The named Configuration File

The main configuration file for the named service is /etc/named.conf. Detailed configuration information is available in the named.conf(5) manual page and the BIND 9 Administrator Reference Manual.

Default Configuration

The following example comes from the default /etc/named.conf file that's installed with the bind package and which configures a caching-only name server:

options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file   "/var/named/data/named.secroots";
    recursing-file  "/var/named/data/named.recursing";
    allow-query { localnets; };
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

   pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";

};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Options Block

The options block defines the global server configuration options and sets defaults for other statements.

listen-on

Specifies the port on which named listens for queries.

directory

Specifies the default directory for zone files if a relative pathname is specified.

dump-file

Specifies where named dumps its cache if it crashes.

statistics-file

Specifies the output file for the rndc stats command.

memstatistics-file

Specifies the output file for named memory-usage statistics.

allow-query

Specifies which IP addresses might query the server. localnets specifies all locally attached networks.

recursion

Specifies whether the name server performs recursive queries.

dnssec-enable

Specifies whether to use secure DNS (DNSSEC).

dnssec-validation

Specifies whether the name server would validate replies from DNSSEC-enabled zones.

dnssec-lookaside

Specifies whether to enable DNSSEC Lookaside Validation (DLV) using the key in /etc/named.iscdlv.key defined by bindkeys-file.

Logging Block

The logging block activates the logging of messages to /var/named/data/named.run. The severity parameter controls the logging level, and the dynamic value means that this level can be controlled by using the rndc trace command.

Zone Block

The zone block specifies the initial set of root servers using a hint zone. This zone specifies that named consult /var/named/named.ca for the IP addresses of authoritative servers for the root domain (.).

Zone Definition Example

You can add definitions to the configuration file that are appropriate to the network environment. The following example defines settings for the service and the top-level definitions for zones:

include "/etc/rndc.key";

controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; }
};

zone "us.example.com" {
    type master;
    file "master-data";
    allow-update { key "rndc-key"; };
    notify yes;
};

zone "example.com" IN {
    type slave;
    file "sec/slave-data";
    allow-update { key "rndc-key"; };
    masters {10.1.32.1;};
};

zone "2.168.192.in-addr.arpa" IN {
    type master;
    file "reverse-192.168.2";
    allow-update { key “rndc-key”; };
    notify yes;
};

The include directive enables external files to be referenced so that sensitive data such as key hashes can be placed in a separate file with restricted permissions.

The controls block defines access information and the security requirements that are necessary to use the rndc command with the named server:

inet

Specifies which hosts can run rndc to control named. In this example, rndc must be run on the local host (127.0.0.1).

keys

Specifies the names of the keys that can be used. The example specifies using the key named rndc-key, which is defined in /etc/rndc.key. Keys authenticate various actions by named and are the primary method of controlling remote access and administration.

The zone blocks define the role of the server in different zones.

The following zone options are used:

type

Specifies that this system is the primary name server for the zone us.example.com and a backup server for example.com. 2.168.192.in-addr.arpa is a reverse zone for resolving IP addresses to host names. See Resource Records for Reverse-Name Resolution.

file

Specifies the path to the zone file relative to /var/named. The zone file for us.example.com is stored in /var/named/master-data and the transferred zone data for example.com is cached in /var/named/sec/slave-data.

allow-update

Specifies that a shared key must exist on both the primary and backup name servers for a zone transfer to take place from the primary to the backup. The following is an example record for a key in the /etc/rndc.key file:

key "rndc-key" {
    algorithm hmac-md5;
    secret "XQX8NmM41+RfbbSdcqOejg==";
};

You can use the rndc-confgen -a command to generate a key file.

notify

Specifies whether to notify the backup name servers when the zone information is updated.

masters

Specifies the primary name server for a backup name server.