NAMED.CONF(5) BIND 9 NAMED.CONF(5)
NAME named.conf - configuration file for named
SYNOPSIS named.conf
DESCRIPTION named.conf is the configuration file for named. For complete documentation about the configuration statements, please refer to the Configuration Reference section in the BIND 9 Administrator Reference Manual. Statements are enclosed in braces and terminated with a semi-colon. Clauses in the statements are also semi-colon terminated. The usual comment styles are supported: C style: /* */ C++ style: // to end of line Unix style: # to end of line
In this rendering of the grammar the angle-bracketed argument placeholders (names, addresses, integers, booleans and so on) have been lost, so an empty slot such as the one before the brace in "acl { ; ... };" stands for a required argument; the reference manual gives the type of each argument. Because a key statement holds the shared secret itself, named.conf should be readable only by the account that named runs as.
acl { ; ... }; // may occur multiple times controls { inet ( | | * ) [ port ( | * ) ] allow { ; ... } [ keys { ; ... } ] [ read-only ]; // may occur multiple times unix perm owner group [ keys { ; ... } ] [ read-only ]; // may occur multiple times }; // may occur multiple times dlz { database ; search ; }; // may occur multiple times dnssec-policy { dnskey-ttl ; keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime algorithm [ ]; ... }; max-zone-ttl ; nsec3param [ iterations ] [ optout ] [ salt-length ]; parent-ds-ttl ; parent-propagation-delay ; parent-registration-delay ; // obsolete publish-safety ; purge-keys ; retire-safety ; signatures-refresh ; signatures-validity ; signatures-validity-dnskey ; zone-propagation-delay ; }; // may occur multiple times dyndb { }; // may occur multiple times http { endpoints { ; ... }; listener-clients ; streams-per-connection ; }; // may occur multiple times key { algorithm ; secret ; }; // may occur multiple times logging { category { ; ... }; // may occur multiple times channel { buffered ; file [ versions ( unlimited | ) ] [ size ] [ suffix ( increment | timestamp ) ]; null; print-category ; print-severity ; print-time ( iso8601 | iso8601-utc | local | ); severity ; stderr; syslog [ ]; }; // may occur multiple times }; managed-keys { ( static-key | initial-key | static-ds | initial-ds ) ; ... 
}; // may occur multiple times, deprecated options { allow-new-zones ; allow-notify { ; ... }; allow-query { ; ... }; allow-query-cache { ; ... }; allow-query-cache-on { ; ... }; allow-query-on { ; ... }; allow-recursion { ; ... }; allow-recursion-on { ; ... }; allow-transfer [ port ] [ transport ] { ; ... }; allow-update { ; ... }; allow-update-forwarding { ; ... }; also-notify [ port ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; alt-transfer-source ( | * ) ; // deprecated alt-transfer-source-v6 ( | * ) ; // deprecated answer-cookie ; attach-cache ; auth-nxdomain ; auto-dnssec ( allow | maintain | off ); // deprecated automatic-interface-scan ; avoid-v4-udp-ports { ; ... }; // deprecated avoid-v6-udp-ports { ; ... }; // deprecated bindkeys-file ; blackhole { ; ... }; catalog-zones { zone [ default-primaries [ port ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... } ] [ zone-directory ] [ in-memory ] [ min-update-interval ]; ... }; check-dup-records ( fail | warn | ignore ); check-integrity ; check-mx ( fail | warn | ignore ); check-mx-cname ( fail | warn | ignore ); check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times check-sibling ; check-spf ( warn | ignore ); check-srv-cname ( fail | warn | ignore ); check-wildcard ; clients-per-query ; cookie-algorithm ( aes | siphash24 ); cookie-secret ; // may occur multiple times coresize ( default | unlimited | ); // deprecated datasize ( default | unlimited | ); // deprecated deny-answer-addresses { ; ... } [ except-from { ; ... } ]; deny-answer-aliases { ; ... } [ except-from { ; ... } ]; dialup ( notify | notify-passive | passive | refresh | ); // deprecated directory ; disable-algorithms { ; ... }; // may occur multiple times disable-ds-digests { ; ... }; // may occur multiple times disable-empty-zone ; // may occur multiple times dns64 { break-dnssec ; clients { ; ... }; exclude { ; ... }; mapped { ; ... 
}; recursive-only ; suffix ; }; // may occur multiple times dns64-contact ; dns64-server ; dnskey-sig-validity ; dnsrps-enable ; // not configured dnsrps-options { }; // not configured dnssec-accept-expired ; dnssec-dnskey-kskonly ; dnssec-loadkeys-interval ; dnssec-must-be-secure ; // may occur multiple times, deprecated dnssec-policy ; dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); dnssec-validation ( yes | no | auto ); dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured dnstap-identity ( | none | hostname ); // not configured dnstap-output ( file | unix ) [ size ( unlimited | ) ] [ versions ( unlimited | ) ] [ suffix ( increment | timestamp ) ]; // not configured dnstap-version ( | none ); // not configured dscp ; // obsolete dual-stack-servers [ port ] { ( [ port ] | [ port ] | [ port ] ); ... }; dump-file ; edns-udp-size ; empty-contact ; empty-server ; empty-zones-enable ; fetch-quota-params ; fetches-per-server [ ( drop | fail ) ]; fetches-per-zone [ ( drop | fail ) ]; files ( default | unlimited | ); // deprecated flush-zones-on-shutdown ; forward ( first | only ); forwarders [ port ] { ( | ) [ port ]; ... }; fstrm-set-buffer-hint ; // not configured fstrm-set-flush-timeout ; // not configured fstrm-set-input-queue-size ; // not configured fstrm-set-output-notify-threshold ; // not configured fstrm-set-output-queue-model ( mpsc | spsc ); // not configured fstrm-set-output-queue-size ; // not configured fstrm-set-reopen-interval ; // not configured geoip-directory ( | none ); glue-cache ; // deprecated heartbeat-interval ; // deprecated hostname ( | none ); http-listener-clients ; http-port ; http-streams-per-connection ; https-port ; interface-interval ; ipv4only-contact ; ipv4only-enable ; ipv4only-server ; ixfr-from-differences ( primary | master | secondary | slave | ); keep-response-order { ; ... 
}; key-directory ; lame-ttl ; listen-on [ port ] [ tls ] [ http ] { ; ... }; // may occur multiple times listen-on-v6 [ port ] [ tls ] [ http ] { ; ... }; // may occur multiple times lmdb-mapsize ; lock-file ( | none ); managed-keys-directory ; masterfile-format ( raw | text ); masterfile-style ( full | relative ); match-mapped-addresses ; max-cache-size ( default | unlimited | | ); max-cache-ttl ; max-clients-per-query ; max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-ncache-ttl ; max-records ; max-recursion-depth ; max-recursion-queries ; max-refresh-time ; max-retry-time ; max-rsa-exponent-size ; max-stale-ttl ; max-transfer-idle-in ; max-transfer-idle-out ; max-transfer-time-in ; max-transfer-time-out ; max-udp-size ; max-zone-ttl ( unlimited | ); memstatistics ; memstatistics-file ; message-compression ; min-cache-ttl ; min-ncache-ttl ; min-refresh-time ; min-retry-time ; minimal-any ; minimal-responses ( no-auth | no-auth-recursive | ); multi-master ; new-zones-directory ; no-case-compress { ; ... }; nocookie-udp-size ; notify ( explicit | master-only | primary-only | ); notify-delay ; notify-rate ; notify-source ( | * ) ; notify-source-v6 ( | * ) ; notify-to-soa ; nsec3-test-zone ; // test only nta-lifetime ; nta-recheck ; nxdomain-redirect ; parental-source ( | * ) ; parental-source-v6 ( | * ) ; pid-file ( | none ); port ; preferred-glue ; prefetch [ ]; provide-ixfr ; qname-minimization ( strict | relaxed | disabled | off ); query-source [ address ] ( | * ); query-source-v6 [ address ] ( | * ); querylog ; random-device ( | none ); // obsolete rate-limit { all-per-second ; errors-per-second ; exempt-clients { ; ... 
}; ipv4-prefix-length ; ipv6-prefix-length ; log-only ; max-table-size ; min-table-size ; nodata-per-second ; nxdomains-per-second ; qps-scale ; referrals-per-second ; responses-per-second ; slip ; window ; }; recursing-file ; recursion ; recursive-clients ; request-expire ; request-ixfr ; request-nsid ; require-server-cookie ; reserved-sockets ; // deprecated resolver-nonbackoff-tries ; // deprecated resolver-query-timeout ; resolver-retry-interval ; // deprecated response-padding { ; ... } block-size ; response-policy { zone [ add-soa ] [ log ] [ max-policy-ttl ] [ min-update-interval ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only ) ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ]; ... } [ add-soa ] [ break-dnssec ] [ max-policy-ttl ] [ min-update-interval ] [ min-ns-dots ] [ nsip-wait-recurse ] [ nsdname-wait-recurse ] [ qname-wait-recurse ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ dnsrps-enable ] [ dnsrps-options { } ]; reuseport ; root-delegation-only [ exclude { ; ... } ]; // deprecated root-key-sentinel ; rrset-order { [ class ] [ type ] [ name ] ; ... }; secroots-file ; send-cookie ; serial-query-rate ; serial-update-method ( date | increment | unixtime ); server-id ( | none | hostname ); servfail-ttl ; session-keyalg ; session-keyfile ( | none ); session-keyname ; sig-signing-nodes ; sig-signing-signatures ; sig-signing-type ; sig-validity-interval [ ]; sortlist { ; ... 
}; stacksize ( default | unlimited | ); // deprecated stale-answer-client-timeout ( disabled | off | ); stale-answer-enable ; stale-answer-ttl ; stale-cache-enable ; stale-refresh-time ; startup-notify-rate ; statistics-file ; suppress-initial-notify ; // obsolete synth-from-dnssec ; tcp-advertised-timeout ; tcp-clients ; tcp-idle-timeout ; tcp-initial-timeout ; tcp-keepalive-timeout ; tcp-listen-queue ; tcp-receive-buffer ; tcp-send-buffer ; tkey-dhkey ; // deprecated tkey-domain ; tkey-gssapi-credential ; tkey-gssapi-keytab ; tls-port ; transfer-format ( many-answers | one-answer ); transfer-message-size ; transfer-source ( | * ) ; transfer-source-v6 ( | * ) ; transfers-in ; transfers-out ; transfers-per-ns ; trust-anchor-telemetry ; try-tcp-refresh ; udp-receive-buffer ; udp-send-buffer ; update-check-ksk ; update-quota ; use-alt-transfer-source ; // deprecated use-v4-udp-ports { ; ... }; // deprecated use-v6-udp-ports { ; ... }; // deprecated v6-bias ; validate-except { ; ... }; version ( | none ); zero-no-soa-ttl ; zero-no-soa-ttl-cache ; zone-statistics ( full | terse | none | ); }; parental-agents [ port ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; // may occur multiple times plugin ( query ) [ { } ]; // may occur multiple times primaries [ port ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; // may occur multiple times server { bogus ; edns ; edns-udp-size ; edns-version ; keys ; max-udp-size ; notify-source ( | * ) ; notify-source-v6 ( | * ) ; padding ; provide-ixfr ; query-source [ address ] ( | * ); query-source-v6 [ address ] ( | * ); request-expire ; request-ixfr ; request-nsid ; send-cookie ; tcp-keepalive ; tcp-only ; transfer-format ( many-answers | one-answer ); transfer-source ( | * ) ; transfer-source-v6 ( | * ) ; transfers ; }; // may occur multiple times statistics-channels { inet ( | | * ) [ port ( | * ) ] [ allow { ; ... 
} ]; // may occur multiple times }; // may occur multiple times tls { ca-file ; cert-file ; ciphers ; dhparam-file ; key-file ; prefer-server-ciphers ; protocols { ; ... }; remote-hostname ; session-tickets ; }; // may occur multiple times trust-anchors { ( static-key | initial-key | static-ds | initial-ds ) ; ... }; // may occur multiple times trusted-keys { ; ... }; // may occur multiple times, deprecated view [ ] { allow-new-zones ; allow-notify { ; ... }; allow-query { ; ... }; allow-query-cache { ; ... }; allow-query-cache-on { ; ... }; allow-query-on { ; ... }; allow-recursion { ; ... }; allow-recursion-on { ; ... }; allow-transfer [ port ] [ transport ] { ; ... }; allow-update { ; ... }; allow-update-forwarding { ; ... }; also-notify [ port ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; alt-transfer-source ( | * ) ; // deprecated alt-transfer-source-v6 ( | * ) ; // deprecated attach-cache ; auth-nxdomain ; auto-dnssec ( allow | maintain | off ); // deprecated catalog-zones { zone [ default-primaries [ port ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... } ] [ zone-directory ] [ in-memory ] [ min-update-interval ]; ... }; check-dup-records ( fail | warn | ignore ); check-integrity ; check-mx ( fail | warn | ignore ); check-mx-cname ( fail | warn | ignore ); check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times check-sibling ; check-spf ( warn | ignore ); check-srv-cname ( fail | warn | ignore ); check-wildcard ; clients-per-query ; deny-answer-addresses { ; ... } [ except-from { ; ... } ]; deny-answer-aliases { ; ... } [ except-from { ; ... } ]; dialup ( notify | notify-passive | passive | refresh | ); // deprecated disable-algorithms { ; ... }; // may occur multiple times disable-ds-digests { ; ... }; // may occur multiple times disable-empty-zone ; // may occur multiple times dlz { database ; search ; }; // may occur multiple times dns64 { break-dnssec ; clients { ; ... 
}; exclude { ; ... }; mapped { ; ... }; recursive-only ; suffix ; }; // may occur multiple times dns64-contact ; dns64-server ; dnskey-sig-validity ; dnsrps-enable ; // not configured dnsrps-options { }; // not configured dnssec-accept-expired ; dnssec-dnskey-kskonly ; dnssec-loadkeys-interval ; dnssec-must-be-secure ; // may occur multiple times, deprecated dnssec-policy ; dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); dnssec-validation ( yes | no | auto ); dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured dual-stack-servers [ port ] { ( [ port ] | [ port ] | [ port ] ); ... }; dyndb { }; // may occur multiple times edns-udp-size ; empty-contact ; empty-server ; empty-zones-enable ; fetch-quota-params ; fetches-per-server [ ( drop | fail ) ]; fetches-per-zone [ ( drop | fail ) ]; forward ( first | only ); forwarders [ port ] { ( | ) [ port ]; ... }; glue-cache ; // deprecated ipv4only-contact ; ipv4only-enable ; ipv4only-server ; ixfr-from-differences ( primary | master | secondary | slave | ); key { algorithm ; secret ; }; // may occur multiple times key-directory ; lame-ttl ; lmdb-mapsize ; managed-keys { ( static-key | initial-key | static-ds | initial-ds ) ; ... }; // may occur multiple times, deprecated masterfile-format ( raw | text ); masterfile-style ( full | relative ); match-clients { ; ... }; match-destinations { ; ... 
}; match-recursive-only ; max-cache-size ( default | unlimited | | ); max-cache-ttl ; max-clients-per-query ; max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-ncache-ttl ; max-records ; max-recursion-depth ; max-recursion-queries ; max-refresh-time ; max-retry-time ; max-stale-ttl ; max-transfer-idle-in ; max-transfer-idle-out ; max-transfer-time-in ; max-transfer-time-out ; max-udp-size ; max-zone-ttl ( unlimited | ); message-compression ; min-cache-ttl ; min-ncache-ttl ; min-refresh-time ; min-retry-time ; minimal-any ; minimal-responses ( no-auth | no-auth-recursive | ); multi-master ; new-zones-directory ; no-case-compress { ; ... }; nocookie-udp-size ; notify ( explicit | master-only | primary-only | ); notify-delay ; notify-source ( | * ) ; notify-source-v6 ( | * ) ; notify-to-soa ; nsec3-test-zone ; // test only nta-lifetime ; nta-recheck ; nxdomain-redirect ; parental-source ( | * ) ; parental-source-v6 ( | * ) ; plugin ( query ) [ { } ]; // may occur multiple times preferred-glue ; prefetch [ ]; provide-ixfr ; qname-minimization ( strict | relaxed | disabled | off ); query-source [ address ] ( | * ); query-source-v6 [ address ] ( | * ); rate-limit { all-per-second ; errors-per-second ; exempt-clients { ; ... }; ipv4-prefix-length ; ipv6-prefix-length ; log-only ; max-table-size ; min-table-size ; nodata-per-second ; nxdomains-per-second ; qps-scale ; referrals-per-second ; responses-per-second ; slip ; window ; }; recursion ; request-expire ; request-ixfr ; request-nsid ; require-server-cookie ; resolver-nonbackoff-tries ; // deprecated resolver-query-timeout ; resolver-retry-interval ; // deprecated response-padding { ; ... } block-size ; response-policy { zone [ add-soa ] [ log ] [ max-policy-ttl ] [ min-update-interval ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only ) ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ]; ... 
} [ add-soa ] [ break-dnssec ] [ max-policy-ttl ] [ min-update-interval ] [ min-ns-dots ] [ nsip-wait-recurse ] [ nsdname-wait-recurse ] [ qname-wait-recurse ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ dnsrps-enable ] [ dnsrps-options { } ]; root-delegation-only [ exclude { ; ... } ]; // deprecated root-key-sentinel ; rrset-order { [ class ] [ type ] [ name ] ; ... }; send-cookie ; serial-update-method ( date | increment | unixtime ); server { bogus ; edns ; edns-udp-size ; edns-version ; keys ; max-udp-size ; notify-source ( | * ) ; notify-source-v6 ( | * ) ; padding ; provide-ixfr ; query-source [ address ] ( | * ); query-source-v6 [ address ] ( | * ); request-expire ; request-ixfr ; request-nsid ; send-cookie ; tcp-keepalive ; tcp-only ; transfer-format ( many-answers | one-answer ); transfer-source ( | * ) ; transfer-source-v6 ( | * ) ; transfers ; }; // may occur multiple times servfail-ttl ; sig-signing-nodes ; sig-signing-signatures ; sig-signing-type ; sig-validity-interval [ ]; sortlist { ; ... }; stale-answer-client-timeout ( disabled | off | ); stale-answer-enable ; stale-answer-ttl ; stale-cache-enable ; stale-refresh-time ; suppress-initial-notify ; // obsolete synth-from-dnssec ; transfer-format ( many-answers | one-answer ); transfer-source ( | * ) ; transfer-source-v6 ( | * ) ; trust-anchor-telemetry ; trust-anchors { ( static-key | initial-key | static-ds | initial-ds ) ; ... }; // may occur multiple times trusted-keys { ; ... }; // may occur multiple times, deprecated try-tcp-refresh ; update-check-ksk ; use-alt-transfer-source ; // deprecated v6-bias ; validate-except { ; ... }; zero-no-soa-ttl ; zero-no-soa-ttl-cache ; zone-statistics ( full | terse | none | ); }; // may occur multiple times Any of these zone statements can also be set inside the view statement. zone [ ] { type primary; allow-query { ; ... }; allow-query-on { ; ... }; allow-transfer [ port ] [ transport ] { ; ... }; allow-update { ; ... 
}; also-notify [ port ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; alt-transfer-source ( | * ) ; // deprecated alt-transfer-source-v6 ( | * ) ; // deprecated auto-dnssec ( allow | maintain | off ); // deprecated check-dup-records ( fail | warn | ignore ); check-integrity ; check-mx ( fail | warn | ignore ); check-mx-cname ( fail | warn | ignore ); check-names ( fail | warn | ignore ); check-sibling ; check-spf ( warn | ignore ); check-srv-cname ( fail | warn | ignore ); check-wildcard ; database ; dialup ( notify | notify-passive | passive | refresh | ); // deprecated dlz ; dnskey-sig-validity ; dnssec-dnskey-kskonly ; dnssec-loadkeys-interval ; dnssec-policy ; dnssec-secure-to-insecure ; dnssec-update-mode ( maintain | no-resign ); file ; forward ( first | only ); forwarders [ port ] { ( | ) [ port ]; ... }; inline-signing ; ixfr-from-differences ; journal ; key-directory ; masterfile-format ( raw | text ); masterfile-style ( full | relative ); max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-records ; max-transfer-idle-out ; max-transfer-time-out ; max-zone-ttl ( unlimited | ); notify ( explicit | master-only | primary-only | ); notify-delay ; notify-source ( | * ) ; notify-source-v6 ( | * ) ; notify-to-soa ; nsec3-test-zone ; // test only parental-agents [ port ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; parental-source ( | * ) ; parental-source-v6 ( | * ) ; serial-update-method ( date | increment | unixtime ); sig-signing-nodes ; sig-signing-signatures ; sig-signing-type ; sig-validity-interval [ ]; update-check-ksk ; update-policy ( local | { ( deny | grant ) ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | krb5-subdomain-self-rhs | ms-self | ms-selfsub | ms-subdomain | ms-subdomain-self-rhs | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ ] ; ... 
} ); zero-no-soa-ttl ; zone-statistics ( full | terse | none | ); }; zone [ ] { type secondary; allow-notify { ; ... }; allow-query { ; ... }; allow-query-on { ; ... }; allow-transfer [ port ] [ transport ] { ; ... }; allow-update-forwarding { ; ... }; also-notify [ port ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; alt-transfer-source ( | * ) ; // deprecated alt-transfer-source-v6 ( | * ) ; // deprecated auto-dnssec ( allow | maintain | off ); // deprecated check-names ( fail | warn | ignore ); database ; dialup ( notify | notify-passive | passive | refresh | ); // deprecated dlz ; dnskey-sig-validity ; dnssec-dnskey-kskonly ; dnssec-loadkeys-interval ; dnssec-policy ; dnssec-update-mode ( maintain | no-resign ); file ; forward ( first | only ); forwarders [ port ] { ( | ) [ port ]; ... }; inline-signing ; ixfr-from-differences ; journal ; key-directory ; masterfile-format ( raw | text ); masterfile-style ( full | relative ); max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-records ; max-refresh-time ; max-retry-time ; max-transfer-idle-in ; max-transfer-idle-out ; max-transfer-time-in ; max-transfer-time-out ; min-refresh-time ; min-retry-time ; multi-master ; notify ( explicit | master-only | primary-only | ); notify-delay ; notify-source ( | * ) ; notify-source-v6 ( | * ) ; notify-to-soa ; nsec3-test-zone ; // test only parental-agents [ port ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; parental-source ( | * ) ; parental-source-v6 ( | * ) ; primaries [ port ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; request-expire ; request-ixfr ; sig-signing-nodes ; sig-signing-signatures ; sig-signing-type ; sig-validity-interval [ ]; transfer-source ( | * ) ; transfer-source-v6 ( | * ) ; try-tcp-refresh ; update-check-ksk ; use-alt-transfer-source ; // deprecated zero-no-soa-ttl ; zone-statistics ( full | terse | none | ); }; zone [ ] { type mirror; allow-notify { ; ... }; allow-query { ; ... 
}; allow-query-on { ; ... }; allow-transfer [ port ] [ transport ] { ; ... }; allow-update-forwarding { ; ... }; also-notify [ port ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; alt-transfer-source ( | * ) ; // deprecated alt-transfer-source-v6 ( | * ) ; // deprecated check-names ( fail | warn | ignore ); database ; file ; ixfr-from-differences ; journal ; masterfile-format ( raw | text ); masterfile-style ( full | relative ); max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-records ; max-refresh-time ; max-retry-time ; max-transfer-idle-in ; max-transfer-idle-out ; max-transfer-time-in ; max-transfer-time-out ; min-refresh-time ; min-retry-time ; multi-master ; notify ( explicit | master-only | primary-only | ); notify-delay ; notify-source ( | * ) ; notify-source-v6 ( | * ) ; primaries [ port ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; request-expire ; request-ixfr ; transfer-source ( | * ) ; transfer-source-v6 ( | * ) ; try-tcp-refresh ; use-alt-transfer-source ; // deprecated zero-no-soa-ttl ; zone-statistics ( full | terse | none | ); }; zone [ ] { type forward; delegation-only ; // deprecated forward ( first | only ); forwarders [ port ] { ( | ) [ port ]; ... }; }; zone [ ] { type hint; check-names ( fail | warn | ignore ); delegation-only ; // deprecated file ; }; zone [ ] { type redirect; allow-query { ; ... }; allow-query-on { ; ... }; dlz ; file ; masterfile-format ( raw | text ); masterfile-style ( full | relative ); max-records ; max-zone-ttl ( unlimited | ); primaries [ port ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; zone-statistics ( full | terse | none | ); }; zone [ ] { type static-stub; allow-query { ; ... }; allow-query-on { ; ... }; forward ( first | only ); forwarders [ port ] { ( | ) [ port ]; ... }; max-records ; server-addresses { ( | ); ... }; server-names { ; ... }; zone-statistics ( full | terse | none | ); }; zone [ ] { type stub; allow-query { ; ... }; allow-query-on { ; ... 
}; check-names ( fail | warn | ignore ); database ; delegation-only ; // deprecated dialup ( notify | notify-passive | passive | refresh | ); // deprecated file ; forward ( first | only ); forwarders [ port ] { ( | ) [ port ]; ... }; masterfile-format ( raw | text ); masterfile-style ( full | relative ); max-records ; max-refresh-time ; max-retry-time ; max-transfer-idle-in ; max-transfer-time-in ; min-refresh-time ; min-retry-time ; multi-master ; primaries [ port ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; transfer-source ( | * ) ; transfer-source-v6 ( | * ) ; use-alt-transfer-source ; // deprecated zone-statistics ( full | terse | none | ); }; zone [ ] { type delegation-only; }; zone [ ] { in-view ; }; FILES /etc/named.conf SEE ALSO named(8), named-checkconf(8), rndc(8), rndc-confgen(8), tsig-keygen(8), BIND 9 Administrator Reference Manual. AUTHOR Internet Systems Consortium COPYRIGHT 2024, Internet Systems Consortium 9.18.26 2024-04-17 NAMED.CONF(5)