diff options
Diffstat (limited to 'doc/arm/Bv9ARM.ch06.html')
| -rw-r--r-- | doc/arm/Bv9ARM.ch06.html | 4573 |
1 files changed, 2355 insertions, 2218 deletions
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 1d353986f4c1..51e7f755eeac 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -14,13 +14,12 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id$ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Chapter 6. BIND 9 Configuration Reference</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<meta name="generator" content="DocBook XSL Stylesheets V1.78.1"> +<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> <link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver"> <link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations"> @@ -39,71 +38,72 @@ </table> <hr> </div> -<div class="chapter" lang="en"> -<div class="titlepage"><div><div><h2 class="title"> -<a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div> +<div class="chapter"> +<div class="titlepage"><div><div><h1 class="title"> +<a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h1></div></div></div> <div class="toc"> <p><b>Table of Contents</b></p> -<dl> -<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt> +<dl class="toc"> +<dt><span class="section"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573374">Comment Syntax</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#comment_syntax">Comment Syntax</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574035"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and +<dt><span class="section"><a href="Bv9ARM.ch06.html#acl_grammar"><span class="command"><strong>acl</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#acl"><span class="command"><strong>acl</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574225"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and +<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_grammar"><span class="command"><strong>controls</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span class="command"><strong>controls</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574584"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574601"><span><strong class="command">include</strong></span> Statement Definition and +<dt><span class="section"><a href="Bv9ARM.ch06.html#include_grammar"><span class="command"><strong>include</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#include_statement"><span class="command"><strong>include</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#key_grammar"><span class="command"><strong>key</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#key_statement"><span class="command"><strong>key</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#logging_grammar"><span class="command"><strong>logging</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#logging_statement"><span class="command"><strong>logging</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#lwres_grammar"><span class="command"><strong>lwres</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#lwres_statement"><span class="command"><strong>lwres</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#masters_grammar"><span class="command"><strong>masters</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#masters_statement"><span class="command"><strong>masters</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574761"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574785"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574875"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575001"><span><strong class="command">logging</strong></span> Statement Definition and +<dt><span class="section"><a href="Bv9ARM.ch06.html#options_grammar"><span class="command"><strong>options</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#options"><span class="command"><strong>options</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577236"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577309"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577373"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577417"><span><strong class="command">masters</strong></span> Statement Definition and - Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577438"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and - Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and +<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span class="command"><strong>server</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span class="command"><strong>server</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590832"><span><strong class="command">statistics-channels</strong></span> Statement Definition and +<dt><span class="section"><a href="Bv9ARM.ch06.html#statschannels"><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_channels"><span class="command"><strong>statistics-channels</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591139"><span><strong class="command">trusted-keys</strong></span> Statement Definition +<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted-keys"><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#trusted_keys"><span class="command"><strong>trusted-keys</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591186"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition +<dt><span class="section"><a href="Bv9ARM.ch06.html#managed_keys"><span class="command"><strong>managed-keys</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#managed-keys"><span class="command"><strong>managed-keys</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591553"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span> +<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span class="command"><strong>view</strong></span> Statement Grammar</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#view_statement"><span class="command"><strong>view</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span class="command"><strong>zone</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593398"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_statement"><span class="command"><strong>zone</strong></span> Statement Definition and Usage</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2597084">Zone File</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_file">Zone File</a></span></dt> <dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600002">Discussion of MX Records</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600549">Inverse Mapping in IPv4</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600812">Other Zone File Directives</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2601017"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#mx_records">Discussion of MX Records</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#ipv4_reverse">Inverse Mapping in IPv4</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#zone_directives">Other Zone File Directives</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#generate_directive"><acronym class="acronym">BIND</acronym> Master File Extension: the <span class="command"><strong>$GENERATE</strong></span> Directive</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt> +</dl></dd> +<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt> +<dd><dl> +<dt><span class="section"><a href="Bv9ARM.ch06.html#statsfile">The Statistics File</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt> </dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt> -<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd> </dl> </div> <p> @@ -122,7 +122,7 @@ using the shell script <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>. </p> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div> <p> @@ -131,8 +131,8 @@ </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="1.855in" class="1"> +<col width="3.770in" class="2"> </colgroup> <tbody> <tr> @@ -144,7 +144,7 @@ <td> <p> The name of an <code class="varname">address_match_list</code> as - defined by the <span><strong class="command">acl</strong></span> statement. + defined by the <span class="command"><strong>acl</strong></span> statement. </p> </td> </tr> @@ -160,7 +160,7 @@ <code class="varname">ip_addr</code>, <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>, or <code class="varname">acl_name</code> elements, see - <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>. + <a class="xref" href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>. </p> </td> </tr> @@ -215,8 +215,8 @@ <td> <p> One to four integers valued 0 through - 255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>, - <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>. + 255 separated by dots (`.'), such as <span class="command"><strong>123</strong></span>, + <span class="command"><strong>45.67</strong></span> or <span class="command"><strong>89.123.45.67</strong></span>. </p> </td> </tr> @@ -241,7 +241,7 @@ </td> <td> <p> - An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>. + An IPv6 address, such as <span class="command"><strong>2001:db8::1234</strong></span>. IPv6 scoped addresses that have ambiguity on their scope zones must be disambiguated by an appropriate zone ID with the percent character (`%') as @@ -253,9 +253,9 @@ currently only interface names as link identifiers are supported, assuming one-to-one mapping between interfaces and links. For example, a link-local - address <span><strong class="command">fe80::1</strong></span> on the link - attached to the interface <span><strong class="command">ne0</strong></span> - can be specified as <span><strong class="command">fe80::1%ne0</strong></span>. + address <span class="command"><strong>fe80::1</strong></span> on the link + attached to the interface <span class="command"><strong>ne0</strong></span> + can be specified as <span class="command"><strong>fe80::1%ne0</strong></span>. Note that on most systems link-local addresses always have the ambiguity, and need to be disambiguated. @@ -306,10 +306,10 @@ netmask. Trailing zeros in a <code class="varname">ip_addr</code> may omitted. - For example, <span><strong class="command">127/8</strong></span> is the - network <span><strong class="command">127.0.0.0</strong></span> with - netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is - network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>. + For example, <span class="command"><strong>127/8</strong></span> is the + network <span class="command"><strong>127.0.0.0</strong></span> with + netmask <span class="command"><strong>255.0.0.0</strong></span> and <span class="command"><strong>1.2.3.0/28</strong></span> is + network <span class="command"><strong>1.2.3.0</strong></span> with netmask <span class="command"><strong>255.255.255.240</strong></span>. </p> <p> When specifying a prefix involving a IPv6 scoped address @@ -417,7 +417,7 @@ Integers may take values 0 <= value <= 18446744073709551615, though certain parameters - (such as <span><strong class="command">max-journal-size</strong></span>) may + (such as <span class="command"><strong>max-journal-size</strong></span>) may use a more limited range within these extremes. In most cases, setting a value to 0 does not literally mean zero; it means "undefined" or @@ -488,39 +488,39 @@ </tr> </tbody> </table></div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="address_match_lists"></a>Address Match Lists</h3></div></div></div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2573073"></a>Syntax</h4></div></div></div> +<a name="id-1.7.4.4.2"></a>Syntax</h4></div></div></div> <pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ; [<span class="optional"> address_match_list_element; ... </span>] <code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] | key key_id | acl_name | { address_match_list } ) </pre> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2573100"></a>Definition and Usage</h4></div></div></div> +<a name="id-1.7.4.4.3"></a>Definition and Usage</h4></div></div></div> <p> Address match lists are primarily used to determine access control for various server operations. They are also used in - the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span> + the <span class="command"><strong>listen-on</strong></span> and <span class="command"><strong>sortlist</strong></span> statements. The elements which constitute an address match list can be any of the following: </p> -<div class="itemizedlist"><ul type="disc"> -<li>an IP address (IPv4 or IPv6)</li> -<li>an IP prefix (in `/' notation)</li> -<li> - a key ID, as defined by the <span><strong class="command">key</strong></span> +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem">an IP address (IPv4 or IPv6)</li> +<li class="listitem">an IP prefix (in `/' notation)</li> +<li class="listitem"> + a key ID, as defined by the <span class="command"><strong>key</strong></span> statement </li> -<li>the name of an address match list defined with - the <span><strong class="command">acl</strong></span> statement +<li class="listitem">the name of an address match list defined with + the <span class="command"><strong>acl</strong></span> statement </li> -<li>a nested address match list enclosed in braces</li> +<li class="listitem">a nested address match list enclosed in braces</li> </ul></div> <p> Elements can be negated with a leading exclamation mark (`!'), @@ -544,25 +544,25 @@ </p> <p> The interpretation of a match depends on whether the list is being - used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a - <span><strong class="command">sortlist</strong></span>, and whether the element was negated. + used for access control, defining <span class="command"><strong>listen-on</strong></span> ports, or in a + <span class="command"><strong>sortlist</strong></span>, and whether the element was negated. </p> <p> When used as an access control list, a non-negated match allows access and a negated match denies access. If there is no match, access is denied. The clauses - <span><strong class="command">allow-notify</strong></span>, - <span><strong class="command">allow-recursion</strong></span>, - <span><strong class="command">allow-recursion-on</strong></span>, - <span><strong class="command">allow-query</strong></span>, - <span><strong class="command">allow-query-on</strong></span>, - <span><strong class="command">allow-query-cache</strong></span>, - <span><strong class="command">allow-query-cache-on</strong></span>, - <span><strong class="command">allow-transfer</strong></span>, - <span><strong class="command">allow-update</strong></span>, - <span><strong class="command">allow-update-forwarding</strong></span>, and - <span><strong class="command">blackhole</strong></span> all use address match - lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the + <span class="command"><strong>allow-notify</strong></span>, + <span class="command"><strong>allow-recursion</strong></span>, + <span class="command"><strong>allow-recursion-on</strong></span>, + <span class="command"><strong>allow-query</strong></span>, + <span class="command"><strong>allow-query-on</strong></span>, + <span class="command"><strong>allow-query-cache</strong></span>, + <span class="command"><strong>allow-query-cache-on</strong></span>, + <span class="command"><strong>allow-transfer</strong></span>, + <span class="command"><strong>allow-update</strong></span>, + <span class="command"><strong>allow-update-forwarding</strong></span>, and + <span class="command"><strong>blackhole</strong></span> all use address match + lists. Similarly, the <span class="command"><strong>listen-on</strong></span> option will cause the server to refuse queries on any of the machine's addresses which do not match the list. </p> @@ -575,18 +575,18 @@ defines a subset of another element in the list should come before the broader element, regardless of whether either is negated. For example, in - <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> + <span class="command"><strong>1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13 element is completely useless because the algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24 - element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes + element. Using <span class="command"><strong>! 1.2.3.13; 1.2.3/24</strong></span> fixes that problem by having 1.2.3.13 blocked by the negation, but all other 1.2.3.* hosts fall through. </p> </div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2573374"></a>Comment Syntax</h3></div></div></div> +<a name="comment_syntax"></a>Comment Syntax</h3></div></div></div> <p> The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for comments to appear @@ -594,9 +594,9 @@ file. To appeal to programmers of all kinds, they can be written in the C, C++, or shell/perl style. </p> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2573458"></a>Syntax</h4></div></div></div> +<a name="id-1.7.4.5.3"></a>Syntax</h4></div></div></div> <p> </p> <pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre> @@ -610,9 +610,9 @@ <p> </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2573488"></a>Definition and Usage</h4></div></div></div> +<a name="id-1.7.4.5.4"></a>Definition and Usage</h4></div></div></div> <p> Comments may appear anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration file. @@ -684,7 +684,7 @@ </div> </div> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div> <p> @@ -700,13 +700,13 @@ </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="1.336in" class="1"> +<col width="3.778in" class="2"> </colgroup> <tbody> <tr> <td> - <p><span><strong class="command">acl</strong></span></p> + <p><span class="command"><strong>acl</strong></span></p> </td> <td> <p> @@ -717,18 +717,18 @@ </tr> <tr> <td> - <p><span><strong class="command">controls</strong></span></p> + <p><span class="command"><strong>controls</strong></span></p> </td> <td> <p> declares control channels to be used - by the <span><strong class="command">rndc</strong></span> utility. + by the <span class="command"><strong>rndc</strong></span> utility. </p> </td> </tr> <tr> <td> - <p><span><strong class="command">include</strong></span></p> + <p><span class="command"><strong>include</strong></span></p> </td> <td> <p> @@ -738,7 +738,7 @@ </tr> <tr> <td> - <p><span><strong class="command">key</strong></span></p> + <p><span class="command"><strong>key</strong></span></p> </td> <td> <p> @@ -749,7 +749,7 @@ </tr> <tr> <td> - <p><span><strong class="command">logging</strong></span></p> + <p><span class="command"><strong>logging</strong></span></p> </td> <td> <p> @@ -760,31 +760,31 @@ </tr> <tr> <td> - <p><span><strong class="command">lwres</strong></span></p> + <p><span class="command"><strong>lwres</strong></span></p> </td> <td> <p> - configures <span><strong class="command">named</strong></span> to - also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>). + configures <span class="command"><strong>named</strong></span> to + also act as a light-weight resolver daemon (<span class="command"><strong>lwresd</strong></span>). </p> </td> </tr> <tr> <td> - <p><span><strong class="command">masters</strong></span></p> + <p><span class="command"><strong>masters</strong></span></p> </td> <td> <p> defines a named masters list for inclusion in stub and slave zones' - <span><strong class="command">masters</strong></span> or - <span><strong class="command">also-notify</strong></span> lists. + <span class="command"><strong>masters</strong></span> or + <span class="command"><strong>also-notify</strong></span> lists. </p> </td> </tr> <tr> <td> - <p><span><strong class="command">options</strong></span></p> + <p><span class="command"><strong>options</strong></span></p> </td> <td> <p> @@ -795,7 +795,7 @@ </tr> <tr> <td> - <p><span><strong class="command">server</strong></span></p> + <p><span class="command"><strong>server</strong></span></p> </td> <td> <p> @@ -806,18 +806,18 @@ </tr> <tr> <td> - <p><span><strong class="command">statistics-channels</strong></span></p> + <p><span class="command"><strong>statistics-channels</strong></span></p> </td> <td> <p> declares communication channels to get access to - <span><strong class="command">named</strong></span> statistics. + <span class="command"><strong>named</strong></span> statistics. </p> </td> </tr> <tr> <td> - <p><span><strong class="command">trusted-keys</strong></span></p> + <p><span class="command"><strong>trusted-keys</strong></span></p> </td> <td> <p> @@ -827,7 +827,7 @@ </tr> <tr> <td> - <p><span><strong class="command">managed-keys</strong></span></p> + <p><span class="command"><strong>managed-keys</strong></span></p> </td> <td> <p> @@ -838,7 +838,7 @@ </tr> <tr> <td> - <p><span><strong class="command">view</strong></span></p> + <p><span class="command"><strong>view</strong></span></p> </td> <td> <p> @@ -848,7 +848,7 @@ </tr> <tr> <td> - <p><span><strong class="command">zone</strong></span></p> + <p><span class="command"><strong>zone</strong></span></p> </td> <td> <p> @@ -859,25 +859,25 @@ </tbody> </table></div> <p> - The <span><strong class="command">logging</strong></span> and - <span><strong class="command">options</strong></span> statements may only occur once + The <span class="command"><strong>logging</strong></span> and + <span class="command"><strong>options</strong></span> statements may only occur once per configuration. </p> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2574035"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name { +<a name="acl_grammar"></a><span class="command"><strong>acl</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>acl</strong></span> acl-name { address_match_list }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and +<a name="acl"></a><span class="command"><strong>acl</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">acl</strong></span> statement assigns a symbolic + The <span class="command"><strong>acl</strong></span> statement assigns a symbolic name to an address match list. It gets its name from a primary use of address match lists: Access Control Lists (ACLs). </p> @@ -886,13 +886,13 @@ </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="1.130in" class="1"> +<col width="4.000in" class="2"> </colgroup> <tbody> <tr> <td> - <p><span><strong class="command">any</strong></span></p> + <p><span class="command"><strong>any</strong></span></p> </td> <td> <p> @@ -902,7 +902,7 @@ </tr> <tr> <td> - <p><span><strong class="command">none</strong></span></p> + <p><span class="command"><strong>none</strong></span></p> </td> <td> <p> @@ -912,44 +912,44 @@ </tr> <tr> <td> - <p><span><strong class="command">localhost</strong></span></p> + <p><span class="command"><strong>localhost</strong></span></p> </td> <td> <p> Matches the IPv4 and IPv6 addresses of all network interfaces on the system. When addresses are - added or removed, the <span><strong class="command">localhost</strong></span> + added or removed, the <span class="command"><strong>localhost</strong></span> ACL element is updated to reflect the changes. </p> </td> </tr> <tr> <td> - <p><span><strong class="command">localnets</strong></span></p> + <p><span class="command"><strong>localnets</strong></span></p> </td> <td> <p> Matches any host on an IPv4 or IPv6 network for which the system has an interface. When addresses are added or removed, - the <span><strong class="command">localnets</strong></span> + the <span class="command"><strong>localnets</strong></span> ACL element is updated to reflect the changes. Some systems do not provide a way to determine the prefix lengths of local IPv6 addresses. - In such a case, <span><strong class="command">localnets</strong></span> + In such a case, <span class="command"><strong>localnets</strong></span> only matches the local - IPv6 addresses, just like <span><strong class="command">localhost</strong></span>. + IPv6 addresses, just like <span class="command"><strong>localhost</strong></span>. </p> </td> </tr> </tbody> </table></div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2574225"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">controls</strong></span> { +<a name="controls_grammar"></a><span class="command"><strong>controls</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>controls</strong></span> { [ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> } keys { <em class="replaceable"><code>key_list</code></em> }; ] @@ -960,70 +960,70 @@ }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and +<a name="controls_statement_definition_and_usage"></a><span class="command"><strong>controls</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">controls</strong></span> statement declares control + The <span class="command"><strong>controls</strong></span> statement declares control channels to be used by system administrators to control the operation of the name server. These control channels are - used by the <span><strong class="command">rndc</strong></span> utility to send + used by the <span class="command"><strong>rndc</strong></span> utility to send commands to and retrieve non-DNS results from a name server. </p> <p> - An <span><strong class="command">inet</strong></span> control channel is a TCP socket - listening at the specified <span><strong class="command">ip_port</strong></span> on the - specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6 - address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is + An <span class="command"><strong>inet</strong></span> control channel is a TCP socket + listening at the specified <span class="command"><strong>ip_port</strong></span> on the + specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6 + address. An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is interpreted as the IPv4 wildcard address; connections will be accepted on any of the system's IPv4 addresses. To listen on the IPv6 wildcard address, - use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>. - If you will only use <span><strong class="command">rndc</strong></span> on the local host, + use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>. + If you will only use <span class="command"><strong>rndc</strong></span> on the local host, using the loopback address (<code class="literal">127.0.0.1</code> or <code class="literal">::1</code>) is recommended for maximum security. </p> <p> If no port is specified, port 953 is used. The asterisk - "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>. + "<code class="literal">*</code>" cannot be used for <span class="command"><strong>ip_port</strong></span>. </p> <p> The ability to issue commands over the control channel is - restricted by the <span><strong class="command">allow</strong></span> and - <span><strong class="command">keys</strong></span> clauses. + restricted by the <span class="command"><strong>allow</strong></span> and + <span class="command"><strong>keys</strong></span> clauses. Connections to the control channel are permitted based on the - <span><strong class="command">address_match_list</strong></span>. This is for simple - IP address based filtering only; any <span><strong class="command">key_id</strong></span> - elements of the <span><strong class="command">address_match_list</strong></span> + <span class="command"><strong>address_match_list</strong></span>. This is for simple + IP address based filtering only; any <span class="command"><strong>key_id</strong></span> + elements of the <span class="command"><strong>address_match_list</strong></span> are ignored. </p> <p> - A <span><strong class="command">unix</strong></span> control channel is a UNIX domain + A <span class="command"><strong>unix</strong></span> control channel is a UNIX domain socket listening at the specified path in the file system. - Access to the socket is specified by the <span><strong class="command">perm</strong></span>, - <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses. + Access to the socket is specified by the <span class="command"><strong>perm</strong></span>, + <span class="command"><strong>owner</strong></span> and <span class="command"><strong>group</strong></span> clauses. Note on some platforms (SunOS and Solaris) the permissions - (<span><strong class="command">perm</strong></span>) are applied to the parent directory + (<span class="command"><strong>perm</strong></span>) are applied to the parent directory as the permissions on the socket itself are ignored. </p> <p> The primary authorization mechanism of the command - channel is the <span><strong class="command">key_list</strong></span>, which - contains a list of <span><strong class="command">key_id</strong></span>s. - Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span> + channel is the <span class="command"><strong>key_list</strong></span>, which + contains a list of <span class="command"><strong>key_id</strong></span>s. + Each <span class="command"><strong>key_id</strong></span> in the <span class="command"><strong>key_list</strong></span> is authorized to execute commands over the control channel. - See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>) - for information about configuring keys in <span><strong class="command">rndc</strong></span>. + See <a class="xref" href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a class="xref" href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>) + for information about configuring keys in <span class="command"><strong>rndc</strong></span>. </p> <p> - If no <span><strong class="command">controls</strong></span> statement is present, - <span><strong class="command">named</strong></span> will set up a default + If no <span class="command"><strong>controls</strong></span> statement is present, + <span class="command"><strong>named</strong></span> will set up a default control channel listening on the loopback address 127.0.0.1 and its IPv6 counterpart ::1. - In this case, and also when the <span><strong class="command">controls</strong></span> statement - is present but does not have a <span><strong class="command">keys</strong></span> clause, - <span><strong class="command">named</strong></span> will attempt to load the command channel key + In this case, and also when the <span class="command"><strong>controls</strong></span> statement + is present but does not have a <span class="command"><strong>keys</strong></span> clause, + <span class="command"><strong>named</strong></span> will attempt to load the command channel key from the file <code class="filename">rndc.key</code> in <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code> was specified as when <acronym class="acronym">BIND</acronym> was built). @@ -1034,12 +1034,12 @@ The <code class="filename">rndc.key</code> feature was created to ease the transition of systems from <acronym class="acronym">BIND</acronym> 8, which did not have digital signatures on its command channel - messages and thus did not have a <span><strong class="command">keys</strong></span> clause. + messages and thus did not have a <span class="command"><strong>keys</strong></span> clause. It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8 configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged, - and still have <span><strong class="command">rndc</strong></span> work the same way - <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the + and still have <span class="command"><strong>rndc</strong></span> work the same way + <span class="command"><strong>ndc</strong></span> worked in BIND 8, simply by executing the command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is installed. </p> @@ -1055,10 +1055,10 @@ those things. The <code class="filename">rndc.key</code> file also has its permissions set such that only the owner of the file (the user that - <span><strong class="command">named</strong></span> is running as) can access it. + <span class="command"><strong>named</strong></span> is running as) can access it. If you desire greater flexibility in allowing other users to access - <span><strong class="command">rndc</strong></span> commands, then you need to create + <span class="command"><strong>rndc</strong></span> commands, then you need to create a <code class="filename">rndc.conf</code> file and make it group readable by a group @@ -1066,23 +1066,22 @@ </p> <p> To disable the command channel, use an empty - <span><strong class="command">controls</strong></span> statement: - <span><strong class="command">controls { };</strong></span>. + <span class="command"><strong>controls</strong></span> statement: + <span class="command"><strong>controls { };</strong></span>. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2574584"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre> +<a name="include_grammar"></a><span class="command"><strong>include</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2574601"></a><span><strong class="command">include</strong></span> Statement Definition and - Usage</h3></div></div></div> +<a name="include_statement"></a><span class="command"><strong>include</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">include</strong></span> statement inserts the - specified file at the point where the <span><strong class="command">include</strong></span> - statement is encountered. The <span><strong class="command">include</strong></span> + The <span class="command"><strong>include</strong></span> statement inserts the + specified file at the point where the <span class="command"><strong>include</strong></span> + statement is encountered. The <span class="command"><strong>include</strong></span> statement facilitates the administration of configuration files by permitting the reading or writing of some things but not @@ -1090,42 +1089,40 @@ that are readable only by the name server. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2574761"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> { +<a name="key_grammar"></a><span class="command"><strong>key</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>key</strong></span> <em class="replaceable"><code>key_id</code></em> { algorithm <em class="replaceable"><code>algorithm_id</code></em>; secret <em class="replaceable"><code>secret_string</code></em>; }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2574785"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div> +<a name="key_statement"></a><span class="command"><strong>key</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">key</strong></span> statement defines a shared - secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>) + The <span class="command"><strong>key</strong></span> statement defines a shared + secret key for use with TSIG (see <a class="xref" href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>) or the command channel - (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and - Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and + (see <a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span class="command"><strong>controls</strong></span> Statement Definition and Usage”</a>). </p> <p> - The <span><strong class="command">key</strong></span> statement can occur at the + The <span class="command"><strong>key</strong></span> statement can occur at the top level - of the configuration file or inside a <span><strong class="command">view</strong></span> - statement. Keys defined in top-level <span><strong class="command">key</strong></span> + of the configuration file or inside a <span class="command"><strong>view</strong></span> + statement. Keys defined in top-level <span class="command"><strong>key</strong></span> statements can be used in all views. Keys intended for use in - a <span><strong class="command">controls</strong></span> statement - (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and - Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and + a <span class="command"><strong>controls</strong></span> statement + (see <a class="xref" href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called “<span class="command"><strong>controls</strong></span> Statement Definition and Usage”</a>) must be defined at the top level. </p> <p> The <em class="replaceable"><code>key_id</code></em>, also known as the key name, is a domain name uniquely identifying the key. It can - be used in a <span><strong class="command">server</strong></span> + be used in a <span class="command"><strong>server</strong></span> statement to cause requests sent to that server to be signed with this key, or in address match lists to verify that incoming requests have been signed with a key @@ -1146,46 +1143,45 @@ encoded string. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2574875"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">logging</strong></span> { - [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> { - ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em> - [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ] - [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size_spec</code></em> ] - | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em> - | <span><strong class="command">stderr</strong></span> - | <span><strong class="command">null</strong></span> ); - [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> | +<a name="logging_grammar"></a><span class="command"><strong>logging</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>logging</strong></span> { + [ <span class="command"><strong>channel</strong></span> <em class="replaceable"><code>channel_name</code></em> { + ( <span class="command"><strong>file</strong></span> <em class="replaceable"><code>path_name</code></em> + [ <span class="command"><strong>versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span class="command"><strong>unlimited</strong></span> ) ] + [ <span class="command"><strong>size</strong></span> <em class="replaceable"><code>size_spec</code></em> ] + | <span class="command"><strong>syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em> + | <span class="command"><strong>stderr</strong></span> + | <span class="command"><strong>null</strong></span> ); + [ <span class="command"><strong>severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> | <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ] - [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] - [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] - [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] + [ <span class="command"><strong>print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] + [ <span class="command"><strong>print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] + [ <span class="command"><strong>print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] }; ] - [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> { + [ <span class="command"><strong>category</strong></span> <em class="replaceable"><code>category_name</code></em> { <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ] }; ] ... }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2575001"></a><span><strong class="command">logging</strong></span> Statement Definition and - Usage</h3></div></div></div> +<a name="logging_statement"></a><span class="command"><strong>logging</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">logging</strong></span> statement configures a + The <span class="command"><strong>logging</strong></span> statement configures a wide - variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase + variety of logging options for the name server. Its <span class="command"><strong>channel</strong></span> phrase associates output methods, format options and severity levels with - a name that can then be used with the <span><strong class="command">category</strong></span> phrase + a name that can then be used with the <span class="command"><strong>category</strong></span> phrase to select how various classes of messages are logged. </p> <p> - Only one <span><strong class="command">logging</strong></span> statement is used to + Only one <span class="command"><strong>logging</strong></span> statement is used to define - as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement, + as many channels and categories as are wanted. If there is no <span class="command"><strong>logging</strong></span> statement, the logging configuration will be: </p> <pre class="programlisting">logging { @@ -1197,16 +1193,16 @@ In <acronym class="acronym">BIND</acronym> 9, the logging configuration is only established when the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was - established as soon as the <span><strong class="command">logging</strong></span> + established as soon as the <span class="command"><strong>logging</strong></span> statement was parsed. When the server is starting up, all logging messages regarding syntax errors in the configuration file go to the default channels, or to standard error if the "<code class="option">-g</code>" option was specified. </p> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2575053"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div> +<a name="channel"></a>The <span class="command"><strong>channel</strong></span> Phrase</h4></div></div></div> <p> All log output goes to one or more <span class="emphasis"><em>channels</em></span>; you can make as many of them as you want. @@ -1217,18 +1213,18 @@ particular syslog facility, to the standard error stream, or are discarded. It can optionally also limit the message severity level that will be accepted by the channel (the default is - <span><strong class="command">info</strong></span>), and whether to include a - <span><strong class="command">named</strong></span>-generated time stamp, the + <span class="command"><strong>info</strong></span>), and whether to include a + <span class="command"><strong>named</strong></span>-generated time stamp, the category name and/or severity level (the default is not to include any). </p> <p> - The <span><strong class="command">null</strong></span> destination clause + The <span class="command"><strong>null</strong></span> destination clause causes all messages sent to the channel to be discarded; in that case, other options for the channel are meaningless. </p> <p> - The <span><strong class="command">file</strong></span> destination clause directs + The <span class="command"><strong>file</strong></span> destination clause directs the channel to a disk file. It can include limitations both on how large the file is allowed to become, and how many @@ -1236,9 +1232,9 @@ of the file will be saved each time the file is opened. </p> <p> - If you use the <span><strong class="command">versions</strong></span> log file + If you use the <span class="command"><strong>versions</strong></span> log file option, then - <span><strong class="command">named</strong></span> will retain that many backup + <span class="command"><strong>named</strong></span> will retain that many backup versions of the file by renaming them when opening. For example, if you choose to keep three old versions @@ -1248,10 +1244,10 @@ <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is renamed to <code class="filename">lamers.log.0</code>. - You can say <span><strong class="command">versions unlimited</strong></span> to + You can say <span class="command"><strong>versions unlimited</strong></span> to not limit the number of versions. - If a <span><strong class="command">size</strong></span> option is associated with + If a <span class="command"><strong>size</strong></span> option is associated with the log file, then renaming is only done when the file being opened exceeds the indicated size. No backup versions are kept by default; any @@ -1259,14 +1255,14 @@ log file is simply appended. </p> <p> - The <span><strong class="command">size</strong></span> option for files is used + The <span class="command"><strong>size</strong></span> option for files is used to limit log - growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will - stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option + growth. If the file ever exceeds the size, then <span class="command"><strong>named</strong></span> will + stop writing to the file unless it has a <span class="command"><strong>versions</strong></span> option associated with it. If backup versions are kept, the files are rolled as described above and a new one begun. If there is no - <span><strong class="command">versions</strong></span> option, no more data will + <span class="command"><strong>versions</strong></span> option, no more data will be written to the log until some out-of-band mechanism removes or truncates the log to less than the @@ -1275,8 +1271,8 @@ file. </p> <p> - Example usage of the <span><strong class="command">size</strong></span> and - <span><strong class="command">versions</strong></span> options: + Example usage of the <span class="command"><strong>size</strong></span> and + <span class="command"><strong>versions</strong></span> options: </p> <pre class="programlisting">channel an_example_channel { file "example.log" versions 3 size 20m; @@ -1285,53 +1281,53 @@ }; </pre> <p> - The <span><strong class="command">syslog</strong></span> destination clause + The <span class="command"><strong>syslog</strong></span> destination clause directs the channel to the system log. Its argument is a - syslog facility as described in the <span><strong class="command">syslog</strong></span> man - page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>, - <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>, - <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>, - <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>, - <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>, - <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>, - <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and - <span><strong class="command">local7</strong></span>, however not all facilities + syslog facility as described in the <span class="command"><strong>syslog</strong></span> man + page. Known facilities are <span class="command"><strong>kern</strong></span>, <span class="command"><strong>user</strong></span>, + <span class="command"><strong>mail</strong></span>, <span class="command"><strong>daemon</strong></span>, <span class="command"><strong>auth</strong></span>, + <span class="command"><strong>syslog</strong></span>, <span class="command"><strong>lpr</strong></span>, <span class="command"><strong>news</strong></span>, + <span class="command"><strong>uucp</strong></span>, <span class="command"><strong>cron</strong></span>, <span class="command"><strong>authpriv</strong></span>, + <span class="command"><strong>ftp</strong></span>, <span class="command"><strong>local0</strong></span>, <span class="command"><strong>local1</strong></span>, + <span class="command"><strong>local2</strong></span>, <span class="command"><strong>local3</strong></span>, <span class="command"><strong>local4</strong></span>, + <span class="command"><strong>local5</strong></span>, <span class="command"><strong>local6</strong></span> and + <span class="command"><strong>local7</strong></span>, however not all facilities are supported on all operating systems. - How <span><strong class="command">syslog</strong></span> will handle messages + How <span class="command"><strong>syslog</strong></span> will handle messages sent to - this facility is described in the <span><strong class="command">syslog.conf</strong></span> man - page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that - only uses two arguments to the <span><strong class="command">openlog()</strong></span> function, + this facility is described in the <span class="command"><strong>syslog.conf</strong></span> man + page. If you have a system which uses a very old version of <span class="command"><strong>syslog</strong></span> that + only uses two arguments to the <span class="command"><strong>openlog()</strong></span> function, then this clause is silently ignored. </p> <p> On Windows machines syslog messages are directed to the EventViewer. </p> <p> - The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s + The <span class="command"><strong>severity</strong></span> clause works like <span class="command"><strong>syslog</strong></span>'s "priorities", except that they can also be used if you are writing - straight to a file rather than using <span><strong class="command">syslog</strong></span>. + straight to a file rather than using <span class="command"><strong>syslog</strong></span>. Messages which are not at least of the severity level given will not be selected for the channel; messages of higher severity levels will be accepted. </p> <p> - If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities + If you are using <span class="command"><strong>syslog</strong></span>, then the <span class="command"><strong>syslog.conf</strong></span> priorities will also determine what eventually passes through. For example, - defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but - only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will - cause messages of severity <span><strong class="command">info</strong></span> and - <span><strong class="command">notice</strong></span> to - be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing - messages of only <span><strong class="command">warning</strong></span> or higher, - then <span><strong class="command">syslogd</strong></span> would + defining a channel facility and severity as <span class="command"><strong>daemon</strong></span> and <span class="command"><strong>debug</strong></span> but + only logging <span class="command"><strong>daemon.warning</strong></span> via <span class="command"><strong>syslog.conf</strong></span> will + cause messages of severity <span class="command"><strong>info</strong></span> and + <span class="command"><strong>notice</strong></span> to + be dropped. If the situation were reversed, with <span class="command"><strong>named</strong></span> writing + messages of only <span class="command"><strong>warning</strong></span> or higher, + then <span class="command"><strong>syslogd</strong></span> would print all messages it received from the channel. </p> <p> - The <span><strong class="command">stderr</strong></span> destination clause + The <span class="command"><strong>stderr</strong></span> destination clause directs the channel to the server's standard error stream. This is intended for @@ -1344,11 +1340,11 @@ it is in debugging mode. If the server's global debug level is greater than zero, then debugging mode will be active. The global debug - level is set either by starting the <span><strong class="command">named</strong></span> server + level is set either by starting the <span class="command"><strong>named</strong></span> server with the <code class="option">-d</code> flag followed by a positive integer, - or by running <span><strong class="command">rndc trace</strong></span>. + or by running <span class="command"><strong>rndc trace</strong></span>. The global debug level - can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc + can be set to zero, and debugging mode turned off, by running <span class="command"><strong>rndc notrace</strong></span>. All debugging messages in the server have a debug level, and higher debug levels give more detailed output. Channels that specify a specific debug severity, for example: @@ -1361,26 +1357,26 @@ notrace</strong></span>. All debugging messages in the server have a debug <p> will get debugging output of level 3 or less any time the server is in debugging mode, regardless of the global debugging - level. Channels with <span><strong class="command">dynamic</strong></span> + level. Channels with <span class="command"><strong>dynamic</strong></span> severity use the server's global debug level to determine what messages to print. </p> <p> - If <span><strong class="command">print-time</strong></span> has been turned on, + If <span class="command"><strong>print-time</strong></span> has been turned on, then - the date and time will be logged. <span><strong class="command">print-time</strong></span> may - be specified for a <span><strong class="command">syslog</strong></span> channel, + the date and time will be logged. <span class="command"><strong>print-time</strong></span> may + be specified for a <span class="command"><strong>syslog</strong></span> channel, but is usually - pointless since <span><strong class="command">syslog</strong></span> also logs + pointless since <span class="command"><strong>syslog</strong></span> also logs the date and - time. If <span><strong class="command">print-category</strong></span> is + time. If <span class="command"><strong>print-category</strong></span> is requested, then the - category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is - on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may + category of the message will be logged as well. Finally, if <span class="command"><strong>print-severity</strong></span> is + on, then the severity level of the message will be logged. The <span class="command"><strong>print-</strong></span> options may be used in any combination, and will always be printed in the following order: time, category, severity. Here is an example where all - three <span><strong class="command">print-</strong></span> options + three <span class="command"><strong>print-</strong></span> options are on: </p> <p> @@ -1388,9 +1384,9 @@ notrace</strong></span>. All debugging messages in the server have a debug </p> <p> There are four predefined channels that are used for - <span><strong class="command">named</strong></span>'s default logging as follows. + <span class="command"><strong>named</strong></span>'s default logging as follows. How they are - used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>. + used is described in <a class="xref" href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span class="command"><strong>category</strong></span> Phrase”</a>. </p> <pre class="programlisting">channel default_syslog { // send to syslog's daemon facility @@ -1420,7 +1416,7 @@ channel null { }; </pre> <p> - The <span><strong class="command">default_debug</strong></span> channel has the + The <span class="command"><strong>default_debug</strong></span> channel has the special property that it only produces output when the server's debug level is @@ -1430,9 +1426,9 @@ channel null { <p> For security reasons, when the "<code class="option">-u</code>" command line option is used, the <code class="filename">named.run</code> file - is created only after <span><strong class="command">named</strong></span> has + is created only after <span class="command"><strong>named</strong></span> has changed to the - new UID, and any debug output generated while <span><strong class="command">named</strong></span> is + new UID, and any debug output generated while <span class="command"><strong>named</strong></span> is starting up and still running as root is discarded. If you need to capture this output, you must run the server with the "<code class="option">-g</code>" option and redirect standard error to a file. @@ -1444,15 +1440,15 @@ channel null { defined. </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div> +<a name="the_category_phrase"></a>The <span class="command"><strong>category</strong></span> Phrase</h4></div></div></div> <p> There are many categories, so you can send the logs you want to see wherever you want, without seeing logs you don't want. If you don't specify a list of channels for a category, then log messages - in that category will be sent to the <span><strong class="command">default</strong></span> category + in that category will be sent to the <span class="command"><strong>default</strong></span> category instead. If you don't specify a default category, the following "default default" is used: </p> @@ -1473,7 +1469,7 @@ category security { default_debug; };</pre> <p> - To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel: + To discard all messages in a category, specify the <span class="command"><strong>null</strong></span> channel: </p> <pre class="programlisting">category xfer-out { null; }; category notify { null; }; @@ -1485,364 +1481,376 @@ category notify { null; }; </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="1.150in" class="1"> +<col width="3.350in" class="2"> </colgroup> <tbody> <tr> <td> - <p><span><strong class="command">default</strong></span></p> - </td> + <p><span class="command"><strong>client</strong></span></p> + </td> <td> - <p> - The default category defines the logging - options for those categories where no specific - configuration has been - defined. - </p> - </td> + <p> + Processing of client requests. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">general</strong></span></p> - </td> + <p><span class="command"><strong>cname</strong></span></p> + </td> <td> - <p> - The catch-all. Many things still aren't - classified into categories, and they all end up here. - </p> - </td> + <p> + Logs nameservers that are skipped due to them being + a CNAME rather than A / AAAA records. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">database</strong></span></p> - </td> + <p><span class="command"><strong>config</strong></span></p> + </td> <td> - <p> - Messages relating to the databases used - internally by the name server to store zone and cache - data. - </p> - </td> + <p> + Configuration file parsing and processing. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">security</strong></span></p> - </td> + <p><span class="command"><strong>database</strong></span></p> + </td> <td> - <p> - Approval and denial of requests. - </p> - </td> + <p> + Messages relating to the databases used + internally by the name server to store zone and cache + data. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">config</strong></span></p> - </td> + <p><span class="command"><strong>default</strong></span></p> + </td> <td> - <p> - Configuration file parsing and processing. - </p> - </td> + <p> + The default category defines the logging + options for those categories where no specific + configuration has been + defined. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">resolver</strong></span></p> - </td> + <p><span class="command"><strong>delegation-only</strong></span></p> + </td> <td> - <p> - DNS resolution, such as the recursive - lookups performed on behalf of clients by a caching name - server. - </p> - </td> + <p> + Delegation only. Logs queries that have been + forced to NXDOMAIN as the result of a + delegation-only zone or a + <span class="command"><strong>delegation-only</strong></span> in a + forward, hint or stub zone declaration. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">xfer-in</strong></span></p> - </td> + <p><span class="command"><strong>dispatch</strong></span></p> + </td> <td> - <p> - Zone transfers the server is receiving. - </p> - </td> + <p> + Dispatching of incoming packets to the + server modules where they are to be processed. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">xfer-out</strong></span></p> - </td> + <p><span class="command"><strong>dnssec</strong></span></p> + </td> <td> - <p> - Zone transfers the server is sending. - </p> - </td> + <p> + DNSSEC and TSIG protocol processing. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">notify</strong></span></p> - </td> + <p><span class="command"><strong>edns-disabled</strong></span></p> + </td> <td> - <p> - The NOTIFY protocol. - </p> - </td> + <p> + Log queries that have been forced to use plain + DNS due to timeouts. This is often due to + the remote servers not being RFC 1034 compliant + (not always returning FORMERR or similar to + EDNS queries and other extensions to the DNS + when they are not understood). In other words, this is + targeted at servers that fail to respond to + DNS queries that they don't understand. + </p> + <p> + Note: the log message can also be due to + packet loss. Before reporting servers for + non-RFC 1034 compliance they should be re-tested + to determine the nature of the non-compliance. + This testing should prevent or reduce the + number of false-positive reports. + </p> + <p> + Note: eventually <span class="command"><strong>named</strong></span> will have to stop + treating such timeouts as due to RFC 1034 non + compliance and start treating it as plain + packet loss. Falsely classifying packet + loss as due to RFC 1034 non compliance impacts + on DNSSEC validation which requires EDNS for + the DNSSEC records to be returned. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">client</strong></span></p> - </td> + <p><span class="command"><strong>general</strong></span></p> + </td> <td> - <p> - Processing of client requests. - </p> - </td> + <p> + The catch-all. Many things still aren't + classified into categories, and they all end up here. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">unmatched</strong></span></p> - </td> + <p><span class="command"><strong>lame-servers</strong></span></p> + </td> <td> - <p> - Messages that <span><strong class="command">named</strong></span> was unable to determine the - class of or for which there was no matching <span><strong class="command">view</strong></span>. - A one line summary is also logged to the <span><strong class="command">client</strong></span> category. - This category is best sent to a file or stderr, by - default it is sent to - the <span><strong class="command">null</strong></span> channel. - </p> - </td> + <p> + Lame servers. These are misconfigurations + in remote servers, discovered by BIND 9 when trying to + query those servers during resolution. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">network</strong></span></p> - </td> + <p><span class="command"><strong>network</strong></span></p> + </td> <td> - <p> - Network operations. - </p> - </td> + <p> + Network operations. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">update</strong></span></p> - </td> + <p><span class="command"><strong>notify</strong></span></p> + </td> <td> - <p> - Dynamic updates. - </p> - </td> + <p> + The NOTIFY protocol. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">update-security</strong></span></p> - </td> + <p><span class="command"><strong>queries</strong></span></p> + </td> <td> - <p> - Approval and denial of update requests. - </p> - </td> + <p> + Specify where queries should be logged to. + </p> + <p> + At startup, specifying the category <span class="command"><strong>queries</strong></span> will also + enable query logging unless <span class="command"><strong>querylog</strong></span> option has been + specified. + </p> + + <p> + The query log entry reports the client's IP + address and port number, and the query name, + class and type. Next it reports whether the + Recursion Desired flag was set (+ if set, - + if not set), if the query was signed (S), + EDNS was in use (E), if TCP was used (T), if + DO (DNSSEC Ok) was set (D), or if CD (Checking + Disabled) was set (C). After this the + destination address the query was sent to is + reported. + </p> + + <p> + <code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code> + </p> + <p> + <code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code> + </p> + <p> + (The first part of this log message, showing the + client address/port number and query name, is + repeated in all subsequent log messages related + to the same query.) + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">queries</strong></span></p> - </td> + <p><span class="command"><strong>query-errors</strong></span></p> + </td> <td> - <p> - Specify where queries should be logged to. - </p> - <p> - At startup, specifying the category <span><strong class="command">queries</strong></span> will also - enable query logging unless <span><strong class="command">querylog</strong></span> option has been - specified. - </p> - - <p> - The query log entry reports the client's IP - address and port number, and the query name, - class and type. Next it reports whether the - Recursion Desired flag was set (+ if set, - - if not set), if the query was signed (S), - EDNS was in use (E), if TCP was used (T), if - DO (DNSSEC Ok) was set (D), or if CD (Checking - Disabled) was set (C). After this the - destination address the query was sent to is - reported. - </p> - - <p> - <code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code> - </p> - <p> - <code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code> - </p> - <p> - (The first part of this log message, showing the - client address/port number and query name, is - repeated in all subsequent log messages related - to the same query.) - </p> - </td> + <p> + Information about queries that resulted in some + failure. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">query-errors</strong></span></p> - </td> + <p><span class="command"><strong>rate-limit</strong></span></p> + </td> <td> - <p> - Information about queries that resulted in some - failure. - </p> - </td> + <p> + (Only available when <acronym class="acronym">BIND</acronym> 9 is + configured with the <strong class="userinput"><code>--enable-rrl</code></strong> + option at compile time.) + </p> + <p> + The start, periodic, and final notices of the + rate limiting of a stream of responses are logged at + <span class="command"><strong>info</strong></span> severity in this category. + These messages include a hash value of the domain name + of the response and the name itself, + except when there is insufficient memory to record + the name for the final notice + The final notice is normally delayed until about one + minute after rate limit stops. + A lack of memory can hurry the final notice, + in which case it starts with an asterisk (*). + Various internal events are logged at debug 1 level + and higher. + </p> + <p> + Rate limiting of individual requests + is logged in the <span class="command"><strong>query-errors</strong></span> category. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">dispatch</strong></span></p> - </td> + <p><span class="command"><strong>resolver</strong></span></p> + </td> <td> - <p> - Dispatching of incoming packets to the - server modules where they are to be processed. - </p> - </td> + <p> + DNS resolution, such as the recursive + lookups performed on behalf of clients by a caching name + server. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">dnssec</strong></span></p> - </td> + <p><span class="command"><strong>rpz</strong></span></p> + </td> <td> - <p> - DNSSEC and TSIG protocol processing. - </p> - </td> + <p> + Information about errors in response policy zone files, + rewritten responses, and at the highest + <span class="command"><strong>debug</strong></span> levels, mere rewriting + attempts. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">lame-servers</strong></span></p> - </td> + <p><span class="command"><strong>security</strong></span></p> + </td> <td> - <p> - Lame servers. These are misconfigurations - in remote servers, discovered by BIND 9 when trying to - query those servers during resolution. - </p> - </td> + <p> + Approval and denial of requests. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">delegation-only</strong></span></p> - </td> + <p><span class="command"><strong>spill</strong></span></p> + </td> <td> - <p> - Delegation only. Logs queries that have been - forced to NXDOMAIN as the result of a - delegation-only zone or a - <span><strong class="command">delegation-only</strong></span> in a - forward, hint or stub zone declaration. - </p> - </td> + <p> + Logs queries that have been terminated, either by dropping + or responding with SERVFAIL, as a result of a fetchlimit + quota being exceeded. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">edns-disabled</strong></span></p> - </td> + <p><span class="command"><strong>unmatched</strong></span></p> + </td> <td> - <p> - Log queries that have been forced to use plain - DNS due to timeouts. This is often due to - the remote servers not being RFC 1034 compliant - (not always returning FORMERR or similar to - EDNS queries and other extensions to the DNS - when they are not understood). In other words, this is - targeted at servers that fail to respond to - DNS queries that they don't understand. - </p> - <p> - Note: the log message can also be due to - packet loss. Before reporting servers for - non-RFC 1034 compliance they should be re-tested - to determine the nature of the non-compliance. - This testing should prevent or reduce the - number of false-positive reports. - </p> - <p> - Note: eventually <span><strong class="command">named</strong></span> will have to stop - treating such timeouts as due to RFC 1034 non - compliance and start treating it as plain - packet loss. Falsely classifying packet - loss as due to RFC 1034 non compliance impacts - on DNSSEC validation which requires EDNS for - the DNSSEC records to be returned. - </p> - </td> + <p> + Messages that <span class="command"><strong>named</strong></span> was unable to determine the + class of or for which there was no matching <span class="command"><strong>view</strong></span>. + A one line summary is also logged to the <span class="command"><strong>client</strong></span> category. + This category is best sent to a file or stderr, by + default it is sent to + the <span class="command"><strong>null</strong></span> channel. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">RPZ</strong></span></p> - </td> + <p><span class="command"><strong>update</strong></span></p> + </td> <td> - <p> - Information about errors in response policy zone files, - rewritten responses, and at the highest - <span><strong class="command">debug</strong></span> levels, mere rewriting - attempts. - </p> - </td> + <p> + Dynamic updates. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">rate-limit</strong></span></p> - </td> + <p><span class="command"><strong>update-security</strong></span></p> + </td> <td> - <p> - (Only available when <acronym class="acronym">BIND</acronym> 9 is - configured with the <strong class="userinput"><code>--enable-rrl</code></strong> - option at compile time.) - </p> - <p> - The start, periodic, and final notices of the - rate limiting of a stream of responses are logged at - <span><strong class="command">info</strong></span> severity in this category. - These messages include a hash value of the domain name - of the response and the name itself, - except when there is insufficient memory to record - the name for the final notice - The final notice is normally delayed until about one - minute after rate limit stops. - A lack of memory can hurry the final notice, - in which case it starts with an asterisk (*). - Various internal events are logged at debug 1 level - and higher. - </p> - <p> - Rate limiting of individual requests - is logged in the <span><strong class="command">query-errors</strong></span> category. - </p> - </td> + <p> + Approval and denial of update requests. + </p> + </td> </tr> <tr> <td> - <p><span><strong class="command">cname</strong></span></p> - </td> + <p><span class="command"><strong>xfer-in</strong></span></p> + </td> <td> - <p> - Logs nameservers that are skipped due to them being - a CNAME rather than A / AAAA records. - </p> - </td> + <p> + Zone transfers the server is receiving. + </p> + </td> +</tr> +<tr> +<td> + <p><span class="command"><strong>xfer-out</strong></span></p> + </td> +<td> + <p> + Zone transfers the server is sending. + </p> + </td> </tr> </tbody> </table></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2576580"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div> +<a name="query_errors"></a>The <span class="command"><strong>query-errors</strong></span> Category</h4></div></div></div> <p> - The <span><strong class="command">query-errors</strong></span> category is + The <span class="command"><strong>query-errors</strong></span> category is specifically intended for debugging purposes: To identify why and how specific queries result in responses which indicate an error. Messages of this category are therefore only logged - with <span><strong class="command">debug</strong></span> levels. + with <span class="command"><strong>debug</strong></span> levels. </p> <p> At the debug levels of 1 or higher, each response with the @@ -1905,8 +1913,8 @@ badresp:1,adberr:0,findfail:0,valfail:0] </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="1.150in" class="1"> +<col width="3.350in" class="2"> </colgroup> <tbody> <tr> @@ -2061,14 +2069,14 @@ badresp:1,adberr:0,findfail:0,valfail:0] </p> </div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2577236"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div> +<a name="lwres_grammar"></a><span class="command"><strong>lwres</strong></span> Statement Grammar</h3></div></div></div> <p> - This is the grammar of the <span><strong class="command">lwres</strong></span> + This is the grammar of the <span class="command"><strong>lwres</strong></span> statement in the <code class="filename">named.conf</code> file: </p> -<pre class="programlisting"><span><strong class="command">lwres</strong></span> { +<pre class="programlisting"><span class="command"><strong>lwres</strong></span> { [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>] @@ -2077,19 +2085,19 @@ badresp:1,adberr:0,findfail:0,valfail:0] }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2577309"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div> +<a name="lwres_statement"></a><span class="command"><strong>lwres</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">lwres</strong></span> statement configures the + The <span class="command"><strong>lwres</strong></span> statement configures the name server to also act as a lightweight resolver server. (See - <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple - <span><strong class="command">lwres</strong></span> statements configuring + <a class="xref" href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple + <span class="command"><strong>lwres</strong></span> statements configuring lightweight resolver servers with different properties. </p> <p> - The <span><strong class="command">listen-on</strong></span> statement specifies a + The <span class="command"><strong>listen-on</strong></span> statement specifies a list of IPv4 addresses (and ports) that this instance of a lightweight resolver daemon @@ -2100,7 +2108,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] port 921. </p> <p> - The <span><strong class="command">view</strong></span> statement binds this + The <span class="command"><strong>view</strong></span> statement binds this instance of a lightweight resolver daemon to a view in the DNS namespace, so that the @@ -2111,49 +2119,49 @@ badresp:1,adberr:0,findfail:0,valfail:0] used, and if there is no default view, an error is triggered. </p> <p> - The <span><strong class="command">search</strong></span> statement is equivalent to + The <span class="command"><strong>search</strong></span> statement is equivalent to the - <span><strong class="command">search</strong></span> statement in + <span class="command"><strong>search</strong></span> statement in <code class="filename">/etc/resolv.conf</code>. It provides a list of domains which are appended to relative names in queries. </p> <p> - The <span><strong class="command">ndots</strong></span> statement is equivalent to + The <span class="command"><strong>ndots</strong></span> statement is equivalent to the - <span><strong class="command">ndots</strong></span> statement in + <span class="command"><strong>ndots</strong></span> statement in <code class="filename">/etc/resolv.conf</code>. It indicates the minimum number of dots in a relative domain name that should result in an exact match lookup before search path elements are appended. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2577373"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div> +<a name="masters_grammar"></a><span class="command"><strong>masters</strong></span> Statement Grammar</h3></div></div></div> <pre class="programlisting"> -<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | +<span class="command"><strong>masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2577417"></a><span><strong class="command">masters</strong></span> Statement Definition and +<a name="masters_statement"></a><span class="command"><strong>masters</strong></span> Statement Definition and Usage</h3></div></div></div> -<p><span><strong class="command">masters</strong></span> +<p><span class="command"><strong>masters</strong></span> lists allow for a common set of masters to be easily used by - multiple stub and slave zones in their <span><strong class="command">masters</strong></span> - or <span><strong class="command">also-notify</strong></span> lists. + multiple stub and slave zones in their <span class="command"><strong>masters</strong></span> + or <span class="command"><strong>also-notify</strong></span> lists. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2577438"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div> +<a name="options_grammar"></a><span class="command"><strong>options</strong></span> Statement Grammar</h3></div></div></div> <p> - This is the grammar of the <span><strong class="command">options</strong></span> + This is the grammar of the <span class="command"><strong>options</strong></span> statement in the <code class="filename">named.conf</code> file: </p> -<pre class="programlisting"><span><strong class="command">options</strong></span> { +<pre class="programlisting"><span class="command"><strong>options</strong></span> { [<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>] [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>] [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>] @@ -2197,6 +2205,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>] [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>] [<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>] + [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>] [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>] [<span class="optional"> dnssec-validation (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">auto</code>); </span>] [<span class="optional"> dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> | @@ -2268,7 +2277,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>] [<span class="optional"> fetches-per-server <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>(drop | fail)</code></em></span>]; </span>] [<span class="optional"> fetch-quota-params <em class="replaceable"><code>number fixedpoint fixedpoint fixedpoint</code></em> ; </span>] - [<span class="optional"> fetches-per-zone<em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>(drop | fail)</code></em></span>]; </span>] + [<span class="optional"> fetches-per-zone <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>(drop | fail)</code></em></span>]; </span>] [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>] [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>] [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>] @@ -2286,9 +2295,9 @@ badresp:1,adberr:0,findfail:0,valfail:0] [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> - [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ; - [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ; ... </span>] }; </span>] + [<span class="optional"> also-notify [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> + [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] + [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>] [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>] [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>] [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>] @@ -2305,6 +2314,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>] [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>] [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> serial-update-method <code class="constant">increment</code>|<code class="constant">unixtime</code>|<code class="constant">date</code>; </span>] [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>] [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>] [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>] @@ -2330,7 +2340,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] [<span class="optional"> clients { <em class="replaceable"><code>address_match_list</code></em> }; </span>] [<span class="optional"> mapped { <em class="replaceable"><code>address_match_list</code></em> }; </span>] [<span class="optional"> exclude { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> suffix IPv6-address; </span>] + [<span class="optional"> suffix <em class="replaceable"><code>IPv6-address</code></em>; </span>] [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em>; </span>] [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em>; </span>] }; </span>]; @@ -2389,21 +2399,21 @@ badresp:1,adberr:0,findfail:0,valfail:0] }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and +<a name="options"></a><span class="command"><strong>options</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">options</strong></span> statement sets up global + The <span class="command"><strong>options</strong></span> statement sets up global options to be used by <acronym class="acronym">BIND</acronym>. This statement may appear only - once in a configuration file. If there is no <span><strong class="command">options</strong></span> + once in a configuration file. If there is no <span class="command"><strong>options</strong></span> statement, an options block with each option set to its default will be used. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">attach-cache</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>attach-cache</strong></span></span></dt> <dd> <p> Allows multiple views to share a single cache @@ -2415,15 +2425,15 @@ badresp:1,adberr:0,findfail:0,valfail:0] improve resolution efficiency by using this option. </p> <p> - The <span><strong class="command">attach-cache</strong></span> option - may also be specified in <span><strong class="command">view</strong></span> + The <span class="command"><strong>attach-cache</strong></span> option + may also be specified in <span class="command"><strong>view</strong></span> statements, in which case it overrides the - global <span><strong class="command">attach-cache</strong></span> option. + global <span class="command"><strong>attach-cache</strong></span> option. </p> <p> The <em class="replaceable"><code>cache_name</code></em> specifies the cache to be shared. - When the <span><strong class="command">named</strong></span> server configures + When the <span class="command"><strong>named</strong></span> server configures views which are supposed to share a cache, it creates a cache with the specified name for the first view of these sharing views. @@ -2434,7 +2444,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] One common configuration to share a cache would be to allow all views to share a single cache. This can be done by specifying - the <span><strong class="command">attach-cache</strong></span> as a global + the <span class="command"><strong>attach-cache</strong></span> as a global option with an arbitrary name. </p> <p> @@ -2443,7 +2453,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] retain their own caches. For example, if there are three views A, B, and C, and only A and B should share a cache, specify the - <span><strong class="command">attach-cache</strong></span> option as a view A (or + <span class="command"><strong>attach-cache</strong></span> option as a view A (or B)'s option, referring to the other view name: </p> <pre class="programlisting"> @@ -2466,14 +2476,14 @@ badresp:1,adberr:0,findfail:0,valfail:0] The current implementation requires the following configurable options be consistent among these views: - <span><strong class="command">check-names</strong></span>, - <span><strong class="command">cleaning-interval</strong></span>, - <span><strong class="command">dnssec-accept-expired</strong></span>, - <span><strong class="command">dnssec-validation</strong></span>, - <span><strong class="command">max-cache-ttl</strong></span>, - <span><strong class="command">max-ncache-ttl</strong></span>, - <span><strong class="command">max-cache-size</strong></span>, and - <span><strong class="command">zero-no-soa-ttl</strong></span>. + <span class="command"><strong>check-names</strong></span>, + <span class="command"><strong>cleaning-interval</strong></span>, + <span class="command"><strong>dnssec-accept-expired</strong></span>, + <span class="command"><strong>dnssec-validation</strong></span>, + <span class="command"><strong>max-cache-ttl</strong></span>, + <span class="command"><strong>max-ncache-ttl</strong></span>, + <span class="command"><strong>max-cache-size</strong></span>, and + <span class="command"><strong>zero-no-soa-ttl</strong></span>. </p> <p> Note that there may be other parameters that may @@ -2488,7 +2498,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] not cause disruption with a shared cache. </p> </dd> -<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>directory</strong></span></span></dt> <dd><p> The working directory of the server. Any non-absolute pathnames in the configuration file will be @@ -2503,7 +2513,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] was started. The directory specified should be an absolute path. </p></dd> -<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>key-directory</strong></span></span></dt> <dd><p> When performing dynamic update of secure zones, the directory where the public and private DNSSEC key files @@ -2514,7 +2524,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] <code class="filename">rndc.key</code> or <code class="filename">session.key</code>.) </p></dd> -<dt><span class="term"><span><strong class="command">managed-keys-directory</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>managed-keys-directory</strong></span></span></dt> <dd> <p> Specifies the directory in which to store the files that @@ -2522,7 +2532,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] directory. </p> <p> - If <span><strong class="command">named</strong></span> is not configured to use views, + If <span class="command"><strong>named</strong></span> is not configured to use views, then managed keys for the server will be tracked in a single file called <code class="filename">managed-keys.bind</code>. Otherwise, managed keys will be tracked in separate files, @@ -2531,23 +2541,23 @@ badresp:1,adberr:0,findfail:0,valfail:0] <code class="filename">.mkeys</code>. </p> </dd> -<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>named-xfer</strong></span></span></dt> <dd><p> <span class="emphasis"><em>This option is obsolete.</em></span> It was used in <acronym class="acronym">BIND</acronym> 8 to specify - the pathname to the <span><strong class="command">named-xfer</strong></span> + the pathname to the <span class="command"><strong>named-xfer</strong></span> program. In <acronym class="acronym">BIND</acronym> 9, no separate - <span><strong class="command">named-xfer</strong></span> program is needed; + <span class="command"><strong>named-xfer</strong></span> program is needed; its functionality is built into the name server. </p></dd> -<dt><span class="term"><span><strong class="command">tkey-gssapi-keytab</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>tkey-gssapi-keytab</strong></span></span></dt> <dd><p> The KRB5 keytab file to use for GSS-TSIG updates. If this option is set and tkey-gssapi-credential is not set, then updates will be allowed with any key matching a principal in the specified keytab. </p></dd> -<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>tkey-gssapi-credential</strong></span></span></dt> <dd><p> The security credential with which the server should authenticate keys requested by the GSS-TSIG protocol. @@ -2558,128 +2568,128 @@ badresp:1,adberr:0,findfail:0,valfail:0] The location keytab file can be overridden using the tkey-gssapi-keytab option. Normally this principal is of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>". - To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span> must + To use GSS-TSIG, <span class="command"><strong>tkey-domain</strong></span> must also be set if a specific keytab is not set with tkey-gssapi-keytab. </p></dd> -<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>tkey-domain</strong></span></span></dt> <dd><p> The domain appended to the names of all shared keys - generated with <span><strong class="command">TKEY</strong></span>. When a - client requests a <span><strong class="command">TKEY</strong></span> exchange, + generated with <span class="command"><strong>TKEY</strong></span>. When a + client requests a <span class="command"><strong>TKEY</strong></span> exchange, it may or may not specify the desired name for the key. If present, the name of the shared key will be <code class="varname">client specified part</code> + <code class="varname">tkey-domain</code>. Otherwise, the name of the shared key will be <code class="varname">random hex digits</code> + <code class="varname">tkey-domain</code>. - In most cases, the <span><strong class="command">domainname</strong></span> + In most cases, the <span class="command"><strong>domainname</strong></span> should be the server's domain name, or an otherwise non-existent subdomain like "_tkey.<code class="varname">domainname</code>". If you are using GSS-TSIG, this variable must be defined, unless you specify a specific keytab using tkey-gssapi-keytab. </p></dd> -<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>tkey-dhkey</strong></span></span></dt> <dd><p> The Diffie-Hellman key used by the server to generate shared keys with clients using the Diffie-Hellman mode - of <span><strong class="command">TKEY</strong></span>. The server must be + of <span class="command"><strong>TKEY</strong></span>. The server must be able to load the public and private keys from files in the working directory. In most cases, the keyname should be the server's host name. </p></dd> -<dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>cache-file</strong></span></span></dt> <dd><p> This is for testing only. Do not use. </p></dd> -<dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dump-file</strong></span></span></dt> <dd><p> The pathname of the file the server dumps the database to when instructed to do so with - <span><strong class="command">rndc dumpdb</strong></span>. + <span class="command"><strong>rndc dumpdb</strong></span>. If not specified, the default is <code class="filename">named_dump.db</code>. </p></dd> -<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>memstatistics-file</strong></span></span></dt> <dd><p> The pathname of the file the server writes memory usage statistics to on exit. If not specified, the default is <code class="filename">named.memstats</code>. </p></dd> -<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>pid-file</strong></span></span></dt> <dd><p> The pathname of the file the server writes its process ID in. If not specified, the default is <code class="filename">/var/run/named/named.pid</code>. The PID file is used by programs that want to send signals to the running - name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the + name server. Specifying <span class="command"><strong>pid-file none</strong></span> disables the use of a PID file — no file will be written and any - existing one will be removed. Note that <span><strong class="command">none</strong></span> + existing one will be removed. Note that <span class="command"><strong>none</strong></span> is a keyword, not a filename, and therefore is not enclosed in double quotes. </p></dd> -<dt><span class="term"><span><strong class="command">recursing-file</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>recursing-file</strong></span></span></dt> <dd><p> The pathname of the file the server dumps the queries that are currently recursing when instructed - to do so with <span><strong class="command">rndc recursing</strong></span>. + to do so with <span class="command"><strong>rndc recursing</strong></span>. If not specified, the default is <code class="filename">named.recursing</code>. </p></dd> -<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>statistics-file</strong></span></span></dt> <dd><p> The pathname of the file the server appends statistics - to when instructed to do so using <span><strong class="command">rndc stats</strong></span>. + to when instructed to do so using <span class="command"><strong>rndc stats</strong></span>. If not specified, the default is <code class="filename">named.stats</code> in the server's current directory. The format of the file is described - in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>. + in <a class="xref" href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">bindkeys-file</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>bindkeys-file</strong></span></span></dt> <dd><p> The pathname of a file to override the built-in trusted - keys provided by <span><strong class="command">named</strong></span>. - See the discussion of <span><strong class="command">dnssec-lookaside</strong></span> - and <span><strong class="command">dnssec-validation</strong></span> for details. + keys provided by <span class="command"><strong>named</strong></span>. + See the discussion of <span class="command"><strong>dnssec-lookaside</strong></span> + and <span class="command"><strong>dnssec-validation</strong></span> for details. If not specified, the default is <code class="filename">/etc/bind.keys</code>. </p></dd> -<dt><span class="term"><span><strong class="command">secroots-file</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>secroots-file</strong></span></span></dt> <dd><p> The pathname of the file the server dumps security roots to when instructed to do so with - <span><strong class="command">rndc secroots</strong></span>. + <span class="command"><strong>rndc secroots</strong></span>. If not specified, the default is <code class="filename">named.secroots</code>. </p></dd> -<dt><span class="term"><span><strong class="command">session-keyfile</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>session-keyfile</strong></span></span></dt> <dd><p> The pathname of the file into which to write a TSIG - session key generated by <span><strong class="command">named</strong></span> for use by - <span><strong class="command">nsupdate -l</strong></span>. If not specified, the + session key generated by <span class="command"><strong>named</strong></span> for use by + <span class="command"><strong>nsupdate -l</strong></span>. If not specified, the default is <code class="filename">/var/run/named/session.key</code>. - (See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>, and in + (See <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>, and in particular the discussion of the - <span><strong class="command">update-policy</strong></span> statement's + <span class="command"><strong>update-policy</strong></span> statement's <strong class="userinput"><code>local</code></strong> option for more information about this feature.) </p></dd> -<dt><span class="term"><span><strong class="command">session-keyname</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>session-keyname</strong></span></span></dt> <dd><p> The key name to use for the TSIG session key. If not specified, the default is "local-ddns". </p></dd> -<dt><span class="term"><span><strong class="command">session-keyalg</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>session-keyalg</strong></span></span></dt> <dd><p> The algorithm to use for the TSIG session key. Valid values are hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, hmac-sha512 and hmac-md5. If not specified, the default is hmac-sha256. </p></dd> -<dt><span class="term"><span><strong class="command">port</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>port</strong></span></span></dt> <dd><p> The UDP/TCP port number the server uses for receiving and sending DNS protocol traffic. @@ -2689,7 +2699,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] communicate with the global DNS. </p></dd> -<dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>random-device</strong></span></span></dt> <dd><p> The source of entropy to be used by the server. Entropy is primarily needed @@ -2703,20 +2713,22 @@ badresp:1,adberr:0,findfail:0,valfail:0] is <code class="filename">/dev/random</code> (or equivalent) when present, and none otherwise. The - <span><strong class="command">random-device</strong></span> option takes + <span class="command"><strong>random-device</strong></span> option takes effect during the initial configuration load at server startup time and is ignored on subsequent reloads. </p></dd> -<dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>preferred-glue</strong></span></span></dt> <dd><p> If specified, the listed type (A or AAAA) will be emitted before other glue in the additional section of a query response. - The default is not to prefer any type (NONE). + The default is to prefer A records when responding + to queries that arrived via IPv4 and AAAA when + responding to queries that arrived via IPv6. </p></dd> <dt> -<a name="root_delegation_only"></a><span class="term"><span><strong class="command">root-delegation-only</strong></span></span> +<a name="root_delegation_only"></a><span class="term"><span class="command"><strong>root-delegation-only</strong></span></span> </dt> <dd> <p> @@ -2762,22 +2774,22 @@ options { }; </pre> </dd> -<dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>disable-algorithms</strong></span></span></dt> <dd><p> Disable the specified DNSSEC algorithms at and below the specified name. - Multiple <span><strong class="command">disable-algorithms</strong></span> + Multiple <span class="command"><strong>disable-algorithms</strong></span> statements are allowed. Only the most specific will be applied. </p></dd> -<dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-lookaside</strong></span></span></dt> <dd> <p> - When set, <span><strong class="command">dnssec-lookaside</strong></span> provides the + When set, <span class="command"><strong>dnssec-lookaside</strong></span> provides the validator with an alternate method to validate DNSKEY records at the top of a zone. When a DNSKEY is at or below a domain specified by the deepest - <span><strong class="command">dnssec-lookaside</strong></span>, and the normal DNSSEC + <span class="command"><strong>dnssec-lookaside</strong></span>, and the normal DNSSEC validation has left the key untrusted, the trust-anchor will be appended to the key name and a DLV record will be looked up to see if it can validate the key. If the DLV @@ -2785,61 +2797,61 @@ options { record does) the DNSKEY RRset is deemed to be trusted. </p> <p> - If <span><strong class="command">dnssec-lookaside</strong></span> is set to + If <span class="command"><strong>dnssec-lookaside</strong></span> is set to <strong class="userinput"><code>auto</code></strong>, then built-in default values for the DLV domain and trust anchor will be used, along with a built-in key for validation. </p> <p> - If <span><strong class="command">dnssec-lookaside</strong></span> is set to + If <span class="command"><strong>dnssec-lookaside</strong></span> is set to <strong class="userinput"><code>no</code></strong>, then dnssec-lookaside is not used. </p> <p> The default DLV key is stored in the file <code class="filename">bind.keys</code>; - <span><strong class="command">named</strong></span> will load that key at - startup if <span><strong class="command">dnssec-lookaside</strong></span> is set to + <span class="command"><strong>named</strong></span> will load that key at + startup if <span class="command"><strong>dnssec-lookaside</strong></span> is set to <code class="constant">auto</code>. A copy of the file is installed along with <acronym class="acronym">BIND</acronym> 9, and is current as of the release date. If the DLV key expires, a new copy of <code class="filename">bind.keys</code> can be downloaded - from <a href="https://www.isc.org/solutions/dlv/" target="_top">https://www.isc.org/solutions/dlv/</a>. + from <a class="link" href="https://www.isc.org/solutions/dlv/" target="_top">https://www.isc.org/solutions/dlv/</a>. </p> <p> (To prevent problems if <code class="filename">bind.keys</code> is not found, the current key is also compiled in to - <span><strong class="command">named</strong></span>. Relying on this is not - recommended, however, as it requires <span><strong class="command">named</strong></span> + <span class="command"><strong>named</strong></span>. Relying on this is not + recommended, however, as it requires <span class="command"><strong>named</strong></span> to be recompiled with a new key when the DLV key expires.) </p> <p> - NOTE: <span><strong class="command">named</strong></span> only loads certain specific + NOTE: <span class="command"><strong>named</strong></span> only loads certain specific keys from <code class="filename">bind.keys</code>: those for the DLV zone and for the DNS root zone. The file cannot be used to store keys for other zones. </p> </dd> -<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-must-be-secure</strong></span></span></dt> <dd><p> Specify hierarchies which must be or may not be secure (signed and validated). If <strong class="userinput"><code>yes</code></strong>, - then <span><strong class="command">named</strong></span> will only accept answers if + then <span class="command"><strong>named</strong></span> will only accept answers if they are secure. If <strong class="userinput"><code>no</code></strong>, then normal DNSSEC validation applies allowing for insecure answers to be accepted. The specified domain must be under a - <span><strong class="command">trusted-keys</strong></span> or - <span><strong class="command">managed-keys</strong></span> statement, or - <span><strong class="command">dnssec-lookaside</strong></span> must be active. + <span class="command"><strong>trusted-keys</strong></span> or + <span class="command"><strong>managed-keys</strong></span> statement, or + <span class="command"><strong>dnssec-lookaside</strong></span> must be active. </p></dd> -<dt><span class="term"><span><strong class="command">dns64</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dns64</strong></span></span></dt> <dd> <p> - This directive instructs <span><strong class="command">named</strong></span> to + This directive instructs <span class="command"><strong>named</strong></span> to return mapped IPv4 addresses to AAAA queries when there are no AAAA records. It is intended to be used in conjunction with a NAT64. Each - <span><strong class="command">dns64</strong></span> defines one DNS64 prefix. + <span class="command"><strong>dns64</strong></span> defines one DNS64 prefix. Multiple DNS64 prefixes can be defined. </p> <p> @@ -2850,21 +2862,21 @@ options { Additionally a reverse IP6.ARPA zone will be created for the prefix to provide a mapping from the IP6.ARPA names to the corresponding IN-ADDR.ARPA names using synthesized - CNAMEs. <span><strong class="command">dns64-server</strong></span> and - <span><strong class="command">dns64-contact</strong></span> can be used to specify + CNAMEs. <span class="command"><strong>dns64-server</strong></span> and + <span class="command"><strong>dns64-contact</strong></span> can be used to specify the name of the server and contact for the zones. These are settable at the view / options level. These are not settable on a per-prefix basis. </p> <p> - Each <span><strong class="command">dns64</strong></span> supports an optional - <span><strong class="command">clients</strong></span> ACL that determines which + Each <span class="command"><strong>dns64</strong></span> supports an optional + <span class="command"><strong>clients</strong></span> ACL that determines which clients are affected by this directive. If not defined, it defaults to <strong class="userinput"><code>any;</code></strong>. </p> <p> - Each <span><strong class="command">dns64</strong></span> supports an optional - <span><strong class="command">mapped</strong></span> ACL that selects which + Each <span class="command"><strong>dns64</strong></span> supports an optional + <span class="command"><strong>mapped</strong></span> ACL that selects which IPv4 addresses are to be mapped in the corresponding A RRset. If not defined it defaults to <strong class="userinput"><code>any;</code></strong>. @@ -2873,15 +2885,15 @@ options { Normally, DNS64 won't apply to a domain name that owns one or more AAAA records; these records will simply be returned. The optional - <span><strong class="command">exclude</strong></span> ACL allows specification + <span class="command"><strong>exclude</strong></span> ACL allows specification of a list of IPv6 addresses that will be ignored if they appear in a domain name's AAAA records, and DNS64 will be applied to any A records the domain - name owns. If not defined, <span><strong class="command">exclude</strong></span> + name owns. If not defined, <span class="command"><strong>exclude</strong></span> defaults to none. </p> <p> - A optional <span><strong class="command">suffix</strong></span> can also + A optional <span class="command"><strong>suffix</strong></span> can also be defined to set the bits trailing the mapped IPv4 address bits. By default these bits are set to <strong class="userinput"><code>::</code></strong>. The bits @@ -2889,17 +2901,17 @@ options { must be zero. </p> <p> - If <span><strong class="command">recursive-only</strong></span> is set to - <span><strong class="command">yes</strong></span> the DNS64 synthesis will + If <span class="command"><strong>recursive-only</strong></span> is set to + <span class="command"><strong>yes</strong></span> the DNS64 synthesis will only happen for recursive queries. The default - is <span><strong class="command">no</strong></span>. + is <span class="command"><strong>no</strong></span>. </p> <p> - If <span><strong class="command">break-dnssec</strong></span> is set to - <span><strong class="command">yes</strong></span> the DNS64 synthesis will + If <span class="command"><strong>break-dnssec</strong></span> is set to + <span class="command"><strong>yes</strong></span> the DNS64 synthesis will happen even if the result, if validated, would cause a DNSSEC validation failure. If this option - is set to <span><strong class="command">no</strong></span> (the default), the DO + is set to <span class="command"><strong>no</strong></span> (the default), the DO is set on the incoming query, and there are RRSIGs on the applicable records, then synthesis will not happen. </p> @@ -2914,46 +2926,83 @@ options { }; </pre> </dd> -<dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-loadkeys-interval</strong></span></span></dt> +<dd><p> + When a zone is configured with <span class="command"><strong>auto-dnssec + maintain;</strong></span> its key repository must be checked + periodically to see if any new keys have been added + or any existing keys' timing metadata has been updated + (see <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and + <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The + <span class="command"><strong>dnssec-loadkeys-interval</strong></span> option + sets the frequency of automatic repository checks, in + minutes. The default is <code class="literal">60</code> (1 hour), + the minimum is <code class="literal">1</code> (1 minute), and the + maximum is <code class="literal">1440</code> (24 hours); any higher + value is silently reduced. + </p></dd> +<dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt> <dd> <p> If this option is set to its default value of <code class="literal">maintain</code> in a zone of type <code class="literal">master</code> which is DNSSEC-signed and configured to allow dynamic updates (see - <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>), and - if <span><strong class="command">named</strong></span> has access to the + <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>), and + if <span class="command"><strong>named</strong></span> has access to the private signing key(s) for the zone, then - <span><strong class="command">named</strong></span> will automatically sign all new + <span class="command"><strong>named</strong></span> will automatically sign all new or changed records and maintain signatures for the zone by regenerating RRSIG records whenever they approach their expiration date. </p> <p> If the option is changed to <code class="literal">no-resign</code>, - then <span><strong class="command">named</strong></span> will sign all new or + then <span class="command"><strong>named</strong></span> will sign all new or changed records, but scheduled maintenance of signatures is disabled. </p> <p> - With either of these settings, <span><strong class="command">named</strong></span> + With either of these settings, <span class="command"><strong>named</strong></span> will reject updates to a DNSSEC-signed zone when the signing keys are inactive or unavailable to - <span><strong class="command">named</strong></span>. (A planned third option, + <span class="command"><strong>named</strong></span>. (A planned third option, <code class="literal">external</code>, will disable all automatic signing and allow DNSSEC data to be submitted into a zone via dynamic update; this is not yet implemented.) </p> </dd> -<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>serial-update-method</strong></span></span></dt> +<dd> +<p> + Zones configured for dynamic DNS may use this + option to set the update method that will be used for + the zone serial number in the SOA record. + </p> +<p> + With the default setting of + <span class="command"><strong>serial-update-method increment;</strong></span>, the + SOA serial number will be incremented by one each time + the zone is updated. + </p> +<p> + When set to + <span class="command"><strong>serial-update-method unixtime;</strong></span>, the + SOA serial number will be set to the number of seconds + since the UNIX epoch, unless the serial number is + already greater than or equal to that value, in which + case it is simply incremented by one. + </p> +</dd> +<dt><span class="term"><span class="command"><strong>zone-statistics</strong></span></span></dt> <dd> <p> If <strong class="userinput"><code>full</code></strong>, the server will collect statistical data on all zones (unless specifically turned off on a per-zone basis by specifying - <span><strong class="command">zone-statistics terse</strong></span> or - <span><strong class="command">zone-statistics none</strong></span> - in the <span><strong class="command">zone</strong></span> statement). + <span class="command"><strong>zone-statistics terse</strong></span> or + <span class="command"><strong>zone-statistics none</strong></span> + in the <span class="command"><strong>zone</strong></span> statement). The default is <strong class="userinput"><code>terse</code></strong>, providing minimal statistics on zones (including name and current serial number, but not query type @@ -2961,15 +3010,15 @@ options { </p> <p> These statistics may be accessed via the - <span><strong class="command">statistics-channel</strong></span> or - using <span><strong class="command">rndc stats</strong></span>, which + <span class="command"><strong>statistics-channel</strong></span> or + using <span class="command"><strong>rndc stats</strong></span>, which will dump them to the file listed - in the <span><strong class="command">statistics-file</strong></span>. See - also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>. + in the <span class="command"><strong>statistics-file</strong></span>. See + also <a class="xref" href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>. </p> <p> For backward compatibility with earlier versions - of BIND 9, the <span><strong class="command">zone-statistics</strong></span> + of BIND 9, the <span class="command"><strong>zone-statistics</strong></span> option can also accept <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>, which have the same effect as <strong class="userinput"><code>full</code></strong> and @@ -2977,20 +3026,20 @@ options { </p> </dd> </dl></div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="boolean_options"></a>Boolean Options</h4></div></div></div> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">allow-new-zones</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>allow-new-zones</strong></span></span></dt> <dd><p> If <strong class="userinput"><code>yes</code></strong>, then zones can be - added at runtime via <span><strong class="command">rndc addzone</strong></span> - or deleted via <span><strong class="command">rndc delzone</strong></span>. + added at runtime via <span class="command"><strong>rndc addzone</strong></span> + or deleted via <span class="command"><strong>rndc delzone</strong></span>. The default is <strong class="userinput"><code>no</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>auth-nxdomain</strong></span></span></dt> <dd><p> - If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit + If <strong class="userinput"><code>yes</code></strong>, then the <span class="command"><strong>AA</strong></span> bit is always set on NXDOMAIN responses, even if the server is not actually authoritative. The default is <strong class="userinput"><code>no</code></strong>; @@ -2999,22 +3048,22 @@ options { are using very old DNS software, you may need to set it to <strong class="userinput"><code>yes</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>deallocate-on-exit</strong></span></span></dt> <dd><p> This option was used in <acronym class="acronym">BIND</acronym> 8 to enable checking for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs the checks. </p></dd> -<dt><span class="term"><span><strong class="command">memstatistics</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>memstatistics</strong></span></span></dt> <dd><p> Write memory statistics to the file specified by - <span><strong class="command">memstatistics-file</strong></span> at exit. + <span class="command"><strong>memstatistics-file</strong></span> at exit. The default is <strong class="userinput"><code>no</code></strong> unless '-m record' is specified on the command line in which case it is <strong class="userinput"><code>yes</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dialup</strong></span></span></dt> <dd> <p> If <strong class="userinput"><code>yes</code></strong>, then the @@ -3026,16 +3075,16 @@ options { according to zone type and concentrates the zone maintenance so that it all - happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and + happens in a short interval, once every <span class="command"><strong>heartbeat-interval</strong></span> and hopefully during the one call. It also suppresses some of the normal zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>. </p> <p> - The <span><strong class="command">dialup</strong></span> option - may also be specified in the <span><strong class="command">view</strong></span> and - <span><strong class="command">zone</strong></span> statements, - in which case it overrides the global <span><strong class="command">dialup</strong></span> + The <span class="command"><strong>dialup</strong></span> option + may also be specified in the <span class="command"><strong>view</strong></span> and + <span class="command"><strong>zone</strong></span> statements, + in which case it overrides the global <span class="command"><strong>dialup</strong></span> option. </p> <p> @@ -3048,7 +3097,7 @@ options { to verify the zone while the connection is active. The set of servers to which NOTIFY is sent can be controlled by - <span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>. + <span class="command"><strong>notify</strong></span> and <span class="command"><strong>also-notify</strong></span>. </p> <p> If the @@ -3056,7 +3105,7 @@ options { the regular "zone up to date" (refresh) queries and only perform them when the - <span><strong class="command">heartbeat-interval</strong></span> expires in + <span class="command"><strong>heartbeat-interval</strong></span> expires in addition to sending NOTIFY requests. </p> @@ -3069,7 +3118,7 @@ options { suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong> which suppresses normal refresh processing and sends refresh queries - when the <span><strong class="command">heartbeat-interval</strong></span> + when the <span class="command"><strong>heartbeat-interval</strong></span> expires, and <strong class="userinput"><code>passive</code></strong> which just disables normal refresh @@ -3077,10 +3126,10 @@ options { </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> -<col> -<col> +<col width="1.150in" class="1"> +<col width="1.150in" class="2"> +<col width="1.150in" class="3"> +<col width="1.150in" class="4"> </colgroup> <tbody> <tr> @@ -3107,7 +3156,7 @@ options { </tr> <tr> <td> - <p><span><strong class="command">no</strong></span> (default)</p> + <p><span class="command"><strong>no</strong></span> (default)</p> </td> <td> <p> @@ -3127,7 +3176,7 @@ options { </tr> <tr> <td> - <p><span><strong class="command">yes</strong></span></p> + <p><span class="command"><strong>yes</strong></span></p> </td> <td> <p> @@ -3147,7 +3196,7 @@ options { </tr> <tr> <td> - <p><span><strong class="command">notify</strong></span></p> + <p><span class="command"><strong>notify</strong></span></p> </td> <td> <p> @@ -3167,7 +3216,7 @@ options { </tr> <tr> <td> - <p><span><strong class="command">refresh</strong></span></p> + <p><span class="command"><strong>refresh</strong></span></p> </td> <td> <p> @@ -3187,7 +3236,7 @@ options { </tr> <tr> <td> - <p><span><strong class="command">passive</strong></span></p> + <p><span class="command"><strong>passive</strong></span></p> </td> <td> <p> @@ -3207,7 +3256,7 @@ options { </tr> <tr> <td> - <p><span><strong class="command">notify-passive</strong></span></p> + <p><span class="command"><strong>notify-passive</strong></span></p> </td> <td> <p> @@ -3229,17 +3278,17 @@ options { </table></div> <p> Note that normal NOTIFY processing is not affected by - <span><strong class="command">dialup</strong></span>. + <span class="command"><strong>dialup</strong></span>. </p> </dd> -<dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>fake-iquery</strong></span></span></dt> <dd><p> In <acronym class="acronym">BIND</acronym> 8, this option enabled simulating the obsolete DNS query type IQUERY. <acronym class="acronym">BIND</acronym> 9 never does IQUERY simulation. </p></dd> -<dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>fetch-glue</strong></span></span></dt> <dd><p> This option is obsolete. In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong> @@ -3250,31 +3299,31 @@ options { idea and BIND 9 never does it. </p></dd> -<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>flush-zones-on-shutdown</strong></span></span></dt> <dd><p> When the nameserver exits due receiving SIGTERM, flush or do not flush any pending zone writes. The default is - <span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>. + <span class="command"><strong>flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>has-old-clients</strong></span></span></dt> <dd><p> This option was incorrectly implemented in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9. To achieve the intended effect of - <span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify - the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong> - and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead. + <span class="command"><strong>has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify + the two separate options <span class="command"><strong>auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong> + and <span class="command"><strong>rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead. </p></dd> -<dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>host-statistics</strong></span></span></dt> <dd><p> In BIND 8, this enables keeping of statistics for every host that the name server interacts with. Not implemented in BIND 9. </p></dd> -<dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>maintain-ixfr-base</strong></span></span></dt> <dd><p> <span class="emphasis"><em>This option is obsolete</em></span>. It was used in <acronym class="acronym">BIND</acronym> 8 to @@ -3282,9 +3331,9 @@ options { kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction log whenever possible. If you need to disable outgoing incremental zone - transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>. + transfers, use <span class="command"><strong>provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>minimal-responses</strong></span></span></dt> <dd><p> If <strong class="userinput"><code>yes</code></strong>, then when generating responses the server will only add records to the authority @@ -3293,7 +3342,7 @@ options { performance of the server. The default is <strong class="userinput"><code>no</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>multiple-cnames</strong></span></span></dt> <dd><p> This option was used in <acronym class="acronym">BIND</acronym> 8 to allow a domain name to have multiple CNAME records in violation of @@ -3301,18 +3350,18 @@ options { always strictly enforces the CNAME rules both in master files and dynamic updates. </p></dd> -<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify</strong></span></span></dt> <dd> <p> If <strong class="userinput"><code>yes</code></strong> (the default), DNS NOTIFY messages are sent when a zone the server is authoritative for - changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are + changes, see <a class="xref" href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are sent to the servers listed in the zone's NS records (except the master server identified in the SOA MNAME field), and to any servers listed in the - <span><strong class="command">also-notify</strong></span> option. + <span class="command"><strong>also-notify</strong></span> option. </p> <p> If <strong class="userinput"><code>master-only</code></strong>, notifies are only @@ -3320,20 +3369,20 @@ options { for master zones. If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only to - servers explicitly listed using <span><strong class="command">also-notify</strong></span>. + servers explicitly listed using <span class="command"><strong>also-notify</strong></span>. If <strong class="userinput"><code>no</code></strong>, no notifies are sent. </p> <p> - The <span><strong class="command">notify</strong></span> option may also be - specified in the <span><strong class="command">zone</strong></span> + The <span class="command"><strong>notify</strong></span> option may also be + specified in the <span class="command"><strong>zone</strong></span> statement, - in which case it overrides the <span><strong class="command">options notify</strong></span> statement. + in which case it overrides the <span class="command"><strong>options notify</strong></span> statement. It would only be necessary to turn off this option if it caused slaves to crash. </p> </dd> -<dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify-to-soa</strong></span></span></dt> <dd><p> If <strong class="userinput"><code>yes</code></strong> do not check the nameservers in the NS RRset against the SOA MNAME. Normally a NOTIFY @@ -3344,7 +3393,7 @@ options { want the ultimate master to still send NOTIFY messages to all the nameservers listed in the NS RRset. </p></dd> -<dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>recursion</strong></span></span></dt> <dd><p> If <strong class="userinput"><code>yes</code></strong>, and a DNS query requests recursion, then the server will attempt @@ -3355,26 +3404,25 @@ options { return a referral response. The default is <strong class="userinput"><code>yes</code></strong>. - Note that setting <span><strong class="command">recursion no</strong></span> does not prevent + Note that setting <span class="command"><strong>recursion no</strong></span> does not prevent clients from getting data from the server's cache; it only prevents new data from being cached as an effect of client queries. Caching may still occur as an effect the server's internal operation, such as NOTIFY address lookups. - See also <span><strong class="command">fetch-glue</strong></span> above. </p></dd> -<dt><span class="term"><span><strong class="command">request-nsid</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>request-nsid</strong></span></span></dt> <dd><p> If <strong class="userinput"><code>yes</code></strong>, then an empty EDNS(0) NSID (Name Server Identifier) option is sent with all queries to authoritative name servers during iterative resolution. If the authoritative server returns an NSID option in its response, then its contents are logged in - the <span><strong class="command">resolver</strong></span> category at level - <span><strong class="command">info</strong></span>. + the <span class="command"><strong>resolver</strong></span> category at level + <span class="command"><strong>info</strong></span>. The default is <strong class="userinput"><code>no</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>rfc2308-type1</strong></span></span></dt> <dd> <p> Setting this to <strong class="userinput"><code>yes</code></strong> will @@ -3390,55 +3438,52 @@ options { </p> </div> </dd> -<dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>use-id-pool</strong></span></span></dt> <dd><p> <span class="emphasis"><em>This option is obsolete</em></span>. <acronym class="acronym">BIND</acronym> 9 always allocates query IDs from a pool. </p></dd> -<dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>use-ixfr</strong></span></span></dt> <dd><p> <span class="emphasis"><em>This option is obsolete</em></span>. If you need to disable IXFR to a particular server or servers, see - the information on the <span><strong class="command">provide-ixfr</strong></span> option - in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and - Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and + the information on the <span class="command"><strong>provide-ixfr</strong></span> option + in <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called “<span class="command"><strong>server</strong></span> Statement Definition and Usage”</a>. See also - <a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>. + <a class="xref" href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>provide-ixfr</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">provide-ixfr</strong></span> in - <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and - Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and + <span class="command"><strong>provide-ixfr</strong></span> in + <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called “<span class="command"><strong>server</strong></span> Statement Definition and Usage”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>request-ixfr</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">request-ixfr</strong></span> in - <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and - Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and + <span class="command"><strong>request-ixfr</strong></span> in + <a class="xref" href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called “<span class="command"><strong>server</strong></span> Statement Definition and Usage”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>treat-cr-as-space</strong></span></span></dt> <dd><p> This option was used in <acronym class="acronym">BIND</acronym> 8 to make - the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way + the server treat carriage return ("<span class="command"><strong>\r</strong></span>") characters the same way as a space or tab character, to facilitate loading of zone files on a UNIX system that were generated - on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>" - and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines + on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span class="command"><strong>\n</strong></span>" + and NT/DOS "<span class="command"><strong>\r\n</strong></span>" newlines are always accepted, and the option is ignored. </p></dd> <dt> -<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span> +<span class="term"><span class="command"><strong>additional-from-auth</strong></span>, </span><span class="term"><span class="command"><strong>additional-from-cache</strong></span></span> </dt> <dd> <p> @@ -3473,7 +3518,7 @@ options { and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well, if known, even though they are not in the example.com zone. - Setting these options to <span><strong class="command">no</strong></span> + Setting these options to <span class="command"><strong>no</strong></span> disables this behavior and makes the server only search for additional data in the zone it answers from. @@ -3481,14 +3526,14 @@ options { <p> These options are intended for use in authoritative-only servers, or in authoritative-only views. Attempts to set - them to <span><strong class="command">no</strong></span> without also + them to <span class="command"><strong>no</strong></span> without also specifying - <span><strong class="command">recursion no</strong></span> will cause the + <span class="command"><strong>recursion no</strong></span> will cause the server to ignore the options and log a warning message. </p> <p> - Specifying <span><strong class="command">additional-from-cache no</strong></span> actually + Specifying <span class="command"><strong>additional-from-cache no</strong></span> actually disables the use of the cache not only for additional data lookups but also when looking up the answer. This is usually the @@ -3508,7 +3553,7 @@ options { upwards referral comes from the cache, the server will not be able to provide upwards - referrals when <span><strong class="command">additional-from-cache no</strong></span> + referrals when <span class="command"><strong>additional-from-cache no</strong></span> has been specified. Instead, it will respond to such queries with REFUSED. This should not cause any problems since @@ -3516,7 +3561,7 @@ options { process. </p> </dd> -<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>match-mapped-addresses</strong></span></span></dt> <dd> <p> If <strong class="userinput"><code>yes</code></strong>, then an @@ -3529,11 +3574,11 @@ options { connections, such as zone transfers, to be accepted on an IPv6 socket using mapped addresses. This caused address match lists designed for IPv4 to fail to match. However, - <span><strong class="command">named</strong></span> now solves this problem + <span class="command"><strong>named</strong></span> now solves this problem internally. The use of this option is discouraged. </p> </dd> -<dt><span class="term"><span><strong class="command">filter-aaaa-on-v4</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>filter-aaaa-on-v4</strong></span></span></dt> <dd> <p> This option is only available when @@ -3544,14 +3589,14 @@ options { to DNS clients unless they have connections to the IPv6 Internet. This is not recommended unless absolutely necessary. The default is <strong class="userinput"><code>no</code></strong>. - The <span><strong class="command">filter-aaaa-on-v4</strong></span> option - may also be specified in <span><strong class="command">view</strong></span> statements - to override the global <span><strong class="command">filter-aaaa-on-v4</strong></span> + The <span class="command"><strong>filter-aaaa-on-v4</strong></span> option + may also be specified in <span class="command"><strong>view</strong></span> statements + to override the global <span class="command"><strong>filter-aaaa-on-v4</strong></span> option. </p> <p> If <strong class="userinput"><code>yes</code></strong>, - the DNS client is at an IPv4 address, in <span><strong class="command">filter-aaaa</strong></span>, + the DNS client is at an IPv4 address, in <span class="command"><strong>filter-aaaa</strong></span>, and if the response does not include DNSSEC signatures, then all AAAA records are deleted from the response. This filtering applies to all responses and not only @@ -3584,7 +3629,7 @@ options { answer requests for AAAA records received via IPv4. </p> </dd> -<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>ixfr-from-differences</strong></span></span></dt> <dd> <p> When <strong class="userinput"><code>yes</code></strong> and the server loads a new @@ -3608,40 +3653,80 @@ options { temporarily allocate memory to hold this complete difference set. </p> -<p><span><strong class="command">ixfr-from-differences</strong></span> - also accepts <span><strong class="command">master</strong></span> and - <span><strong class="command">slave</strong></span> at the view and options +<p><span class="command"><strong>ixfr-from-differences</strong></span> + also accepts <span class="command"><strong>master</strong></span> and + <span class="command"><strong>slave</strong></span> at the view and options levels which causes - <span><strong class="command">ixfr-from-differences</strong></span> to be enabled for - all <span><strong class="command">master</strong></span> or - <span><strong class="command">slave</strong></span> zones respectively. + <span class="command"><strong>ixfr-from-differences</strong></span> to be enabled for + all <span class="command"><strong>master</strong></span> or + <span class="command"><strong>slave</strong></span> zones respectively. It is off by default. </p> </dd> -<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>multi-master</strong></span></span></dt> <dd><p> This should be set when you have multiple masters for a zone and the - addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will + addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span class="command"><strong>named</strong></span> will not log - when the serial number on the master is less than what <span><strong class="command">named</strong></span> + when the serial number on the master is less than what <span class="command"><strong>named</strong></span> currently has. The default is <strong class="userinput"><code>no</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>auto-dnssec</strong></span></span></dt> +<dd> +<p> + Zones configured for dynamic DNS may use this + option to allow varying levels of automatic DNSSEC key + management. There are three possible settings: + </p> +<p> + <span class="command"><strong>auto-dnssec allow;</strong></span> permits + keys to be updated and the zone fully re-signed + whenever the user issues the command <span class="command"><strong>rndc sign + <em class="replaceable"><code>zonename</code></em></strong></span>. + </p> +<p> + <span class="command"><strong>auto-dnssec maintain;</strong></span> includes the + above, but also automatically adjusts the zone's DNSSEC + keys on schedule, according to the keys' timing metadata + (see <a class="xref" href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and + <a class="xref" href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The command + <span class="command"><strong>rndc sign + <em class="replaceable"><code>zonename</code></em></strong></span> causes + <span class="command"><strong>named</strong></span> to load keys from the key + repository and sign the zone with all keys that are + active. + <span class="command"><strong>rndc loadkeys + <em class="replaceable"><code>zonename</code></em></strong></span> causes + <span class="command"><strong>named</strong></span> to load keys from the key + repository and schedule key maintenance events to occur + in the future, but it does not sign the full zone + immediately. Note: once keys have been loaded for a + zone the first time, the repository will be searched + for changes periodically, regardless of whether + <span class="command"><strong>rndc loadkeys</strong></span> is used. The recheck + interval is defined by + <span class="command"><strong>dnssec-loadkeys-interval</strong></span>.) + </p> +<p> + The default setting is <span class="command"><strong>auto-dnssec off</strong></span>. + </p> +</dd> +<dt><span class="term"><span class="command"><strong>dnssec-enable</strong></span></span></dt> <dd><p> This indicates whether DNSSEC-related resource - records are to be returned by <span><strong class="command">named</strong></span>. + records are to be returned by <span class="command"><strong>named</strong></span>. If set to <strong class="userinput"><code>no</code></strong>, - <span><strong class="command">named</strong></span> will not return DNSSEC-related + <span class="command"><strong>named</strong></span> will not return DNSSEC-related resource records unless specifically queried for. The default is <strong class="userinput"><code>yes</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-validation</strong></span></span></dt> <dd> <p> - Enable DNSSEC validation in <span><strong class="command">named</strong></span>. - Note <span><strong class="command">dnssec-enable</strong></span> also needs to be + Enable DNSSEC validation in <span class="command"><strong>named</strong></span>. + Note <span class="command"><strong>dnssec-enable</strong></span> also needs to be set to <strong class="userinput"><code>yes</code></strong> to be effective. If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation is disabled. If set to <strong class="userinput"><code>auto</code></strong>, @@ -3649,8 +3734,8 @@ options { trust-anchor for the DNS root zone is used. If set to <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is enabled, but a trust anchor must be manually configured using - a <span><strong class="command">trusted-keys</strong></span> or - <span><strong class="command">managed-keys</strong></span> statement. The default + a <span class="command"><strong>trusted-keys</strong></span> or + <span class="command"><strong>managed-keys</strong></span> statement. The default is <strong class="userinput"><code>yes</code></strong>. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> @@ -3659,27 +3744,27 @@ options { Whenever the resolver sends out queries to an EDNS-compliant server, it always sets the DO bit indicating it can support DNSSEC responses even if - <span><strong class="command">dnssec-validation</strong></span> is off. + <span class="command"><strong>dnssec-validation</strong></span> is off. </p> </div> </dd> -<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-accept-expired</strong></span></span></dt> <dd><p> Accept expired signatures when verifying DNSSEC signatures. The default is <strong class="userinput"><code>no</code></strong>. Setting this option to <strong class="userinput"><code>yes</code></strong> - leaves <span><strong class="command">named</strong></span> vulnerable to + leaves <span class="command"><strong>named</strong></span> vulnerable to replay attacks. </p></dd> -<dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>querylog</strong></span></span></dt> <dd><p> - Specify whether query logging should be started when <span><strong class="command">named</strong></span> + Specify whether query logging should be started when <span class="command"><strong>named</strong></span> starts. - If <span><strong class="command">querylog</strong></span> is not specified, + If <span class="command"><strong>querylog</strong></span> is not specified, then the query logging - is determined by the presence of the logging category <span><strong class="command">queries</strong></span>. + is determined by the presence of the logging category <span class="command"><strong>queries</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-names</strong></span></span></dt> <dd> <p> This option is used to restrict the character set and syntax @@ -3688,17 +3773,17 @@ options { received from the network. The default varies according to usage area. For - <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. - For <span><strong class="command">slave</strong></span> zones the default - is <span><strong class="command">warn</strong></span>. - For answers received from the network (<span><strong class="command">response</strong></span>) - the default is <span><strong class="command">ignore</strong></span>. + <span class="command"><strong>master</strong></span> zones the default is <span class="command"><strong>fail</strong></span>. + For <span class="command"><strong>slave</strong></span> zones the default + is <span class="command"><strong>warn</strong></span>. + For answers received from the network (<span class="command"><strong>response</strong></span>) + the default is <span class="command"><strong>ignore</strong></span>. </p> <p> The rules for legal hostnames and mail domains are derived from RFC 952 and RFC 821 as modified by RFC 1123. </p> -<p><span><strong class="command">check-names</strong></span> +<p><span class="command"><strong>check-names</strong></span> applies to the owner names of A, AAAA and MX records. It also applies to the domain names in the RDATA of NS, SOA, MX, and SRV records. @@ -3707,32 +3792,32 @@ options { (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT). </p> </dd> -<dt><span class="term"><span><strong class="command">check-dup-records</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-dup-records</strong></span></span></dt> <dd><p> Check master zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS. The - default is to <span><strong class="command">warn</strong></span>. Other possible - values are <span><strong class="command">fail</strong></span> and - <span><strong class="command">ignore</strong></span>. + default is to <span class="command"><strong>warn</strong></span>. Other possible + values are <span class="command"><strong>fail</strong></span> and + <span class="command"><strong>ignore</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-mx</strong></span></span></dt> <dd><p> Check whether the MX record appears to refer to a IP address. - The default is to <span><strong class="command">warn</strong></span>. Other possible - values are <span><strong class="command">fail</strong></span> and - <span><strong class="command">ignore</strong></span>. + The default is to <span class="command"><strong>warn</strong></span>. Other possible + values are <span class="command"><strong>fail</strong></span> and + <span class="command"><strong>ignore</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-wildcard</strong></span></span></dt> <dd><p> This option is used to check for non-terminal wildcards. The use of non-terminal wildcards is almost always as a result of a failure to understand the wildcard matching algorithm (RFC 1034). This option - affects master zones. The default (<span><strong class="command">yes</strong></span>) is to check + affects master zones. The default (<span class="command"><strong>yes</strong></span>) is to check for non-terminal wildcards and issue a warning. </p></dd> -<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-integrity</strong></span></span></dt> <dd> <p> Perform post load zone integrity checks on master @@ -3741,11 +3826,11 @@ options { address records exist for delegated zones. For MX and SRV records only in-zone hostnames are checked (for out-of-zone hostnames use - <span><strong class="command">named-checkzone</strong></span>). + <span class="command"><strong>named-checkzone</strong></span>). For NS records only names below top of zone are checked (for out-of-zone names and glue consistency - checks use <span><strong class="command">named-checkzone</strong></span>). - The default is <span><strong class="command">yes</strong></span>. + checks use <span class="command"><strong>named-checkzone</strong></span>). + The default is <span class="command"><strong>yes</strong></span>. </p> <p> The use of the SPF record for publishing Sender @@ -3755,48 +3840,48 @@ options { Policy Framework record exists (starts with "v=spf1") if there is an SPF record. Warnings are emitted if the TXT record does not exist and can be suppressed with - <span><strong class="command">check-spf</strong></span>. + <span class="command"><strong>check-spf</strong></span>. </p> </dd> -<dt><span class="term"><span><strong class="command">check-mx-cname</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-mx-cname</strong></span></span></dt> <dd><p> - If <span><strong class="command">check-integrity</strong></span> is set then + If <span class="command"><strong>check-integrity</strong></span> is set then fail, warn or ignore MX records that refer - to CNAMES. The default is to <span><strong class="command">warn</strong></span>. + to CNAMES. The default is to <span class="command"><strong>warn</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">check-srv-cname</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-srv-cname</strong></span></span></dt> <dd><p> - If <span><strong class="command">check-integrity</strong></span> is set then + If <span class="command"><strong>check-integrity</strong></span> is set then fail, warn or ignore SRV records that refer - to CNAMES. The default is to <span><strong class="command">warn</strong></span>. + to CNAMES. The default is to <span class="command"><strong>warn</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-sibling</strong></span></span></dt> <dd><p> When performing integrity checks, also check that - sibling glue exists. The default is <span><strong class="command">yes</strong></span>. + sibling glue exists. The default is <span class="command"><strong>yes</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">check-spf</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-spf</strong></span></span></dt> <dd><p> - If <span><strong class="command">check-integrity</strong></span> is set then + If <span class="command"><strong>check-integrity</strong></span> is set then check that there is a TXT Sender Policy Framework record present (starts with "v=spf1") if there is an SPF record present. The default is - <span><strong class="command">warn</strong></span>. + <span class="command"><strong>warn</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>zero-no-soa-ttl</strong></span></span></dt> <dd><p> When returning authoritative negative responses to SOA queries set the TTL of the SOA record returned in the authority section to zero. - The default is <span><strong class="command">yes</strong></span>. + The default is <span class="command"><strong>yes</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>zero-no-soa-ttl-cache</strong></span></span></dt> <dd><p> When caching a negative response to a SOA query set the TTL to zero. - The default is <span><strong class="command">no</strong></span>. + The default is <span class="command"><strong>no</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>update-check-ksk</strong></span></span></dt> <dd> <p> When set to the default value of <code class="literal">yes</code>, @@ -3811,7 +3896,7 @@ options { However, if this option is set to <code class="literal">no</code>, then the KSK bit is ignored; KSKs are treated as if they were ZSKs and are used to sign the entire zone. This is - similar to the <span><strong class="command">dnssec-signzone -z</strong></span> + similar to the <span class="command"><strong>dnssec-signzone -z</strong></span> command line option. </p> <p> @@ -3823,52 +3908,37 @@ options { for that algorithm. </p> </dd> -<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-dnskey-kskonly</strong></span></span></dt> <dd> <p> - When this option and <span><strong class="command">update-check-ksk</strong></span> + When this option and <span class="command"><strong>update-check-ksk</strong></span> are both set to <code class="literal">yes</code>, only key-signing keys (that is, keys with the KSK bit set) will be used to sign the DNSKEY RRset at the zone apex. Zone-signing keys (keys without the KSK bit set) will be used to sign the remainder of the zone, but not the DNSKEY RRset. This is similar to the - <span><strong class="command">dnssec-signzone -x</strong></span> command line option. + <span class="command"><strong>dnssec-signzone -x</strong></span> command line option. </p> <p> - The default is <span><strong class="command">no</strong></span>. If - <span><strong class="command">update-check-ksk</strong></span> is set to + The default is <span class="command"><strong>no</strong></span>. If + <span class="command"><strong>update-check-ksk</strong></span> is set to <code class="literal">no</code>, this option is ignored. </p> </dd> -<dt><span class="term"><span><strong class="command">dnssec-loadkeys-interval</strong></span></span></dt> -<dd><p> - When a zone is configured with <span><strong class="command">auto-dnssec - maintain;</strong></span> its key repository must be checked - periodically to see if any new keys have been added - or any existing keys' timing metadata has been updated - (see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and - <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The - <span><strong class="command">dnssec-loadkeys-interval</strong></span> option - sets the frequency of automatic repository checks, in - minutes. The default is <code class="literal">60</code> (1 hour), - the minimum is <code class="literal">1</code> (1 minute), and the - maximum is <code class="literal">1440</code> (24 hours); any higher - value is silently reduced. - </p></dd> -<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>try-tcp-refresh</strong></span></span></dt> <dd><p> Try to refresh the zone using TCP if UDP queries fail. For BIND 8 compatibility, the default is - <span><strong class="command">yes</strong></span>. + <span class="command"><strong>yes</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-secure-to-insecure</strong></span></span></dt> <dd> <p> Allow a dynamic zone to transition from secure to insecure (i.e., signed to unsigned) by deleting all - of the DNSKEY records. The default is <span><strong class="command">no</strong></span>. - If set to <span><strong class="command">yes</strong></span>, and if the DNSKEY RRset + of the DNSKEY records. The default is <span class="command"><strong>no</strong></span>. + If set to <span class="command"><strong>yes</strong></span>, and if the DNSKEY RRset at the zone apex is deleted, all RRSIG and NSEC records will be removed from the zone as well. </p> @@ -3881,17 +3951,17 @@ options { </p> <p> Note that if a zone has been configured with - <span><strong class="command">auto-dnssec maintain</strong></span> and the + <span class="command"><strong>auto-dnssec maintain</strong></span> and the private keys remain accessible in the key repository, then the zone will be automatically signed again the - next time <span><strong class="command">named</strong></span> is started. + next time <span class="command"><strong>named</strong></span> is started. </p> </dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2583480"></a>Forwarding</h4></div></div></div> +<a name="forwarding"></a>Forwarding</h4></div></div></div> <p> The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -3902,8 +3972,8 @@ options { the server is not authoritative and does not have the answer in its cache. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>forward</strong></span></span></dt> <dd><p> This option is only meaningful if the forwarders list is not empty. A value of <code class="varname">first</code>, @@ -3915,7 +3985,7 @@ options { specified, the server will only query the forwarders. </p></dd> -<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>forwarders</strong></span></span></dt> <dd><p> Specifies the IP addresses to be used for forwarding. The default is the empty list (no @@ -3927,15 +3997,14 @@ options { for the global forwarding options to be overridden in a variety of ways. You can set particular domains to use different forwarders, - or have a different <span><strong class="command">forward only/first</strong></span> behavior, - or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone - Statement Grammar">the section called “<span><strong class="command">zone</strong></span> + or have a different <span class="command"><strong>forward only/first</strong></span> behavior, + or not forward at all, see <a class="xref" href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone Statement Grammar">the section called “<span class="command"><strong>zone</strong></span> Statement Grammar”</a>. </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2583607"></a>Dual-stack Servers</h4></div></div></div> +<a name="dual_stack"></a>Dual-stack Servers</h4></div></div></div> <p> Dual-stack servers are used as servers of last resort to work around @@ -3943,64 +4012,64 @@ options { or IPv6 on the host machine. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">dual-stack-servers</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>dual-stack-servers</strong></span></span></dt> <dd><p> Specifies host names or addresses of machines with access to both IPv4 and IPv6 transports. If a hostname is used, the server must be able to resolve the name using only the transport it has. If the machine is dual - stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless + stacked, then the <span class="command"><strong>dual-stack-servers</strong></span> have no effect unless access to a transport has been disabled on the command line - (e.g. <span><strong class="command">named -4</strong></span>). + (e.g. <span class="command"><strong>named -4</strong></span>). </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="access_control"></a>Access Control</h4></div></div></div> <p> Access to the server can be restricted based on the IP address - of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for + of the requesting system. See <a class="xref" href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for details on how to specify IP address lists. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>allow-notify</strong></span></span></dt> <dd><p> Specifies which hosts are allowed to notify this server, a slave, of zone changes in addition to the zone masters. - <span><strong class="command">allow-notify</strong></span> may also be + <span class="command"><strong>allow-notify</strong></span> may also be specified in the - <span><strong class="command">zone</strong></span> statement, in which case + <span class="command"><strong>zone</strong></span> statement, in which case it overrides the - <span><strong class="command">options allow-notify</strong></span> + <span class="command"><strong>options allow-notify</strong></span> statement. It is only meaningful for a slave zone. If not specified, the default is to process notify messages only from a zone's master. </p></dd> -<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-query</strong></span></span></dt> <dd> <p> Specifies which hosts are allowed to ask ordinary - DNS questions. <span><strong class="command">allow-query</strong></span> may - also be specified in the <span><strong class="command">zone</strong></span> + DNS questions. <span class="command"><strong>allow-query</strong></span> may + also be specified in the <span class="command"><strong>zone</strong></span> statement, in which case it overrides the - <span><strong class="command">options allow-query</strong></span> statement. + <span class="command"><strong>options allow-query</strong></span> statement. If not specified, the default is to allow queries from all hosts. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> - <span><strong class="command">allow-query-cache</strong></span> is now + <span class="command"><strong>allow-query-cache</strong></span> is now used to specify access to the cache. </p> </div> </dd> -<dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-query-on</strong></span></span></dt> <dd> <p> Specifies which local addresses can accept ordinary @@ -4010,16 +4079,16 @@ options { necessarily knowing the internal network's addresses. </p> <p> - Note that <span><strong class="command">allow-query-on</strong></span> is only + Note that <span class="command"><strong>allow-query-on</strong></span> is only checked for queries that are permitted by - <span><strong class="command">allow-query</strong></span>. A query must be + <span class="command"><strong>allow-query</strong></span>. A query must be allowed by both ACLs, or it will be refused. </p> <p> - <span><strong class="command">allow-query-on</strong></span> may - also be specified in the <span><strong class="command">zone</strong></span> + <span class="command"><strong>allow-query-on</strong></span> may + also be specified in the <span class="command"><strong>zone</strong></span> statement, in which case it overrides the - <span><strong class="command">options allow-query-on</strong></span> statement. + <span class="command"><strong>options allow-query-on</strong></span> statement. </p> <p> If not specified, the default is to allow queries @@ -4028,57 +4097,57 @@ options { <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> - <span><strong class="command">allow-query-cache</strong></span> is + <span class="command"><strong>allow-query-cache</strong></span> is used to specify access to the cache. </p> </div> </dd> -<dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-query-cache</strong></span></span></dt> <dd><p> Specifies which hosts are allowed to get answers - from the cache. If <span><strong class="command">allow-query-cache</strong></span> - is not set then <span><strong class="command">allow-recursion</strong></span> - is used if set, otherwise <span><strong class="command">allow-query</strong></span> - is used if set unless <span><strong class="command">recursion no;</strong></span> is - set in which case <span><strong class="command">none;</strong></span> is used, - otherwise the default (<span><strong class="command">localnets;</strong></span> - <span><strong class="command">localhost;</strong></span>) is used. + from the cache. If <span class="command"><strong>allow-query-cache</strong></span> + is not set then <span class="command"><strong>allow-recursion</strong></span> + is used if set, otherwise <span class="command"><strong>allow-query</strong></span> + is used if set unless <span class="command"><strong>recursion no;</strong></span> is + set in which case <span class="command"><strong>none;</strong></span> is used, + otherwise the default (<span class="command"><strong>localnets;</strong></span> + <span class="command"><strong>localhost;</strong></span>) is used. </p></dd> -<dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-query-cache-on</strong></span></span></dt> <dd><p> Specifies which local addresses can give answers from the cache. If not specified, the default is to allow cache queries on any address, - <span><strong class="command">localnets</strong></span> and - <span><strong class="command">localhost</strong></span>. + <span class="command"><strong>localnets</strong></span> and + <span class="command"><strong>localhost</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-recursion</strong></span></span></dt> <dd><p> Specifies which hosts are allowed to make recursive queries through this server. If - <span><strong class="command">allow-recursion</strong></span> is not set - then <span><strong class="command">allow-query-cache</strong></span> is - used if set, otherwise <span><strong class="command">allow-query</strong></span> + <span class="command"><strong>allow-recursion</strong></span> is not set + then <span class="command"><strong>allow-query-cache</strong></span> is + used if set, otherwise <span class="command"><strong>allow-query</strong></span> is used if set, otherwise the default - (<span><strong class="command">localnets;</strong></span> - <span><strong class="command">localhost;</strong></span>) is used. + (<span class="command"><strong>localnets;</strong></span> + <span class="command"><strong>localhost;</strong></span>) is used. </p></dd> -<dt><span class="term"><span><strong class="command">allow-recursion-on</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-recursion-on</strong></span></span></dt> <dd><p> Specifies which local addresses can accept recursive queries. If not specified, the default is to allow recursive queries on all addresses. </p></dd> -<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-update</strong></span></span></dt> <dd><p> Specifies which hosts are allowed to submit Dynamic DNS updates for master zones. The default is to deny updates from all hosts. Note that allowing updates based on the requestor's IP address is insecure; see - <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details. + <a class="xref" href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details. </p></dd> -<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-update-forwarding</strong></span></span></dt> <dd> <p> Specifies which hosts are allowed to @@ -4102,11 +4171,11 @@ options { server may expose master servers relying on insecure IP address based - access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> + access control to attacks; see <a class="xref" href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for more details. </p> </dd> -<dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-v6-synthesis</strong></span></span></dt> <dd><p> This option was introduced for the smooth transition from AAAA @@ -4116,17 +4185,17 @@ options { this option was also deprecated. It is now ignored with some warning messages. </p></dd> -<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-transfer</strong></span></span></dt> <dd><p> Specifies which hosts are allowed to - receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may - also be specified in the <span><strong class="command">zone</strong></span> + receive zone transfers from the server. <span class="command"><strong>allow-transfer</strong></span> may + also be specified in the <span class="command"><strong>zone</strong></span> statement, in which - case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement. + case it overrides the <span class="command"><strong>options allow-transfer</strong></span> statement. If not specified, the default is to allow transfers to all hosts. </p></dd> -<dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>blackhole</strong></span></span></dt> <dd><p> Specifies a list of addresses that the server will not accept queries from or use to resolve a @@ -4134,25 +4203,25 @@ options { from these addresses will not be responded to. The default is <strong class="userinput"><code>none</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">filter-aaaa</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>filter-aaaa</strong></span></span></dt> <dd><p> Specifies a list of addresses to which - <span><strong class="command">filter-aaaa-on-v4</strong></span> + <span class="command"><strong>filter-aaaa-on-v4</strong></span> is applies. The default is <strong class="userinput"><code>any</code></strong>. </p></dd> -<dt><span class="term"><span><strong class="command">no-case-compress</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>no-case-compress</strong></span></span></dt> <dd> <p> Specifies a list of addresses which require responses to use case-insensitive compression. This ACL can be - used when <span><strong class="command">named</strong></span> needs to work with + used when <span class="command"><strong>named</strong></span> needs to work with clients that do not comply with the requirement in RFC 1034 to use case-insensitive name comparisons when checking for matching domain names. </p> <p> If left undefined, the ACL defaults to - <span><strong class="command">none</strong></span>: case-insensitive compression + <span class="command"><strong>none</strong></span>: case-insensitive compression will be used for all clients. If the ACL is defined and matches a client, then case will be ignored when compressing domain names in DNS responses sent to that @@ -4176,7 +4245,7 @@ options { the client matches this ACL. </p> <p> - There are circumstances in which <span><strong class="command">named</strong></span> + There are circumstances in which <span class="command"><strong>named</strong></span> will not preserve the case of owner names of records: if a zone file defines records of different types with the same name, but the capitalization of the name is @@ -4191,7 +4260,7 @@ options { ACL. </p> </dd> -<dt><span class="term"><span><strong class="command">resolver-query-timeout</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>resolver-query-timeout</strong></span></span></dt> <dd><p> The amount of time the resolver will spend attempting to resolve a recursive query before failing. The default @@ -4201,12 +4270,12 @@ options { </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2584281"></a>Interfaces</h4></div></div></div> +<a name="interfaces"></a>Interfaces</h4></div></div></div> <p> The interfaces and ports that the server will answer queries - from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes + from may be specified using the <span class="command"><strong>listen-on</strong></span> option. <span class="command"><strong>listen-on</strong></span> takes an optional port and an <code class="varname">address_match_list</code> of IPv4 addresses. (IPv6 addresses are ignored, with a logged warning.) @@ -4214,7 +4283,7 @@ options { match list. If a port is not specified, port 53 will be used. </p> <p> - Multiple <span><strong class="command">listen-on</strong></span> statements are + Multiple <span class="command"><strong>listen-on</strong></span> statements are allowed. For example, </p> @@ -4227,11 +4296,11 @@ listen-on port 1234 { !1.2.3.4; 1.2/16; }; 1.2 that is not 1.2.3.4. </p> <p> - If no <span><strong class="command">listen-on</strong></span> is specified, the + If no <span class="command"><strong>listen-on</strong></span> is specified, the server will listen on port 53 on all IPv4 interfaces. </p> <p> - The <span><strong class="command">listen-on-v6</strong></span> option is used to + The <span class="command"><strong>listen-on-v6</strong></span> option is used to specify the interfaces and the ports on which the server will listen for incoming queries sent using IPv6. @@ -4242,7 +4311,7 @@ listen-on port 1234 { !1.2.3.4; 1.2/16; }; <p> is specified as the <code class="varname">address_match_list</code> for the - <span><strong class="command">listen-on-v6</strong></span> option, + <span class="command"><strong>listen-on-v6</strong></span> option, the server does not bind a separate socket to each IPv6 interface address as it does for IPv4 if the operating system has enough API support for IPv6 (specifically if it conforms to RFC 3493 and RFC @@ -4257,11 +4326,11 @@ listen-on port 1234 { !1.2.3.4; 1.2/16; }; the server listens on a separate socket for each specified address, regardless of whether the desired API is supported by the system. - IPv4 addresses specified in <span><strong class="command">listen-on-v6</strong></span> + IPv4 addresses specified in <span class="command"><strong>listen-on-v6</strong></span> will be ignored, with a logged warning. </p> <p> - Multiple <span><strong class="command">listen-on-v6</strong></span> options can + Multiple <span class="command"><strong>listen-on-v6</strong></span> options can be used. For example, </p> @@ -4280,52 +4349,52 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; }; <pre class="programlisting">listen-on-v6 { none; }; </pre> <p> - If no <span><strong class="command">listen-on-v6</strong></span> option is + If no <span class="command"><strong>listen-on-v6</strong></span> option is specified, the server will not listen on any IPv6 address - unless <span><strong class="command">-6</strong></span> is specified when <span><strong class="command">named</strong></span> is - invoked. If <span><strong class="command">-6</strong></span> is specified then - <span><strong class="command">named</strong></span> will listen on port 53 on all IPv6 interfaces by default. + unless <span class="command"><strong>-6</strong></span> is specified when <span class="command"><strong>named</strong></span> is + invoked. If <span class="command"><strong>-6</strong></span> is specified then + <span class="command"><strong>named</strong></span> will listen on port 53 on all IPv6 interfaces by default. </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="query_address"></a>Query Address</h4></div></div></div> <p> If the server doesn't know the answer to a question, it will - query other name servers. <span><strong class="command">query-source</strong></span> specifies + query other name servers. <span class="command"><strong>query-source</strong></span> specifies the address and port used for such queries. For queries sent over - IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option. - If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted, - a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>) + IPv6, there is a separate <span class="command"><strong>query-source-v6</strong></span> option. + If <span class="command"><strong>address</strong></span> is <span class="command"><strong>*</strong></span> (asterisk) or is omitted, + a wildcard IP address (<span class="command"><strong>INADDR_ANY</strong></span>) will be used. </p> <p> - If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted, + If <span class="command"><strong>port</strong></span> is <span class="command"><strong>*</strong></span> or is omitted, a random port number from a pre-configured range is picked up and will be used for each query. The port range(s) is that specified in - the <span><strong class="command">use-v4-udp-ports</strong></span> (for IPv4) - and <span><strong class="command">use-v6-udp-ports</strong></span> (for IPv6) + the <span class="command"><strong>use-v4-udp-ports</strong></span> (for IPv4) + and <span class="command"><strong>use-v6-udp-ports</strong></span> (for IPv6) options, excluding the ranges specified in - the <span><strong class="command">avoid-v4-udp-ports</strong></span> - and <span><strong class="command">avoid-v6-udp-ports</strong></span> options, respectively. + the <span class="command"><strong>avoid-v4-udp-ports</strong></span> + and <span class="command"><strong>avoid-v6-udp-ports</strong></span> options, respectively. </p> <p> - The defaults of the <span><strong class="command">query-source</strong></span> and - <span><strong class="command">query-source-v6</strong></span> options + The defaults of the <span class="command"><strong>query-source</strong></span> and + <span class="command"><strong>query-source-v6</strong></span> options are: </p> <pre class="programlisting">query-source address * port *; query-source-v6 address * port *; </pre> <p> - If <span><strong class="command">use-v4-udp-ports</strong></span> or - <span><strong class="command">use-v6-udp-ports</strong></span> is unspecified, - <span><strong class="command">named</strong></span> will check if the operating + If <span class="command"><strong>use-v4-udp-ports</strong></span> or + <span class="command"><strong>use-v6-udp-ports</strong></span> is unspecified, + <span class="command"><strong>named</strong></span> will check if the operating system provides a programming interface to retrieve the system's default range for ephemeral ports. If such an interface is available, - <span><strong class="command">named</strong></span> will use the corresponding system + <span class="command"><strong>named</strong></span> will use the corresponding system default range; otherwise, it will use its own defaults: </p> <pre class="programlisting">use-v4-udp-ports { range 1024 65535; }; @@ -4338,20 +4407,20 @@ use-v6-udp-ports { range 1024 65535; }; (14 bits of entropy). Note also that the system's default range when used may be too small for this purpose, and that the range may even be - changed while <span><strong class="command">named</strong></span> is running; the new - range will automatically be applied when <span><strong class="command">named</strong></span> + changed while <span class="command"><strong>named</strong></span> is running; the new + range will automatically be applied when <span class="command"><strong>named</strong></span> is reloaded. It is encouraged to - configure <span><strong class="command">use-v4-udp-ports</strong></span> and - <span><strong class="command">use-v6-udp-ports</strong></span> explicitly so that the + configure <span class="command"><strong>use-v4-udp-ports</strong></span> and + <span class="command"><strong>use-v6-udp-ports</strong></span> explicitly so that the ranges are sufficiently large and are reasonably independent from the ranges used by other applications. </p> <p> Note: the operational configuration - where <span><strong class="command">named</strong></span> runs may prohibit the use + where <span class="command"><strong>named</strong></span> runs may prohibit the use of some ports. For example, UNIX systems will not allow - <span><strong class="command">named</strong></span> running without a root privilege + <span class="command"><strong>named</strong></span> running without a root privilege to use ports less than 1024. If such ports are included in the specified (or detected) set of query ports, the corresponding query attempts will @@ -4360,8 +4429,8 @@ use-v6-udp-ports { range 1024 65535; }; that can be safely used in the expected operational environment. </p> <p> - The defaults of the <span><strong class="command">avoid-v4-udp-ports</strong></span> and - <span><strong class="command">avoid-v6-udp-ports</strong></span> options + The defaults of the <span class="command"><strong>avoid-v4-udp-ports</strong></span> and + <span class="command"><strong>avoid-v6-udp-ports</strong></span> options are: </p> <pre class="programlisting">avoid-v4-udp-ports {}; @@ -4369,26 +4438,26 @@ avoid-v6-udp-ports {}; </pre> <p> Note: BIND 9.5.0 introduced - the <span><strong class="command">use-queryport-pool</strong></span> + the <span class="command"><strong>use-queryport-pool</strong></span> option to support a pool of such random ports, but this option is now obsolete because reusing the same ports in the pool may not be sufficiently secure. For the same reason, it is generally strongly discouraged to specify a particular port for the - <span><strong class="command">query-source</strong></span> or - <span><strong class="command">query-source-v6</strong></span> options; + <span class="command"><strong>query-source</strong></span> or + <span class="command"><strong>query-source-v6</strong></span> options; it implicitly disables the use of randomized port numbers. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">use-queryport-pool</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>use-queryport-pool</strong></span></span></dt> <dd><p> This option is obsolete. </p></dd> -<dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>queryport-pool-ports</strong></span></span></dt> <dd><p> This option is obsolete. </p></dd> -<dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>queryport-pool-updateinterval</strong></span></span></dt> <dd><p> This option is obsolete. </p></dd> @@ -4396,7 +4465,7 @@ avoid-v6-udp-ports {}; <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> - The address specified in the <span><strong class="command">query-source</strong></span> option + The address specified in the <span class="command"><strong>query-source</strong></span> option is used for both UDP and TCP queries, but the port applies only to UDP queries. TCP queries always use a random unprivileged port. @@ -4412,12 +4481,12 @@ avoid-v6-udp-ports {}; <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> - See also <span><strong class="command">transfer-source</strong></span> and - <span><strong class="command">notify-source</strong></span>. + See also <span class="command"><strong>transfer-source</strong></span> and + <span class="command"><strong>notify-source</strong></span>. </p> </div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="zone_transfers"></a>Zone Transfers</h4></div></div></div> <p> @@ -4426,8 +4495,8 @@ avoid-v6-udp-ports {}; and set limits on the amount of load that transfers place on the system. The following options apply to zone transfers. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>also-notify</strong></span></span></dt> <dd> <p> Defines a global list of IP addresses of name servers @@ -4438,58 +4507,58 @@ avoid-v6-udp-ports {}; This helps to ensure that copies of the zones will quickly converge on stealth servers. Optionally, a port may be specified with each - <span><strong class="command">also-notify</strong></span> address to send + <span class="command"><strong>also-notify</strong></span> address to send the notify messages to a port other than the default of 53. An optional TSIG key can also be specified with each address to cause the notify messages to be signed; this can be useful when sending notifies to multiple views. In place of explicit addresses, one or more named - <span><strong class="command">masters</strong></span> lists can be used. + <span class="command"><strong>masters</strong></span> lists can be used. </p> <p> - If an <span><strong class="command">also-notify</strong></span> list - is given in a <span><strong class="command">zone</strong></span> statement, + If an <span class="command"><strong>also-notify</strong></span> list + is given in a <span class="command"><strong>zone</strong></span> statement, it will override - the <span><strong class="command">options also-notify</strong></span> - statement. When a <span><strong class="command">zone notify</strong></span> + the <span class="command"><strong>options also-notify</strong></span> + statement. When a <span class="command"><strong>zone notify</strong></span> statement - is set to <span><strong class="command">no</strong></span>, the IP - addresses in the global <span><strong class="command">also-notify</strong></span> list will + is set to <span class="command"><strong>no</strong></span>, the IP + addresses in the global <span class="command"><strong>also-notify</strong></span> list will not be sent NOTIFY messages for that zone. The default is the empty list (no global notification list). </p> </dd> -<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-transfer-time-in</strong></span></span></dt> <dd><p> Inbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes (2 hours). The maximum value is 28 days (40320 minutes). </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-transfer-idle-in</strong></span></span></dt> <dd><p> Inbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes (1 hour). The maximum value is 28 days (40320 minutes). </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-transfer-time-out</strong></span></span></dt> <dd><p> Outbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes (2 hours). The maximum value is 28 days (40320 minutes). </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-transfer-idle-out</strong></span></span></dt> <dd><p> Outbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes (1 hour). The maximum value is 28 days (40320 minutes). </p></dd> -<dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>serial-query-rate</strong></span></span></dt> <dd> <p> Slave servers will periodically query master @@ -4498,7 +4567,7 @@ avoid-v6-udp-ports {}; the slave server's network bandwidth. To limit the amount of bandwidth used, BIND 9 limits the rate at which queries are sent. The value of the - <span><strong class="command">serial-query-rate</strong></span> option, an + <span class="command"><strong>serial-query-rate</strong></span> option, an integer, is the maximum number of queries sent per second. The default is 20 per second. The lowest possible rate is one per second; when set @@ -4507,77 +4576,77 @@ avoid-v6-udp-ports {}; <p> In addition to controlling the rate SOA refresh queries are issued at, - <span><strong class="command">serial-query-rate</strong></span> also controls + <span class="command"><strong>serial-query-rate</strong></span> also controls the rate at which NOTIFY messages are sent from both master and slave zones. </p> </dd> -<dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>serial-queries</strong></span></span></dt> <dd><p> - In BIND 8, the <span><strong class="command">serial-queries</strong></span> + In BIND 8, the <span class="command"><strong>serial-queries</strong></span> option set the maximum number of concurrent serial number queries allowed to be outstanding at any given time. BIND 9 does not limit the number of outstanding - serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option. + serial queries and ignores the <span class="command"><strong>serial-queries</strong></span> option. Instead, it limits the rate at which the queries are sent - as defined using the <span><strong class="command">serial-query-rate</strong></span> option. + as defined using the <span class="command"><strong>serial-query-rate</strong></span> option. </p></dd> -<dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>transfer-format</strong></span></span></dt> <dd><p> Zone transfers can be sent using two different formats, - <span><strong class="command">one-answer</strong></span> and - <span><strong class="command">many-answers</strong></span>. - The <span><strong class="command">transfer-format</strong></span> option is used + <span class="command"><strong>one-answer</strong></span> and + <span class="command"><strong>many-answers</strong></span>. + The <span class="command"><strong>transfer-format</strong></span> option is used on the master server to determine which format it sends. - <span><strong class="command">one-answer</strong></span> uses one DNS message per + <span class="command"><strong>one-answer</strong></span> uses one DNS message per resource record transferred. - <span><strong class="command">many-answers</strong></span> packs as many resource + <span class="command"><strong>many-answers</strong></span> packs as many resource records as possible into a message. - <span><strong class="command">many-answers</strong></span> is more efficient, but is + <span class="command"><strong>many-answers</strong></span> is more efficient, but is only supported by relatively new slave servers, such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym> 8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards. - The <span><strong class="command">many-answers</strong></span> format is also supported by + The <span class="command"><strong>many-answers</strong></span> format is also supported by recent Microsoft Windows nameservers. - The default is <span><strong class="command">many-answers</strong></span>. - <span><strong class="command">transfer-format</strong></span> may be overridden on a - per-server basis by using the <span><strong class="command">server</strong></span> + The default is <span class="command"><strong>many-answers</strong></span>. + <span class="command"><strong>transfer-format</strong></span> may be overridden on a + per-server basis by using the <span class="command"><strong>server</strong></span> statement. </p></dd> -<dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>transfers-in</strong></span></span></dt> <dd><p> The maximum number of inbound zone transfers that can be running concurrently. The default value is <code class="literal">10</code>. - Increasing <span><strong class="command">transfers-in</strong></span> may + Increasing <span class="command"><strong>transfers-in</strong></span> may speed up the convergence of slave zones, but it also may increase the load on the local system. </p></dd> -<dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>transfers-out</strong></span></span></dt> <dd><p> The maximum number of outbound zone transfers that can be running concurrently. Zone transfer requests in excess of the limit will be refused. The default value is <code class="literal">10</code>. </p></dd> -<dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>transfers-per-ns</strong></span></span></dt> <dd><p> The maximum number of inbound zone transfers that can be concurrently transferring from a given remote name server. The default value is <code class="literal">2</code>. - Increasing <span><strong class="command">transfers-per-ns</strong></span> + Increasing <span class="command"><strong>transfers-per-ns</strong></span> may speed up the convergence of slave zones, but it also may increase - the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may - be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase - of the <span><strong class="command">server</strong></span> statement. + the load on the remote name server. <span class="command"><strong>transfers-per-ns</strong></span> may + be overridden on a per-server basis by using the <span class="command"><strong>transfers</strong></span> phrase + of the <span class="command"><strong>server</strong></span> statement. </p></dd> -<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>transfer-source</strong></span></span></dt> <dd> -<p><span><strong class="command">transfer-source</strong></span> +<p><span class="command"><strong>transfer-source</strong></span> determines which local address will be bound to IPv4 TCP connections used to fetch zones transferred inbound by the server. It also determines the @@ -4587,15 +4656,15 @@ avoid-v6-udp-ports {}; controlled value which will usually be the address of the interface "closest to" the remote end. This address must appear in the remote end's - <span><strong class="command">allow-transfer</strong></span> option for the + <span class="command"><strong>allow-transfer</strong></span> option for the zone being transferred, if one is specified. This statement sets the - <span><strong class="command">transfer-source</strong></span> for all zones, + <span class="command"><strong>transfer-source</strong></span> for all zones, but can be overridden on a per-view or per-zone basis by including a - <span><strong class="command">transfer-source</strong></span> statement within - the <span><strong class="command">view</strong></span> or - <span><strong class="command">zone</strong></span> block in the configuration + <span class="command"><strong>transfer-source</strong></span> statement within + the <span class="command"><strong>view</strong></span> or + <span class="command"><strong>zone</strong></span> block in the configuration file. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> @@ -4606,58 +4675,60 @@ avoid-v6-udp-ports {}; </p> </div> </dd> -<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>transfer-source-v6</strong></span></span></dt> <dd><p> - The same as <span><strong class="command">transfer-source</strong></span>, + The same as <span class="command"><strong>transfer-source</strong></span>, except zone transfers are performed using IPv6. </p></dd> -<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>alt-transfer-source</strong></span></span></dt> <dd> <p> An alternate transfer source if the one listed in - <span><strong class="command">transfer-source</strong></span> fails and - <span><strong class="command">use-alt-transfer-source</strong></span> is + <span class="command"><strong>transfer-source</strong></span> fails and + <span class="command"><strong>use-alt-transfer-source</strong></span> is set. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> +<p> If you do not wish the alternate transfer source to be used, you should set - <span><strong class="command">use-alt-transfer-source</strong></span> + <span class="command"><strong>use-alt-transfer-source</strong></span> appropriately and you should not depend upon getting an answer back to the first refresh query. - </div> + </p> +</div> </dd> -<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>alt-transfer-source-v6</strong></span></span></dt> <dd><p> An alternate transfer source if the one listed in - <span><strong class="command">transfer-source-v6</strong></span> fails and - <span><strong class="command">use-alt-transfer-source</strong></span> is + <span class="command"><strong>transfer-source-v6</strong></span> fails and + <span class="command"><strong>use-alt-transfer-source</strong></span> is set. </p></dd> -<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>use-alt-transfer-source</strong></span></span></dt> <dd><p> Use the alternate transfer sources or not. If views are - specified this defaults to <span><strong class="command">no</strong></span> + specified this defaults to <span class="command"><strong>no</strong></span> otherwise it defaults to - <span><strong class="command">yes</strong></span> (for BIND 8 + <span class="command"><strong>yes</strong></span> (for BIND 8 compatibility). </p></dd> -<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify-source</strong></span></span></dt> <dd> -<p><span><strong class="command">notify-source</strong></span> +<p><span class="command"><strong>notify-source</strong></span> determines which local source address, and optionally UDP port, will be used to send NOTIFY messages. This address must appear in the slave - server's <span><strong class="command">masters</strong></span> zone clause or - in an <span><strong class="command">allow-notify</strong></span> clause. This - statement sets the <span><strong class="command">notify-source</strong></span> + server's <span class="command"><strong>masters</strong></span> zone clause or + in an <span class="command"><strong>allow-notify</strong></span> clause. This + statement sets the <span class="command"><strong>notify-source</strong></span> for all zones, but can be overridden on a per-zone or per-view basis by including a - <span><strong class="command">notify-source</strong></span> statement within - the <span><strong class="command">zone</strong></span> or - <span><strong class="command">view</strong></span> block in the configuration + <span class="command"><strong>notify-source</strong></span> statement within + the <span class="command"><strong>zone</strong></span> or + <span class="command"><strong>view</strong></span> block in the configuration file. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> @@ -4668,24 +4739,24 @@ avoid-v6-udp-ports {}; </p> </div> </dd> -<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify-source-v6</strong></span></span></dt> <dd><p> - Like <span><strong class="command">notify-source</strong></span>, + Like <span class="command"><strong>notify-source</strong></span>, but applies to notify messages sent to IPv6 addresses. </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2585434"></a>UDP Port Lists</h4></div></div></div> +<a name="port_lists"></a>UDP Port Lists</h4></div></div></div> <p> - <span><strong class="command">use-v4-udp-ports</strong></span>, - <span><strong class="command">avoid-v4-udp-ports</strong></span>, - <span><strong class="command">use-v6-udp-ports</strong></span>, and - <span><strong class="command">avoid-v6-udp-ports</strong></span> + <span class="command"><strong>use-v4-udp-ports</strong></span>, + <span class="command"><strong>avoid-v4-udp-ports</strong></span>, + <span class="command"><strong>use-v6-udp-ports</strong></span>, and + <span class="command"><strong>avoid-v6-udp-ports</strong></span> specify a list of IPv4 and IPv6 UDP ports that will be used or not used as source ports for UDP messages. - See <a href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called “Query Address”</a> about how the + See <a class="xref" href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called “Query Address”</a> about how the available ports are determined. For example, with the following configuration </p> @@ -4695,14 +4766,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </pre> <p> UDP ports of IPv6 messages sent - from <span><strong class="command">named</strong></span> will be in one + from <span class="command"><strong>named</strong></span> will be in one of the following ranges: 32768 to 39999, 40001 to 49999, and 60001 to 65535. </p> <p> - <span><strong class="command">avoid-v4-udp-ports</strong></span> and - <span><strong class="command">avoid-v6-udp-ports</strong></span> can be used - to prevent <span><strong class="command">named</strong></span> from choosing as its random source port a + <span class="command"><strong>avoid-v4-udp-ports</strong></span> and + <span class="command"><strong>avoid-v6-udp-ports</strong></span> can be used + to prevent <span class="command"><strong>named</strong></span> from choosing as its random source port a port that is blocked by your firewall or a port that is used by other applications; if a query went out with a source port blocked by a @@ -4710,28 +4781,28 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; answer would not get by the firewall and the name server would have to query again. Note: the desired range can also be represented only with - <span><strong class="command">use-v4-udp-ports</strong></span> and - <span><strong class="command">use-v6-udp-ports</strong></span>, and the - <span><strong class="command">avoid-</strong></span> options are redundant in that + <span class="command"><strong>use-v4-udp-ports</strong></span> and + <span class="command"><strong>use-v6-udp-ports</strong></span>, and the + <span class="command"><strong>avoid-</strong></span> options are redundant in that sense; they are provided for backward compatibility and to possibly simplify the port specification. </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2585562"></a>Operating System Resource Limits</h4></div></div></div> +<a name="resource_limits"></a>Operating System Resource Limits</h4></div></div></div> <p> The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For - example, <span><strong class="command">1G</strong></span> can be used instead of - <span><strong class="command">1073741824</strong></span> to specify a limit of + example, <span class="command"><strong>1G</strong></span> can be used instead of + <span class="command"><strong>1073741824</strong></span> to specify a limit of one - gigabyte. <span><strong class="command">unlimited</strong></span> requests + gigabyte. <span class="command"><strong>unlimited</strong></span> requests unlimited use, or the - maximum available amount. <span><strong class="command">default</strong></span> + maximum available amount. <span class="command"><strong>default</strong></span> uses the limit that was in force when the server was started. See the description - of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>. + of <span class="command"><strong>size_spec</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>. </p> <p> The following options set operating system resource limits for @@ -4741,13 +4812,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; the unsupported limit is used. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>coresize</strong></span></span></dt> <dd><p> The maximum size of a core dump. The default is <code class="literal">default</code>. </p></dd> -<dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>datasize</strong></span></span></dt> <dd><p> The maximum amount of data memory the server may use. The default is <code class="literal">default</code>. @@ -4760,23 +4831,23 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; to raise an operating system data size limit that is too small by default. If you wish to limit the amount of memory used by the server, use the - <span><strong class="command">max-cache-size</strong></span> and - <span><strong class="command">recursive-clients</strong></span> + <span class="command"><strong>max-cache-size</strong></span> and + <span class="command"><strong>recursive-clients</strong></span> options instead. </p></dd> -<dt><span class="term"><span><strong class="command">files</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>files</strong></span></span></dt> <dd><p> The maximum number of files the server may have open concurrently. The default is <code class="literal">unlimited</code>. </p></dd> -<dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>stacksize</strong></span></span></dt> <dd><p> The maximum amount of stack memory the server may use. The default is <code class="literal">default</code>. </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="server_resource_limits"></a>Server Resource Limits</h4></div></div></div> <p> @@ -4784,18 +4855,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; resource consumption that are enforced internally by the server rather than the operating system. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>max-ixfr-log-size</strong></span></span></dt> <dd><p> This option is obsolete; it is accepted and ignored for BIND 8 compatibility. The option - <span><strong class="command">max-journal-size</strong></span> performs a + <span class="command"><strong>max-journal-size</strong></span> performs a similar function in BIND 9. </p></dd> -<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-journal-size</strong></span></span></dt> <dd><p> Sets a maximum size for each journal file - (see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file + (see <a class="xref" href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file approaches the specified size, some of the oldest transactions in the journal @@ -4805,13 +4876,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; means 2 gigabytes. This may also be set on a per-zone basis. </p></dd> -<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>host-statistics-max</strong></span></span></dt> <dd><p> In BIND 8, specifies the maximum number of host statistics entries to be kept. Not implemented in BIND 9. </p></dd> -<dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>recursive-clients</strong></span></span></dt> <dd> <p> The maximum number ("hard quota") of simultaneous @@ -4821,7 +4892,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; client uses a fair bit of memory (on the order of 20 kilobytes), the value of the - <span><strong class="command">recursive-clients</strong></span> option may + <span class="command"><strong>recursive-clients</strong></span> option may have to be decreased on hosts with limited memory. </p> <p> @@ -4842,28 +4913,28 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <code class="option">recursive-clients</code>. </p> </dd> -<dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>tcp-clients</strong></span></span></dt> <dd><p> The maximum number of simultaneous client TCP connections that the server will accept. The default is <code class="literal">100</code>. </p></dd> <dt> -<a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span> +<a name="clients-per-query"></a><span class="term"><a name="cpq_term"></a><span class="command"><strong>clients-per-query</strong></span>, </span><span class="term"><span class="command"><strong>max-clients-per-query</strong></span></span> </dt> <dd> <p>These set the initial value (minimum) and maximum number of recursive simultaneous clients for any given query (<qname,qtype,qclass>) that the server will accept - before dropping additional clients. <span><strong class="command">named</strong></span> will attempt to + before dropping additional clients. <span class="command"><strong>named</strong></span> will attempt to self tune this value and changes will be logged. The default values are 10 and 100. </p> <p> This value should reflect how many queries come in for a given name in the time it takes to resolve that name. - If the number of queries exceed this value, <span><strong class="command">named</strong></span> will + If the number of queries exceed this value, <span class="command"><strong>named</strong></span> will assume that it is dealing with a non-responsive zone and will drop additional queries. If it gets a response after dropping queries, it will raise the estimate. The @@ -4871,18 +4942,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; remained unchanged. </p> <p> - If <span><strong class="command">clients-per-query</strong></span> is set to zero, + If <span class="command"><strong>clients-per-query</strong></span> is set to zero, then there is no limit on the number of clients per query and no queries will be dropped. </p> <p> - If <span><strong class="command">max-clients-per-query</strong></span> is set to zero, + If <span class="command"><strong>max-clients-per-query</strong></span> is set to zero, then there is no upper bound other than imposed by - <span><strong class="command">recursive-clients</strong></span>. + <span class="command"><strong>recursive-clients</strong></span>. </p> </dd> <dt> -<a name="fetches-per-zone"></a><span class="term"><span><strong class="command">fetches-per-zone</strong></span></span> +<a name="fetches-per-zone"></a><span class="term"><span class="command"><strong>fetches-per-zone</strong></span></span> </dt> <dd> <p> @@ -4916,13 +4987,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <code class="literal">drop</code>. </p> <p> - If <span><strong class="command">fetches-per-zone</strong></span> is set to zero, + If <span class="command"><strong>fetches-per-zone</strong></span> is set to zero, then there is no limit on the number of fetches per query and no queries will be dropped. The default is zero. </p> <p> The current list of active fetches can be dumped by - running <span><strong class="command">rndc recursing</strong></span>. The list + running <span class="command"><strong>rndc recursing</strong></span>. The list includes the number of active fetches for each domain and the number of queries that have been passed or dropped as a result of the @@ -4935,11 +5006,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> <p> (Note: This option is only available when BIND is - built with <span><strong class="command">configure --enable-fetchlimit</strong></span>.) + built with <span class="command"><strong>configure --enable-fetchlimit</strong></span>.) </p> </dd> <dt> -<a name="fetches-per-server"></a><span class="term"><span><strong class="command">fetches-per-server</strong></span></span> +<a name="fetches-per-server"></a><span class="term"><span class="command"><strong>fetches-per-server</strong></span></span> </dt> <dd> <p> @@ -4962,32 +5033,32 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <code class="literal">fail</code>. </p> <p> - If <span><strong class="command">fetches-per-server</strong></span> is set to zero, + If <span class="command"><strong>fetches-per-server</strong></span> is set to zero, then there is no limit on the number of fetches per query and no queries will be dropped. The default is zero. </p> <p> - The <span><strong class="command">fetches-per-server</strong></span> quota is + The <span class="command"><strong>fetches-per-server</strong></span> quota is dynamically adjusted in response to detected congestion. As queries are sent to a server and are either answered or time out, an exponentially weighted moving average is calculated of the ratio of timeouts to responses. If the current average timeout ratio rises above a "high" - threshold, then <span><strong class="command">fetches-per-server</strong></span> + threshold, then <span class="command"><strong>fetches-per-server</strong></span> is reduced for that server. If the timeout ratio drops below a "low" threshold, then - <span><strong class="command">fetches-per-server</strong></span> is increased. - The <span><strong class="command">fetch-quota-params</strong></span> options + <span class="command"><strong>fetches-per-server</strong></span> is increased. + The <span class="command"><strong>fetch-quota-params</strong></span> options can be used to adjust the parameters for this calculation. </p> <p> (Note: This option is only available when BIND is - built with <span><strong class="command">configure --enable-fetchlimit</strong></span>.) + built with <span class="command"><strong>configure --enable-fetchlimit</strong></span>.) </p> </dd> -<dt><span class="term"><span><strong class="command">fetch-quota-params</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>fetch-quota-params</strong></span></span></dt> <dd> <p> Sets the parameters to use for dynamic resizing of @@ -5019,15 +5090,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> <p> (Note: This option is only available when BIND is - built with <span><strong class="command">configure --enable-fetchlimit</strong></span>.) + built with <span class="command"><strong>configure --enable-fetchlimit</strong></span>.) </p> </dd> -<dt><span class="term"><span><strong class="command">reserved-sockets</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>reserved-sockets</strong></span></span></dt> <dd> <p> The number of file descriptors reserved for TCP, stdio, etc. This needs to be big enough to cover the number of - interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as + interfaces <span class="command"><strong>named</strong></span> listens on, <span class="command"><strong>tcp-clients</strong></span> as well as to provide room for outgoing TCP queries and incoming zone transfers. The default is <code class="literal">512</code>. The minimum value is <code class="literal">128</code> and the @@ -5038,7 +5109,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; This option has little effect on Windows. </p> </dd> -<dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-cache-size</strong></span></span></dt> <dd><p> The maximum amount of memory to use for the server's cache, in bytes. @@ -5060,7 +5131,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; separately to the cache of each view. The default is 0. </p></dd> -<dt><span class="term"><span><strong class="command">tcp-listen-queue</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>tcp-listen-queue</strong></span></span></dt> <dd><p> The listen queue depth. The default and minimum is 10. If the kernel supports the accept filter "dataready" this @@ -5074,35 +5145,35 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2586413"></a>Periodic Task Intervals</h4></div></div></div> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt> +<a name="intervals"></a>Periodic Task Intervals</h4></div></div></div> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>cleaning-interval</strong></span></span></dt> <dd><p> This interval is effectively obsolete. Previously, the server would remove expired resource records - from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes. + from the cache every <span class="command"><strong>cleaning-interval</strong></span> minutes. <acronym class="acronym">BIND</acronym> 9 now manages cache memory in a more sophisticated manner and does not rely on the periodic cleaning any more. Specifying this option therefore has no effect on the server's behavior. </p></dd> -<dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>heartbeat-interval</strong></span></span></dt> <dd><p> The server will perform zone maintenance tasks - for all zones marked as <span><strong class="command">dialup</strong></span> whenever this + for all zones marked as <span class="command"><strong>dialup</strong></span> whenever this interval expires. The default is 60 minutes. Reasonable values are up to 1 day (1440 minutes). The maximum value is 28 days (40320 minutes). If set to 0, no zone maintenance for these zones will occur. </p></dd> -<dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>interface-interval</strong></span></span></dt> <dd><p> The server will scan the network interface list - every <span><strong class="command">interface-interval</strong></span> + every <span class="command"><strong>interface-interval</strong></span> minutes. The default is 60 minutes. The maximum value is 28 days (40320 minutes). If set to 0, interface scanning will only occur when @@ -5110,15 +5181,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; server will begin listening for queries on any newly discovered interfaces (provided they are allowed by the - <span><strong class="command">listen-on</strong></span> configuration), and + <span class="command"><strong>listen-on</strong></span> configuration), and will stop listening on interfaces that have gone away. </p></dd> -<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>statistics-interval</strong></span></span></dt> <dd> <p> Name server statistics will be logged - every <span><strong class="command">statistics-interval</strong></span> + every <span class="command"><strong>statistics-interval</strong></span> minutes. The default is 60. The maximum value is 28 days (40320 minutes). If set to 0, no statistics will be logged. @@ -5133,15 +5204,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="topology"></a>Topology</h4></div></div></div> <p> All other things being equal, when the server chooses a name server to query from a list of name servers, it prefers the one that is - topologically closest to itself. The <span><strong class="command">topology</strong></span> statement - takes an <span><strong class="command">address_match_list</strong></span> and + topologically closest to itself. The <span class="command"><strong>topology</strong></span> statement + takes an <span class="command"><strong>address_match_list</strong></span> and interprets it in a special way. Each top-level list element is assigned a distance. @@ -5172,21 +5243,21 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> - The <span><strong class="command">topology</strong></span> option + The <span class="command"><strong>topology</strong></span> option is not implemented in <acronym class="acronym">BIND</acronym> 9. </p> </div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div> +<a name="the_sortlist_statement"></a>The <span class="command"><strong>sortlist</strong></span> Statement</h4></div></div></div> <p> The response to a DNS query may consist of multiple resource records (RRs) forming a resource records set (RRset). The name server will normally return the RRs within the RRset in an indeterminate order - (but see the <span><strong class="command">rrset-order</strong></span> - statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>). + (but see the <span class="command"><strong>rrset-order</strong></span> + statement in <a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>). The client resolver code should rearrange the RRs as appropriate, that is, using any addresses on the local net in preference to other addresses. @@ -5197,18 +5268,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; configuring the name servers, not all the clients. </p> <p> - The <span><strong class="command">sortlist</strong></span> statement (see below) + The <span class="command"><strong>sortlist</strong></span> statement (see below) takes - an <span><strong class="command">address_match_list</strong></span> and + an <span class="command"><strong>address_match_list</strong></span> and interprets it even - more specifically than the <span><strong class="command">topology</strong></span> + more specifically than the <span class="command"><strong>topology</strong></span> statement - does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>). - Each top level statement in the <span><strong class="command">sortlist</strong></span> must - itself be an explicit <span><strong class="command">address_match_list</strong></span> with + does (<a class="xref" href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>). + Each top level statement in the <span class="command"><strong>sortlist</strong></span> must + itself be an explicit <span class="command"><strong>address_match_list</strong></span> with one or two elements. The first element (which may be an IP address, - an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>) + an IP prefix, an ACL name or a nested <span class="command"><strong>address_match_list</strong></span>) of each top level list is checked against the source address of the query until a match is found. </p> @@ -5220,8 +5291,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; address in the response to move to the beginning of the response. If the statement is a list of two elements, then the second element is - treated the same as the <span><strong class="command">address_match_list</strong></span> in - a <span><strong class="command">topology</strong></span> statement. Each top + treated the same as the <span class="command"><strong>address_match_list</strong></span> in + a <span class="command"><strong>topology</strong></span> statement. Each top level element is assigned a distance and the address in the response with the minimum @@ -5286,21 +5357,21 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; }; </pre> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div> <p> When multiple records are returned in an answer it may be useful to configure the order of the records placed into the response. - The <span><strong class="command">rrset-order</strong></span> statement permits + The <span class="command"><strong>rrset-order</strong></span> statement permits configuration of the ordering of the records in a multiple record response. - See also the <span><strong class="command">sortlist</strong></span> statement, - <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>. + See also the <span class="command"><strong>sortlist</strong></span> statement, + <a class="xref" href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span class="command"><strong>sortlist</strong></span> Statement”</a>. </p> <p> - An <span><strong class="command">order_spec</strong></span> is defined as + An <span class="command"><strong>order_spec</strong></span> is defined as follows: </p> <p> @@ -5310,22 +5381,22 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; order <em class="replaceable"><code>ordering</code></em> </p> <p> - If no class is specified, the default is <span><strong class="command">ANY</strong></span>. - If no type is specified, the default is <span><strong class="command">ANY</strong></span>. - If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk). + If no class is specified, the default is <span class="command"><strong>ANY</strong></span>. + If no type is specified, the default is <span class="command"><strong>ANY</strong></span>. + If no name is specified, the default is "<span class="command"><strong>*</strong></span>" (asterisk). </p> <p> - The legal values for <span><strong class="command">ordering</strong></span> are: + The legal values for <span class="command"><strong>ordering</strong></span> are: </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="0.750in" class="1"> +<col width="3.750in" class="2"> </colgroup> <tbody> <tr> <td> - <p><span><strong class="command">fixed</strong></span></p> + <p><span class="command"><strong>fixed</strong></span></p> </td> <td> <p> @@ -5336,7 +5407,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </tr> <tr> <td> - <p><span><strong class="command">random</strong></span></p> + <p><span class="command"><strong>random</strong></span></p> </td> <td> <p> @@ -5346,7 +5417,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </tr> <tr> <td> - <p><span><strong class="command">cyclic</strong></span></p> + <p><span class="command"><strong>cyclic</strong></span></p> </td> <td> <p> @@ -5377,7 +5448,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; in random order. All other records are returned in cyclic order. </p> <p> - If multiple <span><strong class="command">rrset-order</strong></span> statements + If multiple <span class="command"><strong>rrset-order</strong></span> statements appear, they are not combined — the last one applies. </p> <p> @@ -5387,18 +5458,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <h3 class="title">Note</h3> <p> In this release of <acronym class="acronym">BIND</acronym> 9, the - <span><strong class="command">rrset-order</strong></span> statement does not support + <span class="command"><strong>rrset-order</strong></span> statement does not support "fixed" ordering by default. Fixed ordering can be enabled at compile time by specifying "--enable-fixed-rrset" on the "configure" command line. </p> </div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="tuning"></a>Tuning</h4></div></div></div> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>lame-ttl</strong></span></span></dt> <dd> <p> Sets the number of seconds to cache a @@ -5415,19 +5486,19 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; lame-ttl is set to less than 30 seconds. </p> </dd> -<dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-ncache-ttl</strong></span></span></dt> <dd><p> To reduce network traffic and increase performance, - the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is + the server stores negative answers. <span class="command"><strong>max-ncache-ttl</strong></span> is used to set a maximum retention time for these answers in the server in seconds. The default - <span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours). - <span><strong class="command">max-ncache-ttl</strong></span> cannot exceed + <span class="command"><strong>max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours). + <span class="command"><strong>max-ncache-ttl</strong></span> cannot exceed 7 days and will be silently truncated to 7 days if set to a greater value. </p></dd> -<dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-cache-ttl</strong></span></span></dt> <dd><p> Sets the maximum time for which the server will cache ordinary (positive) answers. The default is @@ -5437,7 +5508,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; RRsets (such as NS and glue AAAA/A records) in the resolution process. </p></dd> -<dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>min-roots</strong></span></span></dt> <dd> <p> The minimum number of root servers that @@ -5452,12 +5523,12 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> </div> </dd> -<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>sig-validity-interval</strong></span></span></dt> <dd> <p> Specifies the number of days into the future when DNSSEC signatures automatically generated as a - result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) will expire. There + result of dynamic updates (<a class="xref" href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) will expire. There is an optional second field which specifies how long before expiry that the signatures will be regenerated. If not specified, the signatures will @@ -5474,27 +5545,27 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; for a limited amount of clock skew. </p> <p> - The <span><strong class="command">sig-validity-interval</strong></span> + The <span class="command"><strong>sig-validity-interval</strong></span> should be, at least, several multiples of the SOA expire interval to allow for reasonable interaction between the various timer and expiry dates. </p> </dd> -<dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>sig-signing-nodes</strong></span></span></dt> <dd><p> Specify the maximum number of nodes to be examined in each quantum when signing a zone with a new DNSKEY. The default is <code class="literal">100</code>. </p></dd> -<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>sig-signing-signatures</strong></span></span></dt> <dd><p> Specify a threshold number of signatures that will terminate processing a quantum when signing a zone with a new DNSKEY. The default is <code class="literal">10</code>. </p></dd> -<dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>sig-signing-type</strong></span></span></dt> <dd> <p> Specify a private RDATA type to be used when generating @@ -5507,23 +5578,23 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> <p> Signing state records are used to internally by - <span><strong class="command">named</strong></span> to track the current state of + <span class="command"><strong>named</strong></span> to track the current state of a zone-signing process, i.e., whether it is still active or has been completed. The records can be inspected using the command - <span><strong class="command">rndc signing -list <em class="replaceable"><code>zone</code></em></strong></span>. - Once <span><strong class="command">named</strong></span> has finished signing + <span class="command"><strong>rndc signing -list <em class="replaceable"><code>zone</code></em></strong></span>. + Once <span class="command"><strong>named</strong></span> has finished signing a zone with a particular key, the signing state record associated with that key can be removed from the zone by running - <span><strong class="command">rndc signing -clear <em class="replaceable"><code>keyid/algorithm</code></em> <em class="replaceable"><code>zone</code></em></strong></span>. + <span class="command"><strong>rndc signing -clear <em class="replaceable"><code>keyid/algorithm</code></em> <em class="replaceable"><code>zone</code></em></strong></span>. To clear all of the completed signing state records for a zone, use - <span><strong class="command">rndc signing -clear all <em class="replaceable"><code>zone</code></em></strong></span>. + <span class="command"><strong>rndc signing -clear all <em class="replaceable"><code>zone</code></em></strong></span>. </p> </dd> <dt> -<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span> +<span class="term"><span class="command"><strong>min-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>max-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>min-retry-time</strong></span>, </span><span class="term"><span class="command"><strong>max-retry-time</strong></span></span> </dt> <dd> <p> @@ -5547,14 +5618,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> <p> The following defaults apply. - <span><strong class="command">min-refresh-time</strong></span> 300 seconds, - <span><strong class="command">max-refresh-time</strong></span> 2419200 seconds - (4 weeks), <span><strong class="command">min-retry-time</strong></span> 500 seconds, - and <span><strong class="command">max-retry-time</strong></span> 1209600 seconds + <span class="command"><strong>min-refresh-time</strong></span> 300 seconds, + <span class="command"><strong>max-refresh-time</strong></span> 2419200 seconds + (4 weeks), <span class="command"><strong>min-retry-time</strong></span> 500 seconds, + and <span class="command"><strong>max-retry-time</strong></span> 1209600 seconds (2 weeks). </p> </dd> -<dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>edns-udp-size</strong></span></span></dt> <dd> <p> Sets the advertised EDNS UDP buffer size in bytes @@ -5562,73 +5633,73 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; Valid values are 512 to 4096 (values outside this range will be silently adjusted). The default value is 4096. The usual reason for setting - <span><strong class="command">edns-udp-size</strong></span> to a non-default + <span class="command"><strong>edns-udp-size</strong></span> to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes. </p> <p> - <span><strong class="command">named</strong></span> will fallback to using 512 bytes + <span class="command"><strong>named</strong></span> will fallback to using 512 bytes if it get a series of timeout at the initial value. 512 bytes is not being offered to encourage sites to fix their firewalls. Small EDNS UDP sizes will result in the excessive use of TCP. </p> </dd> -<dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-udp-size</strong></span></span></dt> <dd> <p> Sets the maximum EDNS UDP message size - <span><strong class="command">named</strong></span> will send in bytes. + <span class="command"><strong>named</strong></span> will send in bytes. Valid values are 512 to 4096 (values outside this range will be silently adjusted). The default value is 4096. The usual reason for setting - <span><strong class="command">max-udp-size</strong></span> to a non-default + <span class="command"><strong>max-udp-size</strong></span> to a non-default value is to get UDP answers to pass through broken firewalls that block fragmented packets and/or block UDP packets that are greater than 512 bytes. This is independent of the advertised receive - buffer (<span><strong class="command">edns-udp-size</strong></span>). + buffer (<span class="command"><strong>edns-udp-size</strong></span>). </p> <p> Setting this to a low value will encourage additional TCP traffic to the nameserver. </p> </dd> -<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>masterfile-format</strong></span></span></dt> <dd> <p>Specifies the file format of zone files (see - <a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>). + <a class="xref" href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>). The default value is <code class="constant">text</code>, which is the standard textual representation, except for slave zones, in which the default value is <code class="constant">raw</code>. Files in other formats than <code class="constant">text</code> are typically expected to be generated by the - <span><strong class="command">named-compilezone</strong></span> tool, or dumped by - <span><strong class="command">named</strong></span>. + <span class="command"><strong>named-compilezone</strong></span> tool, or dumped by + <span class="command"><strong>named</strong></span>. </p> <p> Note that when a zone file in a different format than - <code class="constant">text</code> is loaded, <span><strong class="command">named</strong></span> + <code class="constant">text</code> is loaded, <span class="command"><strong>named</strong></span> may omit some of the checks which would be performed for a file in the <code class="constant">text</code> format. In particular, - <span><strong class="command">check-names</strong></span> checks do not apply + <span class="command"><strong>check-names</strong></span> checks do not apply for the <code class="constant">raw</code> format. This means a zone file in the <code class="constant">raw</code> format must be generated with the same check level as that - specified in the <span><strong class="command">named</strong></span> configuration + specified in the <span class="command"><strong>named</strong></span> configuration file. This statement sets the - <span><strong class="command">masterfile-format</strong></span> for all zones, + <span class="command"><strong>masterfile-format</strong></span> for all zones, but can be overridden on a per-zone or per-view basis - by including a <span><strong class="command">masterfile-format</strong></span> - statement within the <span><strong class="command">zone</strong></span> or - <span><strong class="command">view</strong></span> block in the configuration + by including a <span class="command"><strong>masterfile-format</strong></span> + statement within the <span class="command"><strong>zone</strong></span> or + <span class="command"><strong>view</strong></span> block in the configuration file. </p> </dd> <dt> -<a name="max-recursion-depth"></a><span class="term"><span><strong class="command">max-recursion-depth</strong></span></span> +<a name="max-recursion-depth"></a><span class="term"><span class="command"><strong>max-recursion-depth</strong></span></span> </dt> <dd><p> Sets the maximum number of levels of recursion @@ -5641,7 +5712,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; default is 7. </p></dd> <dt> -<a name="max-recursion-queries"></a><span class="term"><span><strong class="command">max-recursion-queries</strong></span></span> +<a name="max-recursion-queries"></a><span class="term"><span class="command"><strong>max-recursion-queries</strong></span></span> </dt> <dd><p> Sets the maximum number of iterative queries that @@ -5652,7 +5723,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; and the DNS root zone are exempt from this limitation. The default is 75. </p></dd> -<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify-delay</strong></span></span></dt> <dd> <p> The delay, in seconds, between sending sets of notify @@ -5660,10 +5731,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> <p> The overall rate that NOTIFY messages are sent for all - zones is controlled by <span><strong class="command">serial-query-rate</strong></span>. + zones is controlled by <span class="command"><strong>serial-query-rate</strong></span>. </p> </dd> -<dt><span class="term"><span><strong class="command">max-rsa-exponent-size</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-rsa-exponent-size</strong></span></span></dt> <dd><p> The maximum RSA exponent size, in bits, that will be accepted when validating. Valid values are 35 @@ -5672,73 +5743,73 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="builtin"></a>Built-in server information zones</h4></div></div></div> <p> The server provides some helpful diagnostic information through a number of built-in zones under the pseudo-top-level-domain <code class="literal">bind</code> in the - <span><strong class="command">CHAOS</strong></span> class. These zones are part + <span class="command"><strong>CHAOS</strong></span> class. These zones are part of a - built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of + built-in view (see <a class="xref" href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span class="command"><strong>view</strong></span> Statement Grammar”</a>) of class - <span><strong class="command">CHAOS</strong></span> which is separate from the - default view of class <span><strong class="command">IN</strong></span>. Most global - configuration options (<span><strong class="command">allow-query</strong></span>, + <span class="command"><strong>CHAOS</strong></span> which is separate from the + default view of class <span class="command"><strong>IN</strong></span>. Most global + configuration options (<span class="command"><strong>allow-query</strong></span>, etc) will apply to this view, but some are locally - overridden: <span><strong class="command">notify</strong></span>, - <span><strong class="command">recursion</strong></span> and - <span><strong class="command">allow-new-zones</strong></span> are + overridden: <span class="command"><strong>notify</strong></span>, + <span class="command"><strong>recursion</strong></span> and + <span class="command"><strong>allow-new-zones</strong></span> are always set to <strong class="userinput"><code>no</code></strong>. </p> <p> If you need to disable these zones, use the options - below, or hide the built-in <span><strong class="command">CHAOS</strong></span> + below, or hide the built-in <span class="command"><strong>CHAOS</strong></span> view by - defining an explicit view of class <span><strong class="command">CHAOS</strong></span> + defining an explicit view of class <span class="command"><strong>CHAOS</strong></span> that matches all clients. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">version</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>version</strong></span></span></dt> <dd><p> The version the server should report via a query of the name <code class="literal">version.bind</code> - with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>. + with type <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>. The default is the real version number of this server. - Specifying <span><strong class="command">version none</strong></span> + Specifying <span class="command"><strong>version none</strong></span> disables processing of the queries. </p></dd> -<dt><span class="term"><span><strong class="command">hostname</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>hostname</strong></span></span></dt> <dd><p> The hostname the server should report via a query of the name <code class="filename">hostname.bind</code> - with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>. + with type <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>. This defaults to the hostname of the machine hosting the name server as found by the gethostname() function. The primary purpose of such queries is to identify which of a group of anycast servers is actually - answering your queries. Specifying <span><strong class="command">hostname none;</strong></span> + answering your queries. Specifying <span class="command"><strong>hostname none;</strong></span> disables processing of the queries. </p></dd> -<dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>server-id</strong></span></span></dt> <dd><p> The ID the server should report when receiving a Name Server Identifier (NSID) query, or a query of the name <code class="filename">ID.SERVER</code> with type - <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>. + <span class="command"><strong>TXT</strong></span>, class <span class="command"><strong>CHAOS</strong></span>. The primary purpose of such queries is to identify which of a group of anycast servers is actually - answering your queries. Specifying <span><strong class="command">server-id none;</strong></span> + answering your queries. Specifying <span class="command"><strong>server-id none;</strong></span> disables processing of the queries. - Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to + Specifying <span class="command"><strong>server-id hostname;</strong></span> will cause <span class="command"><strong>named</strong></span> to use the hostname as found by the gethostname() function. - The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>. + The default <span class="command"><strong>server-id</strong></span> is <span class="command"><strong>none</strong></span>. </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="empty"></a>Built-in Empty Zones</h4></div></div></div> <p> @@ -5761,104 +5832,104 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <p> The current list of empty zones is: </p> -<div class="itemizedlist"><ul type="disc"> -<li>10.IN-ADDR.ARPA</li> -<li>16.172.IN-ADDR.ARPA</li> -<li>17.172.IN-ADDR.ARPA</li> -<li>18.172.IN-ADDR.ARPA</li> -<li>19.172.IN-ADDR.ARPA</li> -<li>20.172.IN-ADDR.ARPA</li> -<li>21.172.IN-ADDR.ARPA</li> -<li>22.172.IN-ADDR.ARPA</li> -<li>23.172.IN-ADDR.ARPA</li> -<li>24.172.IN-ADDR.ARPA</li> -<li>25.172.IN-ADDR.ARPA</li> -<li>26.172.IN-ADDR.ARPA</li> -<li>27.172.IN-ADDR.ARPA</li> -<li>28.172.IN-ADDR.ARPA</li> -<li>29.172.IN-ADDR.ARPA</li> -<li>30.172.IN-ADDR.ARPA</li> -<li>31.172.IN-ADDR.ARPA</li> -<li>168.192.IN-ADDR.ARPA</li> -<li>64.100.IN-ADDR.ARPA</li> -<li>65.100.IN-ADDR.ARPA</li> -<li>66.100.IN-ADDR.ARPA</li> -<li>67.100.IN-ADDR.ARPA</li> -<li>68.100.IN-ADDR.ARPA</li> -<li>69.100.IN-ADDR.ARPA</li> -<li>70.100.IN-ADDR.ARPA</li> -<li>71.100.IN-ADDR.ARPA</li> -<li>72.100.IN-ADDR.ARPA</li> -<li>73.100.IN-ADDR.ARPA</li> -<li>74.100.IN-ADDR.ARPA</li> -<li>75.100.IN-ADDR.ARPA</li> -<li>76.100.IN-ADDR.ARPA</li> -<li>77.100.IN-ADDR.ARPA</li> -<li>78.100.IN-ADDR.ARPA</li> -<li>79.100.IN-ADDR.ARPA</li> -<li>80.100.IN-ADDR.ARPA</li> -<li>81.100.IN-ADDR.ARPA</li> -<li>82.100.IN-ADDR.ARPA</li> -<li>83.100.IN-ADDR.ARPA</li> -<li>84.100.IN-ADDR.ARPA</li> -<li>85.100.IN-ADDR.ARPA</li> -<li>86.100.IN-ADDR.ARPA</li> -<li>87.100.IN-ADDR.ARPA</li> -<li>88.100.IN-ADDR.ARPA</li> -<li>89.100.IN-ADDR.ARPA</li> -<li>90.100.IN-ADDR.ARPA</li> -<li>91.100.IN-ADDR.ARPA</li> -<li>92.100.IN-ADDR.ARPA</li> -<li>93.100.IN-ADDR.ARPA</li> -<li>94.100.IN-ADDR.ARPA</li> -<li>95.100.IN-ADDR.ARPA</li> -<li>96.100.IN-ADDR.ARPA</li> -<li>97.100.IN-ADDR.ARPA</li> -<li>98.100.IN-ADDR.ARPA</li> -<li>99.100.IN-ADDR.ARPA</li> -<li>100.100.IN-ADDR.ARPA</li> -<li>101.100.IN-ADDR.ARPA</li> -<li>102.100.IN-ADDR.ARPA</li> -<li>103.100.IN-ADDR.ARPA</li> -<li>104.100.IN-ADDR.ARPA</li> -<li>105.100.IN-ADDR.ARPA</li> -<li>106.100.IN-ADDR.ARPA</li> -<li>107.100.IN-ADDR.ARPA</li> -<li>108.100.IN-ADDR.ARPA</li> -<li>109.100.IN-ADDR.ARPA</li> -<li>110.100.IN-ADDR.ARPA</li> -<li>111.100.IN-ADDR.ARPA</li> -<li>112.100.IN-ADDR.ARPA</li> -<li>113.100.IN-ADDR.ARPA</li> -<li>114.100.IN-ADDR.ARPA</li> -<li>115.100.IN-ADDR.ARPA</li> -<li>116.100.IN-ADDR.ARPA</li> -<li>117.100.IN-ADDR.ARPA</li> -<li>118.100.IN-ADDR.ARPA</li> -<li>119.100.IN-ADDR.ARPA</li> -<li>120.100.IN-ADDR.ARPA</li> -<li>121.100.IN-ADDR.ARPA</li> -<li>122.100.IN-ADDR.ARPA</li> -<li>123.100.IN-ADDR.ARPA</li> -<li>124.100.IN-ADDR.ARPA</li> -<li>125.100.IN-ADDR.ARPA</li> -<li>126.100.IN-ADDR.ARPA</li> -<li>127.100.IN-ADDR.ARPA</li> -<li>0.IN-ADDR.ARPA</li> -<li>127.IN-ADDR.ARPA</li> -<li>254.169.IN-ADDR.ARPA</li> -<li>2.0.192.IN-ADDR.ARPA</li> -<li>100.51.198.IN-ADDR.ARPA</li> -<li>113.0.203.IN-ADDR.ARPA</li> -<li>255.255.255.255.IN-ADDR.ARPA</li> -<li>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li> -<li>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li> -<li>8.B.D.0.1.0.0.2.IP6.ARPA</li> -<li>D.F.IP6.ARPA</li> -<li>8.E.F.IP6.ARPA</li> -<li>9.E.F.IP6.ARPA</li> -<li>A.E.F.IP6.ARPA</li> -<li>B.E.F.IP6.ARPA</li> +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem">10.IN-ADDR.ARPA</li> +<li class="listitem">16.172.IN-ADDR.ARPA</li> +<li class="listitem">17.172.IN-ADDR.ARPA</li> +<li class="listitem">18.172.IN-ADDR.ARPA</li> +<li class="listitem">19.172.IN-ADDR.ARPA</li> +<li class="listitem">20.172.IN-ADDR.ARPA</li> +<li class="listitem">21.172.IN-ADDR.ARPA</li> +<li class="listitem">22.172.IN-ADDR.ARPA</li> +<li class="listitem">23.172.IN-ADDR.ARPA</li> +<li class="listitem">24.172.IN-ADDR.ARPA</li> +<li class="listitem">25.172.IN-ADDR.ARPA</li> +<li class="listitem">26.172.IN-ADDR.ARPA</li> +<li class="listitem">27.172.IN-ADDR.ARPA</li> +<li class="listitem">28.172.IN-ADDR.ARPA</li> +<li class="listitem">29.172.IN-ADDR.ARPA</li> +<li class="listitem">30.172.IN-ADDR.ARPA</li> +<li class="listitem">31.172.IN-ADDR.ARPA</li> +<li class="listitem">168.192.IN-ADDR.ARPA</li> +<li class="listitem">64.100.IN-ADDR.ARPA</li> +<li class="listitem">65.100.IN-ADDR.ARPA</li> +<li class="listitem">66.100.IN-ADDR.ARPA</li> +<li class="listitem">67.100.IN-ADDR.ARPA</li> +<li class="listitem">68.100.IN-ADDR.ARPA</li> +<li class="listitem">69.100.IN-ADDR.ARPA</li> +<li class="listitem">70.100.IN-ADDR.ARPA</li> +<li class="listitem">71.100.IN-ADDR.ARPA</li> +<li class="listitem">72.100.IN-ADDR.ARPA</li> +<li class="listitem">73.100.IN-ADDR.ARPA</li> +<li class="listitem">74.100.IN-ADDR.ARPA</li> +<li class="listitem">75.100.IN-ADDR.ARPA</li> +<li class="listitem">76.100.IN-ADDR.ARPA</li> +<li class="listitem">77.100.IN-ADDR.ARPA</li> +<li class="listitem">78.100.IN-ADDR.ARPA</li> +<li class="listitem">79.100.IN-ADDR.ARPA</li> +<li class="listitem">80.100.IN-ADDR.ARPA</li> +<li class="listitem">81.100.IN-ADDR.ARPA</li> +<li class="listitem">82.100.IN-ADDR.ARPA</li> +<li class="listitem">83.100.IN-ADDR.ARPA</li> +<li class="listitem">84.100.IN-ADDR.ARPA</li> +<li class="listitem">85.100.IN-ADDR.ARPA</li> +<li class="listitem">86.100.IN-ADDR.ARPA</li> +<li class="listitem">87.100.IN-ADDR.ARPA</li> +<li class="listitem">88.100.IN-ADDR.ARPA</li> +<li class="listitem">89.100.IN-ADDR.ARPA</li> +<li class="listitem">90.100.IN-ADDR.ARPA</li> +<li class="listitem">91.100.IN-ADDR.ARPA</li> +<li class="listitem">92.100.IN-ADDR.ARPA</li> +<li class="listitem">93.100.IN-ADDR.ARPA</li> +<li class="listitem">94.100.IN-ADDR.ARPA</li> +<li class="listitem">95.100.IN-ADDR.ARPA</li> +<li class="listitem">96.100.IN-ADDR.ARPA</li> +<li class="listitem">97.100.IN-ADDR.ARPA</li> +<li class="listitem">98.100.IN-ADDR.ARPA</li> +<li class="listitem">99.100.IN-ADDR.ARPA</li> +<li class="listitem">100.100.IN-ADDR.ARPA</li> +<li class="listitem">101.100.IN-ADDR.ARPA</li> +<li class="listitem">102.100.IN-ADDR.ARPA</li> +<li class="listitem">103.100.IN-ADDR.ARPA</li> +<li class="listitem">104.100.IN-ADDR.ARPA</li> +<li class="listitem">105.100.IN-ADDR.ARPA</li> +<li class="listitem">106.100.IN-ADDR.ARPA</li> +<li class="listitem">107.100.IN-ADDR.ARPA</li> +<li class="listitem">108.100.IN-ADDR.ARPA</li> +<li class="listitem">109.100.IN-ADDR.ARPA</li> +<li class="listitem">110.100.IN-ADDR.ARPA</li> +<li class="listitem">111.100.IN-ADDR.ARPA</li> +<li class="listitem">112.100.IN-ADDR.ARPA</li> +<li class="listitem">113.100.IN-ADDR.ARPA</li> +<li class="listitem">114.100.IN-ADDR.ARPA</li> +<li class="listitem">115.100.IN-ADDR.ARPA</li> +<li class="listitem">116.100.IN-ADDR.ARPA</li> +<li class="listitem">117.100.IN-ADDR.ARPA</li> +<li class="listitem">118.100.IN-ADDR.ARPA</li> +<li class="listitem">119.100.IN-ADDR.ARPA</li> +<li class="listitem">120.100.IN-ADDR.ARPA</li> +<li class="listitem">121.100.IN-ADDR.ARPA</li> +<li class="listitem">122.100.IN-ADDR.ARPA</li> +<li class="listitem">123.100.IN-ADDR.ARPA</li> +<li class="listitem">124.100.IN-ADDR.ARPA</li> +<li class="listitem">125.100.IN-ADDR.ARPA</li> +<li class="listitem">126.100.IN-ADDR.ARPA</li> +<li class="listitem">127.100.IN-ADDR.ARPA</li> +<li class="listitem">0.IN-ADDR.ARPA</li> +<li class="listitem">127.IN-ADDR.ARPA</li> +<li class="listitem">254.169.IN-ADDR.ARPA</li> +<li class="listitem">2.0.192.IN-ADDR.ARPA</li> +<li class="listitem">100.51.198.IN-ADDR.ARPA</li> +<li class="listitem">113.0.203.IN-ADDR.ARPA</li> +<li class="listitem">255.255.255.255.IN-ADDR.ARPA</li> +<li class="listitem">0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li> +<li class="listitem">1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li> +<li class="listitem">8.B.D.0.1.0.0.2.IP6.ARPA</li> +<li class="listitem">D.F.IP6.ARPA</li> +<li class="listitem">8.E.F.IP6.ARPA</li> +<li class="listitem">9.E.F.IP6.ARPA</li> +<li class="listitem">A.E.F.IP6.ARPA</li> +<li class="listitem">B.E.F.IP6.ARPA</li> </ul></div> <p> </p> @@ -5885,46 +5956,48 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> +<p> The real parent servers for these zones should disable all empty zone under the parent zone they serve. For the real root servers, this is all built-in empty zones. This will enable them to return referrals to deeper in the tree. - </div> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">empty-server</strong></span></span></dt> + </p> +</div> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>empty-server</strong></span></span></dt> <dd><p> Specify what server name will appear in the returned SOA record for empty zones. If none is specified, then the zone's name will be used. </p></dd> -<dt><span class="term"><span><strong class="command">empty-contact</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>empty-contact</strong></span></span></dt> <dd><p> Specify what contact name will appear in the returned SOA record for empty zones. If none is specified, then "." will be used. </p></dd> -<dt><span class="term"><span><strong class="command">empty-zones-enable</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>empty-zones-enable</strong></span></span></dt> <dd><p> Enable or disable all empty zones. By default, they are enabled. </p></dd> -<dt><span class="term"><span><strong class="command">disable-empty-zone</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>disable-empty-zone</strong></span></span></dt> <dd><p> Disable individual empty zones. By default, none are disabled. This option can be specified multiple times. </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="acache"></a>Additional Section Caching</h4></div></div></div> <p> - The additional section cache, also called <span><strong class="command">acache</strong></span>, + The additional section cache, also called <span class="command"><strong>acache</strong></span>, is an internal cache to improve the response performance of BIND 9. When additional section caching is enabled, BIND 9 will cache an internal short-cut to the additional section content for each answer RR. - Note that <span><strong class="command">acache</strong></span> is an internal caching + Note that <span class="command"><strong>acache</strong></span> is an internal caching mechanism of BIND 9, and is not related to the DNS caching server function. </p> @@ -5939,35 +6012,35 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; <p> In order to obtain the maximum performance improvement from additional section caching, setting - <span><strong class="command">additional-from-cache</strong></span> - to <span><strong class="command">no</strong></span> is recommended, since the current - implementation of <span><strong class="command">acache</strong></span> + <span class="command"><strong>additional-from-cache</strong></span> + to <span class="command"><strong>no</strong></span> is recommended, since the current + implementation of <span class="command"><strong>acache</strong></span> does not short-cut of additional section information from the DNS cache data. </p> <p> - One obvious disadvantage of <span><strong class="command">acache</strong></span> is + One obvious disadvantage of <span class="command"><strong>acache</strong></span> is that it requires much more memory for the internal cached data. Thus, if the response performance does not matter and memory consumption is much more critical, the - <span><strong class="command">acache</strong></span> mechanism can be - disabled by setting <span><strong class="command">acache-enable</strong></span> to - <span><strong class="command">no</strong></span>. + <span class="command"><strong>acache</strong></span> mechanism can be + disabled by setting <span class="command"><strong>acache-enable</strong></span> to + <span class="command"><strong>no</strong></span>. It is also possible to specify the upper limit of memory consumption - for acache by using <span><strong class="command">max-acache-size</strong></span>. + for acache by using <span class="command"><strong>max-acache-size</strong></span>. </p> <p> Additional section caching also has a minor effect on the RRset ordering in the additional section. - Without <span><strong class="command">acache</strong></span>, - <span><strong class="command">cyclic</strong></span> order is effective for the additional + Without <span class="command"><strong>acache</strong></span>, + <span class="command"><strong>cyclic</strong></span> order is effective for the additional section as well as the answer and authority sections. However, additional section caching fixes the ordering when it first caches an RRset for the additional section, and the same ordering will be kept in succeeding responses, regardless of the - setting of <span><strong class="command">rrset-order</strong></span>. + setting of <span class="command"><strong>rrset-order</strong></span>. The effect of this should be minor, however, since an RRset in the additional section typically only contains a small number of RRs (and in many cases @@ -5976,23 +6049,23 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> <p> The following is a summary of options related to - <span><strong class="command">acache</strong></span>. + <span class="command"><strong>acache</strong></span>. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">acache-enable</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>acache-enable</strong></span></span></dt> <dd><p> - If <span><strong class="command">yes</strong></span>, additional section caching is - enabled. The default value is <span><strong class="command">no</strong></span>. + If <span class="command"><strong>yes</strong></span>, additional section caching is + enabled. The default value is <span class="command"><strong>no</strong></span>. </p></dd> -<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>acache-cleaning-interval</strong></span></span></dt> <dd><p> The server will remove stale cache entries, based on an LRU based - algorithm, every <span><strong class="command">acache-cleaning-interval</strong></span> minutes. + algorithm, every <span class="command"><strong>acache-cleaning-interval</strong></span> minutes. The default is 60 minutes. If set to 0, no periodic cleaning will occur. </p></dd> -<dt><span class="term"><span><strong class="command">max-acache-size</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-acache-size</strong></span></span></dt> <dd><p> The maximum amount of memory in bytes to use for the server's acache. When the amount of data in the acache reaches this limit, @@ -6006,9 +6079,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2588923"></a>Content Filtering</h4></div></div></div> +<a name="content_filtering"></a>Content Filtering</h4></div></div></div> <p> <acronym class="acronym">BIND</acronym> 9 provides the ability to filter out DNS responses from external DNS servers containing @@ -6016,23 +6089,23 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; Specifically, it can reject address (A or AAAA) records if the corresponding IPv4 or IPv6 addresses match the given <code class="varname">address_match_list</code> of the - <span><strong class="command">deny-answer-addresses</strong></span> option. + <span class="command"><strong>deny-answer-addresses</strong></span> option. It can also reject CNAME or DNAME records if the "alias" name (i.e., the CNAME alias or the substituted query name due to DNAME) matches the given <code class="varname">namelist</code> of the - <span><strong class="command">deny-answer-aliases</strong></span> option, where + <span class="command"><strong>deny-answer-aliases</strong></span> option, where "match" means the alias name is a subdomain of one of the <code class="varname">name_list</code> elements. If the optional <code class="varname">namelist</code> is specified - with <span><strong class="command">except-from</strong></span>, records whose query name + with <span class="command"><strong>except-from</strong></span>, records whose query name matches the list will be accepted regardless of the filter setting. Likewise, if the alias name is a subdomain of the - corresponding zone, the <span><strong class="command">deny-answer-aliases</strong></span> + corresponding zone, the <span class="command"><strong>deny-answer-aliases</strong></span> filter will not apply; for example, even if "example.com" is specified for - <span><strong class="command">deny-answer-aliases</strong></span>, + <span class="command"><strong>deny-answer-aliases</strong></span>, </p> <pre class="programlisting">www.example.com. CNAME xxx.example.com.</pre> <p> @@ -6040,7 +6113,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; </p> <p> In the <code class="varname">address_match_list</code> of the - <span><strong class="command">deny-answer-addresses</strong></span> option, only + <span class="command"><strong>deny-answer-addresses</strong></span> option, only <code class="varname">ip_addr</code> and <code class="varname">ip_prefix</code> are meaningful; @@ -6061,7 +6134,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; to get access to an internal node of your local network that couldn't be externally accessed otherwise. See the paper available at - <a href="http://portal.acm.org/citation.cfm?id=1315245.1315298" target="_top"> + <a class="link" href="http://portal.acm.org/citation.cfm?id=1315245.1315298" target="_top"> http://portal.acm.org/citation.cfm?id=1315245.1315298 </a> for more details about the attacks. @@ -6095,7 +6168,7 @@ deny-answer-aliases { "example.net"; }; <pre class="programlisting">www.example.net. A 192.0.2.2</pre> <p> it will be accepted since the owner name "www.example.net" - matches the <span><strong class="command">except-from</strong></span> element, + matches the <span class="command"><strong>except-from</strong></span> element, "example.net". </p> <p> @@ -6129,9 +6202,9 @@ deny-answer-aliases { "example.net"; }; spuriously can break such applications. </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2589049"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div> +<a name="rpz"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div> <p> <acronym class="acronym">BIND</acronym> 9 includes a limited mechanism to modify DNS responses for requests @@ -6142,12 +6215,12 @@ deny-answer-aliases { "example.net"; }; </p> <p> Response policy zones are named in the - <span><strong class="command">response-policy</strong></span> option for the view or among the + <span class="command"><strong>response-policy</strong></span> option for the view or among the global options if there is no response-policy option for the view. RPZs are ordinary DNS zones containing RRsets that can be queried normally if allowed. It is usually best to restrict those queries with something like - <span><strong class="command">allow-query { localhost; };</strong></span>. + <span class="command"><strong>allow-query { localhost; };</strong></span>. </p> <p> Four policy triggers are encoded in RPZ records, QNAME, IP, NSIP, @@ -6193,8 +6266,8 @@ deny-answer-aliases { "example.net"; }; NSIP triggers are encoded like IP triggers except as subdomains of <strong class="userinput"><code>rpz-nsip</code></strong>. NSDNAME and NSIP triggers are checked only for names with at - least <span><strong class="command">min-ns-dots</strong></span> dots. - The default value of <span><strong class="command">min-ns-dots</strong></span> is 1 to + least <span class="command"><strong>min-ns-dots</strong></span> dots. + The default value of <span class="command"><strong>min-ns-dots</strong></span> is 1 to exclude top level domains. </p> <p> @@ -6202,24 +6275,24 @@ deny-answer-aliases { "example.net"; }; two or more policy records can be triggered by a response. Because DNS responses can be rewritten according to at most one policy record, a single record encoding an action (other than - <span><strong class="command">DISABLED</strong></span> actions) must be chosen. + <span class="command"><strong>DISABLED</strong></span> actions) must be chosen. Triggers or the records that encode them are chosen in the following order: </p> -<div class="itemizedlist"><ul type="disc"> -<li>Choose the triggered record in the zone that appears +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem">Choose the triggered record in the zone that appears first in the response-policy option. </li> -<li>Prefer QNAME to IP to NSDNAME to NSIP triggers +<li class="listitem">Prefer QNAME to IP to NSDNAME to NSIP triggers in a single zone. </li> -<li>Among NSDNAME triggers, prefer the +<li class="listitem">Among NSDNAME triggers, prefer the trigger that matches the smallest name under the DNSSEC ordering. </li> -<li>Among IP or NSIP triggers, prefer the trigger +<li class="listitem">Among IP or NSIP triggers, prefer the trigger with the longest prefix. </li> -<li>Among triggers with the same prefix length, +<li class="listitem">Among triggers with the same prefix length, prefer the IP or NSIP trigger that matches the smallest IP address. </li> @@ -6237,15 +6310,15 @@ deny-answer-aliases { "example.net"; }; RPZ record sets are sets of any types of DNS record except DNAME or DNSSEC that encode actions or responses to queries. </p> -<div class="itemizedlist"><ul type="disc"> -<li>The <span><strong class="command">NXDOMAIN</strong></span> response is encoded +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem">The <span class="command"><strong>NXDOMAIN</strong></span> response is encoded by a CNAME whose target is the root domain (.) </li> -<li>A CNAME whose target is the wildcard top-level - domain (*.) specifies the <span><strong class="command">NODATA</strong></span> action, +<li class="listitem">A CNAME whose target is the wildcard top-level + domain (*.) specifies the <span class="command"><strong>NODATA</strong></span> action, which rewrites the response to NODATA or ANCOUNT=1. </li> -<li>The <span><strong class="command">Local Data</strong></span> action is +<li class="listitem">The <span class="command"><strong>Local Data</strong></span> action is represented by a set ordinary DNS records that are used to answer queries. Queries for record types not the set are answered with NODATA. @@ -6257,8 +6330,8 @@ deny-answer-aliases { "example.net"; }; The purpose for this special form is query logging in the walled garden's authority DNS server. </li> -<li>The <span><strong class="command">PASSTHRU</strong></span> policy is specified - by a CNAME whose target is <span><strong class="command">rpz-passthru.</strong></span> +<li class="listitem">The <span class="command"><strong>PASSTHRU</strong></span> policy is specified + by a CNAME whose target is <span class="command"><strong>rpz-passthru.</strong></span> It causes the response to not be rewritten and is most often used to "poke holes" in policies for CIDR blocks. @@ -6270,18 +6343,18 @@ deny-answer-aliases { "example.net"; }; </p> <p> The actions specified in an RPZ can be overridden with a - <span><strong class="command">policy</strong></span> clause in the - <span><strong class="command">response-policy</strong></span> option. + <span class="command"><strong>policy</strong></span> clause in the + <span class="command"><strong>response-policy</strong></span> option. An organization using an RPZ provided by another organization might use this mechanism to redirect domains to its own walled garden. </p> -<div class="itemizedlist"><ul type="disc"> -<li> -<span><strong class="command">GIVEN</strong></span> says "do not override but +<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> +<li class="listitem"> +<span class="command"><strong>GIVEN</strong></span> says "do not override but perform the action specified in the zone." </li> -<li> -<span><strong class="command">DISABLED</strong></span> causes policy records to do +<li class="listitem"> +<span class="command"><strong>DISABLED</strong></span> causes policy records to do nothing but log what they might have done. The response to the DNS query will be written according to any triggered policy records that are not disabled. @@ -6289,22 +6362,22 @@ deny-answer-aliases { "example.net"; }; because they will often not be logged if a higher precedence trigger is found first. </li> -<li> -<span><strong class="command">PASSTHRU</strong></span> causes all policy records +<li class="listitem"> +<span class="command"><strong>PASSTHRU</strong></span> causes all policy records to act as if they were CNAME records with targets the variable part of their owner name. They protect the response from being changed. </li> -<li> -<span><strong class="command">NXDOMAIN</strong></span> causes all RPZ records +<li class="listitem"> +<span class="command"><strong>NXDOMAIN</strong></span> causes all RPZ records to specify NXDOMAIN policies. </li> -<li> -<span><strong class="command">NODATA</strong></span> overrides with the +<li class="listitem"> +<span class="command"><strong>NODATA</strong></span> overrides with the NODATA policy </li> -<li> -<span><strong class="command">CNAME domain</strong></span> causes all RPZ +<li class="listitem"> +<span class="command"><strong>CNAME domain</strong></span> causes all RPZ policy records to act as if they were "cname domain" records. </li> </ul></div> @@ -6314,7 +6387,7 @@ deny-answer-aliases { "example.net"; }; By default, the actions encoded in an RPZ are applied only to queries that ask for recursion (RD=1). That default can be changed for a single RPZ or all RPZs in a view - with a <span><strong class="command">recursive-only no</strong></span> clause. + with a <span class="command"><strong>recursive-only no</strong></span> clause. This feature is useful for serving the same zone files both inside and outside an RFC 1918 cloud and using RPZ to delete answers that would otherwise contain RFC 1918 values @@ -6326,7 +6399,7 @@ deny-answer-aliases { "example.net"; }; records are available for request name in the original zone (not the response policy zone). This default can be changed for all RPZs in a view with a - <span><strong class="command">break-dnssec yes</strong></span> clause. + <span class="command"><strong>break-dnssec yes</strong></span> clause. In that case, RPZ actions are applied regardless of DNSSEC. The name of the clause option reflects the fact that results rewritten by RPZ actions cannot verify. @@ -6335,7 +6408,7 @@ deny-answer-aliases { "example.net"; }; The TTL of a record modified by RPZ policies is set from the TTL of the relevant record in policy zone. It is then limited to a maximum value. - The <span><strong class="command">max-policy-ttl</strong></span> clause changes that + The <span class="command"><strong>max-policy-ttl</strong></span> clause changes that maximum from its default of 5. </p> <p> @@ -6393,12 +6466,12 @@ ns.domain.com.rpz-nsdname CNAME . </p> <p> Responses rewritten by RPZ are counted in the - <span><strong class="command">RPZRewrites</strong></span> statistics. + <span class="command"><strong>RPZRewrites</strong></span> statistics. </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2589479"></a>Response Rate Limiting</h4></div></div></div> +<a name="rrl"></a>Response Rate Limiting</h4></div></div></div> <p> This feature is only available when <acronym class="acronym">BIND</acronym> 9 is compiled with the <strong class="userinput"><code>--enable-rrl</code></strong> @@ -6407,8 +6480,8 @@ ns.domain.com.rpz-nsdname CNAME . <p> Excessive almost identical UDP <span class="emphasis"><em>responses</em></span> can be controlled by configuring a - <span><strong class="command">rate-limit</strong></span> clause in an - <span><strong class="command">options</strong></span> or <span><strong class="command">view</strong></span> statement. + <span class="command"><strong>rate-limit</strong></span> clause in an + <span class="command"><strong>options</strong></span> or <span class="command"><strong>view</strong></span> statement. This mechanism keeps authoritative BIND 9 from being used in amplifying reflection denial of service (DoS) attacks. Short truncated (TC=1) responses can be sent to provide @@ -6435,11 +6508,11 @@ ns.domain.com.rpz-nsdname CNAME . while the account is negative. Responses are tracked within a rolling window of time which defaults to 15 seconds, but can be configured with - the <span><strong class="command">window</strong></span> option to any value from + the <span class="command"><strong>window</strong></span> option to any value from 1 to 3600 seconds (1 hour). The account cannot become more positive than the per-second limit - or more negative than <span><strong class="command">window</strong></span> + or more negative than <span class="command"><strong>window</strong></span> times the per-second limit. When the specified number of credits for a class of responses is set to 0, those responses are not rate limited. @@ -6450,32 +6523,32 @@ ns.domain.com.rpz-nsdname CNAME . All responses to an address block are counted as if to a single client. The prefix lengths of addresses blocks are - specified with <span><strong class="command">ipv4-prefix-length</strong></span> (default 24) - and <span><strong class="command">ipv6-prefix-length</strong></span> (default 56). + specified with <span class="command"><strong>ipv4-prefix-length</strong></span> (default 24) + and <span class="command"><strong>ipv6-prefix-length</strong></span> (default 56). </p> <p> All non-empty responses for a valid domain name (qname) and record type (qtype) are identical and have a limit specified - with <span><strong class="command">responses-per-second</strong></span> + with <span class="command"><strong>responses-per-second</strong></span> (default 0 or no limit). All empty (NODATA) responses for a valid domain, regardless of query type, are identical. Responses in the NODATA class are limited by - <span><strong class="command">nodata-per-second</strong></span> - (default <span><strong class="command">responses-per-second</strong></span>). + <span class="command"><strong>nodata-per-second</strong></span> + (default <span class="command"><strong>responses-per-second</strong></span>). Requests for any and all undefined subdomains of a given valid domain result in NXDOMAIN errors, and are identical regardless of query type. - They are limited by <span><strong class="command">nxdomain-per-second</strong></span> - (default <span><strong class="command">responses-per-second</strong></span>). + They are limited by <span class="command"><strong>nxdomain-per-second</strong></span> + (default <span class="command"><strong>responses-per-second</strong></span>). This controls some attacks using random names, but can be relaxed or turned off (set to 0) on servers that expect many legitimate NXDOMAIN responses, such as from anti-spam blacklists. Referrals or delegations to the server of a given domain are identical and are limited by - <span><strong class="command">referrals-per-second</strong></span> - (default <span><strong class="command">responses-per-second</strong></span>). + <span class="command"><strong>referrals-per-second</strong></span> + (default <span class="command"><strong>responses-per-second</strong></span>). </p> <p> Responses generated from local wildcards are counted and limited @@ -6489,9 +6562,9 @@ ns.domain.com.rpz-nsdname CNAME . This controls attacks using invalid requests or distant, broken authoritative servers. By default the limit on errors is the same as the - <span><strong class="command">responses-per-second</strong></span> value, + <span class="command"><strong>responses-per-second</strong></span> value, but it can be set separately with - <span><strong class="command">errors-per-second</strong></span>. + <span class="command"><strong>errors-per-second</strong></span>. </p> <p> Many attacks using DNS involve UDP requests with forged source @@ -6501,13 +6574,13 @@ ns.domain.com.rpz-nsdname CNAME . but could let a third party block responses to legitimate requests. There is a mechanism that can answer some legitimate requests from a client whose address is being forged in a flood. - Setting <span><strong class="command">slip</strong></span> to 2 (its default) causes every + Setting <span class="command"><strong>slip</strong></span> to 2 (its default) causes every other UDP request to be answered with a small truncated (TC=1) response. The small size and reduced frequency, and so lack of amplification, of "slipped" responses make them unattractive for reflection DoS attacks. - <span><strong class="command">slip</strong></span> must be between 0 and 10. + <span class="command"><strong>slip</strong></span> must be between 0 and 10. A value of 0 does not "slip": no truncated responses are sent due to rate limiting, all responses are dropped. @@ -6515,7 +6588,7 @@ ns.domain.com.rpz-nsdname CNAME . values between 2 and 10 cause every n'th response to slip. Some error responses including REFUSED and SERVFAIL cannot be replaced with truncated responses and are instead - leaked at the <span><strong class="command">slip</strong></span> rate. + leaked at the <span class="command"><strong>slip</strong></span> rate. </p> <p> (NOTE: Dropped responses from an authoritative server may @@ -6526,21 +6599,21 @@ ns.domain.com.rpz-nsdname CNAME . to validate the responses. When this is not an option, operators who are more concerned with response integrity than with flood mitigation may consider setting - <span><strong class="command">slip</strong></span> to 1, causing all rate-limited + <span class="command"><strong>slip</strong></span> to 1, causing all rate-limited responses to be truncated rather than dropped. This reduces the effectiveness of rate-limiting against reflection attacks.) </p> <p> When the approximate query per second rate exceeds - the <span><strong class="command">qps-scale</strong></span> value, - then the <span><strong class="command">responses-per-second</strong></span>, - <span><strong class="command">errors-per-second</strong></span>, - <span><strong class="command">nxdomains-per-second</strong></span> and - <span><strong class="command">all-per-second</strong></span> values are reduced by the - ratio of the current rate to the <span><strong class="command">qps-scale</strong></span> value. + the <span class="command"><strong>qps-scale</strong></span> value, + then the <span class="command"><strong>responses-per-second</strong></span>, + <span class="command"><strong>errors-per-second</strong></span>, + <span class="command"><strong>nxdomains-per-second</strong></span> and + <span class="command"><strong>all-per-second</strong></span> values are reduced by the + ratio of the current rate to the <span class="command"><strong>qps-scale</strong></span> value. This feature can tighten defenses during attacks. For example, with - <span><strong class="command">qps-scale 250; responses-per-second 20;</strong></span> and + <span class="command"><strong>qps-scale 250; responses-per-second 20;</strong></span> and a total query rate of 1000 queries/second for all queries from all DNS clients including via TCP, then the effective responses/second limit changes to @@ -6551,30 +6624,30 @@ ns.domain.com.rpz-nsdname CNAME . <p> Communities of DNS clients can be given their own parameters or no rate limiting by putting - <span><strong class="command">rate-limit</strong></span> statements in <span><strong class="command">view</strong></span> - statements instead of the global <span><strong class="command">option</strong></span> + <span class="command"><strong>rate-limit</strong></span> statements in <span class="command"><strong>view</strong></span> + statements instead of the global <span class="command"><strong>option</strong></span> statement. - A <span><strong class="command">rate-limit</strong></span> statement in a view replaces, - rather than supplementing, a <span><strong class="command">rate-limit</strong></span> + A <span class="command"><strong>rate-limit</strong></span> statement in a view replaces, + rather than supplementing, a <span class="command"><strong>rate-limit</strong></span> statement among the main options. DNS clients within a view can be exempted from rate limits - with the <span><strong class="command">exempt-clients</strong></span> clause. + with the <span class="command"><strong>exempt-clients</strong></span> clause. </p> <p> UDP responses of all kinds can be limited with the - <span><strong class="command">all-per-second</strong></span> phrase. + <span class="command"><strong>all-per-second</strong></span> phrase. This rate limiting is unlike the rate limiting provided by - <span><strong class="command">responses-per-second</strong></span>, - <span><strong class="command">errors-per-second</strong></span>, and - <span><strong class="command">nxdomains-per-second</strong></span> on a DNS server + <span class="command"><strong>responses-per-second</strong></span>, + <span class="command"><strong>errors-per-second</strong></span>, and + <span class="command"><strong>nxdomains-per-second</strong></span> on a DNS server which are often invisible to the victim of a DNS reflection attack. Unless the forged requests of the attack are the same as the legitimate requests of the victim, the victim's requests are not affected. - Responses affected by an <span><strong class="command">all-per-second</strong></span> limit - are always dropped; the <span><strong class="command">slip</strong></span> value has no + Responses affected by an <span class="command"><strong>all-per-second</strong></span> limit + are always dropped; the <span class="command"><strong>slip</strong></span> value has no effect. - An <span><strong class="command">all-per-second</strong></span> limit should be + An <span class="command"><strong>all-per-second</strong></span> limit should be at least 4 times as large as the other limits, because single DNS clients often send bursts of legitimate requests. @@ -6582,11 +6655,11 @@ ns.domain.com.rpz-nsdname CNAME . requests from an SMTP server for NS, PTR, A, and AAAA records as the incoming SMTP/TCP/IP connection is considered. The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF - records as it considers the STMP <span><strong class="command">Mail From</strong></span> + records as it considers the STMP <span class="command"><strong>Mail From</strong></span> command. Web browsers often repeatedly resolve the same names that are repeated in HTML <IMG> tags in a page. - <span><strong class="command">All-per-second</strong></span> is similar to the + <span class="command"><strong>All-per-second</strong></span> is similar to the rate limiting offered by firewalls but often inferior. Attacks that justify ignoring the contents of DNS responses are likely to be attacks on the @@ -6598,35 +6671,35 @@ ns.domain.com.rpz-nsdname CNAME . </p> <p> The maximum size of the table used to track requests and - rate limit responses is set with <span><strong class="command">max-table-size</strong></span>. + rate limit responses is set with <span class="command"><strong>max-table-size</strong></span>. Each entry in the table is between 40 and 80 bytes. The table needs approximately as many entries as the number of requests received per second. The default is 20,000. To reduce the cold start of growing the table, - <span><strong class="command">min-table-size</strong></span> (default 500) + <span class="command"><strong>min-table-size</strong></span> (default 500) can set the minimum table size. - Enable <span><strong class="command">rate-limit</strong></span> category logging to monitor + Enable <span class="command"><strong>rate-limit</strong></span> category logging to monitor expansions of the table and inform choices for the initial and maximum table size. </p> <p> - Use <span><strong class="command">log-only yes</strong></span> to test rate limiting parameters + Use <span class="command"><strong>log-only yes</strong></span> to test rate limiting parameters without actually dropping any requests. </p> <p> Responses dropped by rate limits are included in the - <span><strong class="command">RateDropped</strong></span> and <span><strong class="command">QryDropped</strong></span> + <span class="command"><strong>RateDropped</strong></span> and <span class="command"><strong>QryDropped</strong></span> statistics. Responses that truncated by rate limits are included in - <span><strong class="command">RateSlipped</strong></span> and <span><strong class="command">RespTruncated</strong></span>. + <span class="command"><strong>RateSlipped</strong></span> and <span class="command"><strong>RespTruncated</strong></span>. </p> </div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> { +<a name="server_statement_grammar"></a><span class="command"><strong>server</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> { [<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>] [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>] [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>] @@ -6651,12 +6724,12 @@ ns.domain.com.rpz-nsdname CNAME . }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and +<a name="server_statement_definition_and_usage"></a><span class="command"><strong>server</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">server</strong></span> statement defines + The <span class="command"><strong>server</strong></span> statement defines characteristics to be associated with a remote name server. If a prefix length is specified, then a range of servers is covered. Only the most @@ -6665,17 +6738,17 @@ ns.domain.com.rpz-nsdname CNAME . <code class="filename">named.conf</code>. </p> <p> - The <span><strong class="command">server</strong></span> statement can occur at + The <span class="command"><strong>server</strong></span> statement can occur at the top level of the - configuration file or inside a <span><strong class="command">view</strong></span> + configuration file or inside a <span class="command"><strong>view</strong></span> statement. - If a <span><strong class="command">view</strong></span> statement contains - one or more <span><strong class="command">server</strong></span> statements, only + If a <span class="command"><strong>view</strong></span> statement contains + one or more <span class="command"><strong>server</strong></span> statements, only those apply to the view and any top-level ones are ignored. - If a view contains no <span><strong class="command">server</strong></span> + If a view contains no <span class="command"><strong>server</strong></span> statements, - any top-level <span><strong class="command">server</strong></span> statements are + any top-level <span class="command"><strong>server</strong></span> statements are used as defaults. </p> @@ -6683,30 +6756,30 @@ ns.domain.com.rpz-nsdname CNAME . If you discover that a remote server is giving out bad data, marking it as bogus will prevent further queries to it. The default - value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>. + value of <span class="command"><strong>bogus</strong></span> is <span class="command"><strong>no</strong></span>. </p> <p> - The <span><strong class="command">provide-ixfr</strong></span> clause determines + The <span class="command"><strong>provide-ixfr</strong></span> clause determines whether the local server, acting as master, will respond with an incremental zone transfer when the given remote server, a slave, requests it. - If set to <span><strong class="command">yes</strong></span>, incremental transfer + If set to <span class="command"><strong>yes</strong></span>, incremental transfer will be provided - whenever possible. If set to <span><strong class="command">no</strong></span>, + whenever possible. If set to <span class="command"><strong>no</strong></span>, all transfers to the remote server will be non-incremental. If not set, the value - of the <span><strong class="command">provide-ixfr</strong></span> option in the + of the <span class="command"><strong>provide-ixfr</strong></span> option in the view or global options block is used as a default. </p> <p> - The <span><strong class="command">request-ixfr</strong></span> clause determines + The <span class="command"><strong>request-ixfr</strong></span> clause determines whether the local server, acting as a slave, will request incremental zone transfers from the given remote server, a master. If not set, the - value of the <span><strong class="command">request-ixfr</strong></span> option in + value of the <span class="command"><strong>request-ixfr</strong></span> option in the view or global options block is used as a default. It may also be set in the zone block and, if set there, it will override the global or view setting for that zone. @@ -6717,22 +6790,22 @@ ns.domain.com.rpz-nsdname CNAME . fall back to AXFR. Therefore, there is no need to manually list which servers support IXFR and which ones do not; the global default - of <span><strong class="command">yes</strong></span> should always work. - The purpose of the <span><strong class="command">provide-ixfr</strong></span> and - <span><strong class="command">request-ixfr</strong></span> clauses is + of <span class="command"><strong>yes</strong></span> should always work. + The purpose of the <span class="command"><strong>provide-ixfr</strong></span> and + <span class="command"><strong>request-ixfr</strong></span> clauses is to make it possible to disable the use of IXFR even when both master and slave claim to support it, for example if one of the servers is buggy and crashes or corrupts data when IXFR is used. </p> <p> - The <span><strong class="command">edns</strong></span> clause determines whether + The <span class="command"><strong>edns</strong></span> clause determines whether the local server will attempt to use EDNS when communicating - with the remote server. The default is <span><strong class="command">yes</strong></span>. + with the remote server. The default is <span class="command"><strong>yes</strong></span>. </p> <p> - The <span><strong class="command">edns-udp-size</strong></span> option sets the EDNS UDP size - that is advertised by <span><strong class="command">named</strong></span> when querying the remote server. + The <span class="command"><strong>edns-udp-size</strong></span> option sets the EDNS UDP size + that is advertised by <span class="command"><strong>named</strong></span> when querying the remote server. Valid values are 512 to 4096 bytes (values outside this range will be silently adjusted). This option is useful when you wish to advertises a different value to this server than the value you @@ -6740,38 +6813,38 @@ ns.domain.com.rpz-nsdname CNAME . remote site that is blocking large replies. </p> <p> - The <span><strong class="command">max-udp-size</strong></span> option sets the - maximum EDNS UDP message size <span><strong class="command">named</strong></span> will send. Valid + The <span class="command"><strong>max-udp-size</strong></span> option sets the + maximum EDNS UDP message size <span class="command"><strong>named</strong></span> will send. Valid values are 512 to 4096 bytes (values outside this range will be silently adjusted). This option is useful when you know that there is a firewall that is blocking large - replies from <span><strong class="command">named</strong></span>. + replies from <span class="command"><strong>named</strong></span>. </p> <p> - The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>, - uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs - as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is + The server supports two zone transfer methods. The first, <span class="command"><strong>one-answer</strong></span>, + uses one DNS message per resource record transferred. <span class="command"><strong>many-answers</strong></span> packs + as many resource records as possible into a message. <span class="command"><strong>many-answers</strong></span> is more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym> 8.x, and patched versions of <acronym class="acronym">BIND</acronym> 4.9.5. You can specify which method - to use for a server with the <span><strong class="command">transfer-format</strong></span> option. - If <span><strong class="command">transfer-format</strong></span> is not - specified, the <span><strong class="command">transfer-format</strong></span> + to use for a server with the <span class="command"><strong>transfer-format</strong></span> option. + If <span class="command"><strong>transfer-format</strong></span> is not + specified, the <span class="command"><strong>transfer-format</strong></span> specified - by the <span><strong class="command">options</strong></span> statement will be + by the <span class="command"><strong>options</strong></span> statement will be used. </p> -<p><span><strong class="command">transfers</strong></span> +<p><span class="command"><strong>transfers</strong></span> is used to limit the number of concurrent inbound zone transfers from the specified server. If no - <span><strong class="command">transfers</strong></span> clause is specified, the + <span class="command"><strong>transfers</strong></span> clause is specified, the limit is set according to the - <span><strong class="command">transfers-per-ns</strong></span> option. + <span class="command"><strong>transfers-per-ns</strong></span> option. </p> <p> - The <span><strong class="command">keys</strong></span> clause identifies a - <span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement, - to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>) + The <span class="command"><strong>keys</strong></span> clause identifies a + <span class="command"><strong>key_id</strong></span> defined by the <span class="command"><strong>key</strong></span> statement, + to be used for transaction security (TSIG, <a class="xref" href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>) when talking to the remote server. When a request is sent to the remote server, a request signature will be generated using the key specified here and appended to the @@ -6783,63 +6856,63 @@ ns.domain.com.rpz-nsdname CNAME . Only a single key per server is currently supported. </p> <p> - The <span><strong class="command">transfer-source</strong></span> and - <span><strong class="command">transfer-source-v6</strong></span> clauses specify + The <span class="command"><strong>transfer-source</strong></span> and + <span class="command"><strong>transfer-source-v6</strong></span> clauses specify the IPv4 and IPv6 source address to be used for zone transfer with the remote server, respectively. - For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can + For an IPv4 remote server, only <span class="command"><strong>transfer-source</strong></span> can be specified. Similarly, for an IPv6 remote server, only - <span><strong class="command">transfer-source-v6</strong></span> can be + <span class="command"><strong>transfer-source-v6</strong></span> can be specified. For more details, see the description of - <span><strong class="command">transfer-source</strong></span> and - <span><strong class="command">transfer-source-v6</strong></span> in - <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>transfer-source</strong></span> and + <span class="command"><strong>transfer-source-v6</strong></span> in + <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p> <p> - The <span><strong class="command">notify-source</strong></span> and - <span><strong class="command">notify-source-v6</strong></span> clauses specify the + The <span class="command"><strong>notify-source</strong></span> and + <span class="command"><strong>notify-source-v6</strong></span> clauses specify the IPv4 and IPv6 source address to be used for notify messages sent to remote servers, respectively. For an - IPv4 remote server, only <span><strong class="command">notify-source</strong></span> + IPv4 remote server, only <span class="command"><strong>notify-source</strong></span> can be specified. Similarly, for an IPv6 remote server, - only <span><strong class="command">notify-source-v6</strong></span> can be specified. + only <span class="command"><strong>notify-source-v6</strong></span> can be specified. </p> <p> - The <span><strong class="command">query-source</strong></span> and - <span><strong class="command">query-source-v6</strong></span> clauses specify the + The <span class="command"><strong>query-source</strong></span> and + <span class="command"><strong>query-source-v6</strong></span> clauses specify the IPv4 and IPv6 source address to be used for queries sent to remote servers, respectively. For an IPv4 - remote server, only <span><strong class="command">query-source</strong></span> can + remote server, only <span class="command"><strong>query-source</strong></span> can be specified. Similarly, for an IPv6 remote server, - only <span><strong class="command">query-source-v6</strong></span> can be specified. + only <span class="command"><strong>query-source-v6</strong></span> can be specified. </p> <p> - The <span><strong class="command">request-nsid</strong></span> clause determines + The <span class="command"><strong>request-nsid</strong></span> clause determines whether the local server will add a NSID EDNS option to requests sent to the server. This overrides - <span><strong class="command">request-nsid</strong></span> set at the view or + <span class="command"><strong>request-nsid</strong></span> set at the view or option level. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">statistics-channels</strong></span> { +<a name="statschannels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>statistics-channels</strong></span> { [ inet ( ip_addr | * ) [ port ip_port ] [ allow { <em class="replaceable"><code> address_match_list </code></em> } ]; ] [ inet ...; ] }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2590832"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and +<a name="statistics_channels"></a><span class="command"><strong>statistics-channels</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">statistics-channels</strong></span> statement + The <span class="command"><strong>statistics-channels</strong></span> statement declares communication channels to be used by system administrators to get access to statistics information of the name server. @@ -6849,46 +6922,46 @@ ns.domain.com.rpz-nsdname CNAME . communication protocols in the future, but currently only HTTP access is supported. It requires that BIND 9 be compiled with libxml2; - the <span><strong class="command">statistics-channels</strong></span> statement is + the <span class="command"><strong>statistics-channels</strong></span> statement is still accepted even if it is built without the library, but any HTTP access will fail with an error. </p> <p> - An <span><strong class="command">inet</strong></span> control channel is a TCP socket - listening at the specified <span><strong class="command">ip_port</strong></span> on the - specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6 - address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is + An <span class="command"><strong>inet</strong></span> control channel is a TCP socket + listening at the specified <span class="command"><strong>ip_port</strong></span> on the + specified <span class="command"><strong>ip_addr</strong></span>, which can be an IPv4 or IPv6 + address. An <span class="command"><strong>ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is interpreted as the IPv4 wildcard address; connections will be accepted on any of the system's IPv4 addresses. To listen on the IPv6 wildcard address, - use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>. + use an <span class="command"><strong>ip_addr</strong></span> of <code class="literal">::</code>. </p> <p> If no port is specified, port 80 is used for HTTP channels. The asterisk "<code class="literal">*</code>" cannot be used for - <span><strong class="command">ip_port</strong></span>. + <span class="command"><strong>ip_port</strong></span>. </p> <p> The attempt of opening a statistics channel is - restricted by the optional <span><strong class="command">allow</strong></span> clause. + restricted by the optional <span class="command"><strong>allow</strong></span> clause. Connections to the statistics channel are permitted based on the - <span><strong class="command">address_match_list</strong></span>. - If no <span><strong class="command">allow</strong></span> clause is present, - <span><strong class="command">named</strong></span> accepts connection + <span class="command"><strong>address_match_list</strong></span>. + If no <span class="command"><strong>allow</strong></span> clause is present, + <span class="command"><strong>named</strong></span> accepts connection attempts from any address; since the statistics may contain sensitive internal information, it is highly recommended to restrict the source of connection requests appropriately. </p> <p> - If no <span><strong class="command">statistics-channels</strong></span> statement is present, - <span><strong class="command">named</strong></span> will not open any communication channels. + If no <span class="command"><strong>statistics-channels</strong></span> statement is present, + <span class="command"><strong>named</strong></span> will not open any communication channels. </p> <p> If the statistics channel is configured to listen on 127.0.0.1 port 8888, then the statistics are accessible in XML format at - <a href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or - <a href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is + <a class="link" href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or + <a class="link" href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is included which can format the XML statistics into tables when viewed with a stylesheet-capable browser. When <acronym class="acronym">BIND</acronym> 9 is configured with --enable-newstats, @@ -6901,30 +6974,30 @@ ns.domain.com.rpz-nsdname CNAME . <p> Applications that depend on a particular XML schema can request - <a href="http://127.0.0.1:8888/xml/v2" target="_top">http://127.0.0.1:8888/xml/v2</a> for version 2 + <a class="link" href="http://127.0.0.1:8888/xml/v2" target="_top">http://127.0.0.1:8888/xml/v2</a> for version 2 of the statistics XML schema or - <a href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3. + <a class="link" href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3. If the requested schema is supported by the server, then it will respond; if not, it will return a "page not found" error. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="trusted-keys"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">trusted-keys</strong></span> { +<a name="trusted-keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>trusted-keys</strong></span> { <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>] }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2591139"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition +<a name="trusted_keys"></a><span class="command"><strong>trusted-keys</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">trusted-keys</strong></span> statement defines - DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the + The <span class="command"><strong>trusted-keys</strong></span> statement defines + DNSSEC security roots. DNSSEC is described in <a class="xref" href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the public key for a non-authoritative zone is known, but cannot be securely obtained through DNS, either because it is the DNS root zone or because its parent zone is @@ -6935,14 +7008,14 @@ ns.domain.com.rpz-nsdname CNAME . </p> <p> All keys (and corresponding zones) listed in - <span><strong class="command">trusted-keys</strong></span> are deemed to exist regardless + <span class="command"><strong>trusted-keys</strong></span> are deemed to exist regardless of what parent zones say. Similarly for all keys listed in - <span><strong class="command">trusted-keys</strong></span> only those keys are + <span class="command"><strong>trusted-keys</strong></span> only those keys are used to validate the DNSKEY RRset. The parent's DS RRset will not be used. </p> <p> - The <span><strong class="command">trusted-keys</strong></span> statement can contain + The <span class="command"><strong>trusted-keys</strong></span> statement can contain multiple key entries, each consisting of the key's domain name, flags, protocol, algorithm, and the Base-64 representation of the key data. @@ -6951,31 +7024,31 @@ ns.domain.com.rpz-nsdname CNAME . multiple lines. </p> <p> - <span><strong class="command">trusted-keys</strong></span> may be set at the top level + <span class="command"><strong>trusted-keys</strong></span> may be set at the top level of <code class="filename">named.conf</code> or within a view. If it is set in both places, they are additive: keys defined at the top level are inherited by all views, but keys defined in a view are only used within that view. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2591186"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">managed-keys</strong></span> { +<a name="managed_keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>managed-keys</strong></span> { <em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; [<span class="optional"> <em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; [<span class="optional">...</span>]</span>] }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="managed-keys"></a><span><strong class="command">managed-keys</strong></span> Statement Definition +<a name="managed-keys"></a><span class="command"><strong>managed-keys</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">managed-keys</strong></span> statement, like - <span><strong class="command">trusted-keys</strong></span>, defines DNSSEC + The <span class="command"><strong>managed-keys</strong></span> statement, like + <span class="command"><strong>trusted-keys</strong></span>, defines DNSSEC security roots. The difference is that - <span><strong class="command">managed-keys</strong></span> can be kept up to date + <span class="command"><strong>managed-keys</strong></span> can be kept up to date automatically, without intervention from the resolver operator. </p> @@ -6983,76 +7056,76 @@ ns.domain.com.rpz-nsdname CNAME . Suppose, for example, that a zone's key-signing key was compromised, and the zone owner had to revoke and replace the key. A resolver which had the old key in a - <span><strong class="command">trusted-keys</strong></span> statement would be + <span class="command"><strong>trusted-keys</strong></span> statement would be unable to validate this zone any longer; it would reply with a SERVFAIL response code. This would continue until the resolver operator had updated the - <span><strong class="command">trusted-keys</strong></span> statement with the new key. + <span class="command"><strong>trusted-keys</strong></span> statement with the new key. </p> <p> If, however, the zone were listed in a - <span><strong class="command">managed-keys</strong></span> statement instead, then the + <span class="command"><strong>managed-keys</strong></span> statement instead, then the zone owner could add a "stand-by" key to the zone in advance. - <span><strong class="command">named</strong></span> would store the stand-by key, and - when the original key was revoked, <span><strong class="command">named</strong></span> + <span class="command"><strong>named</strong></span> would store the stand-by key, and + when the original key was revoked, <span class="command"><strong>named</strong></span> would be able to transition smoothly to the new key. It would also recognize that the old key had been revoked, and cease using that key to validate answers, minimizing the damage that the compromised key could do. </p> <p> - A <span><strong class="command">managed-keys</strong></span> statement contains a list of + A <span class="command"><strong>managed-keys</strong></span> statement contains a list of the keys to be managed, along with information about how the keys are to be initialized for the first time. The only initialization method currently supported (as of <acronym class="acronym">BIND</acronym> 9.7.0) is <code class="literal">initial-key</code>. - This means the <span><strong class="command">managed-keys</strong></span> statement must + This means the <span class="command"><strong>managed-keys</strong></span> statement must contain a copy of the initializing key. (Future releases may allow keys to be initialized by other methods, eliminating this requirement.) </p> <p> - Consequently, a <span><strong class="command">managed-keys</strong></span> statement - appears similar to a <span><strong class="command">trusted-keys</strong></span>, differing + Consequently, a <span class="command"><strong>managed-keys</strong></span> statement + appears similar to a <span class="command"><strong>trusted-keys</strong></span>, differing in the presence of the second field, containing the keyword <code class="literal">initial-key</code>. The difference is, whereas the - keys listed in a <span><strong class="command">trusted-keys</strong></span> continue to be + keys listed in a <span class="command"><strong>trusted-keys</strong></span> continue to be trusted until they are removed from <code class="filename">named.conf</code>, an initializing key listed - in a <span><strong class="command">managed-keys</strong></span> statement is only trusted + in a <span class="command"><strong>managed-keys</strong></span> statement is only trusted <span class="emphasis"><em>once</em></span>: for as long as it takes to load the managed key database and start the RFC 5011 key maintenance process. </p> <p> - The first time <span><strong class="command">named</strong></span> runs with a managed key + The first time <span class="command"><strong>named</strong></span> runs with a managed key configured in <code class="filename">named.conf</code>, it fetches the DNSKEY RRset directly from the zone apex, and validates it - using the key specified in the <span><strong class="command">managed-keys</strong></span> + using the key specified in the <span class="command"><strong>managed-keys</strong></span> statement. If the DNSKEY RRset is validly signed, then it is used as the basis for a new managed keys database. </p> <p> - From that point on, whenever <span><strong class="command">named</strong></span> runs, it - sees the <span><strong class="command">managed-keys</strong></span> statement, checks to + From that point on, whenever <span class="command"><strong>named</strong></span> runs, it + sees the <span class="command"><strong>managed-keys</strong></span> statement, checks to make sure RFC 5011 key maintenance has already been initialized for the specified domain, and if so, it simply moves on. The - key specified in the <span><strong class="command">managed-keys</strong></span> is not + key specified in the <span class="command"><strong>managed-keys</strong></span> is not used to validate answers; it has been superseded by the key or keys stored in the managed keys database. </p> <p> - The next time <span><strong class="command">named</strong></span> runs after a name + The next time <span class="command"><strong>named</strong></span> runs after a name has been <span class="emphasis"><em>removed</em></span> from the - <span><strong class="command">managed-keys</strong></span> statement, the corresponding + <span class="command"><strong>managed-keys</strong></span> statement, the corresponding zone will be removed from the managed keys database, and RFC 5011 key maintenance will no longer be used for that domain. </p> <p> - <span><strong class="command">named</strong></span> only maintains a single managed keys - database; consequently, unlike <span><strong class="command">trusted-keys</strong></span>, - <span><strong class="command">managed-keys</strong></span> may only be set at the top + <span class="command"><strong>named</strong></span> only maintains a single managed keys + database; consequently, unlike <span class="command"><strong>trusted-keys</strong></span>, + <span class="command"><strong>managed-keys</strong></span> may only be set at the top level of <code class="filename">named.conf</code>, not within a view. </p> <p> @@ -7064,29 +7137,29 @@ ns.domain.com.rpz-nsdname CNAME . <code class="filename">managed-keys.bind.jnl</code>. They are committed to the master file as soon as possible afterward; in the case of the managed key database, this will usually occur within 30 - seconds. So, whenever <span><strong class="command">named</strong></span> is using + seconds. So, whenever <span class="command"><strong>named</strong></span> is using automatic key maintenance, those two files can be expected to exist in the working directory. (For this reason among others, the working directory should be always be writable by - <span><strong class="command">named</strong></span>.) + <span class="command"><strong>named</strong></span>.) </p> <p> - If the <span><strong class="command">dnssec-validation</strong></span> option is - set to <strong class="userinput"><code>auto</code></strong>, <span><strong class="command">named</strong></span> + If the <span class="command"><strong>dnssec-validation</strong></span> option is + set to <strong class="userinput"><code>auto</code></strong>, <span class="command"><strong>named</strong></span> will automatically initialize a managed key for the - root zone. Similarly, if the <span><strong class="command">dnssec-lookaside</strong></span> + root zone. Similarly, if the <span class="command"><strong>dnssec-lookaside</strong></span> option is set to <strong class="userinput"><code>auto</code></strong>, - <span><strong class="command">named</strong></span> will automatically initialize + <span class="command"><strong>named</strong></span> will automatically initialize a managed key for the zone <code class="literal">dlv.isc.org</code>. In both cases, the key that is used to initialize the key - maintenance process is built into <span><strong class="command">named</strong></span>, - and can be overridden from <span><strong class="command">bindkeys-file</strong></span>. + maintenance process is built into <span class="command"><strong>named</strong></span>, + and can be overridden from <span class="command"><strong>bindkeys-file</strong></span>. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">view</strong></span> <em class="replaceable"><code>view_name</code></em> +<a name="view_statement_grammar"></a><span class="command"><strong>view</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span class="command"><strong>view</strong></span> <em class="replaceable"><code>view_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { match-clients { <em class="replaceable"><code>address_match_list</code></em> }; match-destinations { <em class="replaceable"><code>address_match_list</code></em> }; @@ -7096,11 +7169,11 @@ ns.domain.com.rpz-nsdname CNAME . }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2591553"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div> +<a name="view_statement"></a><span class="command"><strong>view</strong></span> Statement Definition and Usage</h3></div></div></div> <p> - The <span><strong class="command">view</strong></span> statement is a powerful + The <span class="command"><strong>view</strong></span> statement is a powerful feature of <acronym class="acronym">BIND</acronym> 9 that lets a name server answer a DNS query differently @@ -7109,54 +7182,54 @@ ns.domain.com.rpz-nsdname CNAME . split DNS setups without having to run multiple servers. </p> <p> - Each <span><strong class="command">view</strong></span> statement defines a view + Each <span class="command"><strong>view</strong></span> statement defines a view of the DNS namespace that will be seen by a subset of clients. A client matches a view if its source IP address matches the <code class="varname">address_match_list</code> of the view's - <span><strong class="command">match-clients</strong></span> clause and its + <span class="command"><strong>match-clients</strong></span> clause and its destination IP address matches the <code class="varname">address_match_list</code> of the view's - <span><strong class="command">match-destinations</strong></span> clause. If not + <span class="command"><strong>match-destinations</strong></span> clause. If not specified, both - <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span> + <span class="command"><strong>match-clients</strong></span> and <span class="command"><strong>match-destinations</strong></span> default to matching all addresses. In addition to checking IP addresses - <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span> - can also take <span><strong class="command">keys</strong></span> which provide an + <span class="command"><strong>match-clients</strong></span> and <span class="command"><strong>match-destinations</strong></span> + can also take <span class="command"><strong>keys</strong></span> which provide an mechanism for the client to select the view. A view can also be specified - as <span><strong class="command">match-recursive-only</strong></span>, which + as <span class="command"><strong>match-recursive-only</strong></span>, which means that only recursive requests from matching clients will match that view. - The order of the <span><strong class="command">view</strong></span> statements is + The order of the <span class="command"><strong>view</strong></span> statements is significant — a client request will be resolved in the context of the first - <span><strong class="command">view</strong></span> that it matches. + <span class="command"><strong>view</strong></span> that it matches. </p> <p> - Zones defined within a <span><strong class="command">view</strong></span> + Zones defined within a <span class="command"><strong>view</strong></span> statement will - only be accessible to clients that match the <span><strong class="command">view</strong></span>. + only be accessible to clients that match the <span class="command"><strong>view</strong></span>. By defining a zone of the same name in multiple views, different zone data can be given to different clients, for example, "internal" and "external" clients in a split DNS setup. </p> <p> - Many of the options given in the <span><strong class="command">options</strong></span> statement - can also be used within a <span><strong class="command">view</strong></span> + Many of the options given in the <span class="command"><strong>options</strong></span> statement + can also be used within a <span class="command"><strong>view</strong></span> statement, and then apply only when resolving queries with that view. When no view-specific - value is given, the value in the <span><strong class="command">options</strong></span> statement + value is given, the value in the <span class="command"><strong>options</strong></span> statement is used as a default. Also, zone options can have default values specified - in the <span><strong class="command">view</strong></span> statement; these + in the <span class="command"><strong>view</strong></span> statement; these view-specific defaults - take precedence over those in the <span><strong class="command">options</strong></span> statement. + take precedence over those in the <span class="command"><strong>options</strong></span> statement. </p> <p> Views are class specific. If no class is given, class IN @@ -7164,24 +7237,24 @@ ns.domain.com.rpz-nsdname CNAME . since only the IN class has compiled-in default hints. </p> <p> - If there are no <span><strong class="command">view</strong></span> statements in + If there are no <span class="command"><strong>view</strong></span> statements in the config file, a default view that matches any client is automatically created - in class IN. Any <span><strong class="command">zone</strong></span> statements + in class IN. Any <span class="command"><strong>zone</strong></span> statements specified on the top level of the configuration file are considered to be part of - this default view, and the <span><strong class="command">options</strong></span> + this default view, and the <span class="command"><strong>options</strong></span> statement will - apply to the default view. If any explicit <span><strong class="command">view</strong></span> - statements are present, all <span><strong class="command">zone</strong></span> + apply to the default view. If any explicit <span class="command"><strong>view</strong></span> + statements are present, all <span class="command"><strong>zone</strong></span> statements must - occur inside <span><strong class="command">view</strong></span> statements. + occur inside <span class="command"><strong>view</strong></span> statements. </p> <p> Here is an example of a typical split DNS setup implemented - using <span><strong class="command">view</strong></span> statements: + using <span class="command"><strong>view</strong></span> statements: </p> <pre class="programlisting">view "internal" { // This should match our internal networks. @@ -7216,11 +7289,11 @@ view "external" { }; </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="zone_statement_grammar"></a><span><strong class="command">zone</strong></span> +<a name="zone_statement_grammar"></a><span class="command"><strong>zone</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { +<pre class="programlisting"><span class="command"><strong>zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { type master; [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>] @@ -7230,8 +7303,6 @@ view "external" { [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>] [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>] [<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>] - [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; - [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] [<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>] @@ -7371,7 +7442,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>] [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>] [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] @@ -7385,7 +7456,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] [<span class="optional"> server-addresses { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> ; ... </span>] }; </span>] [<span class="optional"> server-names { [<span class="optional"> <em class="replaceable"><code>namelist</code></em> </span>] }; </span>] - [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>] }; zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { @@ -7408,16 +7479,25 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" </pre> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2593398"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div> -<div class="sect3" lang="en"> +<a name="zone_statement"></a><span class="command"><strong>zone</strong></span> Statement Definition and Usage</h3></div></div></div> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2593405"></a>Zone Types</h4></div></div></div> +<a name="zone_types"></a>Zone Types</h4></div></div></div> +<p> + The <span class="command"><strong>type</strong></span> keyword is required + for the <span class="command"><strong>zone</strong></span> configuration. Its + acceptable values include: <code class="varname">delegation-only</code>, + <code class="varname">forward</code>, <code class="varname">hint</code>, + <code class="varname">master</code>, <code class="varname">redirect</code>, + <code class="varname">slave</code>, <code class="varname">static-stub</code>, + and <code class="varname">stub</code>. + </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col class="1"> +<col width="4.017in" class="2"> </colgroup> <tbody> <tr> @@ -7444,7 +7524,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" <td> <p> A slave zone is a replica of a master - zone. The <span><strong class="command">masters</strong></span> list + zone. The <span class="command"><strong>masters</strong></span> list specifies one or more IP addresses of master servers that the slave contacts to update its copy of the zone. @@ -7559,14 +7639,14 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" </p> <p> Zone data is configured via the - <span><strong class="command">server-addresses</strong></span> and - <span><strong class="command">server-names</strong></span> zone options. + <span class="command"><strong>server-addresses</strong></span> and + <span class="command"><strong>server-names</strong></span> zone options. </p> <p> The zone data is maintained in the form of NS and (if necessary) glue A or AAAA RRs internally, which can be seen by dumping zone - databases by <span><strong class="command">rndc dumpdb -all</strong></span>. + databases by <span class="command"><strong>rndc dumpdb -all</strong></span>. The configured RRs are considered local configuration parameters rather than public data. Non recursive queries (i.e., those with the RD @@ -7597,22 +7677,22 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" <td> <p> A "forward zone" is a way to configure - forwarding on a per-domain basis. A <span><strong class="command">zone</strong></span> statement - of type <span><strong class="command">forward</strong></span> can - contain a <span><strong class="command">forward</strong></span> - and/or <span><strong class="command">forwarders</strong></span> + forwarding on a per-domain basis. A <span class="command"><strong>zone</strong></span> statement + of type <span class="command"><strong>forward</strong></span> can + contain a <span class="command"><strong>forward</strong></span> + and/or <span class="command"><strong>forwarders</strong></span> statement, which will apply to queries within the domain given by the zone - name. If no <span><strong class="command">forwarders</strong></span> + name. If no <span class="command"><strong>forwarders</strong></span> statement is present or - an empty list for <span><strong class="command">forwarders</strong></span> is given, then no + an empty list for <span class="command"><strong>forwarders</strong></span> is given, then no forwarding will be done for the domain, canceling the effects of - any forwarders in the <span><strong class="command">options</strong></span> statement. Thus + any forwarders in the <span class="command"><strong>options</strong></span> statement. Thus if you want to use this type of zone to change the behavior of the - global <span><strong class="command">forward</strong></span> option + global <span class="command"><strong>forward</strong></span> option (that is, "forward first" to, then "forward only", or vice versa, but want to use the same @@ -7654,7 +7734,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" queries when normal resolution would result in NXDOMAIN being returned. Only one redirect zone is supported - per view. <span><strong class="command">allow-query</strong></span> can be + per view. <span class="command"><strong>allow-query</strong></span> can be used to restrict which clients see these answers. </p> <p> @@ -7691,10 +7771,10 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" zone lookup table with normal master and slave zones. Consequently, it is not currently possible to use - <span><strong class="command">rndc reload + <span class="command"><strong>rndc reload <em class="replaceable"><code>zonename</code></em></strong></span> to reload a redirect zone. However, when using - <span><strong class="command">rndc reload</strong></span> without specifying + <span class="command"><strong>rndc reload</strong></span> without specifying a zone name, redirect zones will be reloaded along with other zones. </p> @@ -7722,16 +7802,16 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" effect on answers received from forwarders. </p> <p> - See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>. + See caveats in <a class="xref" href="Bv9ARM.ch06.html#root_delegation_only"><span class="command"><strong>root-delegation-only</strong></span></a>. </p> </td> </tr> </tbody> </table></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2594150"></a>Class</h4></div></div></div> +<a name="class"></a>Class</h4></div></div></div> <p> The zone's name may optionally be followed by a class. If a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>), @@ -7751,48 +7831,48 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class. </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2594183"></a>Zone Options</h4></div></div></div> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt> +<a name="zone_options"></a>Zone Options</h4></div></div></div> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>allow-notify</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. + <span class="command"><strong>allow-notify</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-query</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. + <span class="command"><strong>allow-query</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-query-on</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. + <span class="command"><strong>allow-query-on</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-transfer</strong></span></span></dt> <dd><p> - See the description of <span><strong class="command">allow-transfer</strong></span> - in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. + See the description of <span class="command"><strong>allow-transfer</strong></span> + in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-update</strong></span></span></dt> <dd><p> - See the description of <span><strong class="command">allow-update</strong></span> - in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. + See the description of <span class="command"><strong>allow-update</strong></span> + in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">update-policy</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>update-policy</strong></span></span></dt> <dd><p> Specifies a "Simple Secure Update" policy. See - <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>. + <a class="xref" href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>allow-update-forwarding</strong></span></span></dt> <dd><p> - See the description of <span><strong class="command">allow-update-forwarding</strong></span> - in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. + See the description of <span class="command"><strong>allow-update-forwarding</strong></span> + in <a class="xref" href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>also-notify</strong></span></span></dt> <dd><p> - Only meaningful if <span><strong class="command">notify</strong></span> + Only meaningful if <span class="command"><strong>notify</strong></span> is active for this zone. The set of machines that will receive a @@ -7801,85 +7881,90 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" (other than the primary master) for the zone plus any IP addresses specified - with <span><strong class="command">also-notify</strong></span>. A port + with <span class="command"><strong>also-notify</strong></span>. A port may be specified - with each <span><strong class="command">also-notify</strong></span> + with each <span class="command"><strong>also-notify</strong></span> address to send the notify messages to a port other than the default of 53. A TSIG key may also be specified to cause the <code class="literal">NOTIFY</code> to be signed by the given key. - <span><strong class="command">also-notify</strong></span> is not + <span class="command"><strong>also-notify</strong></span> is not meaningful for stub zones. The default is the empty list. </p></dd> -<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-names</strong></span></span></dt> <dd><p> This option is used to restrict the character set and syntax of certain domain names in master files and/or DNS responses received from the - network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span> - zones the default is <span><strong class="command">warn</strong></span>. - It is not implemented for <span><strong class="command">hint</strong></span> zones. + network. The default varies according to zone type. For <span class="command"><strong>master</strong></span> zones the default is <span class="command"><strong>fail</strong></span>. For <span class="command"><strong>slave</strong></span> + zones the default is <span class="command"><strong>warn</strong></span>. + It is not implemented for <span class="command"><strong>hint</strong></span> zones. </p></dd> -<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-mx</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>check-mx</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">check-spf</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-spf</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">check-spf</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>check-spf</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-wildcard</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>check-wildcard</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-integrity</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>check-integrity</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>check-sibling</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>check-sibling</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>zero-no-soa-ttl</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>zero-no-soa-ttl</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>update-check-ksk</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>update-check-ksk</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + </p></dd> +<dt><span class="term"><span class="command"><strong>dnssec-loadkeys-interval</strong></span></span></dt> +<dd><p> + See the description of + <span class="command"><strong>dnssec-loadkeys-interval</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and + Usage”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-update-mode</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">dnssec-update-mode</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and - Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and + <span class="command"><strong>dnssec-update-mode</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and Usage”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-dnskey-kskonly</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">dnssec-dnskey-kskonly</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>dnssec-dnskey-kskonly</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>try-tcp-refresh</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>try-tcp-refresh</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">database</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>database</strong></span></span></dt> <dd> <p> Specify the type of database to be used for storing the - zone data. The string following the <span><strong class="command">database</strong></span> keyword + zone data. The string following the <span class="command"><strong>database</strong></span> keyword is interpreted as a list of whitespace-delimited words. The first word identifies the database type, and any subsequent words are @@ -7901,12 +7986,12 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" with the distribution but none are linked in by default. </p> </dd> -<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dialup</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>dialup</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">delegation-only</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>delegation-only</strong></span></span></dt> <dd> <p> The flag only applies to forward, hint and stub @@ -7915,25 +8000,25 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" also a delegation-only type zone. </p> <p> - See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>. + See caveats in <a class="xref" href="Bv9ARM.ch06.html#root_delegation_only"><span class="command"><strong>root-delegation-only</strong></span></a>. </p> </dd> -<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>forward</strong></span></span></dt> <dd><p> Only meaningful if the zone has a forwarders - list. The <span><strong class="command">only</strong></span> value causes + list. The <span class="command"><strong>only</strong></span> value causes the lookup to fail - after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would + after trying the forwarders and getting no answer, while <span class="command"><strong>first</strong></span> would allow a normal lookup to be tried. </p></dd> -<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>forwarders</strong></span></span></dt> <dd><p> Used to override the list of global forwarders. - If it is not specified in a zone of type <span><strong class="command">forward</strong></span>, + If it is not specified in a zone of type <span class="command"><strong>forward</strong></span>, no forwarding is done for the zone and the global options are not used. </p></dd> -<dt><span class="term"><span><strong class="command">ixfr-base</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>ixfr-base</strong></span></span></dt> <dd><p> Was used in <acronym class="acronym">BIND</acronym> 8 to specify the name @@ -7945,59 +8030,59 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" to the name of the zone file. </p></dd> -<dt><span class="term"><span><strong class="command">ixfr-tmp-file</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>ixfr-tmp-file</strong></span></span></dt> <dd><p> Was an undocumented option in <acronym class="acronym">BIND</acronym> 8. Ignored in <acronym class="acronym">BIND</acronym> 9. </p></dd> -<dt><span class="term"><span><strong class="command">journal</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>journal</strong></span></span></dt> <dd><p> Allow the default journal's filename to be overridden. The default is the zone's filename with "<code class="filename">.jnl</code>" appended. - This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones. + This is applicable to <span class="command"><strong>master</strong></span> and <span class="command"><strong>slave</strong></span> zones. </p></dd> -<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-journal-size</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>. + <span class="command"><strong>max-journal-size</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-transfer-time-in</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>max-transfer-time-in</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-transfer-idle-in</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>max-transfer-idle-in</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-transfer-time-out</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>max-transfer-time-out</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>max-transfer-idle-out</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>max-transfer-idle-out</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>notify</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify-delay</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + <span class="command"><strong>notify-delay</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify-to-soa</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">notify-to-soa</strong></span> in - <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>notify-to-soa</strong></span> in + <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>pubkey</strong></span></span></dt> <dd><p> In <acronym class="acronym">BIND</acronym> 8, this option was intended for specifying @@ -8006,15 +8091,14 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures on load and ignores the option. </p></dd> -<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>zone-statistics</strong></span></span></dt> <dd><p> - If <strong class="userinput"><code>yes</code></strong>, the server will keep - statistical - information for this zone, which can be dumped to the - <span><strong class="command">statistics-file</strong></span> defined in - the server options. + See the description of + <span class="command"><strong>zone-statistics</strong></span> in + <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and + Usage”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">server-addresses</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>server-addresses</strong></span></span></dt> <dd> <p> Only meaningful for static-stub zones. @@ -8028,7 +8112,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional" <p> For example, if "example.com" is configured as a static-stub zone with 192.0.2.1 and 2001:db8::1234 - in a <span><strong class="command">server-addresses</strong></span> option, + in a <span class="command"><strong>server-addresses</strong></span> option, the following RRs will be internally configured. </p> <pre class="programlisting">example.com. NS example.com. @@ -8043,7 +8127,7 @@ example.com. AAAA 2001:db8::1234</pre> queries to 192.0.2.1 and/or 2001:db8::1234. </p> </dd> -<dt><span class="term"><span><strong class="command">server-names</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>server-names</strong></span></span></dt> <dd> <p> Only meaningful for static-stub zones. @@ -8051,7 +8135,7 @@ example.com. AAAA 2001:db8::1234</pre> act as authoritative servers of the static-stub zone. These names will be resolved to IP addresses when - <span><strong class="command">named</strong></span> needs to send queries to + <span class="command"><strong>named</strong></span> needs to send queries to these servers. To make this supplemental resolution successful, these names must not be a subdomain of the origin @@ -8059,7 +8143,7 @@ example.com. AAAA 2001:db8::1234</pre> That is, when "example.net" is the origin of a static-stub zone, "ns.example" and "master.example.com" can be specified in the - <span><strong class="command">server-names</strong></span> option, but + <span class="command"><strong>server-names</strong></span> option, but "ns.example.net" cannot, and will be rejected by the configuration parser. </p> @@ -8069,7 +8153,7 @@ example.com. AAAA 2001:db8::1234</pre> For example, if "example.com" is configured as a static-stub zone with "ns1.example.net" and "ns2.example.net" - in a <span><strong class="command">server-names</strong></span> option, + in a <span class="command"><strong>server-names</strong></span> option, the following RRs will be internally configured. </p> <pre class="programlisting">example.com. NS ns1.example.net. @@ -8086,146 +8170,97 @@ example.com. NS ns2.example.net. queries to (one or more of) these addresses. </p> </dd> -<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>sig-validity-interval</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + <span class="command"><strong>sig-validity-interval</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>sig-signing-nodes</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + <span class="command"><strong>sig-signing-nodes</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>sig-signing-signatures</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + <span class="command"><strong>sig-signing-signatures</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>sig-signing-type</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + <span class="command"><strong>sig-signing-type</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>transfer-source</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>transfer-source-v6</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>transfer-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>alt-transfer-source</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>alt-transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>alt-transfer-source-v6</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>alt-transfer-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>use-alt-transfer-source</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>use-alt-transfer-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify-source</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>notify-source</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>notify-source-v6</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + <span class="command"><strong>notify-source-v6</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. </p></dd> <dt> -<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span> +<span class="term"><span class="command"><strong>min-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>max-refresh-time</strong></span>, </span><span class="term"><span class="command"><strong>min-retry-time</strong></span>, </span><span class="term"><span class="command"><strong>max-retry-time</strong></span></span> </dt> <dd><p> - See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + See the description in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>ixfr-from-differences</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. - (Note that the <span><strong class="command">ixfr-from-differences</strong></span> + <span class="command"><strong>ixfr-from-differences</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + (Note that the <span class="command"><strong>ixfr-from-differences</strong></span> <strong class="userinput"><code>master</code></strong> and <strong class="userinput"><code>slave</code></strong> choices are not available at the zone level.) </p></dd> -<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>key-directory</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and - Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and + <span class="command"><strong>key-directory</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and Usage”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">auto-dnssec</strong></span></span></dt> -<dd> -<p> - Zones configured for dynamic DNS may also use this - option to allow varying levels of automatic DNSSEC key - management. There are three possible settings: - </p> -<p> - <span><strong class="command">auto-dnssec allow;</strong></span> permits - keys to be updated and the zone fully re-signed - whenever the user issues the command <span><strong class="command">rndc sign - <em class="replaceable"><code>zonename</code></em></strong></span>. - </p> -<p> - <span><strong class="command">auto-dnssec maintain;</strong></span> includes the - above, but also automatically adjusts the zone's DNSSEC - keys on schedule, according to the keys' timing metadata - (see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and - <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The command - <span><strong class="command">rndc sign - <em class="replaceable"><code>zonename</code></em></strong></span> causes - <span><strong class="command">named</strong></span> to load keys from the key - repository and sign the zone with all keys that are - active. - <span><strong class="command">rndc loadkeys - <em class="replaceable"><code>zonename</code></em></strong></span> causes - <span><strong class="command">named</strong></span> to load keys from the key - repository and schedule key maintenance events to occur - in the future, but it does not sign the full zone - immediately. Note: once keys have been loaded for a - zone the first time, the repository will be searched - for changes periodically, regardless of whether - <span><strong class="command">rndc loadkeys</strong></span> is used. The recheck - interval is defined by - <span><strong class="command">dnssec-loadkeys-interval</strong></span>.) - </p> -<p> - The default setting is <span><strong class="command">auto-dnssec off</strong></span>. - </p> -</dd> -<dt><span class="term"><span><strong class="command">serial-update-method</strong></span></span></dt> -<dd> -<p> - Zones configured for dynamic DNS may use this - option to set the update method that will be used for - the zone serial number in the SOA record. - </p> -<p> - With the default setting of - <span><strong class="command">serial-update-method increment;</strong></span>, the - SOA serial number will be incremented by one each time - the zone is updated. - </p> -<p> - When set to - <span><strong class="command">serial-update-method unixtime;</strong></span>, the - SOA serial number will be set to the number of seconds - since the UNIX epoch, unless the serial number is - already greater than or equal to that value, in which - case it is simply incremented by one. - </p> -</dd> -<dt><span class="term"><span><strong class="command">inline-signing</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>auto-dnssec</strong></span></span></dt> +<dd><p> + See the description of + <span class="command"><strong>auto-dnssec</strong></span> in + <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and + Usage”</a>. + </p></dd> +<dt><span class="term"><span class="command"><strong>serial-update-method</strong></span></span></dt> +<dd><p> + See the description of + <span class="command"><strong>serial-update-method</strong></span> in + <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and + Usage”</a>. + </p></dd> +<dt><span class="term"><span class="command"><strong>inline-signing</strong></span></span></dt> <dd><p> If <code class="literal">yes</code>, this enables "bump in the wire" signing of a zone, where a @@ -8234,40 +8269,40 @@ example.com. NS ns2.example.net. with possibly, a different serial number. This behaviour is disabled by default. </p></dd> -<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>multi-master</strong></span></span></dt> <dd><p> - See the description of <span><strong class="command">multi-master</strong></span> in - <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + See the description of <span class="command"><strong>multi-master</strong></span> in + <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>masterfile-format</strong></span></span></dt> <dd><p> - See the description of <span><strong class="command">masterfile-format</strong></span> - in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + See the description of <span class="command"><strong>masterfile-format</strong></span> + in <a class="xref" href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. </p></dd> -<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>dnssec-secure-to-insecure</strong></span></span></dt> <dd><p> See the description of - <span><strong class="command">dnssec-secure-to-insecure</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + <span class="command"><strong>dnssec-secure-to-insecure</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. </p></dd> </dl></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> <a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div> <p><acronym class="acronym">BIND</acronym> 9 supports two alternative methods of granting clients the right to perform dynamic updates to a zone, configured by the - <span><strong class="command">allow-update</strong></span> and - <span><strong class="command">update-policy</strong></span> option, respectively. + <span class="command"><strong>allow-update</strong></span> and + <span class="command"><strong>update-policy</strong></span> option, respectively. </p> <p> - The <span><strong class="command">allow-update</strong></span> clause works the + The <span class="command"><strong>allow-update</strong></span> clause works the same way as in previous versions of <acronym class="acronym">BIND</acronym>. It grants given clients the permission to update any record of any name in the zone. </p> <p> - The <span><strong class="command">update-policy</strong></span> clause + The <span class="command"><strong>update-policy</strong></span> clause allows more fine-grained control over what updates are allowed. A set of rules is specified, where each rule either grants or denies permissions for one or more @@ -8277,29 +8312,29 @@ example.com. NS ns2.example.net. identity of the signer can be determined. </p> <p> - Rules are specified in the <span><strong class="command">update-policy</strong></span> + Rules are specified in the <span class="command"><strong>update-policy</strong></span> zone option, and are only meaningful for master zones. - When the <span><strong class="command">update-policy</strong></span> statement + When the <span class="command"><strong>update-policy</strong></span> statement is present, it is a configuration error for the - <span><strong class="command">allow-update</strong></span> statement to be - present. The <span><strong class="command">update-policy</strong></span> statement + <span class="command"><strong>allow-update</strong></span> statement to be + present. The <span class="command"><strong>update-policy</strong></span> statement only examines the signer of a message; the source address is not relevant. </p> <p> - There is a pre-defined <span><strong class="command">update-policy</strong></span> + There is a pre-defined <span class="command"><strong>update-policy</strong></span> rule which can be switched on with the command - <span><strong class="command">update-policy local;</strong></span>. + <span class="command"><strong>update-policy local;</strong></span>. Switching on this rule in a zone causes - <span><strong class="command">named</strong></span> to generate a TSIG session + <span class="command"><strong>named</strong></span> to generate a TSIG session key and place it in a file, and to allow that key to update the zone. (By default, the file is <code class="filename">/var/run/named/session.key</code>, the key name is "local-ddns" and the key algorithm is HMAC-SHA256, but these values are configurable with the - <span><strong class="command">session-keyfile</strong></span>, - <span><strong class="command">session-keyname</strong></span> and - <span><strong class="command">session-keyalg</strong></span> options, respectively). + <span class="command"><strong>session-keyfile</strong></span>, + <span class="command"><strong>session-keyname</strong></span> and + <span class="command"><strong>session-keyalg</strong></span> options, respectively). </p> <p> A client running on the local system, and with appropriate @@ -8311,14 +8346,14 @@ example.com. NS ns2.example.net. <pre class="programlisting">update-policy { grant local-ddns zonesub any; }; </pre> <p> - The command <span><strong class="command">nsupdate -l</strong></span> sends update + The command <span class="command"><strong>nsupdate -l</strong></span> sends update requests to localhost, and signs them using the session key. </p> <p> Other rule definitions look like this: </p> <pre class="programlisting"> -( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>] +( <span class="command"><strong>grant</strong></span> | <span class="command"><strong>deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>] </pre> <p> Each rule grants or denies privileges. Once a message has @@ -8373,8 +8408,8 @@ example.com. NS ns2.example.net. </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="0.819in" class="1"> +<col width="3.681in" class="2"> </colgroup> <tbody> <tr> @@ -8418,10 +8453,10 @@ example.com. NS ns2.example.net. This rule is similar to subdomain, except that it matches when the name being updated is a subdomain of the zone in which the - <span><strong class="command">update-policy</strong></span> statement + <span class="command"><strong>update-policy</strong></span> statement appears. This obviates the need to type the zone name twice, and enables the use of a standard - <span><strong class="command">update-policy</strong></span> statement in + <span class="command"><strong>update-policy</strong></span> statement in multiple zones without modification. </p> <p> @@ -8441,7 +8476,7 @@ example.com. NS ns2.example.net. The <em class="replaceable"><code>name</code></em> field is subject to DNS wildcard expansion, and this rule matches when the name being updated - name is a valid expansion of the wildcard. + is a valid expansion of the wildcard. </p> </td> </tr> @@ -8614,7 +8649,7 @@ example.com. NS ns2.example.net. </td> <td> <p> - This rule allows <span><strong class="command">named</strong></span> + This rule allows <span class="command"><strong>named</strong></span> to defer the decision of whether to allow a given update to an external daemon. </p> @@ -8668,10 +8703,10 @@ example.com. NS ns2.example.net. </div> </div> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2597084"></a>Zone File</h2></div></div></div> -<div class="sect2" lang="en"> +<a name="zone_file"></a>Zone File</h2></div></div></div> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div> <p> @@ -8681,9 +8716,9 @@ example.com. NS ns2.example.net. identified and implemented in the DNS. These are also included. </p> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2597102"></a>Resource Records</h4></div></div></div> +<a name="id-1.7.6.2.3"></a>Resource Records</h4></div></div></div> <p> A domain name identifies a node. Each node has a set of resource information, which may be empty. The set of resource @@ -8692,15 +8727,15 @@ example.com. NS ns2.example.net. need not be preserved by name servers, resolvers, or other parts of the DNS. However, sorting of multiple RRs is permitted for optimization purposes, for example, to specify - that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>. + that a particular nearby server be tried first. See <a class="xref" href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span class="command"><strong>sortlist</strong></span> Statement”</a> and <a class="xref" href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>. </p> <p> The components of a Resource Record are: </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="1.000in" class="1"> +<col width="3.500in" class="2"> </colgroup> <tbody> <tr> @@ -8778,8 +8813,8 @@ example.com. NS ns2.example.net. </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="0.875in" class="1"> +<col width="3.625in" class="2"> </colgroup> <tbody> <tr> @@ -8864,6 +8899,18 @@ example.com. NS ns2.example.net. <tr> <td> <p> + AVC + </p> + </td> +<td> + <p> + Application Visibility and Control record. + </p> + </td> +</tr> +<tr> +<td> + <p> CAA </p> </td> @@ -8930,6 +8977,19 @@ example.com. NS ns2.example.net. <tr> <td> <p> + CSYNC + </p> + </td> +<td> + <p> + Child-to-Parent Synchronization in DNS as described + in RFC 7477. + </p> + </td> +</tr> +<tr> +<td> + <p> DHCID </p> </td> @@ -9308,6 +9368,18 @@ example.com. NS ns2.example.net. <tr> <td> <p> + NINFO + </p> + </td> +<td> + <p> + Contains zone status information. + </p> + </td> +</tr> +<tr> +<td> + <p> NIMLOC </p> </td> @@ -9478,6 +9550,18 @@ example.com. NS ns2.example.net. <tr> <td> <p> + RKEY + </p> + </td> +<td> + <p> + Resource key. + </p> + </td> +</tr> +<tr> +<td> + <p> RP </p> </td> @@ -9534,6 +9618,30 @@ example.com. NS ns2.example.net. <tr> <td> <p> + SINK + </p> + </td> +<td> + <p> + The kitchen sink record. + </p> + </td> +</tr> +<tr> +<td> + <p> + SMIMEA + </p> + </td> +<td> + <p> + The S/MIME Security Certificate Association. + </p> + </td> +</tr> +<tr> +<td> + <p> SOA </p> </td> @@ -9586,6 +9694,30 @@ example.com. NS ns2.example.net. <tr> <td> <p> + TA + </p> + </td> +<td> + <p> + Trust Anchor. Experimental. + </p> + </td> +</tr> +<tr> +<td> + <p> + TALINK + </p> + </td> +<td> + <p> + Trust Anchor Link. Experimental. + </p> + </td> +</tr> +<tr> +<td> + <p> TLSA </p> </td> @@ -9691,8 +9823,8 @@ example.com. NS ns2.example.net. </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="0.875in" class="1"> +<col width="3.625in" class="2"> </colgroup> <tbody> <tr> @@ -9781,9 +9913,9 @@ example.com. NS ns2.example.net. used as "pointers" to other data in the DNS. </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2599413"></a>Textual expression of RRs</h4></div></div></div> +<a name="rr_text"></a>Textual expression of RRs</h4></div></div></div> <p> RRs are represented in binary form in the packets of the DNS protocol, and are usually represented in highly encoded form @@ -9823,9 +9955,9 @@ example.com. NS ns2.example.net. </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> -<col> +<col width="1.381in" class="1"> +<col width="1.020in" class="2"> +<col width="2.099in" class="3"> </colgroup> <tbody> <tr> @@ -9941,9 +10073,9 @@ example.com. NS ns2.example.net. </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> -<col> +<col width="1.491in" class="1"> +<col width="1.067in" class="2"> +<col width="2.067in" class="3"> </colgroup> <tbody> <tr> @@ -9984,9 +10116,9 @@ example.com. NS ns2.example.net. </p> </div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2600002"></a>Discussion of MX Records</h3></div></div></div> +<a name="mx_records"></a>Discussion of MX Records</h3></div></div></div> <p> As described above, domain servers store information as a series of resource records, each of which contains a particular @@ -10024,11 +10156,11 @@ example.com. NS ns2.example.net. </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> -<col> -<col> -<col> +<col width="1.708in" class="1"> +<col width="0.444in" class="2"> +<col width="0.444in" class="3"> +<col width="0.976in" class="4"> +<col width="1.553in" class="5"> </colgroup> <tbody> <tr> @@ -10167,7 +10299,7 @@ example.com. NS ns2.example.net. be attempted. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div> <p> @@ -10180,8 +10312,8 @@ example.com. NS ns2.example.net. </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="0.750in" class="1"> +<col width="4.375in" class="2"> </colgroup> <tbody> <tr> @@ -10239,9 +10371,9 @@ example.com. NS ns2.example.net. can be explicitly specified, for example, <code class="literal">1h30m</code>. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2600549"></a>Inverse Mapping in IPv4</h3></div></div></div> +<a name="ipv4_reverse"></a>Inverse Mapping in IPv4</h3></div></div></div> <p> Reverse name resolution (that is, translation from IP address to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain @@ -10259,8 +10391,8 @@ example.com. NS ns2.example.net. </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="1.125in" class="1"> +<col width="4.000in" class="2"> </colgroup> <tbody> <tr> @@ -10292,7 +10424,7 @@ example.com. NS ns2.example.net. <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> <h3 class="title">Note</h3> <p> - The <span><strong class="command">$ORIGIN</strong></span> lines in the examples + The <span class="command"><strong>$ORIGIN</strong></span> lines in the examples are for providing context to the examples only — they do not necessarily appear in the actual usage. They are only used here to indicate @@ -10300,9 +10432,9 @@ example.com. NS ns2.example.net. </p> </div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2600812"></a>Other Zone File Directives</h3></div></div></div> +<a name="zone_directives"></a>Other Zone File Directives</h3></div></div></div> <p> The Master File Format was initially defined in RFC 1035 and has subsequently been extended. While the Master File Format @@ -10312,12 +10444,12 @@ example.com. NS ns2.example.net. class. </p> <p> - Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>, - and <span><strong class="command">$TTL.</strong></span> + Master File Directives include <span class="command"><strong>$ORIGIN</strong></span>, <span class="command"><strong>$INCLUDE</strong></span>, + and <span class="command"><strong>$TTL.</strong></span> </p> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2600835"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div> +<a name="atsign"></a>The <span class="command"><strong>@</strong></span> (at-sign)</h4></div></div></div> <p> When used in the label (or name) field, the asperand or at-sign (@) symbol represents the current origin. @@ -10326,22 +10458,22 @@ example.com. NS ns2.example.net. trailing dot). </p> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2600851"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div> +<a name="origin_directive"></a>The <span class="command"><strong>$ORIGIN</strong></span> Directive</h4></div></div></div> <p> - Syntax: <span><strong class="command">$ORIGIN</strong></span> + Syntax: <span class="command"><strong>$ORIGIN</strong></span> <em class="replaceable"><code>domain-name</code></em> [<span class="optional"><em class="replaceable"><code>comment</code></em></span>] </p> -<p><span><strong class="command">$ORIGIN</strong></span> +<p><span class="command"><strong>$ORIGIN</strong></span> sets the domain name that will be appended to any unqualified records. When a zone is first read in there - is an implicit <span><strong class="command">$ORIGIN</strong></span> - <<code class="varname">zone_name</code>><span><strong class="command">.</strong></span> + is an implicit <span class="command"><strong>$ORIGIN</strong></span> + <<code class="varname">zone_name</code>><span class="command"><strong>.</strong></span> (followed by trailing dot). - The current <span><strong class="command">$ORIGIN</strong></span> is appended to - the domain specified in the <span><strong class="command">$ORIGIN</strong></span> + The current <span class="command"><strong>$ORIGIN</strong></span> is appended to + the domain specified in the <span class="command"><strong>$ORIGIN</strong></span> argument if it is not absolute. </p> <pre class="programlisting"> @@ -10355,11 +10487,11 @@ WWW CNAME MAIN-SERVER WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. </pre> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2600912"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div> +<a name="include_directive"></a>The <span class="command"><strong>$INCLUDE</strong></span> Directive</h4></div></div></div> <p> - Syntax: <span><strong class="command">$INCLUDE</strong></span> + Syntax: <span class="command"><strong>$INCLUDE</strong></span> <em class="replaceable"><code>filename</code></em> [<span class="optional"> <em class="replaceable"><code>origin</code></em> </span>] @@ -10367,14 +10499,14 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. </p> <p> Read and process the file <code class="filename">filename</code> as - if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is - specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set - to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is + if it were included into the file at this point. If <span class="command"><strong>origin</strong></span> is + specified the file is processed with <span class="command"><strong>$ORIGIN</strong></span> set + to that value, otherwise the current <span class="command"><strong>$ORIGIN</strong></span> is used. </p> <p> The origin and the current domain name - revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once + revert to the values they had prior to the <span class="command"><strong>$INCLUDE</strong></span> once the file has been read. </p> <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> @@ -10382,7 +10514,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. <p> RFC 1035 specifies that the current origin should be restored after - an <span><strong class="command">$INCLUDE</strong></span>, but it is silent + an <span class="command"><strong>$INCLUDE</strong></span>, but it is silent on whether the current domain name should also be restored. BIND 9 restores both of them. @@ -10391,11 +10523,11 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. </p> </div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2600981"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div> +<a name="ttl_directive"></a>The <span class="command"><strong>$TTL</strong></span> Directive</h4></div></div></div> <p> - Syntax: <span><strong class="command">$TTL</strong></span> + Syntax: <span class="command"><strong>$TTL</strong></span> <em class="replaceable"><code>default-ttl</code></em> [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>] @@ -10405,16 +10537,16 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds. </p> -<p><span><strong class="command">$TTL</strong></span> +<p><span class="command"><strong>$TTL</strong></span> is defined in RFC 2308. </p> </div> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> -<a name="id2601017"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div> +<a name="generate_directive"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span class="command"><strong>$GENERATE</strong></span> Directive</h3></div></div></div> <p> - Syntax: <span><strong class="command">$GENERATE</strong></span> + Syntax: <span class="command"><strong>$GENERATE</strong></span> <em class="replaceable"><code>range</code></em> <em class="replaceable"><code>lhs</code></em> [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>] @@ -10423,10 +10555,10 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. <em class="replaceable"><code>rhs</code></em> [<span class="optional"><em class="replaceable"><code>comment</code></em></span>] </p> -<p><span><strong class="command">$GENERATE</strong></span> +<p><span class="command"><strong>$GENERATE</strong></span> is used to create a series of resource records that only differ from each other by an - iterator. <span><strong class="command">$GENERATE</strong></span> can be used to + iterator. <span class="command"><strong>$GENERATE</strong></span> can be used to easily generate the sets of records required to support sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA delegation. @@ -10468,13 +10600,13 @@ HOST-127.EXAMPLE. MX 0 . </pre> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="0.875in" class="1"> +<col width="4.250in" class="2"> </colgroup> <tbody> <tr> <td> - <p><span><strong class="command">range</strong></span></p> + <p><span class="command"><strong>range</strong></span></p> </td> <td> <p> @@ -10488,43 +10620,43 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">lhs</strong></span></p> + <p><span class="command"><strong>lhs</strong></span></p> </td> <td> <p>This describes the owner name of the resource records - to be created. Any single <span><strong class="command">$</strong></span> + to be created. Any single <span class="command"><strong>$</strong></span> (dollar sign) - symbols within the <span><strong class="command">lhs</strong></span> string + symbols within the <span class="command"><strong>lhs</strong></span> string are replaced by the iterator value. To get a $ in the output, you need to escape the - <span><strong class="command">$</strong></span> using a backslash - <span><strong class="command">\</strong></span>, - e.g. <span><strong class="command">\$</strong></span>. The - <span><strong class="command">$</strong></span> may optionally be followed + <span class="command"><strong>$</strong></span> using a backslash + <span class="command"><strong>\</strong></span>, + e.g. <span class="command"><strong>\$</strong></span>. The + <span class="command"><strong>$</strong></span> may optionally be followed by modifiers which change the offset from the iterator, field width and base. Modifiers are introduced by a - <span><strong class="command">{</strong></span> (left brace) immediately following the - <span><strong class="command">$</strong></span> as - <span><strong class="command">${offset[,width[,base]]}</strong></span>. - For example, <span><strong class="command">${-20,3,d}</strong></span> + <span class="command"><strong>{</strong></span> (left brace) immediately following the + <span class="command"><strong>$</strong></span> as + <span class="command"><strong>${offset[,width[,base]]}</strong></span>. + For example, <span class="command"><strong>${-20,3,d}</strong></span> subtracts 20 from the current value, prints the result as a decimal in a zero-padded field of width 3. Available output forms are decimal - (<span><strong class="command">d</strong></span>), octal - (<span><strong class="command">o</strong></span>), hexadecimal - (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span> + (<span class="command"><strong>d</strong></span>), octal + (<span class="command"><strong>o</strong></span>), hexadecimal + (<span class="command"><strong>x</strong></span> or <span class="command"><strong>X</strong></span> for uppercase) and nibble - (<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>\ + (<span class="command"><strong>n</strong></span> or <span class="command"><strong>N</strong></span>\ for uppercase). The default modifier is - <span><strong class="command">${0,0,d}</strong></span>. If the - <span><strong class="command">lhs</strong></span> is not absolute, the - current <span><strong class="command">$ORIGIN</strong></span> is appended + <span class="command"><strong>${0,0,d}</strong></span>. If the + <span class="command"><strong>lhs</strong></span> is not absolute, the + current <span class="command"><strong>$ORIGIN</strong></span> is appended to the name. </p> <p> @@ -10536,14 +10668,14 @@ HOST-127.EXAMPLE. MX 0 . </p> <p> For compatibility with earlier versions, - <span><strong class="command">$$</strong></span> is still recognized as + <span class="command"><strong>$$</strong></span> is still recognized as indicating a literal $ in the output. </p> </td> </tr> <tr> <td> - <p><span><strong class="command">ttl</strong></span></p> + <p><span class="command"><strong>ttl</strong></span></p> </td> <td> <p> @@ -10551,15 +10683,15 @@ HOST-127.EXAMPLE. MX 0 . not specified this will be inherited using the normal TTL inheritance rules. </p> - <p><span><strong class="command">class</strong></span> - and <span><strong class="command">ttl</strong></span> can be + <p><span class="command"><strong>class</strong></span> + and <span class="command"><strong>ttl</strong></span> can be entered in either order. </p> </td> </tr> <tr> <td> - <p><span><strong class="command">class</strong></span></p> + <p><span class="command"><strong>class</strong></span></p> </td> <td> <p> @@ -10567,15 +10699,15 @@ HOST-127.EXAMPLE. MX 0 . This must match the zone class if it is specified. </p> - <p><span><strong class="command">class</strong></span> - and <span><strong class="command">ttl</strong></span> can be + <p><span class="command"><strong>class</strong></span> + and <span class="command"><strong>ttl</strong></span> can be entered in either order. </p> </td> </tr> <tr> <td> - <p><span><strong class="command">type</strong></span></p> + <p><span class="command"><strong>type</strong></span></p> </td> <td> <p> @@ -10585,25 +10717,25 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">rhs</strong></span></p> + <p><span class="command"><strong>rhs</strong></span></p> </td> <td> <p> - <span><strong class="command">rhs</strong></span>, optionally, quoted string. + <span class="command"><strong>rhs</strong></span>, optionally, quoted string. </p> </td> </tr> </tbody> </table></div> <p> - The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension + The <span class="command"><strong>$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension and not part of the standard zone file format. </p> <p> BIND 8 does not support the optional TTL and CLASS fields. </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="zonefile_format"></a>Additional File Formats</h3></div></div></div> <p> @@ -10619,20 +10751,20 @@ HOST-127.EXAMPLE. MX 0 . For a primary server, a zone file in the <code class="constant">raw</code> format is expected to be generated from a textual zone file by the - <span><strong class="command">named-compilezone</strong></span> command. For a + <span class="command"><strong>named-compilezone</strong></span> command. For a secondary server or for a dynamic zone, it is automatically generated (if this format is specified by the - <span><strong class="command">masterfile-format</strong></span> option) when - <span><strong class="command">named</strong></span> dumps the zone contents after + <span class="command"><strong>masterfile-format</strong></span> option) when + <span class="command"><strong>named</strong></span> dumps the zone contents after zone transfer or when applying prior updates. </p> <p> If a zone file in a binary format needs manual modification, it first must be converted to a textual form by the - <span><strong class="command">named-compilezone</strong></span> command. All + <span class="command"><strong>named-compilezone</strong></span> command. All necessary modification should go to the text file, which should then be converted to the binary form by the - <span><strong class="command">named-compilezone</strong></span> command again. + <span class="command"><strong>named-compilezone</strong></span> command again. </p> <p> Although the <code class="constant">raw</code> format uses the @@ -10646,7 +10778,7 @@ HOST-127.EXAMPLE. MX 0 . </p> </div> </div> -<div class="sect1" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> <a name="statistics"></a>BIND9 Statistics</h2></div></div></div> <p> @@ -10664,8 +10796,8 @@ HOST-127.EXAMPLE. MX 0 . </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="3.300in" class="1"> +<col width="2.625in" class="2"> </colgroup> <tbody> <tr> @@ -10764,30 +10896,35 @@ HOST-127.EXAMPLE. MX 0 . <p> A subset of Name Server Statistics is collected and shown per zone for which the server has the authority when - <span><strong class="command">zone-statistics</strong></span> is set to - <strong class="userinput"><code>yes</code></strong>. - These statistics counters are shown with their zone and view - names. - In some cases the view names are omitted for the default view. + <span class="command"><strong>zone-statistics</strong></span> is set to + <strong class="userinput"><code>full</code></strong> (or <strong class="userinput"><code>yes</code></strong> + for backward compatibility. See the description of + <span class="command"><strong>zone-statistics</strong></span> in <a class="xref" href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span class="command"><strong>options</strong></span> Statement Definition and + Usage”</a> + for further details. </p> <p> + These statistics counters are shown with their zone and + view names. The view name is omitted when the server is + not configured with explicit views.</p> +<p> There are currently two user interfaces to get access to the statistics. One is in the plain text format dumped to the file specified - by the <span><strong class="command">statistics-file</strong></span> configuration option. + by the <span class="command"><strong>statistics-file</strong></span> configuration option. The other is remotely accessible via a statistics channel - when the <span><strong class="command">statistics-channels</strong></span> statement + when the <span class="command"><strong>statistics-channels</strong></span> statement is specified in the configuration file - (see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called “<span><strong class="command">statistics-channels</strong></span> Statement Grammar”</a>.) + (see <a class="xref" href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called “<span class="command"><strong>statistics-channels</strong></span> Statement Grammar”</a>.) </p> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="statsfile"></a>The Statistics File</h4></div></div></div> +<div class="section"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="statsfile"></a>The Statistics File</h3></div></div></div> <p> The text format statistics dump begins with a line, like: </p> <p> - <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span> + <span class="command"><strong>+++ Statistics Dump +++ (973798949)</strong></span> </p> <p> The number in parentheses is a standard @@ -10799,7 +10936,7 @@ HOST-127.EXAMPLE. MX 0 . Each section begins with a line, like: </p> <p> - <span><strong class="command">++ Name Server Statistics ++</strong></span> + <span class="command"><strong>++ Name Server Statistics ++</strong></span> </p> <p> Each section consists of lines, each containing the statistics @@ -10813,10 +10950,10 @@ HOST-127.EXAMPLE. MX 0 . number is identical to the number in the beginning line; for example: </p> <p> - <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span> + <span class="command"><strong>--- Statistics Dump --- (973798949)</strong></span> </p> </div> -<div class="sect2" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="statistics_counters"></a>Statistics Counters</h3></div></div></div> <p> @@ -10835,14 +10972,14 @@ HOST-127.EXAMPLE. MX 0 . it gives the corresponding counter name of the <acronym class="acronym">BIND</acronym> 8 statistics, if applicable. </p> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2602039"></a>Name Server Statistics Counters</h4></div></div></div> +<a name="stats_counters"></a>Name Server Statistics Counters</h4></div></div></div> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> -<col> +<col width="1.150in" class="1"> +<col width="1.150in" class="2"> +<col width="3.350in" class="3"> </colgroup> <tbody> <tr> @@ -10864,10 +11001,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Requestv4</strong></span></p> + <p><span class="command"><strong>Requestv4</strong></span></p> </td> <td> - <p><span><strong class="command">RQ</strong></span></p> + <p><span class="command"><strong>RQ</strong></span></p> </td> <td> <p> @@ -10878,10 +11015,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Requestv6</strong></span></p> + <p><span class="command"><strong>Requestv6</strong></span></p> </td> <td> - <p><span><strong class="command">RQ</strong></span></p> + <p><span class="command"><strong>RQ</strong></span></p> </td> <td> <p> @@ -10892,10 +11029,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ReqEdns0</strong></span></p> + <p><span class="command"><strong>ReqEdns0</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -10905,10 +11042,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ReqBadEDNSVer</strong></span></p> + <p><span class="command"><strong>ReqBadEDNSVer</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -10918,10 +11055,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ReqTSIG</strong></span></p> + <p><span class="command"><strong>ReqTSIG</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -10931,10 +11068,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ReqSIG0</strong></span></p> + <p><span class="command"><strong>ReqSIG0</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -10944,10 +11081,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ReqBadSIG</strong></span></p> + <p><span class="command"><strong>ReqBadSIG</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -10957,10 +11094,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ReqTCP</strong></span></p> + <p><span class="command"><strong>ReqTCP</strong></span></p> </td> <td> - <p><span><strong class="command">RTCP</strong></span></p> + <p><span class="command"><strong>RTCP</strong></span></p> </td> <td> <p> @@ -10970,10 +11107,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">AuthQryRej</strong></span></p> + <p><span class="command"><strong>AuthQryRej</strong></span></p> </td> <td> - <p><span><strong class="command">RUQ</strong></span></p> + <p><span class="command"><strong>RUQ</strong></span></p> </td> <td> <p> @@ -10983,10 +11120,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">RecQryRej</strong></span></p> + <p><span class="command"><strong>RecQryRej</strong></span></p> </td> <td> - <p><span><strong class="command">RURQ</strong></span></p> + <p><span class="command"><strong>RURQ</strong></span></p> </td> <td> <p> @@ -10996,10 +11133,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">XfrRej</strong></span></p> + <p><span class="command"><strong>XfrRej</strong></span></p> </td> <td> - <p><span><strong class="command">RUXFR</strong></span></p> + <p><span class="command"><strong>RUXFR</strong></span></p> </td> <td> <p> @@ -11009,10 +11146,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">UpdateRej</strong></span></p> + <p><span class="command"><strong>UpdateRej</strong></span></p> </td> <td> - <p><span><strong class="command">RUUpd</strong></span></p> + <p><span class="command"><strong>RUUpd</strong></span></p> </td> <td> <p> @@ -11022,10 +11159,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Response</strong></span></p> + <p><span class="command"><strong>Response</strong></span></p> </td> <td> - <p><span><strong class="command">SAns</strong></span></p> + <p><span class="command"><strong>SAns</strong></span></p> </td> <td> <p> @@ -11035,10 +11172,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">RespTruncated</strong></span></p> + <p><span class="command"><strong>RespTruncated</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11048,10 +11185,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">RespEDNS0</strong></span></p> + <p><span class="command"><strong>RespEDNS0</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11061,10 +11198,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">RespTSIG</strong></span></p> + <p><span class="command"><strong>RespTSIG</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11074,10 +11211,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">RespSIG0</strong></span></p> + <p><span class="command"><strong>RespSIG0</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11087,10 +11224,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QrySuccess</strong></span></p> + <p><span class="command"><strong>QrySuccess</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11098,7 +11235,7 @@ HOST-127.EXAMPLE. MX 0 . This means the query which returns a NOERROR response with at least one answer RR. This corresponds to the - <span><strong class="command">success</strong></span> counter + <span class="command"><strong>success</strong></span> counter of previous versions of <acronym class="acronym">BIND</acronym> 9. </p> @@ -11106,10 +11243,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryAuthAns</strong></span></p> + <p><span class="command"><strong>QryAuthAns</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11119,10 +11256,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryNoauthAns</strong></span></p> + <p><span class="command"><strong>QryNoauthAns</strong></span></p> </td> <td> - <p><span><strong class="command">SNaAns</strong></span></p> + <p><span class="command"><strong>SNaAns</strong></span></p> </td> <td> <p> @@ -11132,16 +11269,16 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryReferral</strong></span></p> + <p><span class="command"><strong>QryReferral</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> Queries resulted in referral answer. This corresponds to the - <span><strong class="command">referral</strong></span> counter + <span class="command"><strong>referral</strong></span> counter of previous versions of <acronym class="acronym">BIND</acronym> 9. </p> @@ -11149,16 +11286,16 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryNxrrset</strong></span></p> + <p><span class="command"><strong>QryNxrrset</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> Queries resulted in NOERROR responses with no data. This corresponds to the - <span><strong class="command">nxrrset</strong></span> counter + <span class="command"><strong>nxrrset</strong></span> counter of previous versions of <acronym class="acronym">BIND</acronym> 9. </p> @@ -11166,10 +11303,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QrySERVFAIL</strong></span></p> + <p><span class="command"><strong>QrySERVFAIL</strong></span></p> </td> <td> - <p><span><strong class="command">SFail</strong></span></p> + <p><span class="command"><strong>SFail</strong></span></p> </td> <td> <p> @@ -11179,10 +11316,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryFORMERR</strong></span></p> + <p><span class="command"><strong>QryFORMERR</strong></span></p> </td> <td> - <p><span><strong class="command">SFErr</strong></span></p> + <p><span class="command"><strong>SFErr</strong></span></p> </td> <td> <p> @@ -11192,16 +11329,16 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryNXDOMAIN</strong></span></p> + <p><span class="command"><strong>QryNXDOMAIN</strong></span></p> </td> <td> - <p><span><strong class="command">SNXD</strong></span></p> + <p><span class="command"><strong>SNXD</strong></span></p> </td> <td> <p> Queries resulted in NXDOMAIN. This corresponds to the - <span><strong class="command">nxdomain</strong></span> counter + <span class="command"><strong>nxdomain</strong></span> counter of previous versions of <acronym class="acronym">BIND</acronym> 9. </p> @@ -11209,17 +11346,17 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryRecursion</strong></span></p> + <p><span class="command"><strong>QryRecursion</strong></span></p> </td> <td> - <p><span><strong class="command">RFwdQ</strong></span></p> + <p><span class="command"><strong>RFwdQ</strong></span></p> </td> <td> <p> Queries which caused the server to perform recursion in order to find the final answer. This corresponds to the - <span><strong class="command">recursion</strong></span> counter + <span class="command"><strong>recursion</strong></span> counter of previous versions of <acronym class="acronym">BIND</acronym> 9. </p> @@ -11227,10 +11364,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryDuplicate</strong></span></p> + <p><span class="command"><strong>QryDuplicate</strong></span></p> </td> <td> - <p><span><strong class="command">RDupQ</strong></span></p> + <p><span class="command"><strong>RDupQ</strong></span></p> </td> <td> <p> @@ -11239,7 +11376,7 @@ HOST-127.EXAMPLE. MX 0 . IP address, port, query ID, name, type and class already being processed. This corresponds to the - <span><strong class="command">duplicate</strong></span> counter + <span class="command"><strong>duplicate</strong></span> counter of previous versions of <acronym class="acronym">BIND</acronym> 9. </p> @@ -11247,10 +11384,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryDropped</strong></span></p> + <p><span class="command"><strong>QryDropped</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11260,14 +11397,14 @@ HOST-127.EXAMPLE. MX 0 . class and were subsequently dropped. This is the number of dropped queries due to the reason explained with the - <span><strong class="command">clients-per-query</strong></span> + <span class="command"><strong>clients-per-query</strong></span> and - <span><strong class="command">max-clients-per-query</strong></span> + <span class="command"><strong>max-clients-per-query</strong></span> options (see the description about - <a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.) + <a class="xref" href="Bv9ARM.ch06.html#clients-per-query"><span class="command"><strong>clients-per-query</strong></span></a>.) This corresponds to the - <span><strong class="command">dropped</strong></span> counter + <span class="command"><strong>dropped</strong></span> counter of previous versions of <acronym class="acronym">BIND</acronym> 9. </p> @@ -11275,23 +11412,23 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryFailure</strong></span></p> + <p><span class="command"><strong>QryFailure</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> Other query failures. This corresponds to the - <span><strong class="command">failure</strong></span> counter + <span class="command"><strong>failure</strong></span> counter of previous versions of <acronym class="acronym">BIND</acronym> 9. Note: this counter is provided mainly for backward compatibility with the previous versions. Normally a more fine-grained counters such as - <span><strong class="command">AuthQryRej</strong></span> and - <span><strong class="command">RecQryRej</strong></span> + <span class="command"><strong>AuthQryRej</strong></span> and + <span class="command"><strong>RecQryRej</strong></span> that would also fall into this counter are provided, and so this counter would not be of much interest in practice. @@ -11300,10 +11437,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">XfrReqDone</strong></span></p> + <p><span class="command"><strong>XfrReqDone</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11313,10 +11450,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">UpdateReqFwd</strong></span></p> + <p><span class="command"><strong>UpdateReqFwd</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11326,10 +11463,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">UpdateRespFwd</strong></span></p> + <p><span class="command"><strong>UpdateRespFwd</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11339,10 +11476,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">UpdateFwdFail</strong></span></p> + <p><span class="command"><strong>UpdateFwdFail</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11352,10 +11489,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">UpdateDone</strong></span></p> + <p><span class="command"><strong>UpdateDone</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11365,10 +11502,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">UpdateFail</strong></span></p> + <p><span class="command"><strong>UpdateFail</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11378,10 +11515,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">UpdateBadPrereq</strong></span></p> + <p><span class="command"><strong>UpdateBadPrereq</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11391,10 +11528,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">RPZRewrites</strong></span></p> + <p><span class="command"><strong>RPZRewrites</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11404,10 +11541,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">RateDropped</strong></span></p> + <p><span class="command"><strong>RateDropped</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11417,10 +11554,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">RateSlipped</strong></span></p> + <p><span class="command"><strong>RateSlipped</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11431,13 +11568,13 @@ HOST-127.EXAMPLE. MX 0 . </tbody> </table></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2603745"></a>Zone Maintenance Statistics Counters</h4></div></div></div> +<a name="zone_stats"></a>Zone Maintenance Statistics Counters</h4></div></div></div> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="1.150in" class="1"> +<col width="3.350in" class="2"> </colgroup> <tbody> <tr> @@ -11454,7 +11591,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">NotifyOutv4</strong></span></p> + <p><span class="command"><strong>NotifyOutv4</strong></span></p> </td> <td> <p> @@ -11464,7 +11601,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">NotifyOutv6</strong></span></p> + <p><span class="command"><strong>NotifyOutv6</strong></span></p> </td> <td> <p> @@ -11474,7 +11611,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">NotifyInv4</strong></span></p> + <p><span class="command"><strong>NotifyInv4</strong></span></p> </td> <td> <p> @@ -11484,7 +11621,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">NotifyInv6</strong></span></p> + <p><span class="command"><strong>NotifyInv6</strong></span></p> </td> <td> <p> @@ -11494,7 +11631,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">NotifyRej</strong></span></p> + <p><span class="command"><strong>NotifyRej</strong></span></p> </td> <td> <p> @@ -11504,7 +11641,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">SOAOutv4</strong></span></p> + <p><span class="command"><strong>SOAOutv4</strong></span></p> </td> <td> <p> @@ -11514,7 +11651,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">SOAOutv6</strong></span></p> + <p><span class="command"><strong>SOAOutv6</strong></span></p> </td> <td> <p> @@ -11524,7 +11661,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">AXFRReqv4</strong></span></p> + <p><span class="command"><strong>AXFRReqv4</strong></span></p> </td> <td> <p> @@ -11534,7 +11671,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">AXFRReqv6</strong></span></p> + <p><span class="command"><strong>AXFRReqv6</strong></span></p> </td> <td> <p> @@ -11544,7 +11681,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">IXFRReqv4</strong></span></p> + <p><span class="command"><strong>IXFRReqv4</strong></span></p> </td> <td> <p> @@ -11554,7 +11691,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">IXFRReqv6</strong></span></p> + <p><span class="command"><strong>IXFRReqv6</strong></span></p> </td> <td> <p> @@ -11564,7 +11701,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">XfrSuccess</strong></span></p> + <p><span class="command"><strong>XfrSuccess</strong></span></p> </td> <td> <p> @@ -11574,7 +11711,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">XfrFail</strong></span></p> + <p><span class="command"><strong>XfrFail</strong></span></p> </td> <td> <p> @@ -11585,14 +11722,14 @@ HOST-127.EXAMPLE. MX 0 . </tbody> </table></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2604128"></a>Resolver Statistics Counters</h4></div></div></div> +<a name="resolver_stats"></a>Resolver Statistics Counters</h4></div></div></div> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> -<col> +<col width="1.150in" class="1"> +<col width="1.150in" class="2"> +<col width="3.350in" class="3"> </colgroup> <tbody> <tr> @@ -11614,10 +11751,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Queryv4</strong></span></p> + <p><span class="command"><strong>Queryv4</strong></span></p> </td> <td> - <p><span><strong class="command">SFwdQ</strong></span></p> + <p><span class="command"><strong>SFwdQ</strong></span></p> </td> <td> <p> @@ -11627,10 +11764,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Queryv6</strong></span></p> + <p><span class="command"><strong>Queryv6</strong></span></p> </td> <td> - <p><span><strong class="command">SFwdQ</strong></span></p> + <p><span class="command"><strong>SFwdQ</strong></span></p> </td> <td> <p> @@ -11640,10 +11777,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Responsev4</strong></span></p> + <p><span class="command"><strong>Responsev4</strong></span></p> </td> <td> - <p><span><strong class="command">RR</strong></span></p> + <p><span class="command"><strong>RR</strong></span></p> </td> <td> <p> @@ -11653,10 +11790,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Responsev6</strong></span></p> + <p><span class="command"><strong>Responsev6</strong></span></p> </td> <td> - <p><span><strong class="command">RR</strong></span></p> + <p><span class="command"><strong>RR</strong></span></p> </td> <td> <p> @@ -11666,10 +11803,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">NXDOMAIN</strong></span></p> + <p><span class="command"><strong>NXDOMAIN</strong></span></p> </td> <td> - <p><span><strong class="command">RNXD</strong></span></p> + <p><span class="command"><strong>RNXD</strong></span></p> </td> <td> <p> @@ -11679,10 +11816,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">SERVFAIL</strong></span></p> + <p><span class="command"><strong>SERVFAIL</strong></span></p> </td> <td> - <p><span><strong class="command">RFail</strong></span></p> + <p><span class="command"><strong>RFail</strong></span></p> </td> <td> <p> @@ -11692,10 +11829,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">FORMERR</strong></span></p> + <p><span class="command"><strong>FORMERR</strong></span></p> </td> <td> - <p><span><strong class="command">RFErr</strong></span></p> + <p><span class="command"><strong>RFErr</strong></span></p> </td> <td> <p> @@ -11705,10 +11842,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">OtherError</strong></span></p> + <p><span class="command"><strong>OtherError</strong></span></p> </td> <td> - <p><span><strong class="command">RErr</strong></span></p> + <p><span class="command"><strong>RErr</strong></span></p> </td> <td> <p> @@ -11718,10 +11855,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">EDNS0Fail</strong></span></p> + <p><span class="command"><strong>EDNS0Fail</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11731,10 +11868,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Mismatch</strong></span></p> + <p><span class="command"><strong>Mismatch</strong></span></p> </td> <td> - <p><span><strong class="command">RDupR</strong></span></p> + <p><span class="command"><strong>RDupR</strong></span></p> </td> <td> <p> @@ -11743,7 +11880,7 @@ HOST-127.EXAMPLE. MX 0 . and/or the response's source port does not match what was expected. (The port must be 53 or as defined by - the <span><strong class="command">port</strong></span> option.) + the <span class="command"><strong>port</strong></span> option.) This may be an indication of a cache poisoning attempt. </p> @@ -11751,10 +11888,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Truncated</strong></span></p> + <p><span class="command"><strong>Truncated</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11764,10 +11901,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Lame</strong></span></p> + <p><span class="command"><strong>Lame</strong></span></p> </td> <td> - <p><span><strong class="command">RLame</strong></span></p> + <p><span class="command"><strong>RLame</strong></span></p> </td> <td> <p> @@ -11777,10 +11914,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">Retry</strong></span></p> + <p><span class="command"><strong>Retry</strong></span></p> </td> <td> - <p><span><strong class="command">SDupQ</strong></span></p> + <p><span class="command"><strong>SDupQ</strong></span></p> </td> <td> <p> @@ -11790,10 +11927,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QueryAbort</strong></span></p> + <p><span class="command"><strong>QueryAbort</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11803,10 +11940,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QuerySockFail</strong></span></p> + <p><span class="command"><strong>QuerySockFail</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11819,10 +11956,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QueryTimeout</strong></span></p> + <p><span class="command"><strong>QueryTimeout</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11832,10 +11969,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">GlueFetchv4</strong></span></p> + <p><span class="command"><strong>GlueFetchv4</strong></span></p> </td> <td> - <p><span><strong class="command">SSysQ</strong></span></p> + <p><span class="command"><strong>SSysQ</strong></span></p> </td> <td> <p> @@ -11845,10 +11982,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">GlueFetchv6</strong></span></p> + <p><span class="command"><strong>GlueFetchv6</strong></span></p> </td> <td> - <p><span><strong class="command">SSysQ</strong></span></p> + <p><span class="command"><strong>SSysQ</strong></span></p> </td> <td> <p> @@ -11858,10 +11995,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">GlueFetchv4Fail</strong></span></p> + <p><span class="command"><strong>GlueFetchv4Fail</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11871,10 +12008,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">GlueFetchv6Fail</strong></span></p> + <p><span class="command"><strong>GlueFetchv6Fail</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11884,10 +12021,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ValAttempt</strong></span></p> + <p><span class="command"><strong>ValAttempt</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11897,10 +12034,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ValOk</strong></span></p> + <p><span class="command"><strong>ValOk</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11910,10 +12047,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ValNegOk</strong></span></p> + <p><span class="command"><strong>ValNegOk</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11923,10 +12060,10 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">ValFail</strong></span></p> + <p><span class="command"><strong>ValFail</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> @@ -11936,60 +12073,60 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command">QryRTTnn</strong></span></p> + <p><span class="command"><strong>QryRTTnn</strong></span></p> </td> <td> - <p><span><strong class="command"></strong></span></p> + <p><span class="command"><strong></strong></span></p> </td> <td> <p> Frequency table on round trip times (RTTs) of queries. - Each <span><strong class="command">nn</strong></span> specifies the corresponding + Each <span class="command"><strong>nn</strong></span> specifies the corresponding frequency. In the sequence of - <span><strong class="command">nn_1</strong></span>, - <span><strong class="command">nn_2</strong></span>, + <span class="command"><strong>nn_1</strong></span>, + <span class="command"><strong>nn_2</strong></span>, ..., - <span><strong class="command">nn_m</strong></span>, - the value of <span><strong class="command">nn_i</strong></span> is the + <span class="command"><strong>nn_m</strong></span>, + the value of <span class="command"><strong>nn_i</strong></span> is the number of queries whose RTTs are between - <span><strong class="command">nn_(i-1)</strong></span> (inclusive) and - <span><strong class="command">nn_i</strong></span> (exclusive) milliseconds. + <span class="command"><strong>nn_(i-1)</strong></span> (inclusive) and + <span class="command"><strong>nn_i</strong></span> (exclusive) milliseconds. For the sake of convenience we define - <span><strong class="command">nn_0</strong></span> to be 0. + <span class="command"><strong>nn_0</strong></span> to be 0. The last entry should be represented as - <span><strong class="command">nn_m+</strong></span>, which means the + <span class="command"><strong>nn_m+</strong></span>, which means the number of queries whose RTTs are equal to or over - <span><strong class="command">nn_m</strong></span> milliseconds. + <span class="command"><strong>nn_m</strong></span> milliseconds. </p> </td> </tr> </tbody> </table></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2605149"></a>Socket I/O Statistics Counters</h4></div></div></div> +<a name="socket_stats"></a>Socket I/O Statistics Counters</h4></div></div></div> <p> Socket I/O statistics counters are defined per socket types, which are - <span><strong class="command">UDP4</strong></span> (UDP/IPv4), - <span><strong class="command">UDP6</strong></span> (UDP/IPv6), - <span><strong class="command">TCP4</strong></span> (TCP/IPv4), - <span><strong class="command">TCP6</strong></span> (TCP/IPv6), - <span><strong class="command">Unix</strong></span> (Unix Domain), and - <span><strong class="command">FDwatch</strong></span> (sockets opened outside the + <span class="command"><strong>UDP4</strong></span> (UDP/IPv4), + <span class="command"><strong>UDP6</strong></span> (UDP/IPv6), + <span class="command"><strong>TCP4</strong></span> (TCP/IPv4), + <span class="command"><strong>TCP6</strong></span> (TCP/IPv6), + <span class="command"><strong>Unix</strong></span> (Unix Domain), and + <span class="command"><strong>FDwatch</strong></span> (sockets opened outside the socket module). - In the following table <span><strong class="command"><TYPE></strong></span> + In the following table <span class="command"><strong><TYPE></strong></span> represents a socket type. Not all counters are available for all socket types; exceptions are noted in the description field. </p> <div class="informaltable"><table border="1"> <colgroup> -<col> -<col> +<col width="1.150in" class="1"> +<col width="3.350in" class="2"> </colgroup> <tbody> <tr> @@ -12006,31 +12143,31 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command"><TYPE>Open</strong></span></p> + <p><span class="command"><strong><TYPE>Open</strong></span></p> </td> <td> <p> Sockets opened successfully. This counter is not applicable to the - <span><strong class="command">FDwatch</strong></span> type. + <span class="command"><strong>FDwatch</strong></span> type. </p> </td> </tr> <tr> <td> - <p><span><strong class="command"><TYPE>OpenFail</strong></span></p> + <p><span class="command"><strong><TYPE>OpenFail</strong></span></p> </td> <td> <p> Failures of opening sockets. This counter is not applicable to the - <span><strong class="command">FDwatch</strong></span> type. + <span class="command"><strong>FDwatch</strong></span> type. </p> </td> </tr> <tr> <td> - <p><span><strong class="command"><TYPE>Close</strong></span></p> + <p><span class="command"><strong><TYPE>Close</strong></span></p> </td> <td> <p> @@ -12040,7 +12177,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command"><TYPE>BindFail</strong></span></p> + <p><span class="command"><strong><TYPE>BindFail</strong></span></p> </td> <td> <p> @@ -12050,7 +12187,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command"><TYPE>ConnFail</strong></span></p> + <p><span class="command"><strong><TYPE>ConnFail</strong></span></p> </td> <td> <p> @@ -12060,7 +12197,7 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command"><TYPE>Conn</strong></span></p> + <p><span class="command"><strong><TYPE>Conn</strong></span></p> </td> <td> <p> @@ -12070,46 +12207,46 @@ HOST-127.EXAMPLE. MX 0 . </tr> <tr> <td> - <p><span><strong class="command"><TYPE>AcceptFail</strong></span></p> + <p><span class="command"><strong><TYPE>AcceptFail</strong></span></p> </td> <td> <p> Failures of accepting incoming connection requests. This counter is not applicable to the - <span><strong class="command">UDP</strong></span> and - <span><strong class="command">FDwatch</strong></span> types. + <span class="command"><strong>UDP</strong></span> and + <span class="command"><strong>FDwatch</strong></span> types. </p> </td> </tr> <tr> <td> - <p><span><strong class="command"><TYPE>Accept</strong></span></p> + <p><span class="command"><strong><TYPE>Accept</strong></span></p> </td> <td> <p> Incoming connections successfully accepted. This counter is not applicable to the - <span><strong class="command">UDP</strong></span> and - <span><strong class="command">FDwatch</strong></span> types. + <span class="command"><strong>UDP</strong></span> and + <span class="command"><strong>FDwatch</strong></span> types. </p> </td> </tr> <tr> <td> - <p><span><strong class="command"><TYPE>SendErr</strong></span></p> + <p><span class="command"><strong><TYPE>SendErr</strong></span></p> </td> <td> <p> Errors in socket send operations. This counter corresponds - to <span><strong class="command">SErr</strong></span> counter of - <span><strong class="command">BIND</strong></span> 8. + to <span class="command"><strong>SErr</strong></span> counter of + <span class="command"><strong>BIND</strong></span> 8. </p> </td> </tr> <tr> <td> - <p><span><strong class="command"><TYPE>RecvErr</strong></span></p> + <p><span class="command"><strong><TYPE>RecvErr</strong></span></p> </td> <td> <p> @@ -12123,36 +12260,36 @@ HOST-127.EXAMPLE. MX 0 . </tbody> </table></div> </div> -<div class="sect3" lang="en"> +<div class="section"> <div class="titlepage"><div><div><h4 class="title"> -<a name="id2605523"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div> +<a name="bind8_compatibility"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div> <p> Most statistics counters that were available - in <span><strong class="command">BIND</strong></span> 8 are also supported in - <span><strong class="command">BIND</strong></span> 9 as shown in the above tables. + in <span class="command"><strong>BIND</strong></span> 8 are also supported in + <span class="command"><strong>BIND</strong></span> 9 as shown in the above tables. Here are notes about other counters that do not appear in these tables. </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">RFwdR,SFwdR</strong></span></span></dt> +<div class="variablelist"><dl class="variablelist"> +<dt><span class="term"><span class="command"><strong>RFwdR,SFwdR</strong></span></span></dt> <dd><p> These counters are not supported - because <span><strong class="command">BIND</strong></span> 9 does not adopt + because <span class="command"><strong>BIND</strong></span> 9 does not adopt the notion of <span class="emphasis"><em>forwarding</em></span> - as <span><strong class="command">BIND</strong></span> 8 did. + as <span class="command"><strong>BIND</strong></span> 8 did. </p></dd> -<dt><span class="term"><span><strong class="command">RAXFR</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>RAXFR</strong></span></span></dt> <dd><p> This counter is accessible in the Incoming Queries section. </p></dd> -<dt><span class="term"><span><strong class="command">RIQ</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>RIQ</strong></span></span></dt> <dd><p> This counter is accessible in the Incoming Requests section. </p></dd> -<dt><span class="term"><span><strong class="command">ROpts</strong></span></span></dt> +<dt><span class="term"><span class="command"><strong>ROpts</strong></span></span></dt> <dd><p> This counter is not supported - because <span><strong class="command">BIND</strong></span> 9 does not care + because <span class="command"><strong>BIND</strong></span> 9 does not care about IP options in the first place. </p></dd> </dl></div> @@ -12177,6 +12314,6 @@ HOST-127.EXAMPLE. MX 0 . </tr> </table> </div> -<p style="text-align: center;">BIND 9.9.8-P4 (Extended Support Version)</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.9.9-P3 (Extended Support Version)</p> </body> </html> |