named.conf(4CC)
NAME | OVERVIEW | DOCUMENTATION DEFINITIONS | ADDRESS MATCH LISTS | THE LOGGING STATEMENT | THE OPTIONS STATEMENT | THE ZONE STATEMENT | THE ACL STATEMENT | THE KEY STATEMENT | THE TRUSTED-KEYS STATEMENT | THE SERVER STATEMENT | THE CONTROLS STATEMENT | THE INCLUDE STATEMENT | EXAMPLES | FILES | ATTRIBUTES | SEE ALSO
NAME
-
named.conf- configuration
file for named(1M)
OVERVIEW
- logging
-
specifies what the server logs, and where the log messages are sent
- options
-
controls global server configuration options and sets defaults for other statements
- zone
-
defines a zone
- acl
-
defines a designated IP address matching list, for access control and other uses
- key
-
specifies key information for use in authentication and authorization
- trusted-keys
-
defines DNSSEC keys that are pre-configured in the server and implicitly trusted
- server
-
sets certain configuration options for individual remote servers
- controls
-
declares control channels to be used by the ndc utility
- include
-
includes another file
is more configurable than previous releases of BIND. There are entirely new areas of configuration, such as access control lists and categorized logging. Many options that previously applied to all zones can now be used selectively. These features, plus a consideration of future configuration needs led to the creation of a new configuration file format.
General Syntax
A configuration consists of two general features, statements and comments. All statements end with a semicolon. Many statements can contain substatements, which are each also terminated with a semicolon.
The following statements are supported:
The logging and options statements only occur once per configuration, the rest appear numerous times. Further detail on each statement is provided in individual sections below.
Comments appear anywhere that white space can appear in a BIND configuration file. To appeal to programmers of all kinds, comments can be written in C, C++, or shell/perl constructs.
C-style comments start with the two characters /* (slash, asterisk) and end with */ (asterisk, slash). Because they are entirely delimited with these characters, they can be used either to comment a portion of a line or multiple lines.
C-style comments cannot be nested. For example, the following is not valid because the entire comment ends with the first */:
/* This is the start of a comment. This is still part of the comment. /* This is an incorrect attempt at nesting a comment. */ This is no longer in any comment.*/
C++-style comments start with the two characters // (slash, slash) and continue to the end of the physical line. They cannot be continued across multiple physical lines. To have one logical comment span multiple lines, each line must use the // pair. For example:
// This is the start of a comment. The next line // is a new comment, even though it is logically // part of the previous comment.
Shell-style (or perl-style) comments start with the character # (hash / pound / number) and continue to the end of the physical line, in the same way as C++ comments. For example:
# This is the start of a comment. The next line # is a new comment, even though it is logically # part of the previous comment.
Caution - you cannot use the semicolon (;) character to start a comment as you would in a zone file. The semicolon indicates the end of a configuration statement, so whatever follows it is interpreted as the start of the next statement.
DOCUMENTATION DEFINITIONS
- acl_name
-
The name of an address_match_list as defined by the acl statement.
- address_match_list
-
A list of one or more ip_addr, ip_prefix, key_id, or acl_name elements, as described in the ADDRESS MATCH LISTS section.
- dotted-decimal
-
One or more integers valued from 0 to 255 separated only by dots ("."), such as 123, 45.67 or 89.123.45.67.
- domain_name
-
A quoted string is used as a DNS name, for example my.test.domain.
- path_name
-
A quoted string is used as a pathname, such as zones/master/my.test.domain.
- ip_addr
-
An IP address with exactly four elements in dotted-decimal notation.
- ip_port
-
An IP port number. The number is limited to between 0 and 65535, with values below 1024 typically restricted to root-owned processes. In some cases an asterisk (*) character can be used as a placeholder to select a random high-numbered port.
- ip_prefix
-
An IP network specified in dotted-decimal form, followed by a slash (/) and then the number of bits in the netmask. For example, 127/8 is the network 127.0.0.0 with netmask 255.0.0.0 and 1.2.3.0/28 is network 1.2.3.0 with netmask 255.255.255.240.
- key_name
-
A string representing the name of a shared key, to be used for transaction security.
- number
-
A non-negative integer with an entire range limited by the range of a C language signed integer (2,147,483,647 on a machine with 32 bit integers). Its acceptable value might be limited further by the context in which it is used.
- size_spec
-
A number, the word unlimited, or the word default.
The maximum value of size_spec is that of unsigned long integers on the machine. unlimited requests unlimited use, or the maximum available amount. default uses the limit that was in force when the server was started.
A number can optionally be followed by a scaling factor: K or k for kilobytes, M or m for megabytes, and G or g for gigabytes, which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.
Integer storage overflow is currently silently ignored during conversion of scaled values, resulting in values less than intended, or negative values. Using unlimited is the best way to set a very large number safely.
- yes_or_no
-
Either yes or no. The words true and false are also accepted, as are the numbers 1 and 0.
Described below are elements used throughout the configuration file documentation. Elements only associated with one statement are described only in the section for that statement.
ADDRESS MATCH LISTS
address_match_list = 1*address_match_element
address_match_element = [ "!" ] ( address_match_list /
ip_address / ip_prefix /
acl_name / "key " key_id ) ";"
Definition and Usage
-
An ip-address (in dotted-decimal notation).
-
An ip-prefix (in the "/" notation).
-
A key_id, as defined by the key statement.
-
The name of an address match list previously defined with the acl statement.
-
Or another address match list.
Address match lists are primarily used to determine access control for various server operations. They are also used to define priorities for querying other name servers and to set the addresses on which named listens for queries. The elements that constitute an address match list can be any of the following:
Elements can be negated with a leading exclamation mark (!), and the match list names any, none, localhost and localnets are predefined. More information on those names can be found in the description of the acl statement.
The addition of the key clause made the name of this syntactic element something of a misnomer, since security keys can be used to validate access without regard to a host or network address. Nonetheless, the term "address match list" is still used throughout the documentation.
When a given IP address or prefix is compared to an address match list, the list is traversed in order until an element matches. The interpretation of a match depends on whether the list is being used for access control, defining listen-on ports, or as a topology, and whether the element was negated.
When used as an access control list, a non-negated match allows access and a negated match denies access. If there is no match at all in the list, access is denied. The clauses allow-query, allow-transfer, allow-update, allow-recursion, and blackhole all use address match lists of this type. Similarly, the listen-on option causes the server not to accept queries on any of the machine's addresses that do not match the list.
When used with the topology option, a non-negated match returns a distance based on its position in the list (the closer the match is to the start of the list, the shorter the distance is between it and the server). A negated match is assigned the maximum distance from the server. If there is no match, the address gets a distance further than any non-negated list element, and closer than any negated element.
An element that defines a subset of another element in the list should come before the broader element, regardless of either being negated. This is because of the first-match aspect of the algorithm. For example, in 1.2.3/24; !1.2.3.13, the 1.2.3.13 element is completely useless, because the algorithm matches any lookup for 1.2.3.13 to the 1.2.3/24 element. Using !1.2.3.13; 1.2.3/24 fixes that problem by having 1.2.3.13 blocked by the negation but all other 1.2.3.* hosts fall through.
THE LOGGING STATEMENT
logging {
[ channel channel_name {
( file path_name
[ versions ( number | unlimited ) ]
[ size size_spec ]
| syslog ( kern | user | mail | daemon | auth | syslog | lpr |
news | uucp | cron | authpriv | ftp |
local0 | local1 | local2 | local3 |
local4 | local5 | local6 | local7 )
| null );
[ severity ( critical | error | warning | notice |
info | debug [ level ] | dynamic ); ]
[ print-category yes_or_no; ]
[ print-severity yes_or_no; ]
[ print-time yes_or_no; ]
}; ]
[ category category_name {
channel_name; [ channel_name; ... ]
}; ]
...
};
Definition and Usage
The logging statement configures a wide variety of logging options for the nameserver. Its channel phrase associates output methods, format options and severity levels with a name that can then be used with the category phrase to select how various classes of messages are logged.
Only one logging statement is used to define as many channels and categories as are required. If there are multiple logging statements in a configuration, the first defined determines the logging, and warnings are issued for the others. If there is no logging statement, the logging configuration is:
logging {
category default { default_syslog; default_debug; };
category panic { default_syslog; default_stderr; };
category packet { default_debug; };
category eventlib { default_debug; };
};
The logging configuration is established as soon as the logging statement is parsed. If you want to redirect messages about processing of the entire configuration file, the logging statement must appear first. Even if you do not redirect configuration file parsing messages, we recommend always putting the logging statement first so that this rule need not be consciously recalled if you ever do need to relocate the parser's messages.
The Channel Phrase
All log output goes to one or more channels. You can make as many channels as you want.
Each channel definition must include a clause that says whether messages selected for the channel go to a file, to a particular syslog facility, or are discarded. Optionally, it can also limit the message severity level that is accepted by the channel (default is info), and choose whether to include a time stamp generated by named, the category name, or the severity level. The default is to include none of the above three elements.
The word null as the destination option for the channel causes all messages sent to it to be discarded. Other options for the channel are meaningless.
The file clause can include the limits of both how large the file is allowed to become, and of how many versions of the file are saved each time the file is opened.
The size option for files is a hard ceiling on log growth. If the file ever exceeds the size, then named writes nothing more to it until the file is reopened. Exceeding the size does not automatically trigger reopening. The default behavior is not to limit the size of the file.
If you use the version option of the logfile, then named retains that many backup versions of the file by renaming them when opening. For example, if you choose to keep three old versions of the file lamers.log, then immediately before it is opened lamers.log.1 is renamed lamers.log.2, lamers.log.0 is renamed lamers.log.1, and lamers.log is renamed lamers.log.0. No rolled versions are kept by default and any existing log file is simply appended. The unlimited keyword is synonymous with 99 in current BIND releases. Example usage of size and versions options:
channel an_example_level {
file "lamers.log" versions 3 size 20m;
print-time yes;
print-category yes;
};
The argument for the syslog clause is a syslog facility described in the syslog(3) manual page. How syslogd handles messages sent to this facility is described in the syslog.conf(5) manual page. If you have a system that uses a very old version of syslog that only uses two arguments to the openlog() function, this clause is silently ignored.
The severity clause works like priorities in syslog, except that they can also be used if you are writing straight to a file rather than using syslog. Messages that are not at least of the severity level given are not selected for the channel. Messages of higher severity levels are accepted.
If you are using syslog, then the syslog.conf priorities also determine what eventually passes through. For example, defining a channel facility and severity as daemon and debug but only logging daemon.warning via syslog.conf causes messages of severity info and notice to be dropped. If the situation were reversed, with named writing messages of only warning or higher, then syslogd would print all messages it receives from the channel.
The server can supply extensive debugging information when it is in debugging mode. If the server's global debug level is greater than zero, then debugging mode is active. The global debug level is set either by starting the named server with the -d flag followed by a positive integer, or by sending the running server the SIGUSR1 signal (for example, by using ndc trace). The global debug level can be set to zero, and debugging mode turned off, by sending the server the SIGUSR2 signal (as with ndc notrace). All debugging messages in the server have a debug level, and higher debug levels give more detailed output. It is possible for channels to specify a specific debug severity, for example:
channel specific_debug_level {
file "foo";
severity debug 3;
};
The channel in the above example gets debugging output of level 3 or less any time the server is in debugging mode, regardless of the global debugging level. Channels with dynamic severity use the server's global level to determine what messages to print.
If print-time has been turned on, then the date and time are logged. print-time can be specified for a syslog channel, but is pointless because syslog also prints the date and time. If print-category is requested, the category of the message is logged as well. Finally, if print-severity is on, the severity level of the message is logged. The print-options can be used in any combination, and always printed in the following order: time, category, severity. Here is an example with all three print-options activated:
28-Apr-1997 15:05:32.863 default: notice: Ready to answer queries.
The four predefined channels that are used for default logging named are defined below. How they are used is described in the next section, The Category Phase.
channel default_syslog {
syslog daemon; # send to syslog's daemon facility
severity info; # only send priority info and higher
};
channel default_debug {
file "named.run"; # write to named.run in the working directory
# Note: stderr is used instead of "named.run"
# if the server is started with the -f option.
severity dynamic; # log at the server's current debug level
};
channel default_stderr { # writes to stderr
file "<stderr>"; # this is illustrative only; there's currently
# no way of specifying an internal file
# descriptor in the configuration language.
severity info; # only send priority info and higher
};
channel null {
null; # toss anything sent to this channel
};
Once a channel is defined, it cannot be redefined. You cannot therefore alter the built-in channels directly, but you can modify the default logging by pointing categories at channels you have defined.
The Category Phrase
There are a number of categories, so you can send the logs you want to see wherever you want, without seeing the logs you do not want. If you do not specify a list of channels for a category, log messages in that category are sent to the default category. If you do not specify a default category, the following ``default default'' is used:
category default { default_syslog; default_debug; };
For example, in order to log security events to a file, but also to keep the default logging behavior, you would specify the following:
channel my_security_channel {
file "my_security_file";
severity info;
};
category security { my_security_channel;
default_syslog; default_debug; };
To discard all messages in a category, specify the null channel:
category lame-servers { null; };
category cname { null; };
The following categories are available:
- default
-
The catch-all. Many things are still not classified into categories, and they all end up here. Also, if you do not specify any channels for a category, the default category is used. If you do not define the default category, the following definition is used: category default { default_syslog; default_debug; };
- config
-
High-level configuration file processing.
- parser
-
Low-level configuration file processing.
- queries
-
A short log message is generated for every query the server receives.
- lame-servers
-
Messages such as
Lame server on ...
- statistics
-
Statistics.
- panic
-
If the server has to shut itself down due to an internal problem, it logs the problem in this category, as well as in the category where the problem originated. If you do not define the panic category, the following definition is used:
category panic { default_syslog; default_stderr; }; - update
-
Dynamic updates.
- ncache
-
Negative caching.
- xfer-in
-
Zone transfers the server is receiving.
- xfer-out
-
Zone transfers the server is sending.
- db
-
All database operations.
- eventlib
-
Debugging info from the event system. Only one channel can be specified for this category, and it must be a file channel. If you do not define the eventlib category, the following definition is used:
category eventlib { default_debug; };
- packet
-
Dumps of received and sent packets. Only one channel can be specified for this category, and it must be a file channel. If you do not define the packet category, the following definition is used:
category packet { default_debug; };
- notify
-
The NOTIFY protocol.
- cname
-
Messages such as
... points to a CNAME
- security
-
Approved/unapproved requests.
- os
-
Operating system problems.
- insist
-
Internal consistency check failures.
- maintenance
-
Periodic maintenance events.
- load
-
Zone loading messages.
- response-checks
-
Messages arising from response checking, such as
Malformed response ...
,
wrong ans. name ...
,
unrelated additional info ...
,
invalid RR type ...
, and
bad referral ...
.
THE OPTIONS STATEMENT
options {
[ version version_string; ]
[ directory path_name; ]
[ named-xfer path_name; ]
[ dump-file path_name; ]
[ memstatistics-file path_name; ]
[ pid-file path_name; ]
[ statistics-file path_name; ]
[ auth-nxdomain yes_or_no; ]
[ deallocate-on-exit yes_or_no; ]
[ dialup yes_or_no; ]
[ fake-iquery yes_or_no; ]
[ fetch-glue yes_or_no; ]
[ has-old-clients yes_or_no; ]
[ host-statistics yes_or_no; ]
[ multiple-cnames yes_or_no; ]
[ notify yes_or_no; ]
[ recursion yes_or_no; ]
[ rfc2308-type1 yes_or_no; ]
[ use-id-pool yes_or_no; ]
[ treat-cr-as-space yes_or_no; ]
[ also-notify yes_or_no; ]
[ forward ( only | first ); ]
[ forwarders { [ in_addr ; [ in_addr ; ... ] ] }; ]
[ check-names ( master | slave | response ) ( warn | fail | ignore); ]
[ allow-query { address_match_list }; ]
[ allow-recursion { address_match_list }; ]
[ allow-transfer { address_match_list }; ]
[ blackhole { address_match_list }; ]
[ listen-on [ port ip_port ] { address_match_list }; ]
[ query-source [ address ( ip_addr | * ]
[ port ( ip_port | * ] ; ]
[ lame-ttl number; ]
[ max-transfer-time-in number; ]
[ max-ncache-ttl number; ]
[ min-roots number; ]
[ serial-queries number; ]
[ transfer-format ( one-answer | many-answers ); ]
[ transfers-in number; ]
[ transfers-out number; ]
[ transfers-per-ns number; ]
[ transfer-source ip_addr; ]
[ coresize size_spec ; ]
[ datasize size_spec ; ]
[ files size_spec ; ]
[ stacksize size_spec ; ]
[ cleaning-interval number; ]
[ heartbeat-interval number; ]
[ interface-interval number; ]
[ statistics-interval number; ]
[ topology { address_match_list }; ]
[ sortlist { address_match_list|fR }; ]
[ rrset-order { order_spec ; [ order_spec ; ... [ [ };
};
Definition and Usage
The options statement sets up global options to be used by . This statement appears only once in a configuration file. If more than one occurrence is found, the first occurrence determines the actual options used, and a warning is generated. If there is no options statement, an options block with each option set to its default is used.
Pathnames
- version
-
The version the server should report via the ndc command or via a query called version.bind in the chaos class. The default is the real version number of this server, but some server operators prefer the string.
- directory
-
The working directory of the server. Any non-absolute pathnames in the configuration file will be taken as relative to this directory. The default location for most server output files, for example, named.run, is this directory. If a directory is not specified, the working directory defaults to ".", the directory from which the server was started. The directory specified should be an absolute path.
- named-xfer
-
The pathname to the named-xfer program that the server uses for inbound zone transfers. If not specified, the default is system-dependent (for example, /usr/sbin/named-xfer).
- dump-file
-
The pathname of the file the server dumps the database to when it receives the SIGINT signal (as sent by ndc dumpdb ). If not specified, the default is named_dump.db.
- memstatistics-file
-
The pathname of the file the server writes memory usage statistics to on exit, if deallocate-on-exit is yes. If not specified, the default is named.memstats.
- pid-file
-
The pathname of the file to which the server writes its process ID. If not specified, the default is operating system dependent, but is usually /var/run/named.pid or /etc/named.pid. The pid-file is used by programs like ndc that want to send signals to the running nameserver.
- statistics-file
-
The pathname of the file to which the server appends statistics when it receives the SIGILL signal (from ndc stats). If not specified, the default is named.stats.
Boolean Options
- auth-nxdomain
-
If yes, then the AA bit is always set to NXDOMAIN responses, even if the server is not actually authoritative. The default is yes. Do not turn off auth-nxdomain unless you an expert-level user: older software does not function without it.
- deallocate-on-exit
-
If yes, then when the server exits it systemastically de-allocates every object it allocated, and then write a memory usage report to the memstatistics-file. The default is no, because it is faster to let the operating system clean up. deallocate-on-exit is useful for detecting memory leaks.
- dialup
-
If yes, then the server treats all zones as if they are performing zone transfers across a dial-on-demand dialup link, which can be brought up by traffic originating from this server. This has different effects according to zone type and concentrates zone maintenance so that it all happens in a short interval, once every heartbeat-interval and preferably during a single call. It also suppresses some of the normal zone maintenance traffic. The default is no. The dialup option is also be specified in the zone statement, in which case it overrides the dialup statement.
If the zone is a master, the server sends out NOTIFY requests to all the slaves. This triggers checks in the slave to ensure that the zone is up to date (providing it supports NOTIFY), allowing the slave to verify the zone while the call is up.
If the zone is a slave or a stub, the server suppresses the regular queries about the currentness of the zone and only perform them when the heartbeat-interval expires.
- fake-iquery
-
If yes, the server simulates the obsolete DNS query type IQUERY. The default is no.
- fetch-glue
-
If yes (the default), the server fetches (``glue'') resource records it does not have when constructing the additional data section of a response. fetch-glue no can be used in conjunction with recursion no to prevent the server's cache from growing or becoming corrupted (at the cost of requiring more work from the client).
- has-old-clients
-
Setting this option to yes is equivalent to setting the following options: authnxdomain yes ; and rfc2308-type1 no;. The has-old-clients option with auth-nxdomain and rfc2308-type1 is order-dependent.
- host-statistics
-
If yes, then statistics are kept for every host that the nameserver interacts with. The default is no. Note: turning on host-statistics can consume large amounts of memory.
- multiple-cnames
-
If yes, then multiple CNAME resource records are allowed for a domain name. The default is no. Allowing multiple CNAME records is against standards and is not recommended. Multiple CNAME support is available because previous versions of BIND allowed multiple CNAME records, and these records have been used for load balancing by a number of sites.
- notify
-
If yes (the default), DNS NOTIFY messages are sent when a zone for which the server is authoritative changes. The use of NOTIFY speeds convergence between the master and its slaves. Slave servers that receive a NOTIFY message and understand it contact the master server for the zone and check if a zone transfer is required. If a zome trasnfer is required the slave servers initiate it immediately. The notify option is specified in the zone statement, in which case it overrides notify in the options statement.
- recursion
-
If yes, and a DNS query requests recursion, the server attempts to do all the work required to answer the query. If recursion is not on, the server returns a referral to the client if it does not have the answer. The default is yes. See also fetch-glue above.
- rfc2308-type1
-
If yes, the server sends NS records along with the SOA record for negative answers. You need to set this to no if you have an old version of sendmail or if you are a forwarder for an old BIND server that cannot process negative answers containing both SOA and NS records. The correct fix is to upgrade the broken server or sendmail. The default is no.
- use-id-pool
-
If yes, the server keeps track of its own outstanding query IDs to avoid duplication and increase randomness. This results in 128KB more memory being consumed by the server. The default is no.
- treat-cr-as-space
-
If yes, the server treats CR characters the same way it treats a space or tab. This is necessary when loading zone files that were generated on an NT or DOS machine onto a UNIX system. The default is no.
Also-Notify
- also-notify
-
Defines a global list of IP addresses that also get sent NOTIFY messages whenever a fresh copy of the zone is loaded. This helps to ensure that copies of the zones quickly converge on "stealth" servers. If an also-notify list is given in a zone statement, it overrides also-notify in the options statement. When a zone notify statement is set to no, the IP addresses in the global also-notify list does not get sent NOTIFY messages for that zone. The default is an empty list (no global notification list).
Forwarding
- forward
-
This option is only meaningful if the forwarders list is not empty. A value of first, the default, causes the server to query the forwarders first, and if that does not answer the question the server then looks for the answer itself. If only is specified, the server only queries the forwarders.
- forwarders
-
Specifies the IP addresses to be used for forwarding. The default is an empty list (no forwarding).
The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external name servers. It can also be used to allow queries by servers that do not have direct access to the Internet, but which need to look up external names. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache.
Forwarding can also be configured on a per-zone basis, allowing for the global forwarding options to be overridden in a variety of ways. You can set particular zones to use different forwarders, to have different forward only/first behavior, or not to forward at all. See THE ZONE STATEMENT section for more information.
Future versions of provides a more powerful forwarding system. The syntax described above continues to be supported.
Name checking
- ignore
-
No checking is done.
- warn
-
Names are checked against their expected client contexts. Invalid names are logged, but processing continues normally.
- fail
-
Names are checked against their expected client contexts. Invalid names are logged, and the offending data is rejected.
The server can check domain names based upon their expected client contexts. For example, a domain name used as a hostname can be checked for compliance with the RFCs defining valid hostnames.
Three checking methods are available:
The server can check names in three areas: master zone files, slave zone files, and in response to queries the server has initiated. If check-names response fail has been specified, and answering the client's question would require sending an invalid name to the client, the server sends a REFUSED response code to the client.
The defaults are:
check-names master fail;
check-names slave warn;
check-names response ignore;
check-names is also specified in the zone statement, in which case it overrides check-names in the options statement. When used in a zone statement, the area is not specified (because it can be deduced from the zone type).
Access Control
- allow-query
-
Specifies which hosts are allowed to ask ordinary questions. allow-query can also be specified in the zone statement, in which case it overrides allow-query in the options statement. If not specified, the default is to allow queries from all hosts.
- allow-recursion
-
Specifies which hosts are allowed to ask recursive questions. allow-recursion can also be specified in the zone statement, in which case it overrides allow-recursion in the options statement. If not specified, the default is to allow recursive queries from all hosts.
- allow-transfer
-
Specifies which hosts are allowed to receive zone transfers from the server. allow-transfer can also be specified in the zone statement, in which case it overrides allow-transfer in the options statement. If not specified, the default is to allow transfers from all hosts.
- blackhole
-
Specifies a list of addresses from which the server does not accept queries or resolve queries. Queries from these addresses are not responded to.
Access to the server can be restricted based on the IP address of the requesting system or via shared secret keys. See ADDRESS MATCH LISTS for details on how to specify access criteria.
Interfaces
The interfaces and ports from which the server answers queries are specified using the listen-on option. listen-on takes an optional port, and an address match list. The server does listen on all interfaces allowed by the address match list. If a port is not specified, port 53 is used.
Multiple listen-on statements are allowed. For example:
listen-on { 5.6.7.8; };
listen-on port 1234 { !1.2.3.4; 1.2/16; };
The above example enables the nameserver on port 53 for the IP address 5.6.7.8, and on port 1234 of an address on the machine in net 1.2 that is not 1.2.3.4.
If no listen-on is specified, the server listens on port 53 on all interfaces.
Query Address
If the server does not know the answer to a question, it queries other name servers. query-source specifies the address and port used for such queries. If address is * or is omitted, a wildcard IP address (INADDR_ANY) is used. If port is * or is omitted, a random unprivileged port is used. The default is:
query-source address * port *;
Note -
query-source currently applies only to UDP queries. TCP queries always use a wildcard IP address and a random unprivileged port.
Zone Transfers
- max-transfer-time-in
-
Inbound zone transfers ( named-xfer processes) running longer than this number of minutes are terminated. The default is 120 minutes (2 hours).
- transfer-format
-
The server supports two zone transfer methods. one-answer uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is more efficient, but is only known to be understood by and patched versions of. The default is one-answer. transfer-format can be overridden on a per-server basis using the server statement.
- transfers-in
-
The maximum number of inbound zone transfers that can be running concurrently. The default value is 10. Increasing transfers-in speeds up the convergence of slave zones, but it also increases the load on the local system.
- transfers-out
-
This option is used in the future to limit the number of concurrent outbound zone transfers. It is checked for syntax, but is otherwise ignored.
- transfers-per-ns
-
The maximum number of inbound zone transfers ( named-xfer processes) that can be transferring concurrently from a given remote name server. The default value is 2. Increasing transfers-per-ns speeds up the convergence of slave zones, but it also increases the load on the remote name server. transfers-per-ns is overridden on a per-server basis using the transfers phrase of the server statement.
- transfer-source
-
transfer-source determines which local address is bound to the TCP connection used to fetch all inbound zones transferred by the server. If not set, it defaults to a system-controlled value, usually be the address of the interface closest to the remote end. If specified, this address must appear in the remote end's allow-transfer option for the zones being transferred. This statement sets the transfer-source for all zones, but can be overridden on a per-zone basis by including a transfer-source statement within the zone block in the configuration file.
Resource Limits
- coresize
-
The maximum size of a core dump. The default value is default.
- datasize
-
The maximum amount of data memory the server can use. The default value is default.
- files
-
The maximum number of files the server can have open concurrently. The default value is unlimited. Note that on some operating systems the server cannot set an unlimited value and cannot determine the maximum number of open files the microkernel can support. On such systems, choosing unlimited causes the server to use the larger of either rlim_max from getrlimit ( RLIMIT_NOFILE ) or the value returned by sysconf ( _SC_OPEN_MAX ). If the actual microkernel limit is larger than this value, use limit files to specify the limit explicitly.
- max-infr-log-size
-
The max-infr-log-size is used in a future release of the server to limit the size of the transaction log kept for Incremental Zone Transfer.
- stacksize
-
The maximum amount of stack memory the server can use. The default value is default.
The server's usage of many system resources can be limited. Some operating systems do not support all of the limits. On such systems, a warning is issued if the unsupported limit is used. Some operating systems do not support limiting resources, and on these systems the following message is logged:
set resource limits on this system
Scaled values are allowed when specifying resource limits. For example, 1G can be used instead of 1073741824 to specify a limit of one gigabyte. unlimited requests unlimited use, or the maximum available amount. default uses the limit that was in force when the server was started. See the definition of size_spec in the DOCUMENTATION DEFINITIONS section for more details.
Periodic Task Intervals
- cleaning-interval
-
The server removes expired resource records from the cache every cleaning-interval minutes. The default is 60 minutes. If set to 0, no periodic cleaning occurs.
- heartbeat-interval
-
The server performs zone maintenance tasks for all zones marked dialup yes whenever this interval expires. The default is 60 minutes. Reasonable values are up to 1 day (1440 minutes). If set to 0, no zone maintenance for these zones occurs.
- interface-interval
-
The server scans the network interface list every interface-interval minutes. The default is 60 minutes. If set to 0, interface scanning only occurs when the configuration file is loaded. After the scan, listeners are started on any new interfaces (provided they are allowed by the listen-on configuration). Listeners on interfaces that no longer exist are cleaned up.
- statistics-interval
-
Nameserver statistics are logged every statistics-interval minutes. The default is 60. If set to 0, no statistics are logged.
Topology
-
Each top-level list element is assigned a distance.
-
Non-negated elements get a distance based on their position in the list, where the closer the match is to the start of the list, the shorter the distance is between it and the server.
-
A negated match is assigned the maximum distance from the server.
-
If there is no match, the address is assigned a distance further than any non-negated list element, and closer than any negated element.
All other things being equal, when the server chooses a nameserver to query from a list of name servers, it selects the one that is topologically closest to itself. The topology statement takes an address match list and interprets it in a specific way, as follows:
topology {
10/8;
!1.2.3/24;
{ 1.2/16; 3/8; };
};
This example favours servers on network 10, followed by hosts on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the exception of hosts on network 1.2.3 (netmask 255.255.255.0), which is the least preferred.
The default topology is: topology { localhost; localnets; };
Resource Record sorting
-
Each top level statement in the sortlist must itself be an explicit address match list with one or two elements.
-
The first element of each top level list is checked against the source address of the query until a match is found. The first element can be an IP address, an IP prefix, an ACL name or a nested address match list.
-
Once the source address of the query has been matched:
-
if the top level statement contains only one element, the actual primitive element that matched the source address is used to select which address in the response moves to the beginning of the response
-
if the statement is a list of two elements, the second element is treated like the address match list in a topology statement
-
-
Each top level element is assigned a distance and the address in the response with the minimum distance is moved to the beginning of the response.
When returning multiple Resource Records (RRs), the nameserver normally returns them in Round Robin, that is, after each request the first RR is put to the end of the list. The order of RRs is not defined, so this should not cause any problems.
The client resolver code should rearrange the RRs as appropriate, that is, using any addresses on the local net in preference to other addresses. However, not all resolvers are able or correctly configured to do this.
When a client is using a local server, the sorting can be performed on the server, based on the client's address. This only requires configuring the name servers, not all the clients.
The sortlist statement takes an address match list and interprets it in an even more specific way than the topology statement, as follows:
In the following example, any queries received from any of the addresses of the host itself gets responses preferring addresses on any of the locally connected networks. Next most preferred are addresses on the 192.168.1/24 network, and after that either the 192.168.2/24 or 192.168.3/24 network with no preference shown between these two networks. Queries received from a host on the 192.168.1/24 network favour other addresses on that network to the 192.168.2/24 and 192.168.3/24 networks. Queries received from a host on the 192.168.4/24 or the 192.168.5/24 network prefers only other addresses on their directly connected networks.
sortlist {
{ localhost; // IF the local host
{ localnets; // THEN first fit on the
192.168.1/24; // following nets
{ 192,168.2/24; 192.168.3/24; }; }; };
{ 192.168.1/24; // IF on class C 192.168.1
{ 192.168.1/24; // THEN use .1, or .2 or .3
{ 192.168.2/24; 192.168.3/24; }; }; };
{ 192.168.2/24; // IF on class C 192.168.2
{ 192.168.2/24; // THEN use .2, or .1 or .3
{ 192.168.1/24; 192.168.3/24; }; }; };
{ 192.168.3/24; // IF on class C 192.168.3
{ 192.168.3/24; // THEN use .3, or .1 or .2
{ 192.168.1/24; 192.168.2/24; }; }; };
{ { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
};
};
The following example produces reasonable behavior for the local host and hosts on directly connected networks. It is similar to the behavior of the address sorting in . Responses sent to queries from the local host favours any of the directly connected networks. Responses sent to queries from any other hosts on a directly connected network prefers addresses on that same network. Responses to other queries are not sorted.
sortlist {
{ localhost; localnets; };
{ localnets; };
};
RRset Ordering
- fixed
-
Records are returned in the order they are defined in the zone file.
- random
-
Records are returned in random order.
- cyclic
-
Records are returned in a round-robin order.
When multiple records are returned in an answer, it is useful to configure the order in which the records are placed into the response. For example, the records for a zone might be configured to always be returned in the order they are defined in the zone file. Alternatively, a user might require a random shuffle of the records as they are returned. The rrset-order statement permits configuration of the ordering made of the records in a multiple record response. The default, if no ordering is defined, is a cyclic ordering (round robin).
An order_spec is defined as follows:
[ class class_name ][ type type_name ][ name "FQDN" ] order ordering
If no class is specified, the default is ANY. If no Ictype is specified, the default is ANY. If no name is specified, the default is "*".
The legal values for ordering are:
For example:
rrset-order {
class IN type A name "rc.vix.com" order random;
order cyclic;
};
This example causes any responses for type A records in class IN that have rc.vix.com as a suffix, to always be returned in random order. All other records are returned in cyclic order.
If multiple rrset-order statements appear, they are not combined - the last one applies.
If no rrset-order statement is specified, the following default is used:
rrset-order { class ANY type ANY name "*" order cyclic ; };
Tuning
- lame-ttl
-
Sets the number of seconds to cache a lame server indication. 0 disables caching. Default is 600 (10 minutes). Maximum value is 1800 (30 minutes) .
- max-ncache-ttl
-
To reduce network traffic and increase performance the server stores negative answers. max-ncache-ttl is used to set a maximum retention time in seconds for these answers in the server. The default max-ncache-ttl is 10800 seconds (3 hours). max-ncache-ttl cannot exceed the maximum retention time for ordinary (positive) answers (7 days) and is silently truncated to 7 days if set to a value which is greater that 7 days.
- min-roots
-
The minimum number of root servers that is required for a request for the root servers to be accepted. Default is 2.
THE ZONE STATEMENT
zone domain_name [ ( in | hs | hesiod | chaos ) ] {
type master;
file path_name;
[ check-names ( warn | fail | ignore ); ]
[ allow-update { address_match_list }; ]
[ allow-query { address_match_list }; ]
[ allow-transfer { address_match_list }; ]
[ dialup yes_or_no; ]
[ notify yes_or_no; ]
[ also-notify { ip_addr; [ ip_addr; ... ] };
[ pubkey number number number string; ]
};
zone domain_name [ ( in | hs | hesiod | chaos ) ] {
type ( slave | stub );
[ file path_name; ]
masters [ port ip_port ] { ip_addr; [ ip_addr; ... ] };
[ check-names ( warn | fail | ignore ); ]
[ allow-update { address_match_list }; ]
[ allow-query { address_match_list }; ]
[ allow-transfer { address_match_list }; ]
[ transfer-source ip_addr; ]
[ max-transfer-time-in number; ]
[ notify yes_or_no; ]
[ also-notify { ip_addr; [ ip_addr; ... ] };
[ pubkey number number number string; ]
};
zone domain_name [ ( in | hs | hesiod | chaos ) ] {
type forward;
[ forward ( only | first ); ]
[ forwarders { [ ip_addr ; [ ip_addr ; ... ] ] }; ]
[ check-names ( warn | fail | ignore ); ]
};
zone "." [ ( in | hs | hesiod | chaos ) ] {
type hint;
file path_name;
[ check-names ( warn | fail | ignore ); ]
};
Definition and Usage
- master
-
The server has a master copy of the data for the zone and provides authoritative answers for it.
- slave
-
A slave zone is a replica of a master zone. The masters list specifies one or more IP addresses that the slave contacts to update its copy of the zone. If a port is specified, zone transfers and checks are performed on the given port to see whether the zone is current. If file is specified, the replica is written to the designated file. Use of the file clause is highly recommended, as it often speeds server startup and eliminates a needless waste of bandwidth.
- stub
-
A stub zone is like a slave zone, except that it replicates only the NS records of a master zone instead of the entire zone.
- forward
-
A forward zone is used to direct all queries in it to other servers, as described in THE OPTIONS STATEMENT section. The specification of options in such a zone overrides any global options declared in the options statement.
If either a no forwarders clause is present in the zone or an empty list for forwarders is given, then no forwarding is done for the zone, cancelling the effects of any forwarders in the options statement. Thus if you require to use this type of zone to change only the behavior of the global forward option, and not the servers used, then you also need to re-specify the global forwarders.
- hint
-
The initial set of root name servers is specified using a hint zone. When the server starts up, it uses the root hints to find a root nameserver and get the most recent list of root name servers.
The zone statement is used to define how information about particular DNS zones is managed by the server. There are five different zone types:
Note -
Previous releases of used the term primary for a master zone, secondary for a slave zone, and cache for a hint zone.
Classes
The zone's name is optionally followed by a class. If a class is not specified, class in (for "internet"), is assumed. This is correct for the majority of cases.
The hesiod class is for an information service from MIT's Project Athena. It is used to share information about various system databases, such as users, groups, printers and so on. More information can be found at ftp://athena- dist.mit.edu/pub/ATHENA/usenix/athena_changes.PS. The keyword hs is a synonym for hesiod.
Another MIT development is , a LAN protocol created in the mid-1970s. It is still sometimes seen on LISP stations and other hardware in the AI community, and zone data for it can be specified with the chaos class.
Options
- check-names
-
See the subsection on name checking in THE OPTIONS STATEMENT section.
- allow-query
-
See the description of allow-query in the Access Control subsection of THE OPTIONS STATEMENT section.
- allow-update
-
Specifies which hosts are allowed to submit Dynamic DNS updates to the server. The default is to deny updates from all hosts.
- allow-transfer
-
See the description of allow-transfer in the Access Control subsection of THE OPTIONS STATEMENT section.
- transfer-source
-
transfer-source determines which local addresses to bound to the TCP connection used to fetch this zone. If not set, it defaults to a system-controlled value, usually be the address of the interface ``closest to'' the remote end. This address must appear in the remote end's allow-transfer option for this zone if one is specified.
- max-transfer-time-in
-
See the description of max-transfer-time-in in the Zone Transfers subsection of THE OPTIONS STATEMENT section.
- dialup
-
See the description of dialup in the Boolean Options subsection of THE OPTIONS STATEMENT section.
- notify
-
See the description of notify in the Boolean Options subsection of THE OPTIONS STATEMENT section.
- also-notify
-
also-notify is only meaningful if notify is active for this zone. The set of machines that receives a DNS NOTIFY message for this zone is made up of all the listed name servers for the zone (other than the primary master) plus any IP addresses specified with also-notify. also-notify is not meaningful for stub zones. The default is an empty list.
- forward
-
forward is only meaningful if the zone has a forwarders list. The only value causes the lookup to fail after trying the forwarders and getting no answer, while first would allow a normal lookup to be tried.
- forwarders
-
The forwarders option in a zone is used to override the list of global forwarders. If it is not specified in a zone of type forward, no forwarding is performed for the zone. The global options are not used.
- pubkey
-
The DNSSEC flags, protocol, and algorithm are specified, as well as a base-64 encoded string representing the key.
THE ACL STATEMENT
acl name {
address_match_list
};
Definition and Usage
- any
-
Allows all hosts.
- none
-
Denies all hosts.
- localhost
-
Allows the IP addresses of all interfaces on the system.
- localnets
-
Allows any host on a network for which the system has an interface.
The acl statement creates a designated address match list. It gets its name from a primary use of address match lists: Access Control Lists (ACLs).
Note that an address match list's name must be defined with acl before it can be used elsewhere. No forward references are allowed.
The following ACLs are built-in:
THE KEY STATEMENT
key key_id {
algorithm algorithm_id;
secret secret_string;
};
Definition and Usage
The key statement defines a key ID which can be used in a server statement to associate a method of authentication with a particular name server that is more rigorous than simple IP address matching. A key ID must be created with the key statement before it can be used in a server definition or in an address match list.
The algorithm_id is a string that specifies a security/authentication algorithm. secret_string is the secret to be used by the algorithm, and is treated as a base-64 encoded string. Note: if you have secret_string in your named.conf, it should not be readable by anyone but the superuser.
THE TRUSTED-KEYS STATEMENT
trusted-keys {
[ domain_name flags protocol algorithm key; ]
};
Definition and Usage
The trusted-keys statement is for use with DNSSEC-style security, originally specified in RFC 2065. DNSSEC provides three distinct services: key distribution, data origin authentication, and transaction and request authentication. A complete description of DNSSEC and its use is beyond the scope of this document, and readers interested in more information should start with RFC 2065 and then continue with the Internet Drafts available at http://www.ietf.org/ids.by.wg/dnssec.html.
Each trusted key is associated with a domain name. Its attributes are the non-negative integral flags protocol, and algorithm, as well as a base-64 encoded string representing the key.
Any number of trusted keys can be specified.
THE SERVER STATEMENT
server ip_addr {
[ bogus yes_or_no; ]
[ transfers number; ]
[ transfer-format ( one-answer | many-answers ); ]
[ keys { key_id [ key_id ... ] }; ]
};
Definition and Usage
The server statement defines the characteristics to be associated with a remote name server.
If you discover that a server is giving out bad data, marking it as bogus prevenst further queries. The default value of bogus is no.
The server supports two zone transfer methods. The first, one-answer, uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is more efficient, but is only known to be understood by and patched versions of . You can specify which method to use for a server with the transfer-format option. If transfer-format is not specified, the transfer-format specified by the options statement is used.
The transfers are used in a future release of the server to limit the number of concurrent in-bound zone transfers from the server specified. It is checked for syntax but is otherwise ignored.
The keys clause is used to identify a key_id defined by the key statement, to be used for transaction security when talking to the remote server. The key statement must come before the server statement that references it.
The keys statement is intended for future use by the server. It is checked for syntax but is otherwise ignored.
THE CONTROLS STATEMENT
controls {
[ inet ip_addr
port ip_port
allow { address_match_list; }; ]
[ unix path_name
perm number
owner number
group number; ]
};
Definition and Usage
The controls statement declares control channels to be used by system administrators to affect the operation of the local name server. These control channels are used by the ndc utility to send commands to and retrieve non-DNS results from a name server.
A UNIX system control channel is a FIFO in the file system, and access to it is controlled by normal file system permissions. It is created by named with the specified file mode bits (see chmod(1)), user and group owner. Note that, unlike chmod, the mode bits specified for perm normally have a leading 0, therefore the number is interpreted as octal. Also note that the user and group ownership specified as owner and group must be given as numbers, not names. It is recommended that the permissions be restricted to administrative personnel only, otherwise any user on the system might be able to manage the local name server.
An inet control channel is a TCP/IP socket accessible to the Internet, created on the specified ip_port at the specified ip_addr. Modern telnet clients are capable of speaking directly to these sockets, and the control protocol is ARPAnet-style text. It is recommended that 127.0.0.1 be the only ip_addr used, and this only if you trust all non-privileged users on the local host to manage your name server.
THE INCLUDE STATEMENT
include path_name;
Definition and Usage
The include statement inserts the specified file at the point that the include statement is encountered.
Use include to break the configuration up into easily-managed chunks. For example:
include "/etc/security/keys.bind"; include "/etc/acls.bind";
This example could be used at the top of a BIND configuration file in order to include any ACL or key information.
Be careful not to type #include, as you would in a C program, because ``#'' is used to start a comment.
EXAMPLES
The simplest configuration file that is still realistically useful is one which simply defines a hint zone that has a full path to the root servers file.
zone "." in {
type hint;
file "/var/named/root.cache";
};
Here is a more typical real-world example:
/*
* A simple BIND 8 configuration
*/
logging {
category lame-servers { null; };
category cname { null; };
};
options {
directory "/var/named";
};
controls {
inet * port 52 allow { any; }; // a bad idea
unix "/var/run/ndc" perm 0600 owner 0 group 0; // the default
};
zone "isc.org" in {
type master;
file "master/isc.org";
};
zone "vix.com" in {
type slave;
file "slave/vix.com";
masters { 10.0.0.53; };
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "master/127.0.0";
};
zone "." in {
type hint;
file "root.cache";
};
FILES
The named configuration file.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|---|---|
| Interface Stability | Evolving |
SEE ALSO
ChorusOS 5.0 Last Revised December 2001NAME | OVERVIEW | DOCUMENTATION DEFINITIONS | ADDRESS MATCH LISTS | THE LOGGING STATEMENT | THE OPTIONS STATEMENT | THE ZONE STATEMENT | THE ACL STATEMENT | THE KEY STATEMENT | THE TRUSTED-KEYS STATEMENT | THE SERVER STATEMENT | THE CONTROLS STATEMENT | THE INCLUDE STATEMENT | EXAMPLES | FILES | ATTRIBUTES | SEE ALSO
- © 2010, Oracle Corporation and/or its affiliates