The main configuration file for named
is
/etc/named.conf
, which contains settings for named
and the top-level definitions for zones, for example:
include "/etc/rndc.key"; controls { inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; } }; zone "us.mydom.com" { type master; file "master-data"; allow-update { key "rndc-key"; }; notify yes; }; zone "mydom.com" IN { type slave; file "sec/slave-data"; allow-update { key "rndc-key"; }; masters {10.1.32.1;}; }; zone "2.168.192.in-addr.arpa" IN { type master; file "reverse-192.168.2"; allow-update { key “rndc-key”; }; notify yes; };
The include
statement allows external files to be referenced so that
potentially sensitive data such as key hashes can be placed in a separate file with
restricted permissions.
The controls
statement defines access information and the security
requirements that are necessary to use the rndc command with the
named
server:
inet
Specifies which hosts can run rndc to control named. In this example, rndc must be run on the local host (127.0.0.1).
keys
Specifies the names of the keys that can be used. The example specifies using the key named
rndc-key
, which is defined in/etc/rndc.key
. Keys authenticate various actions bynamed
and are the primary method of controlling remote access and administration.
The zone
statements define the role of the server in different zones.
The following zone options are used:
type
Specifies that this system is the master name server for the zone
us.mydom.com
and a slave server formydom.com
.2.168.192.in-addr.arpa
is a reverse zone for resolving IP addresses to host names. See Section 12.3.3, “About Resource Records for Reverse-name Resolution ”.file
Specifies the path to the zone file relative to
/var/named
. The zone file forus.mydom.com
is stored in/var/named/master-data
and the transferred zone data formydom.com
is cached in/var/named/sec/slave-data
.allow-update
Specifies that a shared key must exist on both the master and a slave name server for a zone transfer to take place from the master to the slave. The following is an example record for a key in
/etc/rndc.key
:key "rndc-key" { algorithm hmac-md5; secret "XQX8NmM41+RfbbSdcqOejg=="; };
You can use the rndc-confgen -a command to generate a key file.
notify
Specifies whether to notify the slave name servers when the zone information is updated.
masters
Specifies the master name server for a slave name server.
The next example is taken from the default /etc/named.conf
file that
is installed with the bind
package, and which configures a caching-only
name server.
options { listen-on port 53 { 127.0.0.1; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { localnets; }; recursion yes; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";
The options
statement defines global server configuration options and
sets defaults for other statements.
listen-on
The port on which
named
listens for queries.directory
Specifies the default directory for zone files if a relative pathname is specified.
dump-file
Specifies where
named
dumps its cache if it crashes.statistics-file
Specifies the output file for the rndc stats command.
memstatistics-file
Specifies the output file for
named
memory-usage statistics.allow-query
Specifies which IP addresses may query the server.
localnets
specifies all locally attached networks.recursion
Specifies whether the name server performs recursive queries.
dnssec-enable
Specifies whether to use secure DNS (DNSSEC).
dnssec-validation
Whether the name server should validate replies from DNSSEC-enabled zones.
dnssec-lookaside
Whether to enable DNSSEC Lookaside Validation (DLV) using the key in
/etc/named.iscdlv.key
defined bybindkeys-file
.
The logging
section enables logging of messages to
/var/named/data/named.run
. The severity
parameter
controls the logging level, and the dynamic
value means that this level
can be controlled by using the rndc trace command.
The zone
section specifies the initial set of root servers using a
hint zone. This zone specifies that named
should consult
/var/named/named.ca
for the IP addresses of authoritative servers for
the root domain (.
).
For more information, see the named.conf(5)
manual page and the BIND
documentation in
/usr/share/doc/bind-
.version
/arm