e475708401
- It is .Bl -hang not -ohang
2359 lines
63 KiB
Groff
2359 lines
63 KiB
Groff
.\" $NetBSD: named.conf.5,v 1.2 1999/11/29 18:28:18 christos Exp $
|
|
.\"
|
|
.\" Copyright (c) 1999 by Internet Software Consortium
|
|
.\"
|
|
.\" Permission to use, copy, modify, and distribute this software for any
|
|
.\" purpose with or without fee is hereby granted, provided that the above
|
|
.\" copyright notice and this permission notice appear in all copies.
|
|
.\"
|
|
.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
|
|
.\" ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
|
|
.\" OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
|
|
.\" CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
|
|
.\" DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
|
|
.\" PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
|
|
.\" ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
|
|
.\" SOFTWARE.
|
|
|
|
.Dd January 7, 1999
|
|
.Dt NAMED.CONF 5
|
|
.Os BSD 4
|
|
|
|
.Sh NAME
|
|
.Nm named.conf
|
|
.Nd configuration file for
|
|
.Xr named 8
|
|
|
|
.Sh OVERVIEW
|
|
|
|
BIND 8 is much more configurable than previous release of BIND. There
|
|
are entirely new areas of configuration, such as access control lists
|
|
and categorized logging. Many options that previously applied to all
|
|
zones can now be used selectively. These features, plus a
|
|
consideration of future configuration needs led to the creation of a
|
|
new configuration file format.
|
|
|
|
.Ss General Syntax
|
|
|
|
A BIND 8 configuration consists of two general features, statements
|
|
and comments. All statements end with a semicolon. Many statements
|
|
can contain substatements, which are each also terminated with a
|
|
semicolon.
|
|
|
|
.Pp
|
|
The following statements are supported:
|
|
.Bl -tag -width 1
|
|
.It Ic logging
|
|
specifies what the server logs, and where the log messages are sent
|
|
|
|
.It Ic options
|
|
controls global server configuration options and sets defaults for other
|
|
statements
|
|
|
|
.It Ic zone
|
|
defines a zone
|
|
|
|
.It Ic acl
|
|
defines a named IP address matching list, for access control and other uses
|
|
|
|
.It Ic key
|
|
specifies key information for use in authentication and authorization
|
|
|
|
.It Ic trusted-keys
|
|
defines DNSSEC keys that are preconfigured into the server and implicitly
|
|
trusted
|
|
|
|
.It Ic server
|
|
sets certain configuration options for individual remote servers
|
|
|
|
.It Ic controls
|
|
declares control channels to be used by the
|
|
.Nm ndc
|
|
utility
|
|
|
|
.It Ic include
|
|
includes another file
|
|
|
|
.El
|
|
|
|
The
|
|
.Ic logging
|
|
and
|
|
.Ic options
|
|
statements may only occur once per configuration, while the rest may
|
|
appear numerous times. Further detail on each statement is provided
|
|
in individual sections below.
|
|
|
|
Comments may appear anywhere that whitespace may appear in a BIND
|
|
configuration file. To appeal to programmers of all kinds, they can
|
|
be written in C, C++, or shell/perl constructs.
|
|
|
|
C-style comments start with the two characters
|
|
.Li /*
|
|
(slash, star) and end with
|
|
.Li */
|
|
(star, slash).
|
|
Because they are completely delimited with these characters,
|
|
they can be used to comment only a portion of a line or to span
|
|
multiple lines.
|
|
|
|
C-style comments cannot be nested. For example, the following is
|
|
not valid because the entire comment ends with the first
|
|
.Li */ :
|
|
|
|
.Bd -literal -offset indent
|
|
/* This is the start of a comment.
|
|
This is still part of the comment.
|
|
/* This is an incorrect attempt at nesting a comment. */
|
|
This is no longer in any comment. */
|
|
.Ed
|
|
|
|
C++-style comments start with the two characters
|
|
.Li //
|
|
(slash, slash) and continue to the end of the physical line.
|
|
They cannot be continued across multiple physical lines; to have
|
|
one logical comment span multiple lines, each line must use the
|
|
.Li //
|
|
pair. For example:
|
|
|
|
.Bd -literal -offset indent
|
|
// This is the start of a comment. The next line
|
|
// is a new comment, even though it is logically
|
|
// part of the previous comment.
|
|
.Ed
|
|
|
|
Shell-style (or perl-style, if you prefer) comments start with the
|
|
character
|
|
.Li #
|
|
(hash or pound or number or octothorpe or whatever) and continue to
|
|
the end of the physical line, like C++ comments. For example:
|
|
|
|
.Bd -literal -offset indent
|
|
# This is the start of a comment. The next line
|
|
# is a new comment, even though it is logically
|
|
# part of the previous comment.
|
|
.Ed
|
|
|
|
.Em WARNING:
|
|
you cannot use the
|
|
.Li ;
|
|
(semicolon) character to start a comment such as you would in a zone
|
|
file. The semicolon indicates the end of a configuration statement,
|
|
so whatever follows it will be interpreted as the start of the next
|
|
statement.
|
|
|
|
.Ss Converting from BIND 4.9.x
|
|
|
|
.Pp
|
|
BIND 4.9.x configuration files can be converted to the new format
|
|
by using
|
|
.Pa src/bin/named/named-bootconf ,
|
|
a shell script that is part of the BIND 8.2.x source kit.
|
|
|
|
.Sh DOCUMENTATION DEFINITIONS
|
|
|
|
Described below are elements used throughout the BIND configuration
|
|
file documentation. Elements which are only associated with one
|
|
statement are described only in the section describing that statement.
|
|
|
|
.Bl -tag -width 1
|
|
.It Va acl_name
|
|
The name of an
|
|
.Va address_match_list
|
|
as defined by the
|
|
.Ic acl
|
|
statement.
|
|
|
|
.It Va address_match_list
|
|
A list of one or more
|
|
.Va ip_addr ,
|
|
.Va ip_prefix ,
|
|
.Va key_id ,
|
|
or
|
|
.Va acl_name
|
|
elements, as described in the
|
|
.Sx ADDRESS MATCH LISTS
|
|
section.
|
|
|
|
.It Va dotted-decimal
|
|
One or more integers valued 0 through 255 separated only by dots
|
|
(``.''), such as
|
|
.Li 123 ,
|
|
.Li 45.67
|
|
or
|
|
.Li 89.123.45.67 .
|
|
|
|
.It Va domain_name
|
|
A quoted string which will be used as a DNS name, for example
|
|
.Qq Li my.test.domain .
|
|
|
|
.It Va path_name
|
|
A quoted string which will be used as a pathname, such as
|
|
.Qq Li zones/master/my.test.domain .
|
|
|
|
.It Va ip_addr
|
|
An IP address in with exactly four elements in
|
|
.Va dotted-decimal
|
|
notation.
|
|
|
|
.It Va ip_port
|
|
An IP port
|
|
.Va number .
|
|
.Va number is limited to
|
|
.Li 0
|
|
through
|
|
.Li 65535 ,
|
|
with values below 1024 typically restricted to
|
|
root-owned processes. In some cases an asterisk (``*'') character
|
|
can be used as a placeholder to select a random high-numbered port.
|
|
|
|
.It Va ip_prefix
|
|
An IP network specified in
|
|
.Va dotted-decimal
|
|
form, followed by ``/''
|
|
and then the number of bits in the netmask. E.g.
|
|
.Li 127/8
|
|
is
|
|
the network
|
|
.Li 127.0.0.0
|
|
with netmask
|
|
.Li 255.0.0.0 .
|
|
.Li 1.2.3.0/28
|
|
is network
|
|
.Li 1.2.3.0
|
|
with netmask
|
|
.Li 255.255.255.240.
|
|
|
|
.It Va key_name
|
|
A string representing the name of a shared key, to be used for transaction
|
|
security.
|
|
|
|
.It Va number
|
|
A non-negative integer with an entire range limited by the range of a
|
|
C language signed integer (2,147,483,647 on a machine with 32 bit
|
|
integers). Its acceptable value might further be limited by the
|
|
context in which it is used.
|
|
|
|
.It Va size_spec
|
|
A
|
|
.Va number ,
|
|
the word
|
|
.Li unlimited ,
|
|
or the word
|
|
.Li default .
|
|
|
|
.Pp
|
|
The maximum value of
|
|
.Va size_spec
|
|
is that of unsigned long integers on the machine.
|
|
.Li unlimited
|
|
requests unlimited use, or the maximum available amount.
|
|
.Li default
|
|
uses the limit that was in force when the server was started.
|
|
|
|
.Pp
|
|
A
|
|
.Va number
|
|
can optionally be followed by a scaling factor:
|
|
.Li K
|
|
or
|
|
.Li k
|
|
for kilobytes,
|
|
.Li M
|
|
or
|
|
.Li m
|
|
for megabytes, and
|
|
.Li G
|
|
or
|
|
.Li g
|
|
for gigabytes, which scale by 1024, 1024*1024, and 1024*1024*1024
|
|
respectively.
|
|
|
|
.Pp
|
|
Integer storage overflow is currently silently ignored during
|
|
conversion of scaled values, resulting in values less than intended,
|
|
possibly even negative. Using
|
|
.Li unlimited
|
|
is the best way to safely set a really large number.
|
|
|
|
.It Va yes_or_no
|
|
Either
|
|
.Li yes
|
|
or
|
|
.Li no .
|
|
The words
|
|
.Li true
|
|
and
|
|
.Li false
|
|
are also accepted, as are the numbers
|
|
.Li 1 and
|
|
.Li 0 .
|
|
|
|
.El
|
|
|
|
.Sh ADDRESS MATCH LISTS
|
|
.Ss Syntax
|
|
|
|
.Bd -literal
|
|
\fIaddress_match_list\fR = 1\&*\fIaddress_match_element\fR
|
|
|
|
\fIaddress_match_element\fR = [ \&"!\&" ] ( \fIaddress_match_list\fR /
|
|
\fIip_address\fR / \fIip_prefix\fR /
|
|
\fIacl_name\fR / \&"key \&" \fIkey_id\fR ) \&";\&"
|
|
.Ed
|
|
|
|
.Ss Definition and Usage
|
|
|
|
Address match lists are primarily used to determine access control for
|
|
various server operations. They are also used to define priorities
|
|
for querying other nameservers and to set the addresses on which
|
|
.Nm named
|
|
will listen for queries.
|
|
The elements which constitute an address match list can be any
|
|
of the following:
|
|
|
|
.Bl -bullet
|
|
.It
|
|
an
|
|
.Va ip-address
|
|
(in
|
|
.Va dotted-decimal
|
|
notation,
|
|
.It
|
|
an
|
|
.Va ip-prefix
|
|
(in the '/'-notation),
|
|
.It
|
|
A
|
|
.Va key_id ,
|
|
as defined by the
|
|
.Ic key
|
|
statement,
|
|
.It
|
|
the name of an address match list previously defined with
|
|
the
|
|
.Ic acl
|
|
statement, or
|
|
.It
|
|
another
|
|
.Va address_match_list .
|
|
.El
|
|
|
|
.Pp
|
|
Elements can be negated with a leading exclamation mark (``!''), and
|
|
the match list names
|
|
.Li any ,
|
|
.Li none ,
|
|
.Li localhost
|
|
and
|
|
.Li localnets
|
|
are predefined. More information on those names can be found in the
|
|
description of the
|
|
.Ic acl
|
|
statement.
|
|
|
|
.Pp
|
|
The addition of the
|
|
.Ic key
|
|
clause made the name of this syntactic element something of a
|
|
misnomer, since security keys can be used to validate access without
|
|
regard to a host or network address. Nonetheless, the term ``address
|
|
match list'' is still used throughout the documentation.
|
|
|
|
.Pp
|
|
When a given IP address or prefix is compared to an address match
|
|
list, the list is traversed in order until an element matches. The
|
|
interpretation of a match depends on whether the list is being used
|
|
for access control, defining
|
|
.Ic listen-on
|
|
ports, or as a topology, and whether the element was
|
|
negated.
|
|
|
|
.Pp
|
|
When used as an access control list, a non-negated match allows access
|
|
and a negated match denies access. If there is no match at all in the
|
|
list, access is denied. The clauses
|
|
.Ic allow-query ,
|
|
.Ic allow-transfer ,
|
|
.Ic allow-update ,
|
|
.Ic allow-recursion ,
|
|
and
|
|
.Ic blackhole
|
|
all use address match lists like this. Similarly, the
|
|
.Ic listen-on
|
|
option will cause the server to not accept queries on any of the
|
|
machine's addresses which do not match the list.
|
|
|
|
.Pp
|
|
When used with the
|
|
.Ic topology
|
|
option, a non-negated match returns a distance based on its position on
|
|
the list (the closer the match is to the start of the list, the
|
|
shorter the distance is between it and the server). A negated match
|
|
will be assigned the maximum distance from the server. If there is no
|
|
match, the address will get a distance which is further than any
|
|
non-negated list element, and closer than any negated element.
|
|
|
|
.Pp
|
|
Because of the first-match aspect of the algorithm, an element that
|
|
defines a subset of another element in the list should come before the
|
|
broader element, regardless of whether either is negated. For
|
|
example, in
|
|
.Dl 1.2.3/24; !1.2.3.13
|
|
the 1.2.3.13 element is completely useless, because the algorithm will
|
|
match any lookup for 1.2.3.13 to the 1.2.3/24 element. Using
|
|
.Dl !1.2.3.13; 1.2.3/24
|
|
fixes that problem by having 1.2.3.13 blocked by the negation but all
|
|
other 1.2.3.* hosts fall through.
|
|
|
|
.Sh THE LOGGING STATEMENT
|
|
.Ss Syntax
|
|
|
|
.Bd -literal
|
|
logging {
|
|
[ channel \fIchannel_name\fR {
|
|
( file \fIpath_name\fR
|
|
[ versions ( \fInumber\fR | unlimited ) ]
|
|
[ size \fIsize_spec\fR ]
|
|
| syslog ( kern | user | mail | daemon | auth | syslog | lpr |
|
|
news | uucp | cron | authpriv | ftp |
|
|
local0 | local1 | local2 | local3 |
|
|
local4 | local5 | local6 | local7 )
|
|
| null );
|
|
|
|
[ severity ( critical | error | warning | notice |
|
|
info | debug [ \fIlevel\fR ] | dynamic ); ]
|
|
[ print-category \fIyes_or_no\fR; ]
|
|
[ print-severity \fIyes_or_no\fR; ]
|
|
[ print-time \fIyes_or_no\fR; ]
|
|
}; ]
|
|
|
|
[ category \fIcategory_name\fR {
|
|
\fIchannel_name\fR; [ \fIchannel_name\fR; ... ]
|
|
}; ]
|
|
...
|
|
};
|
|
.Ed
|
|
|
|
.Ss Definition and Usage
|
|
|
|
The
|
|
.Ic logging
|
|
statement configures a wide variety of logging options for the nameserver.
|
|
Its
|
|
.Ic channel
|
|
phrase associates output methods, format options and
|
|
severity levels with a name that can then be used with the
|
|
.Ic category
|
|
phrase to select how various classes of messages are logged.
|
|
|
|
.Pp
|
|
Only one
|
|
.Ic logging
|
|
statement is used to define as many channels and categories as are wanted.
|
|
If there are multiple logging statements in a configuration, the first
|
|
defined determines the logging, and warnings are issued for the
|
|
others. If there is no logging statement, the logging configuration
|
|
will be:
|
|
|
|
.Bd -literal
|
|
logging {
|
|
category default { default_syslog; default_debug; };
|
|
category panic { default_syslog; default_stderr; };
|
|
category packet { default_debug; };
|
|
category eventlib { default_debug; };
|
|
};
|
|
.Ed
|
|
|
|
The logging configuration is established as soon as the
|
|
.Ic logging
|
|
statement is parsed. If you want to redirect
|
|
messages about processing of the entire configuration file, the
|
|
.Ic logging
|
|
statement must appear first. Even if you do not
|
|
redirect configuration file parsing messages, we recommend
|
|
always putting the
|
|
.Ic logging
|
|
statement first so that this rule need not be consciously recalled if
|
|
you ever do need want the parser's messages relocated.
|
|
|
|
.Ss The channel phrase
|
|
|
|
All log output goes to one or more ``channels''; you can make as many
|
|
of them as you want.
|
|
|
|
.Pp
|
|
Every channel definition must include a clause that says whether
|
|
messages selected for the channel go to a file, to a particular syslog
|
|
facility, or are discarded. It can optionally also limit the message
|
|
severity level that will be accepted by the channel (default is
|
|
.Li info ) ,
|
|
and whether to include a time stamp generated by
|
|
.Nm named ,
|
|
the category name, or severity level. The default is not to include
|
|
any of those three.
|
|
|
|
.Pp
|
|
The word
|
|
.Li null
|
|
as the destination option for the
|
|
channel will cause all messages sent to it to be discarded; other
|
|
options for the channel are meaningless.
|
|
|
|
.Pp
|
|
The
|
|
.Ic file
|
|
clause can include limitations both on how
|
|
large the file is allowed to become, and how many versions of the file
|
|
will be saved each time the file is opened.
|
|
|
|
.Pp
|
|
The
|
|
.Ic size
|
|
option for files is simply a hard ceiling on
|
|
log growth. If the file ever exceeds the size, then
|
|
.Nm named
|
|
will just not write anything more to it until the file is reopened;
|
|
exceeding the size does not automatically trigger a reopen. The
|
|
default behavior is to not limit the size of the file.
|
|
|
|
.Pp
|
|
If you use the
|
|
.Ic version
|
|
logfile option, then
|
|
.Nm named
|
|
will retain that many backup versions of the file
|
|
by renaming them when opening. For example, if you choose to keep 3
|
|
old versions of the file lamers.log then just before it is opened
|
|
lamers.log.1 is renamed to lames.log.2, lamers.log.0 is renamed to
|
|
lamers.log.1, and lamers.log is renamed to lamers.log.0. No rolled
|
|
versions are kept by default; any existing log file is simply appended.
|
|
The
|
|
.Li unlimited
|
|
keyword is synonymous with
|
|
.Li 99
|
|
in current BIND releases. Example usage of size and versions options:
|
|
|
|
.Bd -literal
|
|
channel an_example_level {
|
|
file "lamers.log" versions 3 size 20m;
|
|
print-time yes;
|
|
print-category yes;
|
|
};
|
|
.Ed
|
|
|
|
.Pp
|
|
The argument for the
|
|
.Ic syslog
|
|
clause is a syslog facility as described in the
|
|
.Xr syslog 3
|
|
manual page. How
|
|
.Nm syslogd
|
|
will handle messages sent to this facility is described in the
|
|
.Xr syslog.conf 5
|
|
manual page. If you have a system which uses a very old version of
|
|
syslog that only uses two arguments to the
|
|
.Fn openlog()
|
|
function, then this clause is silently ignored.
|
|
|
|
.Pp
|
|
The
|
|
.Ic severity
|
|
clause works like syslog's ``priorities'', except that they can also be
|
|
used if you are writing straight to a file rather than using
|
|
syslog. Messages which are not at least of the severity level given
|
|
will not be selected for the channel; messages of higher severity
|
|
levels will be accepted.
|
|
|
|
.Pp
|
|
If you are using syslog, then the
|
|
.Pa syslog.conf
|
|
priorities will also determine what eventually passes through.
|
|
For example, defining a channel facility and severity as
|
|
.Li daemon
|
|
and
|
|
.Li debug
|
|
but only logging
|
|
.Li daemon.warning
|
|
via
|
|
.Pa syslog.conf
|
|
will cause messages of severity
|
|
.Li info
|
|
and
|
|
.Li notice
|
|
to be dropped. If the situation were reversed, with
|
|
.Nm named
|
|
writing messages of only
|
|
.Li warning
|
|
or higher, then
|
|
.Nm syslogd
|
|
would print all messages it received from the channel.
|
|
|
|
.Pp
|
|
The server can supply extensive debugging information when it is in
|
|
debugging mode. If the server's global debug level is greater than
|
|
zero, then debugging mode will be active. The global debug level is
|
|
set either by starting the
|
|
.Nm named
|
|
server with the
|
|
.Fl d
|
|
flag followed by a positive integer, or by sending the running server the
|
|
.Dv SIGUSR1
|
|
signal (for example, by using
|
|
.Ic ndc trace ) .
|
|
The global debug level can be set to
|
|
zero, and debugging mode turned off, by sending the server the
|
|
.Dv SIGUSR2
|
|
signal (as with
|
|
.Ic ndc notrace ) .
|
|
All debugging messages in the server have a
|
|
debug level, and higher debug levels give more more detailed output.
|
|
Channels that specify a specific debug severity, e.g.
|
|
|
|
.Bd -literal
|
|
channel specific_debug_level {
|
|
file \&"foo\&";
|
|
severity debug 3;
|
|
};
|
|
.Ed
|
|
|
|
will get debugging output of level 3 or less any time the
|
|
server is in debugging mode, regardless of the global debugging level.
|
|
Channels with
|
|
.Li dynamic
|
|
severity use the server's global level to determine what messages to
|
|
print.
|
|
|
|
.Pp
|
|
If
|
|
.Ic print-time
|
|
has been turned on, then the date and time will be logged.
|
|
.Ic print-time
|
|
may be specified for a syslog channel, but is usually pointless since
|
|
syslog also prints the date and time.
|
|
If
|
|
.Ic print-category
|
|
is requested, then the category of the message will be logged as well.
|
|
Finally, if
|
|
.Ic print-severity
|
|
is on, then the severity level of the message will be logged. The
|
|
.Ic print-
|
|
options may be used
|
|
in any combination, and will always be printed in the following order:
|
|
time, category, severity. Here is an example where all three
|
|
.Ic print-
|
|
options are on:
|
|
|
|
.Bd -literal
|
|
28-Apr-1997 15:05:32.863 default: notice: Ready to answer queries.
|
|
.Ed
|
|
|
|
.Pp
|
|
There are four predefined channels that are used for
|
|
.Nm named 's
|
|
default logging as follows. How they are used
|
|
used is described in the next section,
|
|
.Sx The category phrase.
|
|
|
|
.Bd -literal
|
|
channel default_syslog {
|
|
syslog daemon; # send to syslog's daemon facility
|
|
severity info; # only send priority info and higher
|
|
};
|
|
|
|
channel default_debug {
|
|
file \&"named.run\&"; # write to named.run in the working directory
|
|
# Note: stderr is used instead of \&"named.run\&"
|
|
# if the server is started with the -f option.
|
|
severity dynamic; # log at the server's current debug level
|
|
};
|
|
|
|
channel default_stderr { # writes to stderr
|
|
file \&"<stderr>\&"; # this is illustrative only; there's currently
|
|
# no way of specifying an internal file
|
|
# descriptor in the configuration language.
|
|
severity info; # only send priority info and higher
|
|
};
|
|
|
|
channel null {
|
|
null; # toss anything sent to this channel
|
|
};
|
|
.Ed
|
|
|
|
Once a channel is defined, it cannot be redefined. Thus you cannot
|
|
alter the built-in channels directly, but you can modify the default
|
|
logging by pointing categories at channels you have defined.
|
|
|
|
.Ss The category phrase
|
|
|
|
There are many categories, so you can send the logs you want to see
|
|
wherever you want, without seeing logs you don't want. If you don't
|
|
specify a list of channels for a category, then log messages in that
|
|
category will be sent to the
|
|
.Li default
|
|
category instead.
|
|
If you don't specify a default category, the following ``default
|
|
default'' is used:
|
|
|
|
.Bd -literal
|
|
category default { default_syslog; default_debug; };
|
|
.Ed
|
|
|
|
As an example, let's say you want to log security events to a file,
|
|
but you also want keep the default logging behavior. You'd specify
|
|
the following:
|
|
|
|
.Bd -literal
|
|
channel my_security_channel {
|
|
file \&"my_security_file\&";
|
|
severity info;
|
|
};
|
|
category security { my_security_channel;
|
|
default_syslog; default_debug; };
|
|
.Ed
|
|
|
|
To discard all messages in a category, specify the
|
|
.Li null
|
|
channel:
|
|
|
|
.Bd -literal
|
|
category lame-servers { null; };
|
|
category cname { null; };
|
|
.Ed
|
|
|
|
The following categories are available:
|
|
|
|
.Bl -tag -width 1
|
|
.It Ic default
|
|
The catch-all. Many things still aren't classified into categories,
|
|
and they all end up here. Also, if you don't specify any channels for
|
|
a category, the default category is used instead. If you do not
|
|
define the default category, the following definition is used:
|
|
.Dl category default { default_syslog; default_debug; };
|
|
|
|
.It Ic config
|
|
High-level configuration file processing.
|
|
|
|
.It Ic parser
|
|
Low-level configuration file processing.
|
|
|
|
.It Ic queries
|
|
A short log message is generated for every query the server receives.
|
|
|
|
.It Ic lame-servers
|
|
Messages like ``Lame server on ...''
|
|
|
|
.It Ic statistics
|
|
Statistics.
|
|
|
|
.It Ic panic
|
|
If the server has to shut itself down due to an internal problem, it
|
|
will log the problem in this category as well as in the problem's native
|
|
category. If you do not define the panic category, the following definition
|
|
is used:
|
|
.Dl category panic { default_syslog; default_stderr; };
|
|
|
|
.It Ic update
|
|
Dynamic updates.
|
|
|
|
.It Ic ncache
|
|
Negative caching.
|
|
|
|
.It Ic xfer-in
|
|
Zone transfers the server is receiving.
|
|
|
|
.It Ic xfer-out
|
|
Zone transfers the server is sending.
|
|
|
|
.It Ic db
|
|
All database operations.
|
|
|
|
.It Ic eventlib
|
|
Debugging info from the event system. Only one channel may be specified for
|
|
this category, and it must be a file channel. If you do not define the
|
|
eventlib category, the following definition is used:
|
|
.Dl category eventlib { default_debug; };
|
|
|
|
.It Ic packet
|
|
Dumps of packets received and sent. Only one channel may be specified for
|
|
this category, and it must be a file channel. If you do not define the
|
|
packet category, the following definition is used:
|
|
.Dl category packet { default_debug; };
|
|
|
|
.It Ic notify
|
|
The NOTIFY protocol.
|
|
|
|
.It Ic cname
|
|
Messages like ``... points to a CNAME''.
|
|
|
|
.It Ic security
|
|
Approved/unapproved requests.
|
|
|
|
.It Ic os
|
|
Operating system problems.
|
|
|
|
.It Ic insist
|
|
Internal consistency check failures.
|
|
|
|
.It Ic maintenance
|
|
Periodic maintenance events.
|
|
|
|
.It Ic load
|
|
Zone loading messages.
|
|
|
|
.It Ic response-checks
|
|
Messages arising from response checking, such as
|
|
``Malformed response ...'', ``wrong ans. name ...'',
|
|
``unrelated additional info ...'', ``invalid RR type ...'',
|
|
and ``bad referral ...''.
|
|
|
|
.El
|
|
|
|
.Sh THE OPTIONS STATEMENT
|
|
.Ss Syntax
|
|
|
|
.Bd -literal
|
|
options {
|
|
[ version \fIversion_string\fR; ]
|
|
[ directory \fIpath_name\fR; ]
|
|
[ named-xfer \fIpath_name\fR; ]
|
|
[ dump-file \fIpath_name\fR; ]
|
|
[ memstatistics-file \fIpath_name\fR; ]
|
|
[ pid-file \fIpath_name\fR; ]
|
|
[ statistics-file \fIpath_name\fR; ]
|
|
[ auth-nxdomain \fIyes_or_no\fR; ]
|
|
[ deallocate-on-exit \fIyes_or_no\fR; ]
|
|
[ dialup \fIyes_or_no\fR; ]
|
|
[ fake-iquery \fIyes_or_no\fR; ]
|
|
[ fetch-glue \fIyes_or_no\fR; ]
|
|
[ has-old-clients \fIyes_or_no\fR; ]
|
|
[ host-statistics \fIyes_or_no\fR; ]
|
|
[ multiple-cnames \fIyes_or_no\fR; ]
|
|
[ notify \fIyes_or_no\fR; ]
|
|
[ recursion \fIyes_or_no\fR; ]
|
|
[ rfc2308-type1 \fIyes_or_no\fR; ]
|
|
[ use-id-pool \fIyes_or_no\fR; ]
|
|
[ treat-cr-as-space \fIyes_or_no\fR; ]
|
|
[ also-notify \fIyes_or_no\fR; ]
|
|
[ forward ( only | first ); ]
|
|
[ forwarders { [ \fIin_addr\fR ; [ \fIin_addr\fR ; ... ] ] }; ]
|
|
[ check-names ( master | slave | response ) ( warn | fail | ignore); ]
|
|
[ allow-query { \fIaddress_match_list\fR }; ]
|
|
[ allow-recursion { \fIaddress_match_list\fR }; ]
|
|
[ allow-transfer { \fIaddress_match_list\fR }; ]
|
|
[ blackhole { \fIaddress_match_list\fR }; ]
|
|
[ listen-on [ port \fIip_port\fR ] { \fIaddress_match_list\fR }; ]
|
|
[ query-source [ address ( \fIip_addr\fR | * ) ]
|
|
[ port ( \fIip_port\fR | * ) ] ; ]
|
|
[ lame-ttl \fInumber\fR; ]
|
|
[ max-transfer-time-in \fInumber\fR; ]
|
|
[ max-ncache-ttl \fInumber\fR; ]
|
|
[ min-roots \fInumber\fR; ]
|
|
[ serial-queries \fInumber\fR; ]
|
|
[ transfer-format ( one-answer | many-answers ); ]
|
|
[ transfers-in \fInumber\fR; ]
|
|
[ transfers-out \fInumber\fR; ]
|
|
[ transfers-per-ns \fInumber\fR; ]
|
|
[ transfer-source \fIip_addr\fR; ]
|
|
[ maintain-ixfr-base \fIyes_or_no\fR; ]
|
|
[ max-ixfr-log-size \fInumber\fR; ]
|
|
[ coresize \fIsize_spec\fR ; ]
|
|
[ datasize \fIsize_spec\fR ; ]
|
|
[ files \fIsize_spec\fR ; ]
|
|
[ stacksize \fIsize_spec\fR ; ]
|
|
[ cleaning-interval \fInumber\fR; ]
|
|
[ heartbeat-interval \fInumber\fR; ]
|
|
[ interface-interval \fInumber\fR; ]
|
|
[ statistics-interval \fInumber\fR; ]
|
|
[ topology { \fIaddress_match_list\fR }; ]
|
|
[ sortlist { \fIaddress_match_list|fR }; ]
|
|
[ rrset-order { \fIorder_spec\fR ; [ \fIorder_spec\fR ; ... [ [ };
|
|
};
|
|
.Ed
|
|
|
|
.Ss Definition and Usage
|
|
|
|
The options statement sets up global options to be used by
|
|
BIND. This statement may appear at only once in a
|
|
configuration file; if more than one occurrence is found, the
|
|
first occurrence determines the actual options used,
|
|
and a warning will be generated. If there is no options statement,
|
|
an options block with each option set to its default will be used.
|
|
|
|
.Ss Pathnames
|
|
|
|
.Bl -tag -width 1
|
|
|
|
.It Ic version
|
|
The version the server should report via the ndc command or via a query of
|
|
name
|
|
.Pa version.bind
|
|
in class chaos. The default is the real version number of ths server,
|
|
but some server operators prefer the string (
|
|
.Ic surely you must be joking
|
|
).
|
|
|
|
.It Ic directory
|
|
The working directory of the server. Any non-absolute
|
|
pathnames in the configuration file will be taken as relative to this
|
|
directory. The default location for most server output files
|
|
(e.g.
|
|
.Pa named.run )
|
|
is this directory. If a directory is not
|
|
specified, the working directory defaults to
|
|
.Pa . ,
|
|
the directory from which the
|
|
server was started. The directory specified should be an absolute path.
|
|
|
|
.It Ic named-xfer
|
|
The pathname to the named-xfer program that the server uses for
|
|
inbound zone transfers. If not specified, the default is
|
|
system dependent (e.g.
|
|
.Pa /usr/sbin/named-xfer
|
|
).
|
|
|
|
.It Ic dump-file
|
|
The pathname of the file the server dumps the database to when it
|
|
receives
|
|
.Dv SIGINT
|
|
signal (as sent by
|
|
.Ic ndc dumpdb
|
|
). If not specified, the default is
|
|
.Pa named_dump.db .
|
|
|
|
.It Ic memstatistics-file
|
|
The pathname of the file the server writes memory usage statistics to
|
|
on exit, if
|
|
.Ic deallocate-on-exit
|
|
is
|
|
.Li yes .
|
|
If not specified, the default is
|
|
.Pa named.memstats .
|
|
|
|
.It Ic pid-file
|
|
The pathname of the file the server writes its process ID in. If not
|
|
specified, the default is operating system dependent, but is usually
|
|
.Pa /var/run/named.pid
|
|
or
|
|
.Pa /etc/named.pid .
|
|
The pid-file is used by programs like
|
|
.Nm ndc
|
|
that want to send signals to the running nameserver.
|
|
|
|
.It Ic statistics-file
|
|
The pathname of the file the server appends statistics to when it
|
|
receives
|
|
.Dv SIGILL
|
|
signal (from
|
|
.Ic ndc stats ) .
|
|
If not specified, the default is
|
|
.Pa named.stats .
|
|
.El
|
|
|
|
.Ss Boolean Options
|
|
|
|
.Bl -tag -width 1
|
|
.It Ic auth-nxdomain
|
|
If
|
|
.Li yes ,
|
|
then the
|
|
.Li AA
|
|
bit is always set on
|
|
.Dv NXDOMAIN
|
|
responses, even if the server is not actually authoritative.
|
|
The default is
|
|
.Li yes .
|
|
Do not turn off
|
|
.Ic auth-nxdomain
|
|
unless you are sure you know what you are
|
|
doing, as some older software won't like it.
|
|
|
|
.It Ic deallocate-on-exit
|
|
If
|
|
.Li yes ,
|
|
then when the server exits it will painstakingly deallocate every
|
|
object it allocated, and then write a memory usage report to the
|
|
.Ic memstatistics-file .
|
|
The default is
|
|
.Li no ,
|
|
because it is faster to let the operating system clean up.
|
|
.Ic deallocate-on-exit
|
|
is handy for detecting memory leaks.
|
|
|
|
.It Ic dialup
|
|
If
|
|
.Li yes ,
|
|
then the server treats all zones as if they are doing zone transfers
|
|
across a dial on demand dialup link, which can be brought up by
|
|
traffic originating from this server. This has different effects
|
|
according to zone type and concentrates the zone maintenance so that
|
|
it all happens in a short interval, once every
|
|
.Ic heartbeat-interval
|
|
and hopefully during the one call.
|
|
It also suppresses some of the normal zone maintenance traffic.
|
|
The default is
|
|
.Li no .
|
|
The
|
|
.Ic dialup
|
|
option may also be specified in the
|
|
.Ic zone
|
|
statement, in which
|
|
case it overrides the
|
|
.Ic options dialup
|
|
statement.
|
|
|
|
.Pp
|
|
If the zone is a
|
|
.Ic master
|
|
then the server will send out
|
|
.Dv NOTIFY
|
|
request to all the slaves.
|
|
This will trigger the zone up to date checking in the slave (providing
|
|
it supports
|
|
.Dv NOTIFY )
|
|
allowing the slave
|
|
to verify the zone while the call us up.
|
|
|
|
.Pp
|
|
If the zone is a
|
|
.Ic slave
|
|
or
|
|
.Ic stub
|
|
then the server will suppress the zone regular zone up to date queries
|
|
and only perform the when the
|
|
.Ic heartbeat-interval
|
|
expires.
|
|
|
|
.It Ic fake-iquery
|
|
If
|
|
.Li yes ,
|
|
the server will simulate the obsolete DNS query type
|
|
.Dv IQUERY .
|
|
The default is
|
|
.Li no .
|
|
|
|
.It Ic fetch-glue
|
|
If
|
|
.Li yes
|
|
(the default), the server will fetch ``glue'' resource
|
|
records it doesn't have when constructing the additional data section of
|
|
a response.
|
|
.Ic fetch-glue no
|
|
can be used in conjunction with
|
|
.Ic recursion no
|
|
to prevent the server's cache from growing or
|
|
becoming corrupted (at the cost of requiring more work from the client).
|
|
|
|
.It Ic has-old-clients
|
|
Setting the option to
|
|
.Li yes ,
|
|
is equivalent to setting the following three options:
|
|
.Ic auth-nxdomain yes ;,
|
|
.Ic maintain-ixfr-base yes ;,
|
|
and
|
|
.Ic rfc2308-type1 no ;
|
|
. The use of
|
|
.Ic has-old-clients
|
|
with
|
|
.Ic auth-nxdomain ,
|
|
.Ic maintain-ixfr-base ,
|
|
and
|
|
.Ic rfc2308-type1
|
|
is order dependant.
|
|
|
|
.It Ic host-statistics
|
|
If
|
|
.Li yes ,
|
|
then statistics are kept for every host that the the nameserver
|
|
interacts with. The default is
|
|
.Li no .
|
|
.Em Note:
|
|
turning on
|
|
.Ic host-statistics
|
|
can consume huge amounts of memory.
|
|
|
|
.It Ic maintain-ixfr-base
|
|
If
|
|
.Li yes ,
|
|
statistics are kept for every host that the nameserver interacts with. The default is
|
|
.Li no .
|
|
.Em Note:
|
|
turning on
|
|
.Li host-statistics
|
|
can consume huge amounts of memory.
|
|
|
|
.It Ic multiple-cnames
|
|
If
|
|
.Li yes ,
|
|
then multiple CNAME resource records will be
|
|
allowed for a domain name. The default is
|
|
.Li no .
|
|
Allowing multiple CNAME records is against standards and is not recommended.
|
|
Multiple CNAME support is available because previous versions of BIND
|
|
allowed multiple CNAME records, and these records have been used for load
|
|
balancing by a number of sites.
|
|
|
|
.It Ic notify
|
|
If
|
|
.Li yes
|
|
(the default), DNS NOTIFY messages are sent when a
|
|
zone the server is authoritative for changes. The use of NOTIFY
|
|
speeds convergence between the master and its slaves. Slave servers
|
|
that receive a NOTIFY message and understand it will contact the
|
|
master server for the zone and see if they need to do a zone transfer, and
|
|
if they do, they will initiate it immediately. The
|
|
.Ic notify
|
|
option may also be specified in the
|
|
.Ic zone
|
|
statement, in which case it overrides the
|
|
.Ic options notify
|
|
statement.
|
|
|
|
.It Ic recursion
|
|
If
|
|
.Li yes ,
|
|
and a DNS query requests recursion, then the
|
|
server will attempt to do all the work required to answer the query.
|
|
If recursion is not on, the server will return a referral to the
|
|
client if it doesn't know the answer. The default is
|
|
.Li yes .
|
|
See also
|
|
.Ic fetch-glue
|
|
above.
|
|
|
|
.It Ic rfc2308-type1
|
|
If
|
|
.Li yes,
|
|
the server will send NS records along with the SOA record for negative
|
|
answers. You need to set this to no if you have an old BIND server using
|
|
you as a forwarder that does not understand negative answers which contain
|
|
both SOA and NS records or you have an old version of sendmail. The correct
|
|
fix is to upgrade the broken server or sendmail. The default is
|
|
.Li no .
|
|
|
|
.It Ic use-id-pool
|
|
If
|
|
.Li yes,
|
|
the server will keep track of its own outstanding query ID's to avoid duplication
|
|
and increase randomness. This will result in 128KB more memory being consumed
|
|
by the server. The default is
|
|
.Li no .
|
|
|
|
.It Ic treat-cr-as-space
|
|
If
|
|
.Li yes,
|
|
the server will treat CR characters the same way it treats a space
|
|
or tab. This may be necessary when loading zone files on a UNIX system
|
|
that were generated on an NT or DOS machine. The default is
|
|
.Li no .
|
|
|
|
|
|
.El
|
|
|
|
.Ss Also-Notify
|
|
|
|
.Ic also-notify
|
|
|
|
Defines a global list of IP addresses that also get sent NOTIFY messages
|
|
whenever a fresh copy of the zone is loaded. This helps to ensure that copies of
|
|
the zones will quickly converge on ``stealth'' servers. If an
|
|
.Ic also-notify
|
|
list is given in a
|
|
.Ic zone
|
|
statement, it will override the
|
|
.Ic options also-notify
|
|
statement. When a
|
|
.Ic zone notify
|
|
statement is set to
|
|
.Ic no ,
|
|
the IP addresses in
|
|
the global
|
|
.Ic also-notify
|
|
list will not get sent NOTIFY messages for that zone.
|
|
The default is the empty list (no global notification list).
|
|
|
|
.Ss Forwarding
|
|
|
|
.Pp
|
|
The forwarding facility can be used to create a large site-wide
|
|
cache on a few servers, reducing traffic over links to external
|
|
nameservers. It can also be used to allow queries by servers that do
|
|
not have direct access to the Internet, but wish to look up exterior
|
|
names anyway. Forwarding occurs only on those queries for which the
|
|
server is not authoritative and does not have the answer in its cache.
|
|
|
|
.Bl -tag -width 1
|
|
.It Ic forward
|
|
This option is only meaningful if the
|
|
.Ic forwarders
|
|
list is
|
|
not empty. A value of
|
|
.Li first ,
|
|
the default, causes the
|
|
server to query the forwarders first, and if that doesn't answer the
|
|
question the server will then look for the answer itself. If
|
|
.Li only
|
|
is specified, the server will only query the forwarders.
|
|
|
|
.It Ic forwarders
|
|
Specifies the IP addresses to be used for forwarding. The default is the
|
|
empty list (no forwarding).
|
|
.El
|
|
|
|
.Pp
|
|
Forwarding can also be configured on a per-zone basis, allowing for
|
|
the global forwarding options to be overridden in a variety of ways.
|
|
You can set particular zones to use different forwarders, or have
|
|
different
|
|
.Ic forward only/first
|
|
behavior, or to not forward
|
|
at all. See
|
|
.Sx THE ZONE STATEMENT
|
|
section for more information.
|
|
|
|
.Pp
|
|
Future versions of BIND 8 will provide a more powerful forwarding
|
|
system. The syntax described above will continue to be supported.
|
|
|
|
.Ss Name Checking
|
|
|
|
The server can check domain names based upon their expected client contexts.
|
|
For example, a domain name used as a hostname can be checked for compliance
|
|
with the RFCs defining valid hostnames.
|
|
|
|
.Pp
|
|
Three checking methods are available:
|
|
|
|
.Bl -tag -width 1
|
|
.It Ic ignore
|
|
No checking is done.
|
|
|
|
.It Ic warn
|
|
Names are checked against their expected client contexts. Invalid names are
|
|
logged, but processing continues normally.
|
|
|
|
.It Ic fail
|
|
Names are checked against their expected client contexts. Invalid names are
|
|
logged, and the offending data is rejected.
|
|
.El
|
|
|
|
.Pp
|
|
The server can check names three areas: master zone files, slave
|
|
zone files, and in responses to queries the server has initiated. If
|
|
.Ic check-names response fail
|
|
has been specified, and
|
|
answering the client's question would require sending an invalid name
|
|
to the client, the server will send a
|
|
.Dv REFUSED
|
|
response code to the client.
|
|
|
|
.Pp
|
|
The defaults are:
|
|
|
|
.Bd -literal
|
|
check-names master fail;
|
|
check-names slave warn;
|
|
check-names response ignore;
|
|
.Ed
|
|
|
|
.Pp
|
|
.Ic check-names
|
|
may also be specified in the
|
|
.Ic zone
|
|
statement, in which case it overrides the
|
|
.Ic options check-names
|
|
statement. When used in a
|
|
.Ic zone
|
|
statement, the area is not specified (because it can be deduced from
|
|
the zone type).
|
|
|
|
.Ss Access Control
|
|
|
|
.Pp
|
|
Access to the server can be restricted based on the IP address of the
|
|
requesting system or via shared secret keys. See
|
|
.Sx ADDRESS MATCH LISTS
|
|
for details on how to specify access criteria.
|
|
|
|
.Bl -tag -width 1
|
|
.It Ic allow-query
|
|
Specifies which hosts are allowed to ask ordinary questions.
|
|
.Ic allow-query
|
|
may also be specified in the
|
|
.Ic zone
|
|
statement, in which case it overrides the
|
|
.Ic options allow-query
|
|
statement. If not specified, the default is
|
|
|
|
.Bl -tag -width 1
|
|
.It Ic allow-recursion
|
|
Specifies which hosts are allowed to ask recursive questions.
|
|
.Ic allow-recursion
|
|
may also be specified in the
|
|
.Ic zone
|
|
statement, in which case it overrides the
|
|
.Ic options allow-recursion
|
|
statement. If not specified, the default is to allow recursive queries
|
|
from all hosts.
|
|
|
|
.It Ic allow-transfer
|
|
Specifies which hosts are allowed to receive zone transfers from the
|
|
server.
|
|
.Ic allow-transfer
|
|
may also be specified in the
|
|
.Ic zone
|
|
statement, in which case it overrides the
|
|
.Ic options allow-transfer
|
|
statement. If not specified, the default
|
|
is to allow transfers from all hosts.
|
|
|
|
.It Ic blackhole
|
|
Specifies a list of addresses that the server will not accept queries from
|
|
or use to resolve a query. Queries from these addresses will not be
|
|
responded to.
|
|
.El
|
|
.El
|
|
|
|
.Ss Interfaces
|
|
|
|
.Pp
|
|
The interfaces and ports that the server will answer queries from may
|
|
be specified using the
|
|
.Ic listen-on
|
|
option.
|
|
.Ic listen-on
|
|
takes an optional port, and an address match list.
|
|
The server will listen on all interfaces allowed by the address match
|
|
list. If a port is not specified, port 53 will be used.
|
|
|
|
.Pp
|
|
Multiple
|
|
.Ic listen-on
|
|
statements are allowed. For example,
|
|
|
|
.Bd -literal
|
|
listen-on { 5.6.7.8; };
|
|
listen-on port 1234 { !1.2.3.4; 1.2/16; };
|
|
.Ed
|
|
|
|
will enable the nameserver on port 53 for the IP address 5.6.7.8, and
|
|
on port 1234 of an address on the machine in net 1.2 that is not
|
|
1.2.3.4.
|
|
|
|
.Pp
|
|
If no
|
|
.Ic listen-on
|
|
is specified, the server will listen on port
|
|
53 on all interfaces.
|
|
|
|
.Ss Query Address
|
|
|
|
.Pp
|
|
If the server doesn't know the answer to a question, it will query
|
|
other nameservers.
|
|
.Ic query-source
|
|
specifies the address and port used for such queries. If
|
|
.Ic address
|
|
is
|
|
.Li *
|
|
or is omitted, a wildcard IP address
|
|
(
|
|
.Dv INADDR_ANY )
|
|
will be used. If
|
|
.Va port
|
|
is
|
|
.Li *
|
|
or is omitted, a random unprivileged port will be used.
|
|
The default is
|
|
.Dl query-source address * port *;
|
|
|
|
.Pp
|
|
Note:
|
|
.Ic query-source
|
|
currently applies only to UDP queries;
|
|
TCP queries always use a wildcard IP address and a random unprivileged
|
|
port.
|
|
|
|
.Ss Zone Transfers
|
|
|
|
.Bl -tag -width 1
|
|
.It Ic max-transfer-time-in
|
|
Inbound zone transfers (
|
|
.Nm named-xfer
|
|
processes) running
|
|
longer than this many minutes will be terminated.
|
|
The default is 120 minutes (2 hours).
|
|
|
|
.It Ic transfer-format
|
|
The server supports two zone transfer methods.
|
|
.Li one-answer
|
|
uses one DNS message per resource record
|
|
transferred.
|
|
.Li many-answers
|
|
packs as many resource records
|
|
as possible into a message.
|
|
.Li many-answers
|
|
is more efficient, but is only known to be understood by BIND 8.1 and
|
|
patched versions of BIND 4.9.5. The default is
|
|
.Li one-answer .
|
|
.Ic transfer-format
|
|
may be overridden on a per-server basis by using the
|
|
.Ic server
|
|
statement.
|
|
|
|
.It Ic transfers-in
|
|
The maximum number of inbound zone transfers that can be running
|
|
concurrently. The default value is 10. Increasing
|
|
.Ic transfers-in
|
|
may speed up the convergence of slave zones,
|
|
but it also may increase the load on the local system.
|
|
|
|
.It Ic transfers-out
|
|
This option will be used in the future to limit the number of
|
|
concurrent outbound zone transfers. It is checked for syntax, but is
|
|
otherwise ignored.
|
|
|
|
.It Ic transfers-per-ns
|
|
The maximum number of inbound zone transfers (
|
|
.Nm named-xfer
|
|
processes) that can be concurrently transferring from a given remote
|
|
nameserver. The default value is 2. Increasing
|
|
.Ic transfers-per-ns
|
|
may speed up the convergence of slave zones, but it also may increase
|
|
the load on the remote nameserver.
|
|
.Ic transfers-per-ns
|
|
may be overridden on a per-server basis by using the
|
|
.Ic transfers
|
|
phrase of the
|
|
.Ic server
|
|
statement.
|
|
|
|
.It Ic transfer-source
|
|
.Nm transfer-source
|
|
determines which local address will be bound to the TCP connection used to fetch all zones
|
|
transferred inbound by the server. If not set, it defaults to a system controlled value which will usually be the address of the interface ``closest to`` the remote end. This
|
|
address must appear in the remote end's
|
|
.Nm allow-transfer
|
|
option for the zones being transferred, if one is specified. This statement sets the
|
|
.Nm transfer-source
|
|
for all zones, but can be overriden on a per-zone basis by includinga
|
|
.Nm transfer-source
|
|
statement within the zone block in the configuration file.
|
|
.El
|
|
|
|
.Ss Resource Limits
|
|
|
|
.Pp
|
|
The server's usage of many system resources can be limited. Some
|
|
operating systems don't support some of the limits. On such systems,
|
|
a warning will be issued if the unsupported limit is used. Some
|
|
operating systems don't support limiting resources, and on these systems
|
|
a
|
|
.D1 cannot set resource limits on this system
|
|
message will
|
|
be logged.
|
|
|
|
.Pp
|
|
Scaled values are allowed when specifying resource limits. For
|
|
example,
|
|
.Li 1G
|
|
can be used instead of
|
|
.Li 1073741824
|
|
to specify a limit of one gigabyte.
|
|
.Li unlimited
|
|
requests unlimited use, or the maximum
|
|
available amount.
|
|
.Li default
|
|
uses the limit that was in
|
|
force when the server was started.
|
|
See the definition of
|
|
.Va size_spec
|
|
in the
|
|
.Sx DOCUMENTATION DEFINITIONS
|
|
section for more details.
|
|
|
|
.Bl -tag -width 1
|
|
.It Ic coresize
|
|
The maximum size of a core dump. The default value is
|
|
.Li default .
|
|
|
|
.It Ic datasize
|
|
The maximum amount of data memory the server may use. The default
|
|
value is
|
|
.Li default .
|
|
|
|
.It Ic files
|
|
The maximum number of files the server may have open concurrently.
|
|
The default value is
|
|
.Li unlimited .
|
|
Note that on some operating systems the server cannot set an unlimited
|
|
value and cannot determine the maximum number of open files the kernel
|
|
can support. On such systems, choosing
|
|
.Li unlimited
|
|
will cause the server to use
|
|
the larger of the
|
|
.Va rlim_max
|
|
from
|
|
.Fn getrlimit RLIMIT_NOFILE
|
|
and the value returned by
|
|
.Fn sysconf _SC_OPEN_MAX .
|
|
If the
|
|
actual kernel limit is larger than this value, use
|
|
.Ic limit files
|
|
to specify the limit explicitly.
|
|
|
|
.It Ic max-ixfr-log-size
|
|
The
|
|
.Li max-ixfr-log-size
|
|
will be used in a future release of the server to limit the size of the transaction
|
|
log kept for Incremental Zone Transfer.
|
|
|
|
.It Ic stacksize
|
|
The maximum amount of stack memory the server may use. The default value is
|
|
.Li default .
|
|
.El
|
|
|
|
.Ss Periodic Task Intervals
|
|
|
|
.Bl -tag -width 1
|
|
.It Ic cleaning-interval
|
|
The server will remove expired resource records from the cache every
|
|
|
|
.Ic cleaning-interval
|
|
minutes. The default is 60 minutes. If set
|
|
to 0, no periodic cleaning will occur.
|
|
|
|
.It Ic heartbeat-interval
|
|
The server will perform zone maintenance tasks for all zones marked
|
|
.Ic dialup yes
|
|
whenever this interval expires.
|
|
The default is 60 minutes. Reasonable values are up to 1 day (1440 minutes).
|
|
If set to 0, no zone maintenance for these zones will occur.
|
|
|
|
.It Ic interface-interval
|
|
The server will scan the network interface list every
|
|
.Ic interface-interval
|
|
minutes. The default is 60 minutes.
|
|
If set to 0, interface scanning will only occur when the configuration
|
|
file is loaded. After the scan, listeners will be started on any new
|
|
interfaces (provided they are allowed by the
|
|
.Ic listen-on
|
|
configuration). Listeners on interfaces that have gone away will be
|
|
cleaned up.
|
|
|
|
.It Ic statistics-interval
|
|
Nameserver statistics will be logged every
|
|
.Ic statistics-interval
|
|
minutes. The default is 60. If set to 0, no statistics will be logged.
|
|
.El
|
|
|
|
.Ss Topology
|
|
|
|
.Pp
|
|
All other things being equal, when the server chooses a nameserver
|
|
to query from a list of nameservers, it prefers the one that is
|
|
topologically closest to itself. The
|
|
.Ic topology
|
|
statement takes an address match list and interprets it in a special way.
|
|
Each top-level list element is assigned a distance.
|
|
Non-negated elements get a distance based on
|
|
their position in the list, where the closer the match is to the start
|
|
of the list, the shorter the distance is between it and the server. A
|
|
negated match will be assigned the maximum distance from the server.
|
|
If there is no match, the address will get a distance which is further
|
|
than any non-negated list element, and closer than any negated
|
|
element. For example,
|
|
|
|
.Bd -literal
|
|
topology {
|
|
10/8;
|
|
!1.2.3/24;
|
|
{ 1.2/16; 3/8; };
|
|
};
|
|
.Ed
|
|
|
|
will prefer servers on network 10 the most, followed by hosts on
|
|
network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the exception
|
|
of hosts on network 1.2.3 (netmask 255.255.255.0), which is preferred least
|
|
of all.
|
|
|
|
.Pp
|
|
The default topology is
|
|
.Dl topology { localhost; localnets; };
|
|
|
|
.Ss Resource Record sorting
|
|
|
|
.Pp
|
|
When returning multiple RRs, the nameserver will normally return them in
|
|
.Ic Round Robin ,
|
|
i.e. after each request, the first RR is put to the end of the list.
|
|
As the order of RRs is not defined, this should not cause any problems.
|
|
|
|
The client resolver code should re-arrange the RRs as appropriate, i.e. using
|
|
any addresses on the local net in preference to other addresses. However, not all
|
|
resolvers can do this, or are not correctly configured.
|
|
|
|
When a client is using a local server, the sorting can be performed in the server,
|
|
based on the client's address. This only requires configuring the nameservers,
|
|
not all the clients.
|
|
|
|
The
|
|
.Ic sortlist
|
|
statement takes an address match list and interprets it even more
|
|
specially than the
|
|
.Ictopology
|
|
statement does.
|
|
|
|
Each top level statement in the sortlist must itself be an explicit address match
|
|
list with one or two elements. The first element (which may be an IP address,
|
|
an IP prefix, an ACL name or nested address match list) of each top level list is
|
|
checked against the source address of the query until a match is found.
|
|
|
|
Once the source address of the query has been matched, if the top level
|
|
statement contains only one element, the actual primitive element that
|
|
matched the source address is used to select the address in the response to
|
|
move to the beginning of the response. If the statement is a list of two elements,
|
|
the second element is treated like the address match list in a topology
|
|
statement. Each top level element is assigned a distance and the address in the
|
|
response with the minimum distance is moved to the beginning of the response.
|
|
|
|
In the following example, any queries received from any of the addresses of the
|
|
host itself will get responses preferring addresses on any of the locally
|
|
connected networks. Next most preferred are addresses on the 192.168.1/24
|
|
network, and after that either the 192.168.2/24 or 192.168.3/24 network with no
|
|
preference shown between these two networks. Queries received from a host on
|
|
the 192.168.1/24 network will prefer other addresses on that network to the
|
|
192.168.2/24 and 192.168.3/24 networks. Queries received from a host on the
|
|
192.168.4/24 or the 192.168.5/24 network will only prefer other addresses on
|
|
their directly connected networks.
|
|
|
|
.Bd -literal
|
|
sortlist {
|
|
{ localhost; // IF the local host
|
|
{ localnets; // THEN first fit on the
|
|
192.168.1/24; // following nets
|
|
{ 192,168.2/24; 192.168.3/24; }; }; };
|
|
{ 192.168.1/24; // IF on class C 192.168.1
|
|
{ 192.168.1/24; // THEN use .1, or .2 or .3
|
|
{ 192.168.2/24; 192.168.3/24; }; }; };
|
|
{ 192.168.2/24; // IF on class C 192.168.2
|
|
{ 192.168.2/24; // THEN use .2, or .1 or .3
|
|
{ 192.168.1/24; 192.168.3/24; }; }; };
|
|
{ 192.168.3/24; // IF on class C 192.168.3
|
|
{ 192.168.3/24; // THEN use .3, or .1 or .2
|
|
{ 192.168.1/24; 192.168.2/24; }; }; };
|
|
{ { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
|
|
};
|
|
};
|
|
.Ed
|
|
|
|
The following example will give reasonable behaviour for the local host and
|
|
hosts on directly connected networks. It is similar to the behavior of the
|
|
address sort in BIND 4.9.x. Responses sent to queries from the local host will
|
|
favor any of the directly connected networks. Responses sent to queries from
|
|
any other hosts on a directly connected network will prefer addresses on that
|
|
same network. Responses to other queries will not be sorted.
|
|
|
|
.Bd -literal
|
|
sortlist {
|
|
{ localhost; localnets; };
|
|
{ localnets; };
|
|
};
|
|
.Ed
|
|
|
|
.Ss RRset Ordering
|
|
|
|
.Pp
|
|
When multiple records are returned in an answer it may be useful to configure
|
|
the order the records are placed into the response. For example the records for
|
|
a zone might be configured to always be returned in the order they are defined
|
|
in the zone file. Or perhaps a random shuffle of the records as they are
|
|
returned is wanted. The rrset-order statement permits configuration of the
|
|
ordering made of the records in a multiple record response. The default, if no
|
|
ordering is defined, is a cyclic ordering (round robin).
|
|
|
|
An
|
|
.Ic order_spec
|
|
is defined as follows:
|
|
|
|
.Bd -literal
|
|
[ \fIclass class_name\fR ][ \fItype type_name\fR ][ \fIname\fR "FQDN" ] \fIorder\fR ordering
|
|
.Ed
|
|
|
|
If no class is specified, the default is
|
|
.Ic ANY .
|
|
If no
|
|
.Li Ictype
|
|
is specified, the default is
|
|
.Ic ANY .
|
|
If no name is specified, the default is "*".
|
|
|
|
The legal values for
|
|
.Ic ordering
|
|
are:
|
|
|
|
.Bd -literal
|
|
.Ic fixed
|
|
Records are returned in the order they are defined in the zone file.
|
|
.Ic random
|
|
Records are returned in some random order.
|
|
.Ic cyclic
|
|
Records are returned in a round-robin order.
|
|
|
|
For example:
|
|
|
|
rrset-order {
|
|
class IN type A name "rc.vix.com" order random;
|
|
order cyclic;
|
|
};
|
|
.Ed
|
|
|
|
will cause any responses for type A records in class IN that have "rc.vix.com" as
|
|
a suffix, to always be returned in random order. All other records are returned
|
|
in cyclic order.
|
|
|
|
If multiple
|
|
.Ic rrset-order
|
|
statements appear, they are not combined--the last one applies.
|
|
|
|
If no
|
|
.Ic rrset-order
|
|
statement is specified, a default one of:
|
|
|
|
.Bd -literal
|
|
rrset-order { class ANY type ANY name "*" order cyclic ; };
|
|
.Ed
|
|
|
|
is used.
|
|
|
|
.Ss Tuning
|
|
|
|
.Bl -tag -width 1
|
|
.It Ic lame-ttl
|
|
Sets the number of seconds to cache a lame server indication. 0 disables
|
|
caching. Default is 600 (10 minutes). Maximum value is 1800 (30 minutes)
|
|
.It Ic max-ncache-ttl
|
|
To reduce network traffic and increase performance the server store negative
|
|
answers.
|
|
.Ic max-ncache-ttl
|
|
is used to set a maximum retention time
|
|
for these answers in the server is seconds. The default
|
|
.Ic max-ncache-ttl
|
|
is 10800 seconds (3 hours).
|
|
.Ic max-ncache-ttl
|
|
cannot exceed the maximum retention time for ordinary (positive)
|
|
answers (7 days) and will be silently truncated to 7 days if set to a
|
|
value which is greater that 7 days.
|
|
.It Ic min-roots
|
|
The minimum number of root servers that is required for a request for the root
|
|
servers to be accepted. Default is 2.
|
|
.El
|
|
|
|
.Sh THE ZONE STATEMENT
|
|
.Ss Syntax
|
|
|
|
.Bd -literal
|
|
zone \fIdomain_name\fR [ ( in | hs | hesiod | chaos ) ] {
|
|
type master;
|
|
file \fIpath_name\fR;
|
|
[ check-names ( warn | fail | ignore ); ]
|
|
[ allow-update { \fIaddress_match_list\fR }; ]
|
|
[ allow-query { \fIaddress_match_list\fR }; ]
|
|
[ allow-transfer { \fIaddress_match_list\fR }; ]
|
|
[ dialup \fIyes_or_no\fR; ]
|
|
[ notify \fIyes_or_no\fR; ]
|
|
[ also-notify { \fIip_addr\fR; [ \fIip_addr\fR; ... ] };
|
|
[ pubkey \fInumber\fR \fInumber\fR \fInumber\fR \fIstring\fR; ]
|
|
};
|
|
|
|
zone \fIdomain_name\fR [ ( in | hs | hesiod | chaos ) ] {
|
|
type ( slave | stub );
|
|
[ file \fIpath_name\fR; ]
|
|
masters [ port \fIip_port\fR ] { \fIip_addr\fR; [ \fIip_addr\fR; ... ] };
|
|
[ check-names ( warn | fail | ignore ); ]
|
|
[ allow-update { \fIaddress_match_list\fR }; ]
|
|
[ allow-query { \fIaddress_match_list\fR }; ]
|
|
[ allow-transfer { \fIaddress_match_list\fR }; ]
|
|
[ transfer-source \fIip_addr\fR; ]
|
|
[ max-transfer-time-in \fInumber\fR; ]
|
|
[ notify \fIyes_or_no\fR; ]
|
|
[ also-notify { \fIip_addr\fR; [ \fIip_addr\fR; ... ] };
|
|
[ pubkey \fInumber\fR \fInumber\fR \fInumber\fR \fIstring\fR; ]
|
|
};
|
|
|
|
zone \fIdomain_name\fR [ ( in | hs | hesiod | chaos ) ] {
|
|
type forward;
|
|
[ forward ( only | first ); ]
|
|
[ forwarders { [ \fIip_addr\fR ; [ \fIip_addr\fR ; ... ] ] }; ]
|
|
[ check-names ( warn | fail | ignore ); ]
|
|
};
|
|
|
|
zone \&".\&" [ ( in | hs | hesiod | chaos ) ] {
|
|
type hint;
|
|
file \fIpath_name\fR;
|
|
[ check-names ( warn | fail | ignore ); ]
|
|
};
|
|
.Ed
|
|
|
|
.Ss Definition and Usage
|
|
|
|
The
|
|
.Ic zone
|
|
statement is used to define how information about particular DNS zones
|
|
is managed by the server. There are five different zone types.
|
|
|
|
.Bl -tag -width 1
|
|
.It Ic master
|
|
The server has a master copy of the data for the zone and will be able
|
|
to provide authoritative answers for it.
|
|
|
|
.It Ic slave
|
|
A
|
|
.Ic slave
|
|
zone is a replica of a master zone. The
|
|
.Ic masters
|
|
list specifies one or more IP addresses that the slave contacts to
|
|
update its copy of the zone. If a
|
|
.Ic port
|
|
is specified then checks to see if the zone is current and zone transfers
|
|
will be done to the port given. If
|
|
.Ic file
|
|
is specified, then the replica will be written to the named file.
|
|
Use of the
|
|
.Ic file
|
|
clause is highly recommended, since it often speeds server startup
|
|
and eliminates a needless waste of bandwidth.
|
|
|
|
.It Ic stub
|
|
A
|
|
.Ic stub
|
|
zone is like a slave zone, except that it replicates
|
|
only the NS records of a master zone instead of the entire zone.
|
|
|
|
.It Ic forward
|
|
A
|
|
.Ic forward
|
|
zone is used to direct all queries in it to other servers, as described in
|
|
.Sx THE OPTIONS STATEMENT
|
|
section. The specification of options in such a zone will override
|
|
any global options declared in the
|
|
.Ic options
|
|
statement.
|
|
|
|
.Pp
|
|
If either no
|
|
.Ic forwarders
|
|
clause is present in the zone or an empty list for
|
|
.Ic forwarders
|
|
is given, then no forwarding will be done for the zone, cancelling the
|
|
effects of any
|
|
.Ic forwarders
|
|
in the
|
|
.Ic options
|
|
statement.
|
|
Thus if you want to use this type of zone to change only the behavior of
|
|
the global
|
|
.Ic forward
|
|
option, and not the servers used, then you also need to respecify the
|
|
global forwarders.
|
|
|
|
.It Ic hint
|
|
The initial set of root nameservers is specified using a
|
|
.Ic hint
|
|
zone. When the server starts up, it uses the root hints
|
|
to find a root nameserver and get the most recent list of root nameservers.
|
|
.El
|
|
|
|
.Pp
|
|
Note: previous releases of BIND used the term
|
|
.Ic primary
|
|
for a master zone,
|
|
.Ic secondary
|
|
for a slave zone, and
|
|
.Ic cache
|
|
for a hint zone.
|
|
|
|
.Ss Classes
|
|
|
|
The zone's name may optionally be followed by a class. If a class is not
|
|
specified, class
|
|
.Ic in
|
|
(for "internet"), is assumed. This is correct for the vast majority
|
|
of cases.
|
|
|
|
.Pp
|
|
The
|
|
.Ic hesiod
|
|
class is for an information service from MIT's Project Athena. It is
|
|
used to share information about various systems databases, such as
|
|
users, groups, printers and so on. More information can be found at
|
|
ftp://athena-dist.mit.edu/pub/ATHENA/usenix/athena_changes.PS.
|
|
The keyword
|
|
.Ic hs
|
|
is a synonym for
|
|
.Ic hesiod .
|
|
|
|
.Pp
|
|
Another MIT development was CHAOSnet, a LAN protocol created in the
|
|
mid-1970s. It is still sometimes seen on LISP stations and other
|
|
hardware in the AI community, and zone data for it can be specified
|
|
with the
|
|
.Ic chaos
|
|
class.
|
|
|
|
.Ss Options
|
|
|
|
.Bl -tag -width 1
|
|
.It Ic check-names
|
|
See the subsection on
|
|
.Sx Name Checking
|
|
in
|
|
.Sx THE OPTIONS STATEMENT .
|
|
|
|
.It Ic allow-query
|
|
See the description of
|
|
.Ic allow-query
|
|
in the
|
|
.Sx Access Control
|
|
subsection of
|
|
.Sx THE OPTIONS STATEMENT .
|
|
|
|
.It Ic allow-update
|
|
Specifies which hosts are allowed to submit Dynamic DNS updates to the
|
|
server. The default is to deny updates from all hosts.
|
|
|
|
.It Ic allow-transfer
|
|
See the description of
|
|
.Ic allow-transfer
|
|
in the
|
|
.Sx Access Control
|
|
subsection of
|
|
.Sx THE OPTIONS STATEMENT .
|
|
|
|
.It Ic transfer-source
|
|
.Ic transfer-source
|
|
determines which local address will be bound to the TCP connection
|
|
used to fetch this zone. If not set, it defaults to a system
|
|
controlled value which will usually be the address of the interface
|
|
``closest to'' the remote end. This address must appear in the remote end's
|
|
.Ic allow-transfer
|
|
option for this zone if one is specified.
|
|
|
|
.It Ic max-transfer-time-in
|
|
See the description of
|
|
.Ic max-transfer-time-in
|
|
in the
|
|
.Sx Zone Transfers
|
|
subsection of
|
|
.Sx THE OPTIONS STATEMENT .
|
|
|
|
.It Ic dialup
|
|
See the description of
|
|
.Ic dialup
|
|
in the
|
|
.Sx Boolean Options
|
|
subsection of
|
|
.Sx THE OPTIONS STATEMENT .
|
|
|
|
.It Ic notify
|
|
See the description of
|
|
.Sx notify
|
|
in the
|
|
.Sx Boolean Options
|
|
subsection of the
|
|
.Sx THE OPTIONS STATEMENT .
|
|
|
|
.It Ic also-notify
|
|
.Ic also-notify
|
|
is only meaningful if
|
|
.Ic notify
|
|
is active for this zone.
|
|
The set of machines that will receive a DNS NOTIFY message for this
|
|
zone is made up of all the listed nameservers for the zone (other than
|
|
the primary master) plus any IP addresses specified with
|
|
.Ic also-notify .
|
|
.Ic also-notify
|
|
is not meaningful for
|
|
.Ic stub
|
|
zones. The default is the empty list.
|
|
|
|
.It Ic forward
|
|
.Ic forward
|
|
is only meaningful if the zone has a
|
|
.Ic forwarders
|
|
list. The
|
|
.Ic only
|
|
value causes the lookup to fail after trying the
|
|
.Ic forwarders
|
|
and getting no answer, while
|
|
.Ic first
|
|
would allow a normal lookup to be tried.
|
|
|
|
.It Ic forwarders
|
|
The
|
|
.Ic forwarders
|
|
option in a zone is used to override the list of global forwarders.
|
|
If it is not specified in a zone of type
|
|
.Ic forward ,
|
|
.Em no
|
|
forwarding is done for the zone; the global options are not used.
|
|
|
|
.It Ic pubkey
|
|
The DNSSEC flags, protocol, and algorithm are specified, as well as a base-64
|
|
encoded string representing the key.
|
|
.El
|
|
|
|
.Sh THE ACL STATEMENT
|
|
.Ss Syntax
|
|
|
|
.Bd -literal
|
|
acl \fIname\fR {
|
|
\fIaddress_match_list\fR
|
|
};
|
|
.Ed
|
|
|
|
.Ss Definition and Usage
|
|
|
|
The
|
|
.Ic acl
|
|
statement creates a named address match list.
|
|
It gets its name from a primary use of address match lists: Access
|
|
Control Lists (ACLs).
|
|
|
|
.Pp
|
|
Note that an address match list's name must be defined with
|
|
.Ic acl
|
|
before it can be used elsewhere; no forward
|
|
references are allowed.
|
|
|
|
.Pp
|
|
The following ACLs are built-in:
|
|
|
|
.Bl -tag -width 1
|
|
.It Ic any
|
|
Allows all hosts.
|
|
.It Ic none
|
|
Denies all hosts.
|
|
.It Ic localhost
|
|
Allows the IP addresses of all interfaces on the system.
|
|
.It Ic localnets
|
|
Allows any host on a network for which the system has an interface.
|
|
.El
|
|
|
|
.Sh THE KEY STATEMENT
|
|
.Ss Syntax
|
|
|
|
.Bd -literal
|
|
key \fIkey_id\fR {
|
|
algorithm \fIalgorithm_id\fR;
|
|
secret \fIsecret_string\fR;
|
|
};
|
|
.Ed
|
|
|
|
.Ss Definition and Usage
|
|
|
|
The
|
|
.Ic key
|
|
statement defines a key ID which can be used in a
|
|
.Ic server
|
|
statement to associate a method of authentication with a particular
|
|
name server that is more rigorous than simple IP address matching.
|
|
A key ID must be created with the
|
|
.Ic key
|
|
statement before it can be used in a
|
|
.Ic server
|
|
definition or an address match list.
|
|
|
|
.Pp
|
|
The
|
|
.Va algorithm_id
|
|
is a string that specifies a
|
|
security/authentication algorithm.
|
|
.Va secret_string
|
|
is the secret to be used by the algorithm,
|
|
and is treated as a base-64 encoded string.
|
|
It should go without saying, but probably can't,
|
|
that if you have
|
|
.Va secret_string 's
|
|
in your
|
|
.Pa named.conf ,
|
|
then it should not be readable by anyone but the superuser.
|
|
|
|
.Sh THE TRUSTED-KEYS STATEMENT
|
|
.Ss Syntax
|
|
|
|
.Bd -literal
|
|
trusted-keys {
|
|
[ \fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ]
|
|
};
|
|
.Ed
|
|
|
|
.Ss Definition and Usage
|
|
|
|
The
|
|
.Ic trusted-keys
|
|
statement is for use with DNSSEC-style security, originally specified
|
|
in RFC 2065. DNSSEC is meant to
|
|
provide three distinct services: key distribution, data origin
|
|
authentication, and transaction and request authentication. A
|
|
complete description of DNSSEC and its use is beyond the scope of this
|
|
document, and readers interested in more information should start with
|
|
RFC 2065 and then continue with the Internet Drafts available at
|
|
http://www.ietf.org/ids.by.wg/dnssec.html.
|
|
|
|
.Pp
|
|
Each trusted key is associated with a domain name. Its attributes are
|
|
the non-negative integral
|
|
.Va flags ,
|
|
.Va protocol ,
|
|
and
|
|
.Va algorithm ,
|
|
as well as a base-64 encoded string representing the
|
|
.Va key .
|
|
|
|
.Pp
|
|
Any number of trusted keys can be specified.
|
|
|
|
.Sh THE SERVER STATEMENT
|
|
.Ss Syntax
|
|
|
|
.Bd -literal
|
|
server \fIip_addr\fR {
|
|
[ bogus \fIyes_or_no\fR; ]
|
|
[ transfers \fInumber\fR; ]
|
|
[ transfer-format ( one-answer | many-answers ); ]
|
|
[ keys { \fIkey_id\fR [ \fIkey_id\fR ... ] }; ]
|
|
};
|
|
.Ed
|
|
|
|
.Ss Definition and Usage
|
|
|
|
The server statement defines the characteristics to be
|
|
associated with a remote name server.
|
|
|
|
.Pp
|
|
If you discover that a server is giving out bad data, marking it as
|
|
.Ic bogus
|
|
will prevent further queries to it. The default value of
|
|
.Ic bogus
|
|
is
|
|
.Li no .
|
|
|
|
.Pp
|
|
The server supports two zone transfer methods. The first,
|
|
.Ic one-answer ,
|
|
uses one DNS message per resource record transferred.
|
|
.Ic many-answers
|
|
packs as many resource records as possible into a message.
|
|
.Ic many-answers
|
|
is more efficient, but is only known to be understood by BIND 8.1 and
|
|
patched versions of BIND 4.9.5. You can specify which method to use
|
|
for a server with the
|
|
.Ic transfer-format
|
|
option. If
|
|
.Ic transfer-format
|
|
is not specified, the
|
|
.Ic transfer-format
|
|
specified by the
|
|
.Ic options
|
|
statement will be used.
|
|
|
|
.Pp
|
|
The
|
|
.Ic transfers
|
|
will be used in a future release of the server to limit the number of
|
|
concurrent in-bound zone transfers from the specified server. It is
|
|
checked for syntax but is otherwise ignored.
|
|
|
|
.Pp
|
|
The
|
|
.Ic keys
|
|
clause is used to identify a
|
|
.Va key_id
|
|
defined by the
|
|
.Ic key
|
|
statement, to be used for transaction security when talking to the
|
|
remote server.
|
|
The
|
|
.Ic key
|
|
statememnt must come before the
|
|
.Ic server
|
|
statement that references it.
|
|
|
|
.Pp
|
|
The
|
|
.Ic keys
|
|
statement is intended for future use by the
|
|
server. It is checked for syntax but is otherwise ignored.
|
|
|
|
.Sh THE CONTROLS STATEMENT
|
|
.Ss Syntax
|
|
|
|
.Bd -literal
|
|
controls {
|
|
[ inet \fIip_addr\fR
|
|
port \fIip_port\fR
|
|
allow { \fIaddress_match_list\fR; }; ]
|
|
[ unix \fIpath_name\fR
|
|
perm \fInumber\fR
|
|
owner \fInumber\fR
|
|
group \fInumber\fR; ]
|
|
};
|
|
.Ed
|
|
|
|
.Ss Definition and Usage
|
|
|
|
The
|
|
.Ic controls
|
|
statement declares control channels to be used by system
|
|
administrators to affect the operation of the local name server.
|
|
These control channels are used by the
|
|
.Nm ndc
|
|
utility to send commands
|
|
to and retrieve non-DNS results from a name server.
|
|
|
|
.Pp
|
|
A
|
|
.Ic unix
|
|
control channel is a FIFO in the file system, and access to it is
|
|
controlled by normal file system permissions. It is created by
|
|
.Nm named
|
|
with the specified file mode bits (see
|
|
.Xr chmod 1 ) ,
|
|
user and group owner. Note that, unlike
|
|
.Nm chmod ,
|
|
the mode bits specified for
|
|
.Ic perm
|
|
will normally have a leading
|
|
.Li 0
|
|
so the number is interpreted as octal. Also note that the user and
|
|
group ownership specified as
|
|
.Ic owner
|
|
and
|
|
.Ic group
|
|
must be given as numbers, not names.
|
|
It is recommended that the
|
|
permissions be restricted to administrative personnel only, or else any
|
|
user on the system might be able to manage the local name server.
|
|
|
|
.Pp
|
|
An
|
|
.Ic inet
|
|
control channel is a TCP/IP socket accessible to the Internet, created
|
|
at the specified
|
|
.Va ip_port
|
|
on the specified
|
|
.Va ip_addr .
|
|
Modern
|
|
.Nm telnet
|
|
clients are capable of speaking directly to these
|
|
sockets, and the control protocol is ARPAnet-style text.
|
|
It is recommended that 127.0.0.1 be the only
|
|
.Va ip_addr
|
|
used, and this only if you trust all non-privileged users on the local
|
|
host to manage your name server.
|
|
|
|
.Sh THE INCLUDE STATEMENT
|
|
.Ss Syntax
|
|
|
|
.Bd -literal
|
|
include \fIpath_name\fR;
|
|
.Ed
|
|
|
|
.Ss Definition and Usage
|
|
|
|
The
|
|
.Ic include
|
|
statement inserts the specified file at the point that the
|
|
.Ic include
|
|
statement is encountered. It cannot be used within another statement,
|
|
though, so a line such as
|
|
.Dl acl internal_hosts { include "internal_hosts.acl"; };
|
|
is not allowed.
|
|
|
|
.Pp
|
|
Use
|
|
.Ic include
|
|
to break the configuration up into easily-managed chunks.
|
|
For example:
|
|
|
|
.Bd -literal
|
|
include "/etc/security/keys.bind";
|
|
include "/etc/acls.bind";
|
|
.Ed
|
|
|
|
could be used at the top of a BIND configuration file in order to
|
|
include any ACL or key information.
|
|
|
|
.Pp
|
|
Be careful not to type
|
|
``#include'', like you would in a C program, because
|
|
``#'' is used to start a comment.
|
|
|
|
.Sh EXAMPLES
|
|
|
|
The simplest configuration file that is still realistically useful is
|
|
one which simply defines a hint zone that has a full path to the root
|
|
servers file.
|
|
.Bd -literal
|
|
zone \&".\&" in {
|
|
type hint;
|
|
file \&"/var/named/root.cache\&";
|
|
};
|
|
.Ed
|
|
|
|
Here's a more typical real-world example.
|
|
|
|
.Bd -literal
|
|
/*
|
|
* A simple BIND 8 configuration
|
|
*/
|
|
|
|
logging {
|
|
category lame-servers { null; };
|
|
category cname { null; };
|
|
};
|
|
|
|
options {
|
|
directory \&"/var/named\&";
|
|
};
|
|
|
|
controls {
|
|
inet * port 52 allow { any; }; // a bad idea
|
|
unix \&"/var/run/ndc\&" perm 0600 owner 0 group 0; // the default
|
|
};
|
|
|
|
zone \&"isc.org\&" in {
|
|
type master;
|
|
file \&"master/isc.org\&";
|
|
};
|
|
|
|
zone \&"vix.com\&" in {
|
|
type slave;
|
|
file \&"slave/vix.com\&";
|
|
masters { 10.0.0.53; };
|
|
};
|
|
|
|
zone \&"0.0.127.in-addr.arpa\&" in {
|
|
type master;
|
|
file \&"master/127.0.0\&";
|
|
};
|
|
|
|
zone \&".\&" in {
|
|
type hint;
|
|
file \&"root.cache\&";
|
|
};
|
|
.Ed
|
|
|
|
.Sh FILES
|
|
.Bl -tag -width 1 -compact
|
|
.It Pa /etc/named.conf
|
|
The BIND 8
|
|
.Nm named
|
|
configuration file.
|
|
.El
|
|
|
|
.Sh SEE ALSO
|
|
.Xr named 8 ,
|
|
.Xr ndc 8
|