) plus any IP addresses specified with also-notify. also-notify is not meaningful for stub zones. The default is the empty list.

Comments

/* This is a BIND comment as in C */

// This is a BIND comment as in C++

# This is a BIND comment as in common Unix shells and perl

Comments may appear anywhere that whitespace may appear in a named configuration file.

C-style comments start with the two characters ``/'' and end with ``/''. Because they are completely delimited with these characters, they can be used to comment only a portion of a line or to span multiple lines.

C-style comments cannot be nested. For example, the following is not valid because the entire comment ends with the first ``/'':

/* This is the start of a comment.
   This is still part of the comment.
/* This is an incorrect attempt at nesting a comment. */
   This is no longer in any comment. */

C++-style comments start with the two characters ``//'' and continue to the end of the physical line. They cannot be continued across multiple physical lines; to have one logical comment span multiple lines, each line must use the ``//'' pair. For example:

// This is the start of a comment. The next line
// is a new comment, even though it is logically
// part of the previous comment.

Shell-style (or Perl-style, if you prefer) comments start with the character ``#'' (hash) and continue to the end of the physical line, like C++ comments. For example:

# This is the start of a comment. The next line
# is a new comment, even though it is logically
# part of the previous comment.

WARNING: You cannot use a semicolon (;) to start a comment such as you would in a zone file. The semicolon indicates the end of a configuration statement, so whatever follows it will be interpreted as the start of the next statement.

Address match lists

address_match_list = address_match_element; ...

address_match_element = [!] ip_address|ip_prefix|acl_name|{address_match_list}

Address match lists are lists of elements. The elements can be any of the following:

an IP address (in dotted-decimal notation)
an IP prefix (in network_address/netmask-length notation)
the name of an address match list previously defined with the acl statement
another IP address match list

The ACLs any, none, localhost and localnets are predefined. More information can be found in the description of the acl statement.

Elements can be negated with a leading ``!''.

When a given IP address or prefix is compared to an address match list, the list is traversed in order and the first match (regardless of negation) is used. The interpretation of a match depends on whether the list is being used for access control or as a topology.

When used as an access control list, a non-negated match allows access and a negated match denies access. If there is no match, access is denied. The clauses allow-query, allow-transfer and allow-update all use address match lists like this. Similarly, the listen-on clause can use negation to define local addresses which should not be used to accept name server connections.

When used with the topology clause, a non-negated match returns a distance based on its position on the list (the closer the match is to the start of the list, the shorter the distance is between it and the server). A negated match will be assigned the maximum distance from the server. If there is no match, the address will get a distance which is further than any non-negated list element, and closer than any negated element.

Because of the first-match aspect of the algorithm, an element that defines a subset of another element in the list should come before the broader element, regardless of whether either is negated. For example:

1.2.3/24; ! 1.2.3.13;

In the above, the ``1.2.3.13'' element is completely useless, because the algorithm will match any lookup for ``1.2.3.13'' to the ``1.2.3/24'' element. To fix the problem, use:

! 1.2.3.13; 1.2.3/24

In this example, ``1.2.3.13'' is blocked by the negation but all other ``1.2.3.

'' hosts fall through.

Generic syntactical elements

Described below are elements used throughout this manual page. Elements which are only associated with one statement are only described in the section describing that statement.

acl_name

The name of an address match list, as defined by the acl statement.

address_match_list

A list of one or more ip_address, ip_prefix or acl_name elements, as described in ``Address match lists''.

dotted-decimal

One or more integers valued 0 through 255 separated only by dots, such as ``123'' or ``45.67'' or ``89.123.45.67''.

domain_name

A quoted string which will be used as a DNS name, for example ``my.test.domain''.

path_name

A quoted string which will be used as a pathname, such as ``zones/master/my.test.domain''.

ip_addr

An IP address in with exactly four elements in dotted-decimal notation.

ip_port

An IP port number in the range 0 to 65535, with values below 1024 typically restricted to root-owned processes.

ip_prefix

An IP network specified in dotted-decimal form, followed by ``/'' and then the number of bits in the netmask. For example, ``127/8'' is the network 127.0.0.0 with netmask 255.0.0.0. ``1.2.3.0/24'' is network 1.2.3.0 with netmask 255.255.255.0.

number

A non-negative integer with an entire range limited by the range of a C language signed integer (2,147,483,647 on a machine with 32-bit integers). Its acceptable value might further be limited by the context in which it is used.

size_spec

A number, the keyword unlimited, or the keyword default.

The maximum value of size_spec is that of unsigned long integers on the machine. unlimited requests unlimited use, or the maximum available amount. default uses the limit that was in force when the server was started.

A number can optionally be followed by a scaling factor:

K or k for kilobytes
M or m for megabytes
G or g for gigabytes

These scale by 1024, 10241024, and 102410241024 respectively.

Integer storage overflow is currently silently ignored during conversion of scaled values, resulting in values less than intended, possibly even negative. Using unlimited is the best way to safely set a really large number.

yes_or_no

Either ``yes'' or ``no''. The words ``true'' and ``false'' are also accepted, as are the numbers ``1'' and ``0''.

Files

/etc/inet/named.conf: named configuration file in BIND 8

References

named(1Mtcp), named.boot(4tcp), named.hosts(4tcp), named.local(4tcp), named.rev(4tcp), ndc(1Mtcp), root.cache(4tcp)

Examples

The following named.conf file is an example of a simple configuration in which a name server is master (primary) for zone nemo.org and slave (secondary) for spartacus.com.

# Configure global options
options {
	# file names are relative to this directory
        directory "/etc/inet/named.d";
};

# Configure logging
logging {
        category lame-servers { null; };
        category cname { null; };
};

# Master for zone nemo.org (network 192.168.16/24)
zone "nemo.org" in {
        type master;
        file "master/nemo.org";
	# disallow dynamic updates from certain hosts on the network
	allow-update { ! 192.168.16.1; ! 192.168.16.2; 192.168.16/24 };
};

# Master for IN-ADDR.ARPA domain for 192.168.16.0
zone "16.168.192.in-addr.arpa" in {
        type master;
        file "master/192.168.16";
	# disallow dynamic updates from certain hosts on the network
	allow-update { ! 192.168.16.1; ! 192.168.16.2; 192.168.16/24 };
};

# Slave for zone spartacus.com
zone "spartacus.com" in {
        type slave;
        file "slave/spartacus.com";
        masters { 10.0.0.53; };
};

# Master for local IN-ADDR.ARPA domain
zone "0.0.127.in-addr.arpa" in {
        type master;
        file "master/127.0.0";
};

# Root cache hints
zone "." in {
        type hint;
        file "root.cache";
};