12.3.1 /etc/named.conf

The main configuration file for named is /etc/named.conf, which contains settings for named and the top-level definitions for zones, for example:

include "/etc/rndc.key";

controls {
    inet allow { localhost; } keys { "rndc-key"; };
};

zone "us.mydom.com" {
    type master;
    file "master-data";
    allow-update { key "rndc-key"; };
    notify yes;
};

zone "mydom.com" IN {
    type slave;
    file "sec/slave-data";
    allow-update { key "rndc-key"; };
    masters {;};
};

zone "2.168.192.in-addr.arpa" IN {
    type master;
    file "reverse-192.168.2";
    allow-update { key "rndc-key"; };
    notify yes;
};

The include statement allows external files to be referenced so that potentially sensitive data such as key hashes can be placed in a separate file with restricted permissions.

The controls statement defines access information and the security requirements that are necessary to use the rndc command with the named server:

inet

Specifies which hosts can run rndc to control named. In this example, rndc must be run on the local host.

keys

Specifies the names of the keys that can be used. The example specifies using the key named rndc-key, which is defined in /etc/rndc.key. Keys authenticate various actions by named and are the primary method of controlling remote access and administration.

The zone statements define the role of the server in different zones.

The following zone options are used:

type

Specifies that this system is the master name server for the zone us.mydom.com and a slave server for mydom.com. 2.168.192.in-addr.arpa is a reverse zone for resolving IP addresses to host names. See Section 12.3.3, "About Resource Records for Reverse-name Resolution".

file

Specifies the path to the zone file relative to /var/named. The zone file for us.mydom.com is stored in /var/named/master-data and the transferred zone data for mydom.com is cached in /var/named/sec/slave-data.

allow-update

Specifies that a shared key must exist on both the master and a slave name server for a zone transfer to take place from the master to the slave. The following is an example record for a key in /etc/rndc.key:

key "rndc-key" {
    algorithm hmac-md5;
    secret "XQX8NmM41+RfbbSdcqOejg==";
};

You can use the rndc-confgen -a command to generate a key file.
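The following is an added example, not part of this guide or of BIND: it produces a key statement in the same format as the /etc/rndc.key record above, writes it to a file that is created with mode 0600 (the restricted permissions the include statement is meant to take advantage of), and reads it back. The function names, the use of hmac-sha256 in place of the hmac-md5 shown above, and the 256-bit secret size are this example's own choices; the key is generated with Python's secrets module rather than by rndc-confgen.

```python
import base64
import os
import re
import secrets
import stat
import tempfile

def make_key_statement(name="rndc-key", algorithm="hmac-sha256", nbits=256):
    """Build a `key` statement in the rndc.key format with a fresh random secret.

    Assumption: hmac-sha256 with a 256-bit secret; the guide's example uses hmac-md5.
    """
    secret = base64.b64encode(secrets.token_bytes(nbits // 8)).decode()
    return f'key "{name}" {{\n    algorithm {algorithm};\n    secret "{secret}";\n}};\n'

def write_private_file(path, content):
    """Create the file with mode 0600 from the start, so the secret is never
    world-readable even briefly; O_EXCL refuses to overwrite an existing key file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)

def is_private(path):
    """True when group and others have no permission bits at all on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

# Matches exactly the key statement layout produced by make_key_statement().
KEY_RE = re.compile(
    r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;'
)

def load_key(path):
    """Return (name, algorithm, secret bytes) from a key file in that layout."""
    with open(path) as fh:
        m = KEY_RE.search(fh.read())
    if not m:
        raise ValueError(f"{path}: no key statement found")
    return m.group(1), m.group(2), base64.b64decode(m.group(3))

def demo():
    """Generate a key file in a temporary directory and report what a
    deployment check would look at: name, algorithm, secret size, file mode."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "rndc.key")   # stands in for /etc/rndc.key
        write_private_file(path, make_key_statement())
        name, algorithm, secret = load_key(path)
        return {"name": name, "algorithm": algorithm,
                "secret_bits": len(secret) * 8, "private": is_private(path)}

if __name__ == "__main__":
    print(make_key_statement())
    print(demo())
```

The same key statement has to be present, byte for byte, in the key files of every server that is expected to accept it, which is why the file is created with a restrictive mode rather than fixed up with chmod afterwards.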

notify

Specifies whether to notify the slave name servers when the zone information is updated.

masters

Specifies the master name server for a slave name server.

The next example is taken from the default /etc/named.conf file that is installed with the bind package, which configures a caching-only name server.

options {
    listen-on port 53 {; };
    listen-on-v6 port 53 { ::1; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localnets; };
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

The options statement defines global server configuration options and sets defaults for other statements.

listen-on, listen-on-v6

The port on which named listens for queries.

directory

Specifies the default directory for zone files if a relative pathname is specified.

dump-file

Specifies where named dumps its cache if it crashes.

statistics-file

Specifies the output file for the rndc stats command.

memstatistics-file

Specifies the output file for named memory-usage statistics.

allow-query

Specifies which IP addresses may query the server. localnets specifies all locally attached networks.

recursion

Specifies whether the name server performs recursive queries.

dnssec-enable

Specifies whether to use secure DNS (DNSSEC).

dnssec-validation

Whether the name server should validate replies from DNSSEC-enabled zones.

dnssec-lookaside

Whether to enable DNSSEC Lookaside Validation (DLV) using the key in /etc/named.iscdlv.key defined by bindkeys-file.

The logging section enables logging of messages to /var/named/data/named.run. The severity parameter controls the logging level, and the dynamic value means that this level can be controlled by using the rndc trace command.

The zone section specifies the initial set of root servers using a hint zone. This zone specifies that named should consult /var/named/named.ca for the IP addresses of authoritative servers for the root domain (.).
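The following is an added example, not part of this guide or of the BIND distribution: a small parser for the named.conf statement syntax used in both examples above (keyword, arguments, optional { } blocks, a terminating semicolon, and //, # or /* */ comments), with a few checks over the settings the two examples document: the controls statement's host list and keys clause, allow-update on zones, and recursion, allow-query and dnssec-validation in options. It also resolves each zone's file relative to the directory option, as described for the file option above, and lists include statements. The two configurations it runs against are constructed for this example; the weak one is not from the guide, and the hardened one is modelled on the guide's examples with a loopback address filled in where the guide omits one.

```python
import os
import re
from dataclasses import dataclass

# Token classes: skipped material (whitespace and //, # or /* */ comments),
# quoted strings, the structural characters { } ; and bare words.
TOKEN_RE = re.compile(r'\s+|//[^\n]*|#[^\n]*|/\*.*?\*/|"[^"]*"|[{};]|[^\s{};"]+', re.DOTALL)
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

@dataclass
class Stmt:
    words: list    # keyword and bare arguments, quotes removed
    blocks: list   # one list of Stmt per { ... } that appears in the statement

    def first_block(self):
        return self.blocks[0] if self.blocks else []

def tokenize(text):
    out = []
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        if tok.isspace() or tok.startswith(("//", "#", "/*")):
            continue
        out.append(tok[1:-1] if tok.startswith('"') else tok)
    return out

def parse(tokens, pos=0, depth=0):
    """Return (statements, next position); a bare ';' inside { } is an empty element."""
    stmts, cur = [], Stmt([], [])
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            body, pos = parse(tokens, pos, depth + 1)
            cur.blocks.append(body)
            continue
        if tok not in (";", "}"):
            cur.words.append(tok)
            continue
        if cur.words or cur.blocks:       # ';' ends a statement; '}' also closes the block
            stmts.append(cur)
        cur = Stmt([], [])
        if tok == "}":
            if depth == 0:
                raise ValueError("unbalanced '}'")
            return stmts, pos
    if depth:
        raise ValueError("missing '}'")
    if cur.words or cur.blocks:
        stmts.append(cur)
    return stmts, pos

def _find(stmts, keyword):
    return [s for s in stmts if s.words and s.words[0] == keyword]

def _values(stmt):
    """Words inside the statement's first block, e.g. {'any'} for allow-query { any; }."""
    return {w for s in stmt.first_block() for w in s.words}

def _setting(stmts, keyword, default):
    found = _find(stmts, keyword)
    return found[-1].words[1] if found and len(found[-1].words) > 1 else default

def audit(text):
    """Findings for the settings this section documents; an empty list means none."""
    findings = []
    top, _ = parse(tokenize(text))
    options = _find(top, "options")
    opts = options[-1].first_block() if options else []
    aq = _find(opts, "allow-query")
    allow_query = _values(aq[-1]) if aq else {"localnets", "localhost"}   # BIND's default
    if _setting(opts, "recursion", "yes") == "yes" and "any" in allow_query:   # recursion defaults to yes
        findings.append("options: recursion yes with allow-query { any; } makes this an open resolver")
    if _setting(opts, "dnssec-validation", "") == "no":
        findings.append("options: dnssec-validation is explicitly disabled")
    for ctl in _find(top, "controls"):
        for inet in _find(ctl.first_block(), "inet"):
            hosts = _values(inet) if "allow" in inet.words else set()   # the allow { } list comes first
            if hosts - LOOPBACK:
                findings.append(f"controls: rndc accepted from {sorted(hosts - LOOPBACK)}, not just loopback")
            if "keys" not in inet.words:
                findings.append("controls: inet clause without keys, so rndc connections are unauthenticated")
    for zone in _find(top, "zone"):
        if any("any" in _values(u) for u in _find(zone.first_block(), "allow-update")):
            findings.append(f"zone {zone.words[1]}: allow-update {{ any; }} accepts unauthenticated updates")
    return findings

def zone_files(text, default_dir="/var/named"):
    """Map zone name -> zone file, resolving relative names against options.directory."""
    top, _ = parse(tokenize(text))
    options = _find(top, "options")
    directory = _setting(options[-1].first_block() if options else [], "directory", default_dir)
    return {z.words[1]: os.path.join(directory, f.words[1])
            for z in _find(top, "zone") for f in _find(z.first_block(), "file")}

def includes(text):
    return [s.words[1] for s in _find(parse(tokenize(text))[0], "include") if len(s.words) > 1]

# Constructed sample (not from the guide): rndc open to the network and unauthenticated,
# an open recursive resolver, validation off, and updates accepted from anyone.
WEAK_CONF = """
controls { inet * allow { any; }; };   // no keys clause, reachable from any address
options { allow-query { any; }; recursion yes; dnssec-validation no; };
zone "us.mydom.com" IN { type master; file "master-data"; allow-update { any; }; };
"""

# Constructed sample modelled on the guide's examples; 127.0.0.1 is filled in by this example.
HARDENED_CONF = """
include "/etc/rndc.key";
controls { inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; }; };
options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; };
    allow-query { localnets; };   # locally attached networks only
    recursion yes;
    dnssec-validation yes;
};
zone "us.mydom.com" IN { type master; file "master-data"; allow-update { key "rndc-key"; }; notify yes; };
zone "." IN { type hint; file "named.ca"; };
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"], zone_files(conf), includes(conf))
```

The parser keeps every { } block of a statement in order, so the controls statement's `allow { ... }` and `keys { ... }` lists stay attached to the same inet clause, and `{; }` (a block with no addresses, as in the listen-on line above) parses as an empty list rather than an error. The checks read only what is written in the file; named's own defaults for unset options are applied only where the comments say so.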

For more information, see the named.conf(5) manual page and the BIND documentation in /usr/share/doc/bind-version/arm.