Table of Contents for
DNS and BIND, 5th Edition
DNS and BIND, 5th Edition
Published by
O'Reilly Media, Inc., 2006
- Cover
- DNS and BIND, 5th Edition
- DNS and BIND, 5th Edition
- A Note Regarding Supplemental Files
- Preface
- 1. Background
- 2. How Does DNS Work?
- 3. Where Do I Start?
- 4. Setting Up BIND
- 5. DNS and Electronic Mail
- 6. Configuring Hosts
- 7. Maintaining BIND
- 8. Growing Your Domain
- 9. Parenting
- 10. Advanced Features
- 11. Security
- 12. nslookup and dig
- 13. Reading BIND Debugging Output
- 14. Troubleshooting DNS and BIND
- 15. Programming with the Resolver and Nameserver Library Routines
- 16. Architecture
- 17. Miscellaneous
- A. DNS Message Format and Resource Records
- B. BIND Compatibility Matrix
- C. Compiling and Installing BIND on Linux
- D. Top-Level Domains
- E. BIND Nameserver and Resolver Configuration
- Index
- About the Authors
- Colophon
- Copyright
Appendix E. BIND Nameserver and Resolver Configuration
BIND Nameserver Boot File Directives and Configuration File Statements
Here’s a handy list of all the boot file directives and configuration file statements for the BIND nameserver, as well as configuration directives for the BIND resolver. Some of the directives and statements exist only in later versions, so your nameserver may not support them yet. Most of this information is based on the named.conf manual page, so you can check your manual page if your version of BIND is a newer than 8.4.7or 9.3.2.
The options statement has become quite extensive. At the end of this appendix, we have included the description of each configuration option from the BIND 9 Administrator Reference Manual, in case you don’t have easy access to the manual page. For BIND 8, this information is on the named.conf manual page.
BIND 8 Configuration File Statements
logging
- Function
Configures the nameserver’s logging behavior.
- Syntax
logging { [ channel channel_name { ( file path_name [ versions ( number | unlimited ) ] [ size size_spec ] | syslog ( kern | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 ) | null ); [ severity ( critical | error | warning | notice | info | debug [ level ] | dynamic ); ] [ print-category yes_or_no; ] [ print-severity yes_or_no; ] [ print-time yes_or_no; ] }; ] [ category category_name { channel_name; [ channel_name; ... ] }; ] ... };
Covered in Chapter 7.
options
- Function
Configures global options.
- Syntax
options { [ allow-query { address_match_list }; ] [ allow-recursion { address_match_list }; ] [ allow-transfer { address_match_list }; ] [ also-notify { ip_addr; [ ip_addr; ... ] }; ] [ auth-nxdomain yes_or_no; ] [ blackhole { address_match_list }; ] [ check-names ( master | slave | response ) ( warn | fail | ignore ); ] [ cleaning-interval number; ] [ coresize size_spec; ] [ datasize size_spec; ] [ deallocate-on-exit yes_or_no; ] [ dialup yes_or_no; ] [ directory path_name; ] [ dump-file path_name; ] [ edns-udp-size number; ] [ fake-iquery yes_or_no; ] [ fetch-glue yes_or_no; ] [ files size_spec; ] [ forward ( only | first ); ] [ forwarders { [ ip_addr ; [ ip_addr ; ... ] ] }; ] [ has-old-clients yes_or_no; ] [ heartbeat-interval number; ] [ hostname hostname_string; ] [ host-statistics yes_or_no; ] [ host-statistics-max number; ] [ interface-interval number; ] [ lame-ttl number; ] [ listen-on [ port ip_port ] { address_match_list }; ] [ listen-on-v6 [ port ip_port ] { address_match_list }; ] [ maintain-ixfr-base yes_or_no; ] [ max-ixfr-log-size number; ] [ max-ncache-ttl number; ] [ max-transfer-time-in number; ] [ memstatistics-file path_name; ] [ min-roots number; ] [ multiple-cnames yes_or_no; ] [ named-xfer path_name; ] [ notify yes_or_no; ] [ pid-file path_name; ] [ preferred-glue ( A | AAAA ); ] [ query-source [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ]; ] [ query-source-v6 [ address ( ipv6_addr | * ) ] [ port ( ip_port | * ) ] ; ] [ recursion yes_or_no; ] [ rfc2308-type1 yes_or_no; ] [ rrset-order { order_spec; [ order_spec; ... ] }; ] [ serial-queries number; ] [ sortlist { address_match_list }; ] [ stacksize size_spec; ] [ statistics-file path_name; ] [ statistics-interval number; ] [ suppress-initial-notify yes_or_no; ] [ topology { address_match_list }; ] [ transfer-format ( one-answer | many-answers ); ] [ transfer-source ( ip_addr | * ); ] [ transfer-source-v6 ipv6_addr; ] [ transfers-in number; ] [ transfers-out number; ] [ transfers-per-ns number; ] [ treat-cr-as-space yes_or_no; ] [ use-id-pool yes_or_no; ] [ use-ixfr yes_or_no; ] [ version version_string; ] };
Covered in Chapters 4, 10, 11, and 16.
zone
- Function
Configures the zones maintained by the nameserver.
- Syntax
zone "domain_name" [ ( in | hs | hesiod | chaos ) ] { type master; file path_name; [ allow-query { address_match_list }; ] [ allow-transfer { address_match_list }; ] [ allow-update { address_match_list }; ] [ also-notify { ip_addr; [ ip_addr; ... ] [ check-names ( warn | fail | ignore ); ] [ dialup yes_or_no | notify; ] [ forward ( only | first ); ] [ forwarders { [ ip_addr; [ ip_addr; ... ] ] }; ] [ notify yes_or_no; ] [ pubkey flags protocol_id algorithm_id public_key_string; ] }; zone "domain_name" [ ( in | hs | hesiod | chaos ) ] { type (slave | stub); masters [ port ip_port ] { ip_addr; [ ip_addr; ... ] }; [ allow-query { address_match_list }; ] [ allow-transfer { address_match_list }; ] [ allow-update { address_match_list }; ] [ also-notify { ip_addr; [ ip_addr; ... ] }; [ check-names ( warn | fail | ignore ); ] [ dialup yes_or_no; ] [ file path_name; ] [ forward ( only | first ); ] [ forwarders { [ ip_addr; [ ip_addr; ... ] ] }; ] [ max-transfer-time-in number; ] [ notify yes_or_no; ] [ pubkey flags protocol_id algorithm_id public_key_string; ] [ transfer-source ipv4_addr; ] [ transfer-source-v6 ipv6_addr; ] }; zone "domain_name" [ ( in | hs | hesiod | chaos ) ] { type forward; [ forward ( only | first ); ] [ forwarders { [ ip_addr ; [ ip_addr ; ... ] ] }; ] [ check-names ( warn | fail | ignore ); ] }; zone "." [ ( in | hs | hesiod | chaos ) ] { type hint; file path_name; [ check-names ( warn | fail | ignore ); ] };
Covered in Chapters 4 and 10.
BIND 9 Configuration File Statements
Comments
C style:
/* */C++ style:
// to end of lineUnix style:
# to end of line
logging
- Function
Configures the nameserver’s logging behavior.
- Syntax
logging { channel string { file log_file [ versions ( number | unlimited ) ] [ size size_spec ]; syslog optional_facility; null; stderr; severity log_severity; print-time boolean; print-severity boolean; print-category boolean; }; category string { string; ... }; };
Covered in Chapter 7.
lwres
The light-weight resolver daemon is not covered in this book.
masters
- Function
Defines the masters for a zone. You can define the masters for a zone directly inside the zone statement, or you can define the masters in one place (using this statement), give the list a name, and refer to the list name inside the zone statement.
- Syntax
masters string [ port integer ] { ( masters | ipv4_address [port integer] | ipv6_address [port integer] ) [ key string ]; ... };
Covered in Chapters 4 and 10 as part of the zone statement.
options
- Function
Configures global options.
- Syntax
options { avoid-v4-udp-ports { port; ... }; avoid-v6-udp-ports { port; ... }; blackhole { address_match_element; ... }; coresize size; datasize size; directory quoted_string; dump-file quoted_string; files size; heartbeat-interval integer; host-statistics boolean; // not implemented host-statistics-max number; // not implemented hostname ( quoted_string | none ); interface-interval integer; listen-on [ port integer ] { address_match_element; ... }; listen-on-v6 [ port integer ] { address_match_element; ... }; match-mapped-addresses boolean; memstatistics-file quoted_string; pid-file ( quoted_string | none ); port integer; querylog boolean; recursing-file quoted_string; random-device quoted_string; recursive-clients integer; serial-query-rate integer; server-id ( quoted_string | none |; stacksize size; statistics-file quoted_string; statistics-interval integer; // not yet implemented tcp-clients integer; tcp-listen-queue integer; tkey-dhkey quoted_string integer; tkey-gssapi-credential quoted_string; tkey-domain quoted_string; transfers-per-ns integer; transfers-in integer; transfers-out integer; use-ixfr boolean; version ( quoted_string | none ); allow-recursion { address_match_element; ... }; sortlist { address_match_element; ... }; topology { address_match_element; ... }; // not implemented auth-nxdomain boolean; // default changed minimal-responses boolean; recursion boolean; rrset-order { [ class string ] [ type string ] [ name quoted_string ] string string; ... }; provide-ixfr boolean; request-ixfr boolean; rfc2308-type1 boolean; // not yet implemented additional-from-auth boolean; additional-from-cache boolean; query-source querysource4; query-source-v6 querysource6; cleaning-interval integer; min-roots integer; // not implemented lame-ttl integer; max-ncache-ttl integer; max-cache-ttl integer; transfer-format ( many-answers | one-answer ); max-cache-size size_no_default; check-names ( master | slave | response ) ( fail | warn | ignore ); cache-file quoted_string; suppress-initial-notify boolean; // not yet implemented preferred-glue string; dual-stack-servers [ port integer ] { ( quoted_string [port integer] | ipv4_address [port integer] | ipv6_address [port integer] ); ... } edns-udp-size integer; root-delegation-only [ exclude { quoted_string; ... } ]; disable-algorithms string { string; ... }; dnssec-enable boolean; dnssec-lookaside string trust-anchor string; dnssec-must-be-secure string boolean; dialup dialuptype; ixfr-from-differences ixfrdiff; allow-query { address_match_element; ... }; allow-transfer { address_match_element; ... }; allow-update-forwarding { address_match_element; ... }; notify notifytype; notify-source ( ipv4_address | * ) [ port ( integer | * ) ]; notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]; also-notify [ port integer ] { ( ipv4_address | ipv6_address ) [ port integer ]; ... }; allow-notify { address_match_element; ... }; forward ( first | only ); forwarders [ port integer ] { ( ipv4_address | ipv6_address ) [ port integer ]; ... }; max-journal-size size_no_default; max-transfer-time-in integer; max-transfer-time-out integer; max-transfer-idle-in integer; max-transfer-idle-out integer; max-retry-time integer; min-retry-time integer; max-refresh-time integer; min-refresh-time integer; multi-master boolean; sig-validity-interval integer; transfer-source ( ipv4_address | * ) [ port ( integer | * ) ]; transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]; alt-transfer-source ( ipv4_address | * ) [ port ( integer | * ) ]; alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]; use-alt-transfer-source boolean; zone-statistics boolean; key-directory quoted_string; allow-v6-synthesis { address_match_element; ... }; // obsolete deallocate-on-exit boolean; // obsolete fake-iquery boolean; // obsolete fetch-glue boolean; // obsolete has-old-clients boolean; // obsolete maintain-ixfr-base boolean; // obsolete max-ixfr-log-size size; // obsolete multiple-cnames boolean; // obsolete named-xfer quoted_string; // obsolete serial-queries integer; // obsolete treat-cr-as-space boolean; // obsolete use-id-pool boolean; // obsolete };
Covered in Chapters 4, 10, 11, and 16.
server
- Function
Defines the characteristics to be associated with a remote nameserver.
- Syntax
server ( ipv4_address | ipv6_address ) { bogus boolean; edns boolean; provide-ixfr boolean; request-ixfr boolean; keys server_key; transfers integer; transfer-format ( many-answers | one-answer ); transfer-source ( ipv4_address | * ) [ port ( integer | * ) ]; transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]; support-ixfr boolean; // obsolete };
Covered in Chapters 10 and 11.
view
- Function
Creates and configures a view.
- Syntax
view string optional_class { match-clients { address_match_element; ... }; match-destinations { address_match_element; ... }; match-recursive-only boolean; key string { algorithm string; secret string; }; zone string optional_class { ... }; server ( ipv4_address | ipv6_address ) { ... }; trusted-keys { string integer integer integer quoted_string; ... }; allow-recursion { address_match_element; ... }; sortlist { address_match_element; ... }; topology { address_match_element; ... }; // not implemented auth-nxdomain boolean; // default changed minimal-responses boolean; recursion boolean; rrset-order { [ class string ] [ type string ] [ name quoted_string ] string string; ... }; provide-ixfr boolean; request-ixfr boolean; rfc2308-type1 boolean; // not yet implemented additional-from-auth boolean; additional-from-cache boolean; query-source querysource4; query-source-v6 querysource6; cleaning-interval integer; min-roots integer; // not implemented lame-ttl integer; max-ncache-ttl integer; max-cache-ttl integer; transfer-format ( many-answers | one-answer ); max-cache-size size_no_default; check-names ( master | slave | response ) ( fail | warn | ignore ); cache-file quoted_string; suppress-initial-notify boolean; // not yet implemented preferred-glue string; dual-stack-servers [ port integer ] { ( quoted_string [port integer] | ipv4_address [port integer] | ipv6_address [port integer] ); ... }; edns-udp-size integer; root-delegation-only [ exclude { quoted_string; ... } ]; disable-algorithms string { string; ... }; dnssec-enable boolean; dnssec-lookaside string trust-anchor string; dnssec-must-be-secure string boolean; dialup dialuptype; ixfr-from-differences ixfrdiff; allow-query { address_match_element; ... }; allow-transfer { address_match_element; ... }; allow-update-forwarding { address_match_element; ... }; notify notifytype; notify-source ( ipv4_address | * ) [ port ( integer | * ) ]; notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]; also-notify [ port integer ] { ( ipv4_address | ipv6_address ) [ port integer ]; ... }; allow-notify { address_match_element; ... }; forward ( first | only ); forwarders [ port integer ] { ( ipv4_address | ipv6_address ) [ port integer ]; ... }; max-journal-size size_no_default; max-transfer-time-in integer; max-transfer-time-out integer; max-transfer-idle-in integer; max-transfer-idle-out integer; max-retry-time integer; min-retry-time integer; max-refresh-time integer; min-refresh-time integer; multi-master boolean; sig-validity-interval integer; transfer-source ( ipv4_address | * ) [ port ( integer | * ) ]; transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]; alt-transfer-source ( ipv4_address | * ) [ port ( integer | * ) ]; alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]; use-alt-transfer-source boolean; zone-statistics boolean; key-directory quoted_string; allow-v6-synthesis { address_match_element; ... }; // obsolete fetch-glue boolean; // obsolete maintain-ixfr-base boolean; // obsolete max-ixfr-log-size size; // obsolete };
Covered in Chapters 10 and 11.
zone
- Function
Configures the zones maintained by the nameserver.
- Syntax
zone string optional_class { type ( master | slave | stub | hint | forward | delegation-only ); file quoted_string; masters [ port integer ] { ( masters | ipv4_address [port integer] | ipv6_address [ port integer ] ) [ key string ]; ... }; database string; delegation-only boolean; check-names ( fail | warn | ignore ); dialup dialuptype; ixfr-from-differences boolean; allow-query { address_match_element; ... }; allow-transfer { address_match_element; ... }; allow-update { address_match_element; ... }; allow-update-forwarding { address_match_element; ... }; update-policy { ( grant | deny ) string ( name | subdomain | wildcard | self ) string rrtypelist; ... }; notify notifytype; notify-source ( ipv4_address | * ) [ port ( integer | * ) ]; notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]; also-notify [ port integer ] { ( ipv4_address | ipv6_address ) [ port integer ]; ... }; allow-notify { address_match_element; ... }; forward ( first | only ); forwarders [ port integer ] { ( ipv4_address | ipv6_address ) [ port integer ]; ... }; max-journal-size size_no_default; max-transfer-time-in integer; max-transfer-time-out integer; max-transfer-idle-in integer; max-transfer-idle-out integer; max-retry-time integer; min-retry-time integer; max-refresh-time integer; min-refresh-time integer; multi-master boolean; sig-validity-interval integer; transfer-source ( ipv4_address | * ) [ port ( integer | * ) ]; transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]; alt-transfer-source ( ipv4_address | * ) [ port ( integer | * ) ]; alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]; use-alt-transfer-source boolean; zone-statistics boolean; key-directory quoted_string; ixfr-base quoted_string; // obsolete ixfr-tmp-file quoted_string; // obsolete maintain-ixfr-base boolean; // obsolete max-ixfr-log-size size; // obsolete pubkey integer integer integer quoted_string; // obsolete };
Covered in Chapters 4 and 10.
BIND Resolver Statements
The following statements are for the resolver configuration file, /etc/resolv.conf.
domain
Covered in Chapter 6.
options debug
Covered in Chapter 6.
BIND 9 Options Statement
Remember that statement that had way too many choices for you to consider?
options {
avoid-v4-udp-ports { port; ... };
avoid-v6-udp-ports { port; ... };
blackhole { address_match_element; ... };
...
}This section explains each choice.
This text came from the BIND 9 Administrator Reference Manual (created by Nominum). If you are running BIND 8, look for similar information in the named.conf manual page.
Definition and Usage
The options statement sets up global options to be used by BIND. This statement may appear only once in a configuration file. If there is no options statement, an options block with each option set to its default is used.
- directory
The working directory of the server. Any nonabsolute pathnames in the configuration file will be taken as relative to this directory. The default location for most server output files (e.g., named.run) is this directory. If a directory is not specified, the working directory defaults to ., the directory from which the server was started. The directory specified should be an absolute path.
- key-directory
When performing dynamic update of secure zones, the directory where the public- and private-key files should be found, if different than the current working directory. The directory specified must be an absolute path.
- named-xfer
This option is obsolete. It was used in BIND 8 to specify the pathname to the named-xfer program. In BIND 9, no separate named-xfer program is needed; its functionality is built into the nameserver.
- tkey-domain
The domain appended to the names of all shared keys generated with TKEY. When a client requests a TKEY exchange, it may or may not specify the desired name for the key. If present, the name of the shared key will be "client-specified part" + "tkey-domain.” Otherwise, the name of the shared key will be "random hex digits" + "tkey-domain.” In most cases, the domainname should be the server’s domain name.
- tkey-dhkey
The Diffie-Hellman key used by the server to generate shared keys with clients using the Diffie-Hellman mode of TKEY. The server must be able to load the public and private keys from files in the working directory. In most cases, the keyname should be the server’s hostname.
- dump-file
The pathname of the file the server dumps the database to when instructed to do so with rndc dumpdb. If not specified, the default is named_dump.db.
- memstatistics-file
The pathname of the file the server writes memory usage statistics to on exit. If not specified, the default is named.memstats.
- pid-file
The pathname of the file the server writes its process ID in. If not specified, the default is /var/run/named.pid. The pid-file is used by programs that want to send signals to the running nameserver. Specifying pid-file none disables the use of a PID file: no file will be written and all existing files are removed. Note that none is a keyword, not a filename, and therefore is not enclosed in double quotes.
- statistics-file
The pathname of the file the server appends statistics to when instructed to do so using rndc stats. If not specified, the default is named.stats in the server’s current directory.
- port
The UDP/TCP port number the server uses for receiving and sending DNS protocol traffic. The default is 53. This option is mainly intended for server testing; a server using a port other than 53 can’t communicate with the global DNS.
- random-device
The source of entropy to be used by the server. Entropy is primarily needed for DNSSEC operations, such as TKEY transactions and dynamic update of signed zones. This option specifies the device (or file) from which to read entropy. If this is a file, operations requiring entropy will fail when the file has been exhausted. If not specified, the default value is /dev/random (or equivalent) when present, and none otherwise. The random-device option takes effect during the initial configuration load at server startup time and is ignored on subsequent reloads.
- preferred-glue
If specified, the listed type (A or AAAA) is emitted before other glue in the additional section of a query response. The default is not to preference any type (NONE).
- root-delegation-only
Turns on enforcement of delegation-only in TLDs and root zones with an optional exclude list.
Note that some TLDs are not delegation-only (e.g., “DE,” “LV,” “US,” and “MUSEUM”).
options { root-delegation-only exclude { "de"; "lv"; "us"; "museum"; }; };- disable-algorithms
Disables the specified DNSSEC algorithms at and below the specified name. Multiple disable-algorithms statements are allowed. Only the most specific will be applied.
- dnssec-lookaside
When set, dnssec-lookaside provides the validator with an alternate method to validate DNSKEY records at the top of a zone. When a DNSKEY is at or below a domain specified by the deepest dnssec-lookaside, and the normal dnssec validation has left the key untrusted, the trust-anchor is appended to the key name, and a DLV record is looked up to see if it can validate the key. If the DLV record validates a DNSKEY (similarly to the way a DS record does), the DNSKEY RRset is deemed to be trusted.
- dnssec-must-be-secure
Specifies hierarchies that must/may not be secure (signed and validated). If yes, then named accepts answers only if they are secure. If no, normal dnssec validation applies, allowing for insecure answers to be accepted. The specified domain must be under a trusted-key, or dnssec-lookaside must be active.
Boolean Options
- auth-nxdomain
If yes, the AA bit is always set on NXDOMAIN responses, even if the server is not actually authoritative. The default is no; this is a change from BIND 8. If you are using very old DNS software, you may need to set it to yes.
- deallocate-on-exit
This option was used in BIND 8 to enable checking for memory leaks on exit. BIND 9 ignores the option and always performs the checks.
- dialup
If yes, the server treats all zones as if they are doing zone transfers across a dial-on-demand dialup link, which can be brought up by traffic originating from this server. This has different effects according to zone type and concentrates the zone maintenance so that it all happens in a short interval, once every heartbeat-interval and hopefully during the one call. It also suppresses some of the normal zone maintenance traffic. The default is no.
The dialup option may also be specified in the view and zone statements, in which case it overrides the global dialup option.
If the zone is a master zone, the server sends out a NOTIFY request to all the slaves (default). This should trigger the zone serial number check in the slave (providing it supports NOTIFY), allowing the slave to verify the zone while the connection is active. The set of servers to which NOTIFY is sent can be controlled by notify and also-notify.
If the zone is a slave or stub zone, the server suppresses the regular “zone up to date” (refresh) queries and performs them only when the heartbeat-interval expires in addition to sending NOTIFY requests.
Finer control can be achieved using notify, which sends only NOTIFY messages; notify-passive, which sends NOTIFY messages and suppresses the normal refresh queries; refresh, which suppresses normal refresh processing and sends refresh queries when the heartbeat-interval expires; and passive, which just disables normal refresh processing.
Dialup mode
Normal refresh
heartbeat refresh
heartbeat notify
no (default)
Yes
No
No
yes
No
Yes
Yes
notify
Yes
No
Yes
refresh
No
Yes
No
passive
No
No
No
notify-passive
No
No
Yes
Note that normal NOTIFY processing is not affected by dialup.
- fake-iquery
In BIND 8, if this option is enabled, it simulates the obsolete DNS query type IQUERY. BIND 9 never does IQUERY simulation.
- fetch-glue
This option is obsolete. In BIND 8, fetch-glue yes caused the server to attempt to fetch-glue resource records it didn’t have when constructing the additional data section of a response. This is now considered a bad idea, and BIND 9 never does it.
- flush-zones-on-shutdown
When the nameserver exits due receiving SIGTERM, flush/do not flush any pending zone writes. The default is flush-zones-on-shutdown no.
- has-old-clients
This option was incorrectly implemented in BIND 8 and is ignored by BIND 9. To achieve the intended effect of has-old-clients yes, specify the two separate options auth-nxdomain yes and rfc2308-type1 no instead.
- host-statistics
In BIND 8, this option enables statistics to be kept for every host the nameserver interacts with. Not implemented in BIND 9.
- maintain-ixfr-base
This option is obsolete. It was used in BIND 8 to determine whether a transaction log was kept for incremental zone transfer. BIND 9 maintains a transaction log whenever possible. If you need to disable outgoing incremental zone transfers, use provide-ixfr no.
- minimal-responses
If yes, then when generating responses, the server adds records to the authority and additional data sections only when they are required (e.g., delegations, negative responses). This may improve the performance of the server. The default is no.
- multiple-cnames
This option is used in BIND 8 to allow a domain name to have multiple CNAME records in violation of the DNS standards. BIND 9.2 always strictly enforces the CNAME rules both in master files and dynamic updates.
- notify
If yes (the default), DNS NOTIFY messages are sent when a zone the server is in is authoritative for changes. The messages are sent to the servers listed in the zone’s NS records (except the master server identified in the SOA MNAME field) and to any servers listed in the also-notify option.
If explicit, notifies are sent only to servers explicitly listed using also-notify. If no, no notifies are sent.
The notify option may also be specified in the zone statement, in which case it overrides the options notify statement. It is necessary to turn off this option only if it causes slaves to crash.
- recursion
If yes, and a DNS query requests recursion, the server attempts to do all the work required to answer the query. If recursion is off, and the server does not already know the answer, it returns a referral response. The default is yes. Note that setting recursion no does not prevent clients from getting data from the server’s cache; it only prevents new data from being cached as an effect of client queries. Caching may still occur due to the server’s internal operation, such as NOTIFY address lookups. See also fetch-glue.
- rfc2308-type1
Setting this to yes causes the server to send NS records along with the SOA record for negative answers. The default is no. Not yet implemented in BIND 9.
- use-id-pool
This option is obsolete. BIND 9 always allocates query IDs from a pool.
- zone-statistics
If yes, the server collects statistical data on all zones (unless specifically turned off on a per-zone basis by specifying zone-statistics no in the zone statement). These statistics may be accessed using rndc stats, which dumps them to the file listed in the statistics-file.
- use-ixfr
This option is obsolete. If you need to disable IXFR to a particular server or servers, see the information on the provide-ixfr option.
- provide-ixfr
This clause determines whether the local server, acting as master, will respond with an incremental zone transfer when the given remote server, a slave, requests it. If set to yes, incremental transfer is provided whenever possible. If set to no, all transfers to the remote server are nonincremental.
- request-ixfr
The request-ixfr clause determines whether the local server, acting as a slave, will request incremental zone transfers from the given remote server, a master.
- treat-cr-as-space
This option was used in BIND 8 to make the server treat carriage return (“\r”) characters the same way as a space or tab character, in order to facilitate loading of zone files on a Unix system that were generated on an NT or DOS machine. In BIND 9, both Unix “\n” and NT/DOS “\r\n” newlines are always accepted, and the option is ignored.
- additional-from-auth
additional-from-cache These options control the behavior of an authoritative server when answering queries that have additional data, or when following CNAME and DNAME chains.
When both options are set to yes (the default), and a query is being answered from authoritative data (a zone configured into the server), the additional data section of the reply is filled in using data from other authoritative zones and from the cache. In some situations, this is undesirable, such as when there is concern about the correctness of the cache, or when servers have slave zones that may be added and modified by untrusted third parties. Also, avoiding the search for this additional data speeds up server operations at the possible expense of additional queries to resolve what would otherwise be provided in the additional section.
For example, if a query asks for an MX record for host foo.example.com, and the record found is "MX 10 mail.example.net,” normally the address records (A and AAAA) for mail.example.net are provided as well, if known, even though they are not in the example.com zone. Setting these options to no disables this behavior and makes the server search for additional data only in the zone it answers from.
These options are intended for use in authoritative-only servers or in authoritative-only views. Attempts to set them to no without also specifying recursion no causes the server to ignore the options and logs a warning message.
Specifying additional-from-cache no actually disables the use of the cache not only for additional data lookups but also when looking up the answer. This is usually the desired behavior in an authoritative-only server when the correctness of the cached data is an issue.
When a nameserver is nonrecursively queried for a name that is not below the apex of any served zone, it normally answers with an “upwards referral” to the root servers or the servers of some other known parent of the query name. Since the data in an upwards referral comes from the cache, the server can’t provide upwards referrals when additional-from-cache no has been specified. Instead, it responds to such queries with REFUSED. This should not cause any problems because upwards referrals are not required for the resolution process.
- match-mapped-addresses
If yes, an IPv4-mapped IPv6 address matches any address match list entries that match the corresponding IPv4 address. Enabling this option is sometimes useful on IPv6-enabled Linux systems. It works around a kernel quirk that causes IPv4 TCP connections such as zone transfers to be accepted on an IPv6 socket that uses mapped addresses. As a result, address match lists designed for IPv4 fail to match. The use of this option for any other purpose is discouraged.
- ixfr-from-differences
When yes, and when the server loads a new version of a master zone from its zone file or receives a new version of a slave file via a nonincremental zone transfer, it compares the new version to the previous one and calculates a set of differences. The differences are then logged in the zone’s journal file such that the changes can be transmitted to downstream slaves as an incremental zone transfer.
By allowing incremental zone transfers to be used for nondynamic zones, this option saves bandwidth at the expense of increased CPU and memory consumption at the master. In particular, if the new version of a zone is completely different from the previous one, the set of differences are comparable in size to the combined size of the old and new zone version. The server then needs to temporarily allocate memory to hold this complete difference set.
- multi-master
This should be set when you have multiple masters for a zone and the addresses refer to different machines. If yes, named will not log when the serial number on the master is less than what named currently has. The default is no.
- dnssec-enable
Enables DNSSEC support in named. Unless set to yes, named behaves as if it does not support DNSSEC. The default is no.
- querylog
Specifies whether query logging should be started when named starts. If querylog is not specified, the query logging is determined by the presence of the logging category queries.
- check-names
Restricts the character set and syntax of certain domain names in master files and/or DNS responses received from the network. The default varies according to usage area. For master zones, the default is fail. For slave zones, the default is warn. For answer, received from the network (response), the default is ignore.
The rules for legal hostnames/mail domains are derived from RFC 952 and RFC 821 as modified by RFC 1123.
check-names applies to the owner names of A, AAA, and MX records. It also applies to the domain names in the RDATA of NS, SOA, and MX records, and to the RDATA of PTR records when the owner name indicates when it is a reverse lookup of a hostname (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, IP6.INT).
Forwarding
The forwarding facility can create a large site-wide cache on a few servers, reducing traffic over links to external nameservers. It can also allow queries by servers that do not have direct access to the Internet but wish to look up exterior names anyway. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache.
- forward
This option is meaningful only if the forwarders list is not empty. A value of first, the default, causes the server to query the forwarders first, and if that doesn’t answer the question, the server then looks for the answer itself. If only is specified, the server queries only the forwarders.
- forwarders
Specifies the IP addresses to be used for forwarding. The default is the empty list (no forwarding).
Forwarding can also be configured on a per-domain basis, which allows global forwarding options to be overridden in a variety of ways. You can set particular domains to use different forwarders, have a different forward only/first behavior, or not forward at all.
Dual-Stack Servers
Dual-stack servers are used as servers of last resort to work around problems in reachability due the lack of support for either IPv4 or IPv6 on the host machine.
- dual-stack-servers
Specifies hostnames/addresses of machines with access to both IPv4 and IPv6 transports. If a hostname is used, the server must be able to resolve the name using only the transport it has. If the machine is dual-stacked, the dual-stack-servers have no effect unless access to a transport has been disabled on the command line (e.g., named -4).
Access Control
Access to the server can be restricted based on the IP address of the requesting system.
- allow-notify
Specifies which hosts are allowed to notify this server—a slave—of zone changes in addition to the zone masters. allow-notify may also be specified in the zone statement, in which case it overrides the options allow-notify statement. It is only meaningful for a slave zone. If not specified, the default is to process notify messages only from a zone’s master.
- allow-query
Specifies which hosts are allowed to ask ordinary DNS questions. allow-query may also be specified in the zone statement, in which case it overrides the options allow-query statement. If not specified, the default is to allow queries from all hosts.
- allow-recursion
Specifies which hosts are allowed to make recursive queries through this server. If not specified, the default is to allow recursive queries from all hosts. Note that disallowing recursive queries for a host does not prevent the host from retrieving data that is already in the server’s cache.
- allow-update-forwarding
Specifies which hosts are allowed to submit dynamic DNS updates to slave zones that are forwarded to the master. The default is none, which means that no update forwarding is performed. To enable update forwarding, specify allow-update-forwarding any. Specifying values other than none or any is usually counterproductive because the responsibility for update access control should rest with the master server, not the slaves.
Note that enabling the update-forwarding feature on a slave server may expose to attacks those master servers that rely on insecure IP address-based access control.
- allow-v6-synthesis
This option was introduced for the smooth transition from AAAA to A6 and from “nibble labels” to binary labels. However, since both A6 and binary labels were then deprecated, this option was also deprecated. It is now ignored with some warning messages.
- allow-transfer
Specifies which hosts are allowed to receive zone transfers from the server. allow-transfer may also be specified in the zone statement, in which case it overrides the options allow-transfer statement. If not specified, the default allows transfers to all hosts.
- blackhole
Specifies a list of addresses the server doesn’t accept queries from or use to resolve a query. Queries from these addresses aren’t responded to. The default is none.
Interfaces
The interfaces and ports that the server answers queries from may be specified using the listen-on option. listen-on takes an optional port, and an address_match_list. The server listens on all interfaces allowed by the address match list. If a port is not specified, port 53 is used.
Multiple listen-on statements are allowed. For example:
listen-on { 5.6.7.8; };
listen-on port 1234 { !1.2.3.4; 1.2/16; };enables the nameserver on port 53 for the IP address 5.6.7.8, and on port 1234 of an address on the machine in net 1.2 that is not 1.2.3.4.
If no listen-on is specified, the server listens on port 53 on all interfaces.
The listen-on-v6 option specifies the interfaces and the ports on which the server listens for incoming queries sent using IPv6.
When:
{ any; }is specified as the address_match_list for the listen-on-v6 option, the server does not bind a separate socket to each IPv6 interface address as it does for IPv4 if the operating system has enough API support for IPv6 (specifically if it conforms to RFC 3493 and RFC 3542). Instead, it listens on the IPv6 wildcard address. If the system has incomplete API support for IPv6, however, the behavior is the same as that for IPv4.
A list of particular IPv6 addresses can also be specified, in which case the server listens on a separate socket for each specified address, regardless of whether the desired API is supported by the system.
Multiple listen-on-v6 options can be used. For example:
listen-on-v6 { any; };
listen-on-v6 port 1234 { !2001:db8::/32; any; };enables the nameserver on port 53 for any IPv6 addresses (with a single wildcard socket) and on port 1234 of IPv6 addresses that is not in the prefix 2001:db8::/32 (with separate sockets for each matched address).
To make the server not listen on any IPv6 address, use:
listen-on-v6 { none; };If no listen-on-v6 option is specified, the server doesn’t listen on any IPv6 address.
Query Address
If the server doesn’t know the answer to a question, it queries other nameservers. query-source specifies the address and port used for such queries. For queries sent over IPv6, there is a separate query-source-v6 option. If address is * or is omitted, a wildcard IP address (INADDR_ANY) is used. If port is * or is omitted, a random unprivileged port is used; avoid-v4-udp-ports and avoid-v6-udp-ports can prevent named from selecting certain ports. The defaults are:
query-source address * port *; query-source-v6 address * port *;
Note that the address specified in the query-source option is used for both UDP and TCP queries, but the port applies only to UDP queries. TCP queries always use a random unprivileged port.
See also transfer-source and notify-source.
Zone Transfers
BIND has mechanisms in place to facilitate zone transfers and set limits on the amount of load transfers place on the system. The following options apply to zone transfers:
- also-notify
Defines a global list of IP addresses of nameservers that are also sent NOTIFY messages whenever a fresh copy of the zone is loaded, in addition to the servers listed in the zone’s NS records. This helps to ensure that copies of the zones will quickly converge on stealth servers. If an also-notify list is given in a zone statement, it overrides the options also-notify statement. When a zone notify statement is set to no, the IP addresses in the global also-notify list are not sent NOTIFY messages for that zone. The default is the empty list (no global notification list).
- max-transfer-time-in
Inbound zone transfers running longer than this many minutes are terminated. The default is 120 minutes (2 hours). The maximum value is 28 days (40,320 minutes).
- max-transfer-idle-in
Inbound zone transfers making no progress in this many minutes are terminated. The default is 60 minutes (1 hour). The maximum value is 28 days (40,320 minutes).
- max-transfer-time-out
Outbound zone transfers running longer than this many minutes are terminated. The default is 120 minutes (2 hours). The maximum value is 28 days (40,320 minutes).
- max-transfer-idle-out
Outbound zone transfers making no progress in this many minutes are terminated. The default is 60 minutes (1 hour). The maximum value is 28 days (40,320 minutes).
- serial-query-rate
Slave servers periodically query master servers to find out if zone serial numbers have changed. Each such query uses a minute amount of the slave server’s network bandwidth. To limit the amount of bandwidth used, BIND 9 limits the rate at which queries are sent. The value of the serial-query-rate option, an integer, is the maximum number of queries sent per second. The default is 20.
- serial-queries
In BIND 8, the serial-queries option sets the maximum number of concurrent serial number queries allowed to be outstanding at any given time. BIND 9 does not limit the number of outstanding serial queries and ignores the serial-queries option. Instead, it limits the rate at which the queries are sent as defined using the serial-query-rate option.
- transfer-format
Zone transfers can be sent using two different formats, one-answer and many-answers. The transfer-format option is used on the master server to determine which format it sends. one-answer uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is more efficient, but is only supported by relatively new slave servers, such as BIND 9, BIND 8.x, and patched versions of BIND 4.9.5. The default is many-answers. transfer-format may be overridden on a per-server basis using the server statement.
- transfers-in
The maximum number of inbound zone transfers that can be running concurrently. The default value is 10. Increasing transfers-in may speed up the convergence of slave zones, but it also may increase the load on the local system.
- transfers-out
The maximum number of outbound zone transfers that can be running concurrently. Zone transfer requests in excess of the limit are refused. The default value is 10.
- transfers-per-ns
The maximum number of inbound zone transfers that can be concurrently transferring from a given remote nameserver. The default value is 2. Increasing transfers-per-ns may speed up the convergence of slave zones, but it also may increase the load on the remote nameserver. transfers-per-ns may be overridden on a per-server basis by using the transfers phrase of the server statement.
- transfer-source
transfer-source determines which local addresses are bound to IPv4 TCP connections that fetch zones transferred inbound by the server. It also determines the source IPv4 address, and optionally the UDP port, used for the refresh queries and forwarded dynamic updates. If not set, it defaults to a system controlled value that is usually the address of the interface closest to the remote end. This address must appear in the remote end’s allow-transfer option for the zone being transferred, if one is specified. This statement sets the transfer-source for all zones but can be overridden on a per-view or per-zone basis by including a transfer-source statement within the view or zone block in the configuration file.
- transfer-source-v6
The same as transfer-source, except zone transfers are performed using IPv6.
- alt-transfer-source
An alternate transfer source if the one listed in transfer-source fails, and use-alt-transfer-source is set.
- alt-transfer-source-v6
An alternate transfer source if the one listed in transfer-source-v6 fails, and use-alt-transfer-source is set.
- use-alt-transfer-source
Use the alternate transfer sources or not. If views are specified, this defaults to no; otherwise, it defaults to yes (for BIND 8 compatibility).
- notify-source
notify-source determines which local source address—and, optionally, UDP port—is used to send NOTIFY messages. This address must appear in the slave server’s masters zone clause or in an allow-notify clause. This statement sets the notify-source for all zones but can be overridden on a per-zone/per-view basis by including a notify-source statement within the zone or view block in the configuration file.
- notify-source-v6
Like notify-source, but applies to notify messages sent to IPv6 addresses.
Bad UDP Port Lists
avoid-v4-udp-ports and avoid-v6-udp-ports specify a list of IPv4 and IPv6 UDP ports that aren’t used as system-assigned source ports for UDP sockets. These lists prevent named from choosing as its random source port a port that is blocked by your firewall. If a query is sent with such a source port, the answer doesn’t get by the firewall, and the nameserver has to query again.
Operating System Resource Limits
The server’s usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For example, 1G can be used instead of 1073741824 to specify a limit of one gigabyte. unlimited requests unlimited use, or the maximum available amount. default uses the limit that was in force when the server was started.
The following options set operating system resource limits for the nameserver process. Some operating systems don’t support some or any of the limits. On such systems, a warning is issued if the unsupported limit is used.
- coresize
The maximum size of a core dump. The default is default.
- datasize
The maximum amount of data memory the server may use. The default is default. This is a hard limit on server memory usage. If the server attempts to allocate memory in excess of this limit, the allocation will fail, which may, in turn, leave the server unable to perform DNS service. Therefore, this option is rarely useful as a way to limit the amount of memory used by the server, but it can be used to raise an operating system data size limit that is too small by default. If you wish to limit the amount of memory used by the server, use the max-cache-size and recursive-clients options instead.
- files
The maximum number of files the server may have open concurrently. The default is unlimited.
- stacksize
The maximum amount of stack memory the server may use. The default is default.
Server Resource Limits
The following options set limits on the server’s resource consumption that are enforced internally by the server rather than the operating system:
- max-ixfr-log-size
This option is obsolete; it is accepted and ignored for BIND 8 compatibility. The option max-journal-size performs a similar function in BIND 8.
- max-journal-size
Sets a maximum size for each journal file. When the journal file approaches the specified size, some of the oldest transactions in the journal are automatically removed. The default is unlimited.
- host-statistics-max
In BIND 8, specifies the maximum number of host statistic entries to be kept. Not implemented in BIND 9.
- recursive-clients
The maximum number of simultaneous recursive lookups the server will perform on behalf of clients. The default is 1000. Because each recursing client uses a fair bit of memory, on the order of 20 kilobytes, the value of the recursive-clients option may have to be decreased on hosts with limited memory.
- tcp-clients
The maximum number of simultaneous client TCP connections the server will accept. The default is 100.
- max-cache-size
The maximum amount of memory to use for the server’s cache, in bytes. When the amount of data in the cache reaches this limit, the server causes records to expire prematurely so that the limit is not exceeded. In a server with multiple views, the limit applies separately to the cache of each view. The default is unlimited, meaning that records are purged from the cache only when their TTLs expire.
- tcp-listen-queue
The listen queue depth. The default and minimum is 3. If the kernel supports the accept filter “dataready,” this also controls how many TCP connections are queued in kernel space waiting for some data before being passed to accept. Values less than 3 are silently raised.
Periodic Task Intervals
- cleaning-interval
The server removes expired resource records from the cache every cleaning-interval minutes. The default is 60 minutes. The maximum value is 28 days (40,320 minutes). If set to 0, no periodic cleaning occurs.
- heartbeat-interval
The server performs zone maintenance tasks for all zones marked as dialup whenever this interval expires. The default is 60 minutes. Reasonable values are up to 1 day (1,440 minutes). The maximum value is 28 days (40,320 minutes). If set to 0, no zone maintenance for these zones occurs.
- interface-interval
The server scans the network interface list every interface-interval minutes. The default is 60 minutes. The maximum value is 28 days (40,320 minutes). If set to 0, interface scanning occurs only when the configuration file is loaded. After the scan, the server begins listening for queries on any newly discovered interfaces (provided they are allowed by the listen-on configuration), and stops listening on interfaces that have gone away.
- statistics-interval
Nameserver statistics are logged every statistics-interval minutes. The default is 60. The maximum value is 28 days (40,320 minutes). If set to 0, no statistics are logged.
Topology
All other things being equal, when the server chooses a nameserver to query from a list of nameservers, it prefers the one that is topologically closest to itself. The topology statement takes an address_match_list and interprets it in a special way. Each top-level list element is assigned a distance. Nonnegated elements get a distance based on their position in the list, in which the closer the match is to the start of the list, the shorter the distance between it and the server. A negated match is assigned the maximum distance from the server. If there is no match, the address gets a distance that is further than any nonnegated list element and closer than any negated element. For example:
topology {
10/8;
!1.2.3/24;
{ 1.2/16; 3/8; };
};prefers servers on network 10 the most, followed by hosts on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the exception of hosts on network 1.2.3 (netmask 255.255.255.0), which is preferred least of all.
The default topology is:
topology { localhost; localnets; };The sortlist Statement
The response to a DNS query may consist of multiple resource records (RRs) forming a resource records set (RRset). The nameserver will normally return the RRs within the RRset in an indeterminate order. The client resolver code should rearrange the RRs as appropriate, that is, using any addresses on the local net in preference to other addresses. However, not all resolvers can do this or are correctly configured. When a client is using a local server, the sorting can be performed in the server, based on the client’s address. This requires configuring only the nameservers, not all the clients.
The sortlist statement (see below) takes an address_match_list and interprets it even more specifically than the topology statement does. Each top-level statement in the sortlist must itself be an explicit address_match_list with one or two elements. The first element (which may be an IP address, an IP prefix, an ACL name, or a nested address_match_list) of each top-level list is checked against the source address of the query until a match is found.
Once the source address of the query has been matched, if the top-level statement contains only one element, the actual primitive element that matched the source address selects the address in the response to move to the beginning of the response. If the statement is a list of two elements, the second element is treated the same as the address_match_list in a topology statement. Each top-level element is assigned a distance, and the address in the response with the minimum distance is moved to the beginning of the response.
In the following example, any queries received from any of the addresses of the host itself will get responses preferring addresses on any of the locally connected networks. The next most preferred are addresses on the 192.168.1/24 network, and after that, either the 192.168.2/24 or 192.168.3/24 network; no preference is shown between these two networks. Queries received from a host on the 192.168.1/24 network prefer other addresses on that network to the 192.168.2/24 and 192.168.3/24 networks. Queries received from a host on the 192.168.4/24 or 192.168.5/24 network prefer only other addresses on their directly connected networks.
sortlist {
{ localhost; // IF the local host
{ localnets; // THEN first fit on the
192.168.1/24; // following nets
{ 192.168.2/24; 192.168.3/24; }; }; };
{ 192.168.1/24; // IF on class C 192.168.1
{ 192.168.1/24; // THEN use .1, or .2 or .3
{ 192.168.2/24; 192.168.3/24; }; }; };
{ 192.168.2/24; // IF on class C 192.168.2
{ 192.168.2/24; // THEN use .2, or .1 or .3
{ 192.168.1/24; 192.168.3/24; }; }; };
{ 192.168.3/24; // IF on class C 192.168.3
{ 192.168.3/24; // THEN use .3, or .1 or .2
{ 192.168.1/24; 192.168.2/24; }; }; };
{ { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
};
};The following example gives reasonable behavior for the local host and hosts on directly connected networks. It is similar to the behavior of the address sort in BIND 4.9.x. Responses sent to queries from the local host will favor any of the directly connected networks. Responses sent to queries from any other hosts on a directly connected network will prefer addresses on that same network. Responses to other queries will not be sorted.
sortlist {
{ localhost; localnets; };
{ localnets; };
};RRset Ordering
When multiple records are returned in an answer, it may be useful to configure the order of the records placed into the response. The rrset-order statement permits configuration of the ordering of the records in a multiple-record response.
An order_spec is defined as follows:
[ classclass_name][ typetype_name][ name"domain_name"] orderordering
If no class is specified, the default is ANY. If no type is specified, the default is ANY. If no name is specified, the default is “*”.
Here are the legal values for ordering:
- fixed
Records are returned in the order they are defined in the zone file.
- random
Records are returned in a random order.
- cyclic
Records are returned in a round-robin order.
For example:
rrset-order {
class IN type A name "host.example.com" order random;
order cyclic;
};causes any responses for type A records in class IN that have host.example.com as a suffix to always be returned in random order. All other records are returned in cyclic order.
If multiple rrset-order statements appear, they are not combined: the last one applies.
Tuning
- lame-ttl
Sets the number of seconds to cache a lame server indication. 0 disables caching; this is not recommended. Default is 600 (10 minutes). Maximum value is 1800 (30 minutes).
- max-ncache-ttl
To reduce network traffic and increase performance, the server stores negative answers. max-ncache-ttl sets a maximum retention time for these answers in the server in seconds. The default max-ncache-ttl is 10,800 seconds (3 hours). max-ncache-ttl cannot exceed seven days and is silently truncated to seven days if set to a greater value.
- max-cache-ttl
max-cache-ttl sets the maximum time for which the server caches ordinary (positive) answers. The default is one week (seven days).
- min-roots
The minimum number of root servers that is required for a request for the root servers to be accepted. Default is 2. Not yet implemented in BIND 9.
- sig-validity-interval
Specifies the number of days in the future when DNSSEC signatures automatically generated as a result of dynamic updates will expire. The default is 30 days. The maximum value is 10 years (3,660 days). The signature inception time is unconditionally set to one hour before the current time to allow for a limited amount of clock skew.
- min-refresh-time
max-refresh-time
min-retry-time
max-retry-time These options control the server’s behavior on refreshing a zone (querying for SOA changes) or retrying failed transfers. Usually the SOA values for the zone are used, but these values are set by the master, giving slave server administrators little control over their contents.
These options allow the administrator to set a minimum and maximum refresh and retry time per-zone, per-view, or globally. These options are valid for slave and stub zones, and clamp the SOA refresh and retry times to the specified values.
- edns-udp-size
edns-udp-size sets the advertised EDNS UDP buffer size. Valid values are 512 to 4096 (values outside this range are silently adjusted). The default value is 4096. The usual reason for setting edns-udp-size to a nondefault value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes.
Built-in Server Information Zones
The server provides some helpful diagnostic information through a number of built-in zones under the pseudo-top-level-domain bind in the CHAOS class. These zones are part of a built-in view of class CHAOS, which is separate from the default view of class IN; therefore, any global server options such as allow-query do not apply to these zones. If you feel the need to disable these zones, use the following options, or hide the built-in CHAOS view by defining an explicit view of class CHAOS that matches all clients.
- version
The version the server should report via a query of the name version.bind with type TXT, class CHAOS. The default is the real version number of this server. Specifying version none disables processing of the queries.
- hostname
The hostname the server should report via a query of the name hostname.bind with type TXT, class CHAOS. This defaults to the hostname of the machine hosting the nameserver as found by gethostname(). The primary purpose of such queries is to identify which of a group of anycast servers is actually answering your queries. Specifying hostname none; disables processing of the queries.
- server-id
The ID of the server should report via a query of the name ID.SERVER with type TXT, class CHAOS. The primary purpose of such queries is to identify which of a group of anycast servers is actually answering your queries. Specifying server-id none; disables processing of the queries. Specifying server-id hostname; causes named to use the hostname as found by gethostname(). The default server-id is none.