Manpages

NAME

named.conf - configuration file for **named**

SYNOPSIS

named.conf

DESCRIPTION

named.conf is the configuration file for named.

For complete documentation about the configuration statements, please refer to the Configuration Reference section in the BIND 9 Administrator Reference Manual.

Statements are enclosed in braces and terminated with a semi-colon. Clauses in the statements are also semi-colon terminated. The usual comment styles are supported:

C style: /* */

C++ style: // to end of line

Unix style: # to end of line

acl <string> { <address_match_element>; ... }; // may occur multiple times

controls {
     inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
     unix <quoted_string> perm <integer> owner <integer> group <integer> [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
}; // may occur multiple times

dlz <string> {
     database <string>;
     search <boolean>;
}; // may occur multiple times

dnssec-policy <string> {
     cdnskey <boolean>;
     cds-digest-types { <string>; ... };
     dnskey-ttl <duration>;
     inline-signing <boolean>;
     keys { ( csk | ksk | zsk ) [ key-directory | key-store <string> ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
     max-zone-ttl <duration>;
     nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ];
     parent-ds-ttl <duration>;
     parent-propagation-delay <duration>;
     publish-safety <duration>;
     purge-keys <duration>;
     retire-safety <duration>;
     signatures-jitter <duration>;
     signatures-refresh <duration>;
     signatures-validity <duration>;
     signatures-validity-dnskey <duration>;
     zone-propagation-delay <duration>;
}; // may occur multiple times

dyndb <string> <quoted_string> { <unspecified-text> }; // may occur multiple times

http <string> {
     endpoints { <quoted_string>; ... };
     listener-clients <integer>;
     streams-per-connection <integer>;
}; // may occur multiple times

key <string> {
     algorithm <string>;
     secret <string>;
}; // may occur multiple times

key-store <string> {
     directory <string>;
     pkcs11-uri <quoted_string>;
}; // may occur multiple times

logging {
     category <string> { <string>; ... }; // may occur multiple times
     channel <string> {
          buffered <boolean>;
          file <quoted_string> [ versions ( unlimited | <integer> ) ] [ size <size> ] [ suffix ( increment | timestamp ) ];
          null;
          print-category <boolean>;
          print-severity <boolean>;
          print-time ( iso8601 | iso8601-utc | local | <boolean> );
          severity <log_severity>;
          stderr;
          syslog [ <syslog_facility> ];
     }; // may occur multiple times
};

managed-keys { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated

options {
     allow-new-zones <boolean>;
     allow-notify { <address_match_element>; ... };
     allow-proxy { <address_match_element>; ... }; // experimental
     allow-proxy-on { <address_match_element>; ... }; // experimental
     allow-query { <address_match_element>; ... };
     allow-query-cache { <address_match_element>; ... };
     allow-query-cache-on { <address_match_element>; ... };
     allow-query-on { <address_match_element>; ... };
     allow-recursion { <address_match_element>; ... };
     allow-recursion-on { <address_match_element>; ... };
     allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
     allow-update { <address_match_element>; ... };
     allow-update-forwarding { <address_match_element>; ... };
     also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     answer-cookie <boolean>;
     attach-cache <string>;
     auth-nxdomain <boolean>;
     automatic-interface-scan <boolean>;
     avoid-v4-udp-ports { <portrange>; ... }; // deprecated
     avoid-v6-udp-ports { <portrange>; ... }; // deprecated
     bindkeys-file <quoted_string>; // test only
     blackhole { <address_match_element>; ... };
     catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
     check-dup-records ( fail | warn | ignore );
     check-integrity <boolean>;
     check-mx ( fail | warn | ignore );
     check-mx-cname ( fail | warn | ignore );
     check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
     check-sibling <boolean>;
     check-spf ( warn | ignore );
     check-srv-cname ( fail | warn | ignore );
     check-svcb <boolean>;
     check-wildcard <boolean>;
     clients-per-query <integer>;
     cookie-algorithm ( siphash24 );
     cookie-secret <string>; // may occur multiple times
     deny-answer-addresses { <address_match_element>; ... } [ except-from { <string>; ... } ];
     deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ];
     dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
     directory <quoted_string>;
     disable-algorithms <string> { <string>; ... }; // may occur multiple times
     disable-ds-digests <string> { <string>; ... }; // may occur multiple times
     disable-empty-zone <string>; // may occur multiple times
     dns64 <netprefix> {
          break-dnssec <boolean>;
          clients { <address_match_element>; ... };
          exclude { <address_match_element>; ... };
          mapped { <address_match_element>; ... };
          recursive-only <boolean>;
          suffix <ipv6_address>;
     }; // may occur multiple times
     dns64-contact <string>;
     dns64-server <string>;
     dnskey-sig-validity <integer>; // obsolete
     dnsrps-enable <boolean>; // not configured
     dnsrps-library <quoted_string>; // not configured
     dnsrps-options { <unspecified-text> }; // not configured
     dnssec-accept-expired <boolean>;
     dnssec-dnskey-kskonly <boolean>; // obsolete
     dnssec-loadkeys-interval <integer>;
     dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
     dnssec-policy <string>;
     dnssec-secure-to-insecure <boolean>; // obsolete
     dnssec-update-mode ( maintain | no-resign ); // obsolete
     dnssec-validation ( yes | no | auto );
     dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
     dnstap-identity ( <quoted_string> | none | hostname ); // not configured
     dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited | <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( increment | timestamp ) ]; // not configured
     dnstap-version ( <quoted_string> | none ); // not configured
     dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
     dump-file <quoted_string>;
     edns-udp-size <integer>;
     empty-contact <string>;
     empty-server <string>;
     empty-zones-enable <boolean>;
     fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
     fetches-per-server <integer> [ ( drop | fail ) ];
     fetches-per-zone <integer> [ ( drop | fail ) ];
     flush-zones-on-shutdown <boolean>;
     forward ( first | only );
     forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
     fstrm-set-buffer-hint <integer>; // not configured
     fstrm-set-flush-timeout <integer>; // not configured
     fstrm-set-input-queue-size <integer>; // not configured
     fstrm-set-output-notify-threshold <integer>; // not configured
     fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
     fstrm-set-output-queue-size <integer>; // not configured
     fstrm-set-reopen-interval <duration>; // not configured
     geoip-directory ( <quoted_string> | none );
     heartbeat-interval <integer>; // deprecated
     hostname ( <quoted_string> | none );
     http-listener-clients <integer>;
     http-port <integer>;
     http-streams-per-connection <integer>;
     https-port <integer>;
     interface-interval <duration>;
     ipv4only-contact <string>;
     ipv4only-enable <boolean>;
     ipv4only-server <string>;
     ixfr-from-differences ( primary | master | secondary | slave | <boolean> );
     keep-response-order { <address_match_element>; ... }; // obsolete
     key-directory <quoted_string>;
     lame-ttl <duration>;
     listen-on [ port <integer> ] [ proxy <string> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
     listen-on-v6 [ port <integer> ] [ proxy <string> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
     lmdb-mapsize <sizeval>;
     managed-keys-directory <quoted_string>;
     masterfile-format ( raw | text );
     masterfile-style ( full | relative );
     match-mapped-addresses <boolean>;
     max-cache-size ( default | unlimited | <sizeval> | <percentage> );
     max-cache-ttl <duration>;
     max-clients-per-query <integer>;
     max-ixfr-ratio ( unlimited | <percentage> );
     max-journal-size ( default | unlimited | <sizeval> );
     max-ncache-ttl <duration>;
     max-records <integer>;
     max-records-per-type <integer>;
     max-recursion-depth <integer>;
     max-recursion-queries <integer>;
     max-refresh-time <integer>;
     max-retry-time <integer>;
     max-rsa-exponent-size <integer>;
     max-stale-ttl <duration>;
     max-transfer-idle-in <integer>;
     max-transfer-idle-out <integer>;
     max-transfer-time-in <integer>;
     max-transfer-time-out <integer>;
     max-types-per-name <integer>;
     max-udp-size <integer>;
     max-validation-failures-per-fetch <integer>; // experimental
     max-validations-per-fetch <integer>; // experimental
     max-zone-ttl ( unlimited | <duration> ); // deprecated
     memstatistics <boolean>;
     memstatistics-file <quoted_string>;
     message-compression <boolean>;
     min-cache-ttl <duration>;
     min-ncache-ttl <duration>;
     min-refresh-time <integer>;
     min-retry-time <integer>;
     minimal-any <boolean>;
     minimal-responses ( no-auth | no-auth-recursive | <boolean> );
     multi-master <boolean>;
     new-zones-directory <quoted_string>;
     no-case-compress { <address_match_element>; ... };
     nocookie-udp-size <integer>;
     notify ( explicit | master-only | primary-only | <boolean> );
     notify-delay <integer>;
     notify-rate <integer>;
     notify-source ( <ipv4_address> | * );
     notify-source-v6 ( <ipv6_address> | * );
     notify-to-soa <boolean>;
     nsec3-test-zone <boolean>; // test only
     nta-lifetime <duration>;
     nta-recheck <duration>;
     nxdomain-redirect <string>;
     parental-source ( <ipv4_address> | * );
     parental-source-v6 ( <ipv6_address> | * );
     pid-file ( <quoted_string> | none );
     port <integer>;
     preferred-glue <string>;
     prefetch <integer> [ <integer> ];
     provide-ixfr <boolean>;
     qname-minimization ( strict | relaxed | disabled | off );
     query-source [ address ] ( <ipv4_address> | * );
     query-source-v6 [ address ] ( <ipv6_address> | * );
     querylog <boolean>;
     rate-limit {
          all-per-second <integer>;
          errors-per-second <integer>;
          exempt-clients { <address_match_element>; ... };
          ipv4-prefix-length <integer>;
          ipv6-prefix-length <integer>;
          log-only <boolean>;
          max-table-size <integer>;
          min-table-size <integer>;
          nodata-per-second <integer>;
          nxdomains-per-second <integer>;
          qps-scale <integer>;
          referrals-per-second <integer>;
          responses-per-second <integer>;
          slip <integer>;
          window <integer>;
     };
     recursing-file <quoted_string>;
     recursion <boolean>;
     recursive-clients <integer>;
     request-expire <boolean>;
     request-ixfr <boolean>;
     request-nsid <boolean>;
     require-server-cookie <boolean>;
     resolver-query-timeout <integer>;
     resolver-use-dns64 <boolean>;
     response-padding { <address_match_element>; ... } block-size <integer>;
     response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
     reuseport <boolean>;
     root-key-sentinel <boolean>;
     rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
     secroots-file <quoted_string>;
     send-cookie <boolean>;
     serial-query-rate <integer>;
     serial-update-method ( date | increment | unixtime );
     server-id ( <quoted_string> | none | hostname );
     servfail-ttl <duration>;
     session-keyalg <string>;
     session-keyfile ( <quoted_string> | none );
     session-keyname <string>;
     sig-signing-nodes <integer>;
     sig-signing-signatures <integer>;
     sig-signing-type <integer>;
     sig-validity-interval <integer> [ <integer> ]; // obsolete
     sig0checks-quota <integer>; // experimental
     sig0checks-quota-exempt { <address_match_element>; ... }; // experimental
     sortlist { <address_match_element>; ... }; // deprecated
     stale-answer-client-timeout ( disabled | off | <integer> );
     stale-answer-enable <boolean>;
     stale-answer-ttl <duration>;
     stale-cache-enable <boolean>;
     stale-refresh-time <duration>;
     startup-notify-rate <integer>;
     statistics-file <quoted_string>;
     synth-from-dnssec <boolean>;
     tcp-advertised-timeout <integer>;
     tcp-clients <integer>;
     tcp-idle-timeout <integer>;
     tcp-initial-timeout <integer>;
     tcp-keepalive-timeout <integer>;
     tcp-listen-queue <integer>;
     tcp-receive-buffer <integer>;
     tcp-send-buffer <integer>;
     tkey-domain <quoted_string>;
     tkey-gssapi-credential <quoted_string>;
     tkey-gssapi-keytab <quoted_string>;
     tls-port <integer>;
     transfer-format ( many-answers | one-answer );
     transfer-message-size <integer>;
     transfer-source ( <ipv4_address> | * );
     transfer-source-v6 ( <ipv6_address> | * );
     transfers-in <integer>;
     transfers-out <integer>;
     transfers-per-ns <integer>;
     trust-anchor-telemetry <boolean>;
     try-tcp-refresh <boolean>;
     udp-receive-buffer <integer>;
     udp-send-buffer <integer>;
     update-check-ksk <boolean>; // obsolete
     update-quota <integer>;
     use-v4-udp-ports { <portrange>; ... }; // deprecated
     use-v6-udp-ports { <portrange>; ... }; // deprecated
     v6-bias <integer>;
     validate-except { <string>; ... };
     version ( <quoted_string> | none );
     zero-no-soa-ttl <boolean>;
     zero-no-soa-ttl-cache <boolean>;
     zone-statistics ( full | terse | none | <boolean> );
};

parental-agents <string> [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times

plugin ( query ) <string> [ { <unspecified-text> } ]; // may occur multiple times

primaries <string> [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times

server <netprefix> {
     bogus <boolean>;
     edns <boolean>;
     edns-udp-size <integer>;
     edns-version <integer>;
     keys <server_key>;
     max-udp-size <integer>;
     notify-source ( <ipv4_address> | * );
     notify-source-v6 ( <ipv6_address> | * );
     padding <integer>;
     provide-ixfr <boolean>;
     query-source [ address ] ( <ipv4_address> | * );
     query-source-v6 [ address ] ( <ipv6_address> | * );
     request-expire <boolean>;
     request-ixfr <boolean>;
     request-nsid <boolean>;
     require-cookie <boolean>;
     send-cookie <boolean>;
     tcp-keepalive <boolean>;
     tcp-only <boolean>;
     transfer-format ( many-answers | one-answer );
     transfer-source ( <ipv4_address> | * );
     transfer-source-v6 ( <ipv6_address> | * );
     transfers <integer>;
}; // may occur multiple times

statistics-channels {
     inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] [ allow { <address_match_element>; ... } ]; // may occur multiple times
}; // may occur multiple times

tls <string> {
     ca-file <quoted_string>;
     cert-file <quoted_string>;
     cipher-suites <string>;
     ciphers <string>;
     dhparam-file <quoted_string>;
     key-file <quoted_string>;
     prefer-server-ciphers <boolean>;
     protocols { <string>; ... };
     remote-hostname <quoted_string>;
     session-tickets <boolean>;
}; // may occur multiple times

trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times

trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated


view <string> [ <class> ] {
     allow-new-zones <boolean>;
     allow-notify { <address_match_element>; ... };
     allow-proxy { <address_match_element>; ... }; // experimental
     allow-proxy-on { <address_match_element>; ... }; // experimental
     allow-query { <address_match_element>; ... };
     allow-query-cache { <address_match_element>; ... };
     allow-query-cache-on { <address_match_element>; ... };
     allow-query-on { <address_match_element>; ... };
     allow-recursion { <address_match_element>; ... };
     allow-recursion-on { <address_match_element>; ... };
     allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
     allow-update { <address_match_element>; ... };
     allow-update-forwarding { <address_match_element>; ... };
     also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     attach-cache <string>;
     auth-nxdomain <boolean>;
     catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
     check-dup-records ( fail | warn | ignore );
     check-integrity <boolean>;
     check-mx ( fail | warn | ignore );
     check-mx-cname ( fail | warn | ignore );
     check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
     check-sibling <boolean>;
     check-spf ( warn | ignore );
     check-srv-cname ( fail | warn | ignore );
     check-svcb <boolean>;
     check-wildcard <boolean>;
     clients-per-query <integer>;
     deny-answer-addresses { <address_match_element>; ... } [ except-from { <string>; ... } ];
     deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ];
     dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
     disable-algorithms <string> { <string>; ... }; // may occur multiple times
     disable-ds-digests <string> { <string>; ... }; // may occur multiple times
     disable-empty-zone <string>; // may occur multiple times
     dlz <string> {
          database <string>;
          search <boolean>;
     }; // may occur multiple times
     dns64 <netprefix> {
          break-dnssec <boolean>;
          clients { <address_match_element>; ... };
          exclude { <address_match_element>; ... };
          mapped { <address_match_element>; ... };
          recursive-only <boolean>;
          suffix <ipv6_address>;
     }; // may occur multiple times
     dns64-contact <string>;
     dns64-server <string>;
     dnskey-sig-validity <integer>; // obsolete
     dnsrps-enable <boolean>; // not configured
     dnsrps-options { <unspecified-text> }; // not configured
     dnssec-accept-expired <boolean>;
     dnssec-dnskey-kskonly <boolean>; // obsolete
     dnssec-loadkeys-interval <integer>;
     dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
     dnssec-policy <string>;
     dnssec-secure-to-insecure <boolean>; // obsolete
     dnssec-update-mode ( maintain | no-resign ); // obsolete
     dnssec-validation ( yes | no | auto );
     dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
     dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
     dyndb <string> <quoted_string> { <unspecified-text> }; // may occur multiple times
     edns-udp-size <integer>;
     empty-contact <string>;
     empty-server <string>;
     empty-zones-enable <boolean>;
     fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
     fetches-per-server <integer> [ ( drop | fail ) ];
     fetches-per-zone <integer> [ ( drop | fail ) ];
     forward ( first | only );
     forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
     ipv4only-contact <string>;
     ipv4only-enable <boolean>;
     ipv4only-server <string>;
     ixfr-from-differences ( primary | master | secondary | slave | <boolean> );
     key <string> {
          algorithm <string>;
          secret <string>;
     }; // may occur multiple times
     key-directory <quoted_string>;
     lame-ttl <duration>;
     lmdb-mapsize <sizeval>;
     managed-keys { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
     masterfile-format ( raw | text );
     masterfile-style ( full | relative );
     match-clients { <address_match_element>; ... };
     match-destinations { <address_match_element>; ... };
     match-recursive-only <boolean>;
     max-cache-size ( default | unlimited | <sizeval> | <percentage> );
     max-cache-ttl <duration>;
     max-clients-per-query <integer>;
     max-ixfr-ratio ( unlimited | <percentage> );
     max-journal-size ( default | unlimited | <sizeval> );
     max-ncache-ttl <duration>;
     max-records <integer>;
     max-records-per-type <integer>;
     max-recursion-depth <integer>;
     max-recursion-queries <integer>;
     max-refresh-time <integer>;
     max-retry-time <integer>;
     max-stale-ttl <duration>;
     max-transfer-idle-in <integer>;
     max-transfer-idle-out <integer>;
     max-transfer-time-in <integer>;
     max-transfer-time-out <integer>;
     max-types-per-name <integer>;
     max-udp-size <integer>;
     max-validation-failures-per-fetch <integer>; // experimental
     max-validations-per-fetch <integer>; // experimental
     max-zone-ttl ( unlimited | <duration> ); // deprecated
     message-compression <boolean>;
     min-cache-ttl <duration>;
     min-ncache-ttl <duration>;
     min-refresh-time <integer>;
     min-retry-time <integer>;
     minimal-any <boolean>;
     minimal-responses ( no-auth | no-auth-recursive | <boolean> );
     multi-master <boolean>;
     new-zones-directory <quoted_string>;
     no-case-compress { <address_match_element>; ... };
     nocookie-udp-size <integer>;
     notify ( explicit | master-only | primary-only | <boolean> );
     notify-delay <integer>;
     notify-source ( <ipv4_address> | * );
     notify-source-v6 ( <ipv6_address> | * );
     notify-to-soa <boolean>;
     nsec3-test-zone <boolean>; // test only
     nta-lifetime <duration>;
     nta-recheck <duration>;
     nxdomain-redirect <string>;
     parental-source ( <ipv4_address> | * );
     parental-source-v6 ( <ipv6_address> | * );
     plugin ( query ) <string> [ { <unspecified-text> } ]; // may occur multiple times
     preferred-glue <string>;
     prefetch <integer> [ <integer> ];
     provide-ixfr <boolean>;
     qname-minimization ( strict | relaxed | disabled | off );
     query-source [ address ] ( <ipv4_address> | * );
     query-source-v6 [ address ] ( <ipv6_address> | * );
     rate-limit {
          all-per-second <integer>;
          errors-per-second <integer>;
          exempt-clients { <address_match_element>; ... };
          ipv4-prefix-length <integer>;
          ipv6-prefix-length <integer>;
          log-only <boolean>;
          max-table-size <integer>;
          min-table-size <integer>;
          nodata-per-second <integer>;
          nxdomains-per-second <integer>;
          qps-scale <integer>;
          referrals-per-second <integer>;
          responses-per-second <integer>;
          slip <integer>;
          window <integer>;
     };
     recursion <boolean>;
     request-expire <boolean>;
     request-ixfr <boolean>;
     request-nsid <boolean>;
     require-server-cookie <boolean>;
     resolver-query-timeout <integer>;
     resolver-use-dns64 <boolean>;
     response-padding { <address_match_element>; ... } block-size <integer>;
     response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
     root-key-sentinel <boolean>;
     rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
     send-cookie <boolean>;
     serial-update-method ( date | increment | unixtime );
     server <netprefix> {
          bogus <boolean>;
          edns <boolean>;
          edns-udp-size <integer>;
          edns-version <integer>;
          keys <server_key>;
          max-udp-size <integer>;
          notify-source ( <ipv4_address> | * );
          notify-source-v6 ( <ipv6_address> | * );
          padding <integer>;
          provide-ixfr <boolean>;
          query-source [ address ] ( <ipv4_address> | * );
          query-source-v6 [ address ] ( <ipv6_address> | * );
          request-expire <boolean>;
          request-ixfr <boolean>;
          request-nsid <boolean>;
          require-cookie <boolean>;
          send-cookie <boolean>;
          tcp-keepalive <boolean>;
          tcp-only <boolean>;
          transfer-format ( many-answers | one-answer );
          transfer-source ( <ipv4_address> | * );
          transfer-source-v6 ( <ipv6_address> | * );
          transfers <integer>;
     }; // may occur multiple times
     servfail-ttl <duration>;
     sig-signing-nodes <integer>;
     sig-signing-signatures <integer>;
     sig-signing-type <integer>;
     sig-validity-interval <integer> [ <integer> ]; // obsolete
     sortlist { <address_match_element>; ... }; // deprecated
     stale-answer-client-timeout ( disabled | off | <integer> );
     stale-answer-enable <boolean>;
     stale-answer-ttl <duration>;
     stale-cache-enable <boolean>;
     stale-refresh-time <duration>;
     synth-from-dnssec <boolean>;
     transfer-format ( many-answers | one-answer );
     transfer-source ( <ipv4_address> | * );
     transfer-source-v6 ( <ipv6_address> | * );
     trust-anchor-telemetry <boolean>;
     trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
     trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
     try-tcp-refresh <boolean>;
     update-check-ksk <boolean>; // obsolete
     v6-bias <integer>;
     validate-except { <string>; ... };
     zero-no-soa-ttl <boolean>;
     zero-no-soa-ttl-cache <boolean>;
     zone-statistics ( full | terse | none | <boolean> );
}; // may occur multiple times

Any of these zone statements can also be set inside the view statement.

zone <string> [ <class> ] {
     type primary;
     allow-query { <address_match_element>; ... };
     allow-query-on { <address_match_element>; ... };
     allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
     allow-update { <address_match_element>; ... };
     also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     check-dup-records ( fail | warn | ignore );
     check-integrity <boolean>;
     check-mx ( fail | warn | ignore );
     check-mx-cname ( fail | warn | ignore );
     check-names ( fail | warn | ignore );
     check-sibling <boolean>;
     check-spf ( warn | ignore );
     check-srv-cname ( fail | warn | ignore );
     check-svcb <boolean>;
     check-wildcard <boolean>;
     checkds ( explicit | <boolean> );
     database <string>;
     dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
     dlz <string>;
     dnskey-sig-validity <integer>; // obsolete
     dnssec-dnskey-kskonly <boolean>; // obsolete
     dnssec-loadkeys-interval <integer>;
     dnssec-policy <string>;
     dnssec-secure-to-insecure <boolean>; // obsolete
     dnssec-update-mode ( maintain | no-resign ); // obsolete
     file <quoted_string>;
     forward ( first | only );
     forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
     inline-signing <boolean>;
     ixfr-from-differences <boolean>;
     journal <quoted_string>;
     key-directory <quoted_string>;
     masterfile-format ( raw | text );
     masterfile-style ( full | relative );
     max-ixfr-ratio ( unlimited | <percentage> );
     max-journal-size ( default | unlimited | <sizeval> );
     max-records <integer>;
     max-records-per-type <integer>;
     max-transfer-idle-out <integer>;
     max-transfer-time-out <integer>;
     max-types-per-name <integer>;
     max-zone-ttl ( unlimited | <duration> ); // deprecated
     notify ( explicit | master-only | primary-only | <boolean> );
     notify-delay <integer>;
     notify-source ( <ipv4_address> | * );
     notify-source-v6 ( <ipv6_address> | * );
     notify-to-soa <boolean>;
     nsec3-test-zone <boolean>; // test only
     parental-agents [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     parental-source ( <ipv4_address> | * );
     parental-source-v6 ( <ipv6_address> | * );
     serial-update-method ( date | increment | unixtime );
     sig-signing-nodes <integer>;
     sig-signing-signatures <integer>;
     sig-signing-type <integer>;
     sig-validity-interval <integer> [ <integer> ]; // obsolete
     update-check-ksk <boolean>; // obsolete
     update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | krb5-subdomain-self-rhs | ms-self | ms-selfsub | ms-subdomain | ms-subdomain-self-rhs | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... } );
     zero-no-soa-ttl <boolean>;
     zone-statistics ( full | terse | none | <boolean> );
};

zone <string> [ <class> ] {
     type secondary;
     allow-notify { <address_match_element>; ... };
     allow-query { <address_match_element>; ... };
     allow-query-on { <address_match_element>; ... };
     allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
     allow-update-forwarding { <address_match_element>; ... };
     also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     check-names ( fail | warn | ignore );
     checkds ( explicit | <boolean> );
     database <string>;
     dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
     dlz <string>;
     dnskey-sig-validity <integer>; // obsolete
     dnssec-dnskey-kskonly <boolean>; // obsolete
     dnssec-loadkeys-interval <integer>;
     dnssec-policy <string>;
     dnssec-update-mode ( maintain | no-resign ); // obsolete
     file <quoted_string>;
     forward ( first | only );
     forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
     inline-signing <boolean>;
     ixfr-from-differences <boolean>;
     journal <quoted_string>;
     key-directory <quoted_string>;
     masterfile-format ( raw | text );
     masterfile-style ( full | relative );
     max-ixfr-ratio ( unlimited | <percentage> );
     max-journal-size ( default | unlimited | <sizeval> );
     max-records <integer>;
     max-records-per-type <integer>;
     max-refresh-time <integer>;
     max-retry-time <integer>;
     max-transfer-idle-in <integer>;
     max-transfer-idle-out <integer>;
     max-transfer-time-in <integer>;
     max-transfer-time-out <integer>;
     max-types-per-name <integer>;
     min-refresh-time <integer>;
     min-retry-time <integer>;
     multi-master <boolean>;
     notify ( explicit | master-only | primary-only | <boolean> );
     notify-delay <integer>;
     notify-source ( <ipv4_address> | * );
     notify-source-v6 ( <ipv6_address> | * );
     notify-to-soa <boolean>;
     nsec3-test-zone <boolean>; // test only
     parental-agents [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     parental-source ( <ipv4_address> | * );
     parental-source-v6 ( <ipv6_address> | * );
     primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     request-expire <boolean>;
     request-ixfr <boolean>;
     sig-signing-nodes <integer>;
     sig-signing-signatures <integer>;
     sig-signing-type <integer>;
     sig-validity-interval <integer> [ <integer> ]; // obsolete
     transfer-source ( <ipv4_address> | * );
     transfer-source-v6 ( <ipv6_address> | * );
     try-tcp-refresh <boolean>;
     update-check-ksk <boolean>; // obsolete
     zero-no-soa-ttl <boolean>;
     zone-statistics ( full | terse | none | <boolean> );
};

zone <string> [ <class> ] {
     type mirror;
     allow-notify { <address_match_element>; ... };
     allow-query { <address_match_element>; ... };
     allow-query-on { <address_match_element>; ... };
     allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
     allow-update-forwarding { <address_match_element>; ... };
     also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     check-names ( fail | warn | ignore );
     database <string>;
     file <quoted_string>;
     ixfr-from-differences <boolean>;
     journal <quoted_string>;
     masterfile-format ( raw | text );
     masterfile-style ( full | relative );
     max-ixfr-ratio ( unlimited | <percentage> );
     max-journal-size ( default | unlimited | <sizeval> );
     max-records <integer>;
     max-records-per-type <integer>;
     max-refresh-time <integer>;
     max-retry-time <integer>;
     max-transfer-idle-in <integer>;
     max-transfer-idle-out <integer>;
     max-transfer-time-in <integer>;
     max-transfer-time-out <integer>;
     max-types-per-name <integer>;
     min-refresh-time <integer>;
     min-retry-time <integer>;
     multi-master <boolean>;
     notify ( explicit | master-only | primary-only | <boolean> );
     notify-delay <integer>;
     notify-source ( <ipv4_address> | * );
     notify-source-v6 ( <ipv6_address> | * );
     primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     request-expire <boolean>;
     request-ixfr <boolean>;
     transfer-source ( <ipv4_address> | * );
     transfer-source-v6 ( <ipv6_address> | * );
     try-tcp-refresh <boolean>;
     zero-no-soa-ttl <boolean>;
     zone-statistics ( full | terse | none | <boolean> );
};

zone <string> [ <class> ] {
     type forward;
     forward ( first | only );
     forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
};

zone <string> [ <class> ] {
     type hint;
     check-names ( fail | warn | ignore );
     file <quoted_string>;
};

zone <string> [ <class> ] {
     type redirect;
     allow-query { <address_match_element>; ... };
     allow-query-on { <address_match_element>; ... };
     dlz <string>;
     file <quoted_string>;
     masterfile-format ( raw | text );
     masterfile-style ( full | relative );
     max-records <integer>;
     max-records-per-type <integer>;
     max-types-per-name <integer>;
     max-zone-ttl ( unlimited | <duration> ); // deprecated
     primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     zone-statistics ( full | terse | none | <boolean> );
};

zone <string> [ <class> ] {
     type static-stub;
     allow-query { <address_match_element>; ... };
     allow-query-on { <address_match_element>; ... };
     forward ( first | only );
     forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
     max-records <integer>;
     max-records-per-type <integer>;
     max-types-per-name <integer>;
     server-addresses { ( <ipv4_address> | <ipv6_address> ); ... };
     server-names { <string>; ... };
     zone-statistics ( full | terse | none | <boolean> );
};

zone <string> [ <class> ] {
     type stub;
     allow-query { <address_match_element>; ... };
     allow-query-on { <address_match_element>; ... };
     check-names ( fail | warn | ignore );
     database <string>;
     dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
     file <quoted_string>;
     forward ( first | only );
     forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
     masterfile-format ( raw | text );
     masterfile-style ( full | relative );
     max-records <integer>;
     max-records-per-type <integer>;
     max-refresh-time <integer>;
     max-retry-time <integer>;
     max-transfer-idle-in <integer>;
     max-transfer-time-in <integer>;
     max-types-per-name <integer>;
     min-refresh-time <integer>;
     min-retry-time <integer>;
     multi-master <boolean>;
     primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
     transfer-source ( <ipv4_address> | * );
     transfer-source-v6 ( <ipv6_address> | * );
     zone-statistics ( full | terse | none | <boolean> );
};


zone <string> [ <class> ] {
     in-view <string>;
};

FILES

/etc/bind/named.conf

SEE ALSO

named(8), named-checkconf(8), rndc(8), rndc-confgen(8), tsig-keygen(8), BIND 9 Administrator Reference Manual.

AUTHOR

Internet Systems Consortium

COPYRIGHT

2024, Internet Systems Consortium