{"diffoscope-json-version": 1, "source1": "/srv/reproducible-results/rbuild-debian/r-b-build.5dBVlSRY/b1/bind9_9.18.28-1~deb12u2_amd64.changes", "source2": "/srv/reproducible-results/rbuild-debian/r-b-build.5dBVlSRY/b2/bind9_9.18.28-1~deb12u2_amd64.changes", "unified_diff": null, "details": [{"source1": "Files", "source2": "Files", "unified_diff": "@@ -1,13 +1,13 @@\n \n c76f3d9997280dba497f6a8b13cdf15a 643200 debug optional bind9-dbgsym_9.18.28-1~deb12u2_amd64.deb\n 722c043269cba8bc3cac855f64493763 519100 devel optional bind9-dev_9.18.28-1~deb12u2_amd64.deb\n c7471ea5d3e38514d1192098072f12b9 391948 debug optional bind9-dnsutils-dbgsym_9.18.28-1~deb12u2_amd64.deb\n 7e1459aef92219f2191fb09cf39d5123 406340 net standard bind9-dnsutils_9.18.28-1~deb12u2_amd64.deb\n- c0a14a15ca256e7c1c6b28abfe51aedf 3451924 doc optional bind9-doc_9.18.28-1~deb12u2_all.deb\n+ 1ffecf23974aff64a3f54595de149213 3451936 doc optional bind9-doc_9.18.28-1~deb12u2_all.deb\n 20563dd6b2d6939351e2924fb514b393 103920 debug optional bind9-host-dbgsym_9.18.28-1~deb12u2_amd64.deb\n 4fa2eb6e1904ae16f6d3ad225f0c7966 307268 net standard bind9-host_9.18.28-1~deb12u2_amd64.deb\n c63bb78cf76e729404669cc87bba5047 3701008 debug optional bind9-libs-dbgsym_9.18.28-1~deb12u2_amd64.deb\n 327e9e48735526bd7d9de91e21fff632 1425792 libs standard bind9-libs_9.18.28-1~deb12u2_amd64.deb\n a8fe4b021e570e5bd068757b16e2cfea 385636 debug optional bind9-utils-dbgsym_9.18.28-1~deb12u2_amd64.deb\n 3815cc8d073cc99bba9b18782ca4d2fc 411284 net optional bind9-utils_9.18.28-1~deb12u2_amd64.deb\n 0848aabd7cd2e9c95aad7d4839e04c99 499572 net optional bind9_9.18.28-1~deb12u2_amd64.deb\n"}, {"source1": "bind9-doc_9.18.28-1~deb12u2_all.deb", "source2": "bind9-doc_9.18.28-1~deb12u2_all.deb", "unified_diff": null, "details": [{"source1": "file list", "source2": "file list", "unified_diff": "@@ -1,3 +1,3 @@\n -rw-r--r-- 0 0 0 4 2024-07-27 03:13:42.000000 debian-binary\n -rw-r--r-- 0 0 0 2036 2024-07-27 03:13:42.000000 control.tar.xz\n--rw-r--r-- 0 0 0 3449696 2024-07-27 03:13:42.000000 data.tar.xz\n+-rw-r--r-- 0 0 0 3449708 2024-07-27 03:13:42.000000 data.tar.xz\n"}, {"source1": "control.tar.xz", "source2": "control.tar.xz", "unified_diff": null, "details": [{"source1": "control.tar", "source2": "control.tar", "unified_diff": null, "details": [{"source1": "./md5sums", "source2": "./md5sums", "unified_diff": null, "details": [{"source1": "./md5sums", "source2": "./md5sums", "comments": ["Files differ"], "unified_diff": null}]}]}]}, {"source1": "data.tar.xz", "source2": "data.tar.xz", "unified_diff": null, "details": [{"source1": "data.tar", "source2": "data.tar", "unified_diff": null, "details": [{"source1": "./usr/share/doc/bind9-doc/arm/reference.html", "source2": "./usr/share/doc/bind9-doc/arm/reference.html", "unified_diff": "@@ -2270,53 +2270,53 @@\n \n \n
\n
\n port\uf0c1
\n

Grammar: port <integer>;

\n

Blocks: options

\n-

Tags: query, server

\n+

Tags: server, query

\n

Specifies the UDP/TCP port number the server uses to receive and send DNS protocol traffic.

\n

\n

This is the UDP/TCP port number the server uses to receive and send DNS\n protocol traffic. The default is 53. This option is mainly intended\n for server testing; a server using a port other than 53 is not\n able to communicate with the global DNS.

\n
\n \n
\n
\n tls-port\uf0c1
\n

Grammar: tls-port <integer>;

\n

Blocks: options

\n-

Tags: query, server

\n+

Tags: server, query

\n

Specifies the TCP port number the server uses to receive and send DNS-over-TLS protocol traffic.

\n

\n

This is the TCP port number the server uses to receive and send\n DNS-over-TLS protocol traffic. The default is 853.

\n
\n \n
\n
\n https-port\uf0c1
\n

Grammar: https-port <integer>;

\n

Blocks: options

\n-

Tags: query, server

\n+

Tags: server, query

\n

Specifies the TCP port number the server uses to receive and send DNS-over-HTTPS protocol traffic.

\n

\n

This is the TCP port number the server uses to receive and send\n DNS-over-HTTPS protocol traffic. The default is 443.

\n
\n \n
\n
\n http-port\uf0c1
\n

Grammar: http-port <integer>;

\n

Blocks: options

\n-

Tags: query, server

\n+

Tags: server, query

\n

Specifies the TCP port number the server uses to receive and send unencrypted DNS traffic via HTTP.

\n

\n

This is the TCP port number the server uses to receive and send\n unencrypted DNS traffic via HTTP (a configuration that may be useful\n when encryption is handled by third-party software or by a reverse\n proxy).

\n
\n@@ -2349,15 +2349,15 @@\n \n \n
\n
\n dscp\uf0c1
\n

Grammar: dscp <integer>; // obsolete

\n

Blocks: options

\n-

Tags: query, server

\n+

Tags: server, query

\n

Sets the Differentiated Services Code Point (DSCP) value (obsolete).

\n

\n

This option used to set the global Differentiated Services Code Point\n (DSCP) value to classify outgoing DNS traffic. It is now obsolete and\n has no effect.

\n
\n \n@@ -2637,15 +2637,15 @@\n \n \n
\n
\n ipv4only-server\uf0c1
\n

Grammar: ipv4only-server <string>;

\n

Blocks: options, view

\n-

Tags: query, server

\n+

Tags: server, query

\n

Specifies the name of the server for the IPV4ONLY.ARPA zone created by dns64.

\n

\n
\n \n
\n
\n ipv4only-contact\uf0c1
\n@@ -2825,15 +2825,15 @@\n
\n \n
\n
\n zone-statistics\uf0c1
\n

Grammar: zone-statistics ( full | terse | none | <boolean> );

\n

Blocks: options, view, zone (mirror, primary, redirect, secondary, static-stub, stub)

\n-

Tags: logging, zone

\n+

Tags: zone, logging

\n

Controls the level of statistics gathered for all zones.

\n

\n

If full, the server collects statistical data on all zones,\n unless specifically turned off on a per-zone basis by specifying\n zone-statistics terse or zone-statistics none in the zone\n statement. The statistical data includes, for example, DNSSEC signing\n operations and the number of authoritative answers per query type. The\n@@ -3303,15 +3303,15 @@\n

\n \n
\n
\n stale-answer-enable\uf0c1
\n

Grammar: stale-answer-enable <boolean>;

\n

Blocks: options, view

\n-

Tags: query, server

\n+

Tags: server, query

\n

Enables the returning of \u201cstale\u201d cached answers when the name servers for a zone are not answering.

\n

\n

If yes, enable the returning of \u201cstale\u201d cached answers when the name\n servers for a zone are not answering and the stale-cache-enable option is\n also enabled. The default is not to return stale answers.

\n

Stale answers can also be enabled or disabled at runtime via\n rndc serve-stale on or rndc serve-stale off; these override\n@@ -3326,15 +3326,15 @@\n

\n \n
\n
\n stale-answer-client-timeout\uf0c1
\n

Grammar: stale-answer-client-timeout ( disabled | off | <integer> );

\n

Blocks: options, view

\n-

Tags: query, server

\n+

Tags: server, query

\n

Defines the amount of time (in milliseconds) that named waits before attempting to answer a query with a stale RRset from cache.

\n

\n

This option defines the amount of time (in milliseconds) that named\n waits before attempting to answer the query with a stale RRset from cache.\n If a stale answer is found, named continues the ongoing fetches,\n attempting to refresh the RRset in cache until the\n resolver-query-timeout interval is reached.

\n@@ -3349,26 +3349,26 @@\n
\n \n
\n
\n stale-cache-enable\uf0c1
\n

Grammar: stale-cache-enable <boolean>;

\n

Blocks: options, view

\n-

Tags: query, server

\n+

Tags: server, query

\n

Enables the retention of \u201cstale\u201d cached answers.

\n

\n

If yes, enable the retaining of \u201cstale\u201d cached answers. Default no.

\n
\n \n
\n
\n stale-refresh-time\uf0c1
\n

Grammar: stale-refresh-time <duration>;

\n

Blocks: options, view

\n-

Tags: query, server

\n+

Tags: server, query

\n

Sets the time window for the return of \u201cstale\u201d cached answers before the next attempt to contact, if the name servers for a given zone are not responding.

\n

\n

If the name servers for a given zone are not answering, this sets the time\n window for which named will promptly return \u201cstale\u201d cached answers for\n that RRSet being requested before a new attempt in contacting the servers\n is made. For convenience, TTL-style time-unit suffixes may be used to\n specify the value. It also accepts ISO 8601 duration formats.

\n@@ -3724,15 +3724,15 @@\n \n
\n
\n check-names\uf0c1
\n

Grammar zone (hint, mirror, primary, secondary, stub): check-names ( fail | warn | ignore );

\n

Grammar options, view: check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times

\n

Blocks: options, view, zone (hint, mirror, primary, secondary, stub)

\n-

Tags: query, server

\n+

Tags: server, query

\n

Restricts the character set and syntax of certain domain names in primary files and/or DNS responses received from the network.

\n

\n

This option is used to restrict the character set and syntax of\n certain domain names in primary files and/or DNS responses received\n from the network. The default varies according to usage area. For\n type primary zones the default is fail. For type secondary zones the\n default is warn. For answers received from the network\n@@ -3747,15 +3747,15 @@\n

\n \n
\n
\n check-dup-records\uf0c1
\n

Grammar: check-dup-records ( fail | warn | ignore );

\n

Blocks: options, view, zone (primary)

\n-

Tags: query, dnssec

\n+

Tags: dnssec, query

\n

Checks primary zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS.

\n

\n

This checks primary zones for records that are treated as different by\n DNSSEC but are semantically equal in plain DNS. The default is to\n warn. Other possible values are fail and ignore.

\n
\n \n@@ -3860,28 +3860,28 @@\n
\n \n
\n
\n zero-no-soa-ttl\uf0c1
\n

Grammar: zero-no-soa-ttl <boolean>;

\n

Blocks: options, view, zone (mirror, primary, secondary)

\n-

Tags: query, server, zone

\n+

Tags: server, zone, query

\n

Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries.

\n

\n

If yes, when returning authoritative negative responses to SOA queries, set\n the TTL of the SOA record returned in the authority section to zero.\n The default is yes.

\n
\n \n
\n
\n zero-no-soa-ttl-cache\uf0c1
\n

Grammar: zero-no-soa-ttl-cache <boolean>;

\n

Blocks: options, view

\n-

Tags: query, server, zone

\n+

Tags: server, zone, query

\n

Sets the time to live (TTL) to zero when caching a negative response to an SOA query.

\n

\n

If yes, when caching a negative response to an SOA query set the TTL to zero.\n The default is no.

\n
\n \n
\n@@ -4175,15 +4175,15 @@\n
\n \n
\n
\n allow-recursion-on\uf0c1
\n

Grammar: allow-recursion-on { <address_match_element>; ... };

\n

Blocks: options, view

\n-

Tags: query, server

\n+

Tags: server, query

\n

Specifies which local addresses can accept recursive queries.

\n

\n

This specifies which local addresses can accept recursive queries. If\n allow-recursion-on is not set, then allow-query-cache-on is\n used if set; otherwise, the default is to allow recursive queries on\n all addresses. Any client permitted to send recursive queries can\n send them to any address on which named is listening. Note: both\n@@ -4717,30 +4717,30 @@\n

\n \n
\n
\n notify-rate\uf0c1
\n

Grammar: notify-rate <integer>;

\n

Blocks: options

\n-

Tags: transfer, zone

\n+

Tags: zone, transfer

\n

Specifies the rate at which NOTIFY requests are sent during normal zone maintenance operations.

\n

\n

This specifies the rate at which NOTIFY requests are sent during normal zone\n maintenance operations. (NOTIFY requests due to initial zone loading\n are subject to a separate rate limit; see below.) The default is 20\n per second. The lowest possible rate is one per second; when set to\n zero, it is silently raised to one.

\n
\n \n
\n
\n startup-notify-rate\uf0c1
\n

Grammar: startup-notify-rate <integer>;

\n

Blocks: options

\n-

Tags: transfer, zone

\n+

Tags: zone, transfer

\n

Specifies the rate at which NOTIFY requests are sent when the name server is first starting, or when new zones have been added.

\n

\n

This is the rate at which NOTIFY requests are sent when the name server\n is first starting up, or when zones have been newly added to the\n name server. The default is 20 per second. The lowest possible rate is\n one per second; when set to zero, it is silently raised to one.

\n
\n@@ -5244,15 +5244,15 @@\n \n \n
\n
\n fetches-per-zone\uf0c1
\n

Grammar: fetches-per-zone <integer> [ ( drop | fail ) ];

\n

Blocks: options, view

\n-

Tags: query, server

\n+

Tags: server, query

\n

Sets the maximum number of simultaneous iterative queries allowed to any one domain before the server blocks new queries for data in or beneath that zone.

\n

\n

This sets the maximum number of simultaneous iterative queries to any one\n domain that the server permits before blocking new queries for\n data in or beneath that zone. This value should reflect how many\n fetches would normally be sent to any one zone in the time it would\n take to resolve them. It should be smaller than\n@@ -5282,15 +5282,15 @@\n

\n \n
\n
\n fetches-per-server\uf0c1
\n

Grammar: fetches-per-server <integer> [ ( drop | fail ) ];

\n

Blocks: options, view

\n-

Tags: query, server

\n+

Tags: server, query

\n

Sets the maximum number of simultaneous iterative queries allowed to be sent by a server to an upstream name server before the server blocks additional queries.

\n

\n

This sets the maximum number of simultaneous iterative queries that the server\n allows to be sent to a single upstream name server before\n blocking additional queries. This value should reflect how many\n fetches would normally be sent to any one server in the time it would\n take to resolve them. It should be smaller than\n@@ -5315,15 +5315,15 @@\n

\n \n
\n
\n fetch-quota-params\uf0c1
\n

Grammar: fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;

\n

Blocks: options, view

\n-

Tags: query, server

\n+

Tags: server, query

\n

Sets the parameters for dynamic resizing of the fetches-per-server quota in response to detected congestion.

\n

\n

This sets the parameters to use for dynamic resizing of the\n fetches-per-server quota in response to detected congestion.

\n

The first argument is an integer value indicating how frequently to\n recalculate the moving average of the ratio of timeouts to responses\n for each server. The default is 100, meaning that BIND recalculates the\n@@ -5426,15 +5426,15 @@\n

\n \n
\n
\n tcp-initial-timeout\uf0c1
\n

Grammar: tcp-initial-timeout <integer>;

\n

Blocks: options

\n-

Tags: query, server

\n+

Tags: server, query

\n

Sets the amount of time (in milliseconds) that the server waits on a new TCP connection for the first message from the client.

\n

\n

This sets the amount of time (in units of 100 milliseconds) that the server waits on\n a new TCP connection for the first message from the client. The\n default is 300 (30 seconds), the minimum is 25 (2.5 seconds), and the\n maximum is 1200 (two minutes). Values above the maximum or below the\n minimum are adjusted with a logged warning. (Note: this value\n@@ -6224,28 +6224,28 @@\n

\n \n
\n
\n max-recursion-queries\uf0c1
\n

Grammar: max-recursion-queries <integer>;

\n

Blocks: options, view

\n-

Tags: query, server

\n+

Tags: server, query

\n

Sets the maximum number of iterative queries while servicing a recursive query.

\n

\n

This sets the maximum number of iterative queries that may be sent while\n servicing a recursive query. If more queries are sent, the recursive\n query is terminated and returns SERVFAIL. The default is 100.

\n
\n \n
\n
\n notify-delay\uf0c1
\n

Grammar: notify-delay <integer>;

\n

Blocks: options, view, zone (mirror, primary, secondary)

\n-

Tags: transfer, zone

\n+

Tags: zone, transfer

\n

Sets the delay (in seconds) between sending sets of NOTIFY messages for a zone.

\n

\n

This sets the delay, in seconds, between sending sets of NOTIFY messages\n for a zone. Whenever a NOTIFY message is sent for a zone, a timer will\n be set for this duration. If the zone is updated again before the timer\n expires, the NOTIFY for that update will be postponed. The default is 5\n seconds.

\n@@ -6254,15 +6254,15 @@\n
\n \n
\n
\n max-rsa-exponent-size\uf0c1
\n

Grammar: max-rsa-exponent-size <integer>;

\n

Blocks: options

\n-

Tags: query, dnssec

\n+

Tags: dnssec, query

\n

Sets the maximum RSA exponent size (in bits) when validating.

\n

\n

This sets the maximum RSA exponent size, in bits, that is accepted when\n validating. Valid values are 35 to 4096 bits. The default, zero, is\n also accepted and is equivalent to 4096.

\n
\n \n@@ -6292,15 +6292,15 @@\n \n \n
\n
\n v6-bias\uf0c1
\n

Grammar: v6-bias <integer>;

\n

Blocks: options, view

\n-

Tags: query, server

\n+

Tags: server, query

\n

Indicates the number of milliseconds of preference to give to IPv6 name servers.

\n

\n

When determining the next name server to try, this indicates by how many\n milliseconds to prefer IPv6 name servers. The default is 50\n milliseconds.

\n
\n \n@@ -6724,15 +6724,15 @@\n deny the existence of domains (NXDOMAIN), deny the existence of IP\n addresses for domains (NODATA), or contain other IP addresses or data.

\n
\n
\n response-policy\uf0c1
\n

Grammar: response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];

\n

Blocks: options, view

\n-

Tags: query, security, server, zone

\n+

Tags: server, security, zone, query

\n

Specifies response policy zones for the view or among global options.

\n

\n

Response policy zones are named in the response-policy option for\n the view, or among the global options if there is no response-policy\n option for the view. Response policy zones are ordinary DNS zones\n containing RRsets that can be queried normally if allowed. It is usually\n best to restrict those queries with something like\n@@ -6932,28 +6932,28 @@\n such as SERVFAIL to appear to be rewritten, since no recursion is being\n done to discover problems at the authoritative server.

\n
\n
\n dnsrps-enable\uf0c1
\n

Grammar: dnsrps-enable <boolean>;

\n

Blocks: options, view

\n-

Tags: security, server

\n+

Tags: server, security

\n

Turns on the DNS Response Policy Service (DNSRPS) interface.

\n

\n

The dnsrps-enable yes option turns on the DNS Response Policy Service\n (DNSRPS) interface, if it has been compiled in named using\n configure --enable-dnsrps.

\n
\n \n
\n
\n dnsrps-options\uf0c1
\n

Grammar: dnsrps-options { <unspecified-text> };

\n

Blocks: options, view

\n-

Tags: security, server

\n+

Tags: server, security

\n

Provides additional RPZ configuration settings, which are passed to the DNS Response Policy Service (DNSRPS) provider library.

\n

\n

The block provides additional RPZ configuration\n settings, which are passed through to the DNSRPS provider library.\n Multiple DNSRPS settings in an dnsrps-options string should be\n separated with semi-colons (;). The DNSRPS provider, librpz, is passed a\n configuration string consisting of the dnsrps-options text,\n@@ -7561,15 +7561,15 @@\n option.

\n
\n \n
\n
\n keys\uf0c1
\n

Blocks: dnssec-policy, server, view.server

\n-

Tags: security, server

\n+

Tags: server, security

\n

Specifies one or more server_key s to be used with a remote server.

\n

\n
\n

Warning

\n

Not to be confused with keys in dnssec-policy specification.\n Although statements with the same name exist in both contexts, they refer\n to fundamentally incompatible concepts.

\n@@ -7722,43 +7722,43 @@\n

tls can only be set at the top level of named.conf.

\n

The following options can be specified in a tls statement:

\n
\n
\n key-file\uf0c1
\n

Grammar: key-file <quoted_string>;

\n

Blocks: tls

\n-

Tags: security, server

\n+

Tags: server, security

\n

Specifies the path to a file containing the private TLS key for a connection.

\n

\n
\n

Path to a file containing the private TLS key to be used for\n the connection.

\n
\n
\n \n
\n
\n cert-file\uf0c1
\n

Grammar: cert-file <quoted_string>;

\n

Blocks: tls

\n-

Tags: security, server

\n+

Tags: server, security

\n

Specifies the path to a file containing the TLS certificate for a connection.

\n

\n
\n

Path to a file containing the TLS certificate to be used for\n the connection.

\n
\n
\n \n
\n
\n ca-file\uf0c1
\n

Grammar: ca-file <quoted_string>;

\n

Blocks: tls

\n-

Tags: security, server

\n+

Tags: server, security

\n

Specifies the path to a file containing TLS certificates for trusted CA authorities, used to verify remote peer certificates.

\n

\n
\n

Path to a file containing trusted CA authorities\u2019 TLS\n certificates used to verify remote peer certificates. Specifying\n this option enables remote peer certificates\u2019 verification. For\n incoming connections, specifying this option makes BIND require\n@@ -7769,15 +7769,15 @@\n

\n \n
\n
\n dhparam-file\uf0c1
\n

Grammar: dhparam-file <quoted_string>;

\n

Blocks: tls

\n-

Tags: security, server

\n+

Tags: server, security

\n

Specifies the path to a file containing Diffie-Hellman parameters, for enabling cipher suites.

\n

\n
\n

Path to a file containing Diffie-Hellman parameters,\n which is needed to enable the cipher suites depending on the\n Diffie-Hellman ephemeral key exchange (DHE). Having these parameters\n specified is essential for enabling perfect forward secrecy capable\n@@ -7838,15 +7838,15 @@\n

\n \n
\n
\n prefer-server-ciphers\uf0c1
\n

Grammar: prefer-server-ciphers <boolean>;

\n

Blocks: tls

\n-

Tags: security, server

\n+

Tags: server, security

\n

Specifies that server ciphers should be preferred over client ones.

\n

\n
\n

Specifies that server ciphers should be preferred over client ones.

\n
\n
\n \n@@ -7977,15 +7977,15 @@\n \tlistener-clients <integer>;\n \tstreams-per-connection <integer>;\n }; // may occur multiple times\n
\n \n

\n

Blocks: topmost

\n-

Tags: query, server

\n+

Tags: server, query

\n

Configures HTTP endpoints on which to listen for DNS-over-HTTPS (DoH) queries.

\n

\n
\n \n \n
\n

8.2.22. http Block Definition and Usage\uf0c1

\n@@ -7996,15 +7996,15 @@\n

http can only be set at the top level of named.conf.

\n

The following options can be specified in an http statement:

\n
\n
\n endpoints\uf0c1
\n

Grammar: endpoints { <quoted_string>; ... };

\n

Blocks: http

\n-

Tags: query, server

\n+

Tags: server, query

\n

Specifies a list of HTTP query paths on which to listen.

\n

\n
\n

A list of HTTP query paths on which to listen. This is the portion\n of an RFC 3986-compliant URI following the hostname; it must be\n an absolute path, beginning with \u201c/\u201d. The default value\n is "/dns-query", if omitted.

\n@@ -8012,28 +8012,28 @@\n
\n \n
\n
\n listener-clients\uf0c1
\n

Grammar: listener-clients <integer>;

\n

Blocks: http

\n-

Tags: query, server

\n+

Tags: server, query

\n

Specifies a per-listener quota for active connections.

\n

\n
\n

The option specifies a per-listener quota for active connections.

\n
\n
\n \n
\n
\n streams-per-connection\uf0c1
\n

Grammar: streams-per-connection <integer>;

\n

Blocks: http

\n-

Tags: query, server

\n+

Tags: server, query

\n

Specifies the maximum number of concurrent HTTP/2 streams over an HTTP/2 connection.

\n

\n
\n

The option specifies the hard limit on the number of concurrent\n HTTP/2 streams over an HTTP/2 connection.

\n
\n
\n@@ -8477,15 +8477,15 @@\n \n
\n
\n max-zone-ttl\uf0c1
\n

Grammar dnssec-policy: max-zone-ttl <duration>;

\n

Grammar options, view, zone (primary, redirect): max-zone-ttl ( unlimited | <duration> );

\n

Blocks: dnssec-policy, options, view, zone (primary, redirect)

\n-

Tags: query, zone

\n+

Tags: zone, query

\n

Specifies a maximum permissible time-to-live (TTL) value, in seconds.

\n

\n

This specifies the maximum permissible TTL value for the zone. When\n a zone file is loaded, any record encountered with a TTL higher than\n max-zone-ttl causes the zone to be rejected.

\n

This ensures that when rolling to a new DNSKEY, the old key will remain\n available until RRSIG records have expired from caches. The\n@@ -9846,15 +9846,15 @@\n \tin-view <string>;\n };\n \n \n

\n

Grammar zone (in-view): in-view <string>;

\n

Blocks: zone, zone (in-view), view.zone

\n-

Tags: view, zone

\n+

Tags: zone, view

\n

Specifies the view in which a given zone is defined.

\n

\n

When using multiple views, a type primary or type secondary zone configured\n in one view can be referenced in a subsequent view. This allows both views\n to use the same zone without the overhead of loading it more than once. This\n is configured using a zone statement, with an in-view option\n specifying the view in which the zone is defined. A zone statement\n@@ -10042,15 +10042,15 @@\n

\n
\n
\n
\n server-addresses\uf0c1
\n

Grammar: server-addresses { ( <ipv4_address> | <ipv6_address> ); ... };

\n

Blocks: zone (static-stub)

\n-

Tags: query, zone

\n+

Tags: zone, query

\n

Specifies a list of IP addresses to which queries should be sent in recursive resolution for a static-stub zone.

\n

\n

This option is only meaningful for static-stub zones. This is a list of IP addresses\n to which queries should be sent in recursive resolution for the zone.\n A non-empty list for this option internally configures the apex\n NS RR with associated glue A or AAAA RRs.

\n

For example, if \u201cexample.com\u201d is configured as a static-stub zone\n@@ -10497,15 +10497,15 @@\n

Defines an address_match_list of clients that are allowed to perform recursive queries.

\n

\n

query

\n \n allow-recursion-on\n

Specifies which local addresses can accept recursive queries.

\n

\n-

query, server

\n+

server, query

\n \n allow-transfer\n

Defines an address_match_list of hosts that are allowed to transfer the zone information from this server.

\n

\n

transfer

\n \n allow-update\n@@ -10592,40 +10592,40 @@\n

Controls flushing of log messages.

\n

\n

logging

\n \n ca-file\n

Specifies the path to a file containing TLS certificates for trusted CA authorities, used to verify remote peer certificates.

\n

\n-

security, server

\n+

server, security

\n \n catalog-zones\n

Configures catalog zones in named.conf.

\n

\n

zone

\n \n category\n

Specifies the type of data logged to a particular channel.

\n

\n

logging

\n \n cert-file\n

Specifies the path to a file containing the TLS certificate for a connection.

\n

\n-

security, server

\n+

server, security

\n \n channel\n

Defines a stream of data that can be independently logged.

\n

\n

logging

\n \n check-dup-records\n

Checks primary zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS.

\n

\n-

query, dnssec

\n+

dnssec, query

\n \n check-integrity\n

Performs post-load zone integrity checks on primary zones.

\n

\n

zone

\n \n check-mx\n@@ -10637,15 +10637,15 @@\n

Sets the response to MX records that refer to CNAMEs.

\n

\n

zone

\n \n check-names\n

Restricts the character set and syntax of certain domain names in primary files and/or DNS responses received from the network.

\n

\n-

query, server

\n+

server, query

\n \n check-sibling\n

Specifies whether to check for sibling glue when performing integrity checks.

\n

\n

zone

\n \n check-spf\n@@ -10722,15 +10722,15 @@\n

Rejects CNAME or DNAME records if the "alias" name matches a given list of domain_name elements.

\n

\n

query

\n \n dhparam-file\n

Specifies the path to a file containing Diffie-Hellman parameters, for enabling cipher suites.

\n

\n-

security, server

\n+

server, security

\n \n dialup\n

Concentrates zone maintenance so that all transfers take place once every heartbeat-interval, ideally during a single call.

\n

\n

deprecated

\n \n directory\n@@ -10782,20 +10782,20 @@\n

Specifies the time to live (TTL) for DNSKEY resource records.

\n

\n

dnssec

\n \n dnsrps-enable\n

Turns on the DNS Response Policy Service (DNSRPS) interface.

\n

\n-

security, server

\n+

server, security

\n \n dnsrps-options\n

Provides additional RPZ configuration settings, which are passed to the DNS Response Policy Service (DNSRPS) provider library.

\n

\n-

security, server

\n+

server, security

\n \n dnssec-accept-expired\n

Instructs BIND 9 to accept expired DNSSEC signatures when validating.

\n

\n

dnssec

\n \n dnssec-dnskey-kskonly\n@@ -10852,15 +10852,15 @@\n

Specifies a version string to send in dnstap messages.

\n

\n

logging

\n \n dscp\n

Sets the Differentiated Services Code Point (DSCP) value (obsolete).

\n

\n-

query, server

\n+

server, query

\n \n dual-stack-servers\n

Specifies host names or addresses of machines with access to both IPv4 and IPv6 transports.

\n

\n

server

\n \n dump-file\n@@ -10902,15 +10902,15 @@\n

Enables or disables all empty zones.

\n

\n

server, zone

\n \n endpoints\n

Specifies a list of HTTP query paths on which to listen.

\n

\n-

query, server

\n+

server, query

\n \n errors-per-second\n

Limits the number of errors for a valid domain name and record type.

\n

\n

server

\n \n exclude\n@@ -10922,25 +10922,25 @@\n

Exempts specific clients or client groups from rate limiting.

\n

\n

query

\n \n fetch-quota-params\n

Sets the parameters for dynamic resizing of the fetches-per-server quota in response to detected congestion.

\n

\n-

query, server

\n+

server, query

\n \n fetches-per-server\n

Sets the maximum number of simultaneous iterative queries allowed to be sent by a server to an upstream name server before the server blocks additional queries.

\n

\n-

query, server

\n+

server, query

\n \n fetches-per-zone\n

Sets the maximum number of simultaneous iterative queries allowed to any one domain before the server blocks new queries for data in or beneath that zone.

\n

\n-

query, server

\n+

server, query

\n \n file\n

Specifies the zone's filename.

\n

\n

zone

\n \n files\n@@ -11017,40 +11017,40 @@\n

Specifies the hostname of the server to return in response to a hostname.bind query.

\n

\n

server

\n \n http\n

Configures HTTP endpoints on which to listen for DNS-over-HTTPS (DoH) queries.

\n

\n-

query, server

\n+

server, query

\n \n http-listener-clients\n

Limits the number of active concurrent connections on a per-listener basis.

\n

\n

server

\n \n http-port\n

Specifies the TCP port number the server uses to receive and send unencrypted DNS traffic via HTTP.

\n

\n-

query, server

\n+

server, query

\n \n http-streams-per-connection\n

Limits the number of active concurrent HTTP/2 streams on a per-connection basis.

\n

\n

server

\n \n https-port\n

Specifies the TCP port number the server uses to receive and send DNS-over-HTTPS protocol traffic.

\n

\n-

query, server

\n+

server, query

\n \n in-view\n

Specifies the view in which a given zone is defined.

\n

\n-

view, zone

\n+

zone, view

\n \n inet\n

Specifies a TCP socket as a control channel.

\n

\n

server

\n \n inline-signing\n@@ -11077,15 +11077,15 @@\n

Enables automatic IPv4 zones if a dns64 block is configured.

\n

\n

query

\n \n ipv4only-server\n

Specifies the name of the server for the IPV4ONLY.ARPA zone created by dns64.

\n

\n-

query, server

\n+

server, query

\n \n ipv6-prefix-length\n

Specifies the prefix lengths of IPv6 address blocks.

\n

\n

server

\n \n ixfr-from-differences\n@@ -11112,20 +11112,20 @@\n

Indicates the directory where public and private DNSSEC key files are found.

\n

\n

dnssec

\n \n key-file\n

Specifies the path to a file containing the private TLS key for a connection.

\n

\n-

security, server

\n+

server, security

\n \n keys\n

Specifies one or more server_key s to be used with a remote server.

\n

\n-

security, server

\n+

server, security

\n \n lame-ttl\n

Sets the resolver's lame cache.

\n

\n

server

\n \n listen-on\n@@ -11137,15 +11137,15 @@\n

Specifies the IPv6 addresses on which a server listens for DNS queries.

\n

\n

server

\n \n listener-clients\n

Specifies a per-listener quota for active connections.

\n

\n-

query, server

\n+

server, query

\n \n lmdb-mapsize\n

Sets a maximum size for the memory map of the new-zone database in LMDB database format.

\n

\n

server

\n \n lock-file\n@@ -11252,30 +11252,30 @@\n

Sets the maximum number of levels of recursion permitted at any one time while servicing a recursive query.

\n

\n

server

\n \n max-recursion-queries\n

Sets the maximum number of iterative queries while servicing a recursive query.

\n

\n-

query, server

\n+

server, query

\n \n max-refresh-time\n

Limits the zone refresh interval to no less often than the specified value, in seconds.

\n

\n

transfer

\n \n max-retry-time\n

Limits the zone refresh retry interval to no less often than the specified value, in seconds.

\n

\n

transfer

\n \n max-rsa-exponent-size\n

Sets the maximum RSA exponent size (in bits) when validating.

\n

\n-

query, dnssec

\n+

dnssec, query

\n \n max-stale-ttl\n

Specifies the maximum time that the server retains records past their normal expiry, to return them as stale records.

\n

\n

server

\n \n max-table-size\n@@ -11312,15 +11312,15 @@\n

Sets the maximum EDNS UDP message size sent by named.

\n

\n

query

\n \n max-zone-ttl\n

Specifies a maximum permissible time-to-live (TTL) value, in seconds.

\n

\n-

query, zone

\n+

zone, query

\n \n memstatistics\n

Controls whether memory statistics are written to the file specified by memstatistics-file at exit.

\n

\n

server, logging

\n \n memstatistics-file\n@@ -11397,20 +11397,20 @@\n

Controls whether NOTIFY messages are sent on zone changes.

\n

\n

transfer

\n \n notify-delay\n

Sets the delay (in seconds) between sending sets of NOTIFY messages for a zone.

\n

\n-

transfer, zone

\n+

zone, transfer

\n \n notify-rate\n

Specifies the rate at which NOTIFY requests are sent during normal zone maintenance operations.

\n

\n-

transfer, zone

\n+

zone, transfer

\n \n notify-source\n

Defines the IPv4 address (and optional port) to be used for outgoing NOTIFY messages.

\n

\n

transfer

\n \n notify-source-v6\n@@ -11497,20 +11497,20 @@\n

Configures plugins in named.conf.

\n

\n

server

\n \n port\n

Specifies the UDP/TCP port number the server uses to receive and send DNS protocol traffic.

\n

\n-

query, server

\n+

server, query

\n \n prefer-server-ciphers\n

Specifies that server ciphers should be preferred over client ones.

\n

\n-

security, server

\n+

server, security

\n \n preferred-glue\n

Controls the order of glue records in an A or AAAA response.

\n

\n

query

\n \n prefetch\n@@ -11662,15 +11662,15 @@\n

Adds an EDNS Padding option to encrypted messages, to reduce the chance of guessing the contents based on size.

\n

\n

query

\n \n response-policy\n

Specifies response policy zones for the view or among global options.

\n

\n-

query, security, server, zone

\n+

server, security, zone, query

\n \n responses-per-second\n

Limits the number of non-empty responses for a valid domain name and record type.

\n

\n

query

\n \n retire-safety\n@@ -11732,15 +11732,15 @@\n

Defines characteristics to be associated with a remote name server.

\n

\n

server

\n \n server-addresses\n

Specifies a list of IP addresses to which queries should be sent in recursive resolution for a static-stub zone.

\n

\n-

query, zone

\n+

zone, query

\n \n server-id\n

Specifies the ID of the server to return in response to a ID.SERVER query.

\n

\n

server

\n \n server-names\n@@ -11832,40 +11832,40 @@\n

Sets the maximum amount of stack memory that can be used by the server.

\n

\n

deprecated

\n \n stale-answer-client-timeout\n

Defines the amount of time (in milliseconds) that named waits before attempting to answer a query with a stale RRset from cache.

\n

\n-

query, server

\n+

server, query

\n \n stale-answer-enable\n

Enables the returning of "stale" cached answers when the name servers for a zone are not answering.

\n

\n-

query, server

\n+

server, query

\n \n stale-answer-ttl\n

Specifies the time to live (TTL) to be returned on stale answers, in seconds.

\n

\n

query

\n \n stale-cache-enable\n

Enables the retention of "stale" cached answers.

\n

\n-

query, server

\n+

server, query

\n \n stale-refresh-time\n

Sets the time window for the return of "stale" cached answers before the next attempt to contact, if the name servers for a given zone are not responding.

\n

\n-

query, server

\n+

server, query

\n \n startup-notify-rate\n

Specifies the rate at which NOTIFY requests are sent when the name server is first starting, or when new zones have been added.

\n

\n-

transfer, zone

\n+

zone, transfer

\n \n statistics-channels\n

Specifies the communication channels to be used by system administrators to access statistics information on the name server.

\n

\n

logging

\n \n statistics-file\n@@ -11877,15 +11877,15 @@\n

Directs the logging channel output to the server's standard error stream.

\n

\n

logging

\n \n streams-per-connection\n

Specifies the maximum number of concurrent HTTP/2 streams over an HTTP/2 connection.

\n

\n-

query, server

\n+

server, query

\n \n suffix\n

Defines trailing bits for mapped IPv4 address bits in dns64.

\n

\n

query

\n \n synth-from-dnssec\n@@ -11912,15 +11912,15 @@\n

Sets the amount of time (in milliseconds) that the server waits on an idle TCP connection before closing it, if the EDNS TCP keepalive option is not in use.

\n

\n

query

\n \n tcp-initial-timeout\n

Sets the amount of time (in milliseconds) that the server waits on a new TCP connection for the first message from the client.

\n

\n-

query, server

\n+

server, query

\n \n tcp-keepalive\n

Adds EDNS TCP keepalive to messages sent over TCP.

\n

\n

server

\n \n tcp-keepalive-timeout\n@@ -11972,15 +11972,15 @@\n

Configures a TLS connection.

\n

\n

security

\n \n tls-port\n

Specifies the TCP port number the server uses to receive and send DNS-over-TLS protocol traffic.

\n

\n-

query, server

\n+

server, query

\n \n transfer-format\n

Controls whether multiple records can be packed into a message during zone transfers.

\n

\n

transfer

\n \n transfer-message-size\n@@ -12132,15 +12132,15 @@\n

Specifies a list of ports that are valid sources for UDP/IPv6 messages.

\n

\n

deprecated

\n \n v6-bias\n

Indicates the number of milliseconds of preference to give to IPv6 name servers.

\n

\n-

query, server

\n+

server, query

\n \n validate-except\n

Specifies a list of domain names at and beneath which DNSSEC validation should not be performed.

\n

\n

dnssec

\n \n version\n@@ -12157,35 +12157,35 @@\n

Specifies the length of time during which responses are tracked.

\n

\n

query

\n \n zero-no-soa-ttl\n

Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries.

\n

\n-

query, server, zone

\n+

server, zone, query

\n \n zero-no-soa-ttl-cache\n

Sets the time to live (TTL) to zero when caching a negative response to an SOA query.

\n

\n-

query, server, zone

\n+

server, zone, query

\n \n zone\n

Specifies the zone in a BIND 9 configuration.

\n

\n

zone

\n \n zone-propagation-delay\n

Sets the propagation delay from the time a zone is first updated to when the new version of the zone is served by all secondary servers.

\n

\n

dnssec, zone

\n \n zone-statistics\n

Controls the level of statistics gathered for all zones.

\n

\n-

logging, zone

\n+

zone, logging

\n \n \n \n
\n
\n

8.4. Statements by Tag\uf0c1

\n

These tables group the various statements permissible in named.conf by\n", "details": [{"source1": "html2text {}", "source2": "html2text {}", "unified_diff": "@@ -2414,1274 +2414,1274 @@\n Zone_Tag_Statements relate to or control zone behavior, and typically only\n appear in a zone block.\n Deprecated_Tag_Statements are those that are now deprecated, but are included\n here for historical reference.\n The following table lists all statements permissible in named.conf, with their\n associated tags; the next section groups the statements by tag. Please note\n that these sections are a work in progress.\n-Statement Description Tags\n-acl Assigns a symbolic name to server\n- an address match list.\n-algorithm Defines the algorithm to be security\n- used in a key clause.\n-all-per-second Limits UDP responses of all query\n- kinds.\n- Controls the ability to add\n-allow-new-zones zones at runtime via rndc server, zone\n- addzone.\n- Defines an\n- address_match_list that is\n- allowed to send NOTIFY\n-allow-notify messages for the zone, in transfer\n- addition to addresses\n- defined in the primaries\n- option for the zone.\n- Specifies which hosts (an\n-allow-query IP address list) are query\n- allowed to send queries to\n- this resolver.\n- Specifies which hosts (an\n- IP address list) can access\n-allow-query-cache this server's cache and query\n- thus effectively controls\n- recursion.\n- Specifies which hosts (an\n- IP address list) can access\n-allow-query-cache-on this server's cache. Used query\n- on servers with multiple\n- interfaces.\n- Specifies which local\n- addresses (an IP address\n-allow-query-on list) are allowed to send query\n- queries to this resolver.\n- Used in multi-homed\n- configurations.\n- Defines an\n-allow-recursion address_match_list of query\n- clients that are allowed to\n- perform recursive queries.\n- Specifies which local\n-allow-recursion-on addresses can accept query, server\n- recursive queries.\n- Defines an\n- address_match_list of hosts\n-allow-transfer that are allowed to transfer\n- transfer the zone\n- information from this\n- server.\n- Defines an\n- address_match_list of hosts\n-allow-update that are allowed to submit transfer\n- dynamic updates for primary\n- zones.\n- Defines an\n- address_match_list of hosts\n-allow-update-forwarding that are allowed to submit transfer\n- dynamic updates to a\n- secondary server for\n- transmission to a primary.\n- Defines one or more hosts\n-also-notify that are sent NOTIFY transfer\n- messages when zone changes\n- occur.\n- Defines alternate local\n- IPv4 address(es) to be used\n- by the server for inbound\n-alt-transfer-source zone transfers, if the deprecated\n- address(es) defined by\n- transfer-source fail and\n- use-alt-transfer-source is\n- enabled.\n- Defines alternate local\n-alt-transfer-source-v6 IPv6 address(es) to be used deprecated\n- by the server for inbound\n- zone transfers.\n- Controls whether COOKIE\n-answer-cookie EDNS replies are sent in query\n- response to client queries.\n- Allows multiple views to\n-attach-cache share a single cache view\n- database.\n- Controls whether BIND,\n- acting as a resolver,\n-auth-nxdomain provides authoritative query\n- NXDOMAIN (domain does not\n- exist) answers.\n- Permits varying levels of\n-auto-dnssec automatic DNSSEC key dnssec\n- management.\n- Controls the automatic\n-automatic-interface-scan rescanning of network server\n- interfaces when addresses\n- are added or removed.\n- Specifies the range(s) of\n-avoid-v4-udp-ports ports to be excluded from deprecated\n- use as sources for UDP/IPv4\n- messages.\n- Specifies the range(s) of\n-avoid-v6-udp-ports ports to be excluded from deprecated\n- use as sources for UDP/IPv6\n- messages.\n- Specifies the pathname of a\n-bindkeys-file file to override the built- dnssec\n- in trusted keys provided by\n- named.\n- Defines an\n- address_match_list of hosts\n-blackhole to ignore. The server will query\n- neither respond to queries\n- from nor send queries to\n- these addresses.\n-bogus Allows a remote server to server\n- be ignored.\n- Enables dns64 synthesis\n-break-dnssec even if the validated query\n- result would cause a DNSSEC\n- validation failure.\n-buffered Controls flushing of log logging\n- messages.\n- Specifies the path to a\n- file containing TLS\n-ca-file certificates for trusted CA security, server\n- authorities, used to verify\n- remote peer certificates.\n-catalog-zones Configures catalog zones in zone\n- named.conf.\n- Specifies the type of data\n-category logged to a particular logging\n- channel.\n- Specifies the path to a\n-cert-file file containing the TLS security, server\n- certificate for a\n- connection.\n- Defines a stream of data\n-channel that can be independently logging\n- logged.\n- Checks primary zones for\n- records that are treated as\n-check-dup-records different by DNSSEC but are query, dnssec\n- semantically equal in plain\n- DNS.\n- Performs post-load zone\n-check-integrity integrity checks on primary zone\n- zones.\n- Checks whether an MX record\n-check-mx appears to refer to an IP zone\n- address.\n- Sets the response to MX\n-check-mx-cname records that refer to zone\n- CNAMEs.\n- Restricts the character set\n- and syntax of certain\n-check-names domain names in primary query, server\n- files and/or DNS responses\n- received from the network.\n- Specifies whether to check\n-check-sibling for sibling glue when zone\n- performing integrity\n- checks.\n- Specifies whether to check\n-check-spf for a TXT Sender Policy zone\n- Framework record, if an SPF\n- record is present.\n- Sets the response to SRV\n-check-srv-cname records that refer to zone\n- CNAMEs.\n-check-wildcard Checks for non-terminal zone\n- wildcards.\n-ciphers Specifies a list of allowed security\n- ciphers.\n- Specifies an access control\n-clients list (ACL) of clients that query\n- are affected by a given\n- dns64 directive.\n- Sets the initial minimum\n- number of simultaneous\n-clients-per-query recursive clients accepted server\n- by the server for any given\n- query before the server\n- drops additional clients.\n- Specifies control channels\n-controls to be used to manage the server\n- name server.\n- Sets the algorithm to be\n-cookie-algorithm used when generating a server\n- server cookie.\n- Specifies a shared secret\n- used for generating and\n-cookie-secret verifying EDNS COOKIE server\n- options within an anycast\n- cluster.\n-coresize Sets the maximum size of a deprecated\n- core dump.\n- Specifies the type of\n-database database to be used to zone\n- store zone data.\n- Sets the maximum amount of\n-datasize data memory that can be deprecated\n- used by the server.\n- Indicates that a forward,\n-delegation-only hint, or stub zone is to be deprecated\n- treated as a delegation-\n- only type zone.\n- Rejects A or AAAA records\n-deny-answer-addresses if the corresponding IPv4 query\n- or IPv6 addresses match a\n- given address_match_list.\n- Rejects CNAME or DNAME\n-deny-answer-aliases records if the \"alias\" name query\n- matches a given list of\n- domain_name elements.\n- Specifies the path to a\n-dhparam-file file containing Diffie- security, server\n- Hellman parameters, for\n- enabling cipher suites.\n- Concentrates zone\n- maintenance so that all\n-dialup transfers take place once deprecated\n- every heartbeat-interval,\n- ideally during a single\n- call.\n-directory Sets the server's working server\n- directory.\n-disable-algorithms Disables DNSSEC algorithms dnssec\n- from a specified zone.\n-disable-ds-digests Disables DS digest types dnssec, zone\n- from a specified zone.\n-disable-empty-zone Disables individual empty server, zone\n- zones.\n- Configures a Dynamically\n-dlz Loadable Zone (DLZ) zone\n- database in named.conf.\n- Instructs named to return\n-dns64 mapped IPv4 addresses to query\n- AAAA queries when there are\n- no AAAA records.\n-dns64-contact Specifies the name of the server\n- contact for dns64 zones.\n-dns64-server Specifies the name of the server\n- server for dns64 zones.\n- Specifies the number of\n-dnskey-sig-validity days in the future when dnssec\n- automatically generated\n- DNSSEC signatures expire.\n- Specifies the time to live\n-dnskey-ttl (TTL) for DNSKEY resource dnssec\n- records.\n- Turns on the DNS Response\n-dnsrps-enable Policy Service (DNSRPS) security, server\n- interface.\n- Provides additional RPZ\n- configuration settings,\n-dnsrps-options which are passed to the DNS security, server\n- Response Policy Service\n- (DNSRPS) provider library.\n- Instructs BIND 9 to accept\n-dnssec-accept-expired expired DNSSEC signatures dnssec\n- when validating.\n- Specifies that only key-\n- signing keys are used to\n-dnssec-dnskey-kskonly sign the DNSKEY, CDNSKEY, dnssec\n- and CDS RRsets at a zone's\n- apex.\n- Sets the frequency of\n-dnssec-loadkeys-interval automatic checks of the dnssec\n- DNSSEC key repository.\n- Defines hierarchies that\n-dnssec-must-be-secure must or may not be secure deprecated\n- (signed and validated).\n-dnssec-policy Defines a key and signing dnssec\n- policy (KASP) for zones.\n- Allows a dynamic zone to\n-dnssec-secure-to-insecure transition from secure to dnssec\n- insecure by deleting all\n- DNSKEY records.\n- Controls the scheduled\n-dnssec-update-mode maintenance of DNSSEC dnssec\n- signatures.\n-dnssec-validation Enables DNSSEC validation dnssec\n- in named.\n-dnstap Enables logging of dnstap logging\n- messages.\n- Specifies an identity\n-dnstap-identity string to send in dnstap logging\n- messages.\n- Configures the path to\n-dnstap-output which the dnstap frame logging\n- stream is sent.\n-dnstap-version Specifies a version string logging\n- to send in dnstap messages.\n- Sets the Differentiated\n-dscp Services Code Point (DSCP) query, server\n- value (obsolete).\n- Specifies host names or\n-dual-stack-servers addresses of machines with server\n- access to both IPv4 and\n- IPv6 transports.\n- Indicates the pathname of\n-dump-file the file where the server logging\n- dumps the database after\n- rndc_dumpdb.\n-dyndb Configures a DynDB database zone\n- in named.conf.\n-edns Controls the use of the server\n- EDNS0 (RFC_2671) feature.\n- Sets the maximum advertised\n- EDNS UDP buffer size to\n-edns-udp-size control the size of packets query\n- received from authoritative\n- servers in response to\n- recursive queries.\n- Sets the maximum EDNS\n-edns-version VERSION that is sent to the server\n- server(s) by the resolver.\n- Specifies the contact name\n-empty-contact in the returned SOA record server, zone\n- for empty zones.\n- Specifies the server name\n-empty-server in the returned SOA record server, zone\n- for empty zones.\n-empty-zones-enable Enables or disables all server, zone\n- empty zones.\n- Specifies a list of HTTP\n-endpoints query paths on which to query, server\n- listen.\n- Limits the number of errors\n-errors-per-second for a valid domain name and server\n- record type.\n- Allows a list of IPv6\n- addresses to be ignored if\n-exclude they appear in a domain query\n- name's AAAA records in\n- dns64.\n- Exempts specific clients or\n-exempt-clients client groups from rate query\n- limiting.\n- Sets the parameters for\n- dynamic resizing of the\n-fetch-quota-params fetches-per-server quota in query, server\n- response to detected\n- congestion.\n- Sets the maximum number of\n- simultaneous iterative\n- queries allowed to be sent\n-fetches-per-server by a server to an upstream query, server\n- name server before the\n- server blocks additional\n- queries.\n- Sets the maximum number of\n- simultaneous iterative\n-fetches-per-zone queries allowed to any one query, server\n- domain before the server\n- blocks new queries for data\n- in or beneath that zone.\n-file Specifies the zone's zone\n- filename.\n- Sets the maximum number of\n-files files the server may have deprecated\n- open concurrently.\n- Controls whether pending\n-flush-zones-on-shutdown zone writes are flushed zone\n- when the name server exits.\n- Allows or disallows\n- fallback to recursion if\n-forward forwarding has failed; it query\n- is always used in\n- conjunction with the\n- forwarders statement.\n- Defines one or more hosts\n-forwarders to which queries are query\n- forwarded.\n- Sets the number of\n-fstrm-set-buffer-hint accumulated bytes in the logging\n- output buffer before\n- forcing a buffer flush.\n- Sets the number of seconds\n-fstrm-set-flush-timeout that unflushed data remains logging\n- in the output buffer.\n- Sets the number of queue\n-fstrm-set-input-queue-size entries to allocate for logging\n- each input queue.\n- Sets the number of\n-fstrm-set-output-notify- outstanding queue entries\n-threshold allowed on an input queue logging\n- before waking the I/\n- O thread.\n-fstrm-set-output-queue- Sets the queuing semantics logging\n-model to use for queue objects.\n-fstrm-set-output-queue- Sets the number of queue\n-size entries allocated for each logging\n- output queue.\n- Sets the number of seconds\n-fstrm-set-reopen-interval to wait between attempts to logging\n- reopen a closed output\n- stream.\n- Specifies the directory\n-geoip-directory containing GeoIP database server\n- files.\n-glue-cache Deprecated. deprecated\n- Sets the interval at which\n-heartbeat-interval the server performs zone deprecated\n- maintenance tasks for all\n- zones marked as dialup.\n- Specifies the hostname of\n-hostname the server to return in server\n- response to a hostname.bind\n- query.\n- Configures HTTP endpoints\n-http on which to listen for DNS- query, server\n- over-HTTPS (DoH) queries.\n- Limits the number of active\n-http-listener-clients concurrent connections on a server\n- per-listener basis.\n- Specifies the TCP port\n- number the server uses to\n-http-port receive and send query, server\n- unencrypted DNS traffic via\n- HTTP.\n-http-streams-per- Limits the number of active\n-connection concurrent HTTP/2 streams server\n- on a per-connection basis.\n- Specifies the TCP port\n-https-port number the server uses to query, server\n- receive and send DNS-over-\n- HTTPS protocol traffic.\n-in-view Specifies the view in which view, zone\n- a given zone is defined.\n-inet Specifies a TCP socket as a server\n- control channel.\n- Specifies whether BIND 9\n-inline-signing maintains a separate signed dnssec, zone\n- version of a zone.\n- Sets the interval at which\n-interface-interval the server scans the server\n- network interface list.\n- Specifies the prefix\n-ipv4-prefix-length lengths of IPv4 address server\n- blocks.\n- Specifies the contact for\n-ipv4only-contact the IPV4ONLY.ARPA zone server\n- created by dns64.\n- Enables automatic IPv4\n-ipv4only-enable zones if a dns64 block is query\n- configured.\n- Specifies the name of the\n-ipv4only-server server for the query, server\n- IPV4ONLY.ARPA zone created\n- by dns64.\n- Specifies the prefix\n-ipv6-prefix-length lengths of IPv6 address server\n- blocks.\n-ixfr-from-differences Controls how IXFR transfers transfer\n- are calculated.\n- Allows the default\n-journal journal's filename to be zone\n- overridden.\n- Defines an\n- address_match_list of\n-keep-response-order addresses which do not server\n- accept reordered answers\n- within a single TCP stream.\n- Defines a shared secret key\n-key for use with TSIG or the security\n- command channel.\n- Indicates the directory\n-key-directory where public and private dnssec\n- DNSSEC key files are found.\n- Specifies the path to a\n-key-file file containing the private security, server\n- TLS key for a connection.\n- Specifies one or more\n-keys server_key s to be used security, server\n- with a remote server.\n-lame-ttl Sets the resolver's lame server\n- cache.\n- Specifies the IPv4\n-listen-on addresses on which a server server\n- listens for DNS queries.\n- Specifies the IPv6\n-listen-on-v6 addresses on which a server server\n- listens for DNS queries.\n- Specifies a per-listener\n-listener-clients quota for active query, server\n- connections.\n- Sets a maximum size for the\n-lmdb-mapsize memory map of the new-zone server\n- database in LMDB database\n- format.\n- Sets the pathname of the\n- file on which named\n-lock-file attempts to acquire a file server\n- lock when starting for the\n- first time.\n- Tests rate-limiting\n-log-only parameters without actually query, logging\n- dropping any requests.\n-logging Configures logging options logging\n- for the name server.\n-managed-keys Deprecated, use trust- deprecated\n- anchors.\n- Specifies the directory in\n-managed-keys-directory which to store the files dnssec\n- that track managed DNSSEC\n- keys.\n- Specifies an access control\n- list (ACL) of IPv4\n-mapped addresses that are to be query\n- mapped to the corresponding\n- A RRset in dns64.\n-masterfile-format Specifies the file format server, zone\n- of zone files.\n- Specifies the format of\n-masterfile-style zone files during a dump, server\n- when the masterfile-format\n- is text.\n- Specifies a view of DNS\n-match-clients namespace for a given view\n- subset of client IP\n- addresses.\n- Specifies a view of DNS\n-match-destinations namespace for a given view\n- subset of destination IP\n- addresses.\n- Allows IPv4-mapped IPv6\n- addresses to match address-\n-match-mapped-addresses match list entries for server\n- corresponding IPv4\n- addresses.\n- Specifies that only\n-match-recursive-only recursive requests can view\n- match this view of the DNS\n- namespace.\n- Sets the maximum amount of\n- memory to use for an\n-max-cache-size individual cache database server\n- and its associated\n- metadata.\n- Specifies the maximum time\n-max-cache-ttl (in seconds) that the server\n- server caches ordinary\n- (positive) answers.\n- Sets the maximum number of\n- simultaneous recursive\n-max-clients-per-query clients accepted by the server\n- server for any given query\n- before the server drops\n- additional clients.\n- Sets the maximum size for\n-max-ixfr-ratio IXFR responses to zone transfer\n- transfer requests.\n-max-journal-size Controls the size of transfer\n- journal files.\n- Specifies the maximum\n- retention time (in seconds)\n-max-ncache-ttl for storage of negative server\n- answers in the server's\n- cache.\n- Sets the maximum number of\n-max-records records permitted in a server, zone\n- zone.\n- Sets the maximum number of\n-max-records-per-type records that can be stored server\n- in an RRset\n- Sets the maximum number of\n- levels of recursion\n-max-recursion-depth permitted at any one time server\n- while servicing a recursive\n- query.\n- Sets the maximum number of\n-max-recursion-queries iterative queries while query, server\n- servicing a recursive\n- query.\n- Limits the zone refresh\n-max-refresh-time interval to no less often transfer\n- than the specified value,\n- in seconds.\n- Limits the zone refresh\n-max-retry-time retry interval to no less transfer\n- often than the specified\n- value, in seconds.\n- Sets the maximum RSA\n-max-rsa-exponent-size exponent size (in bits) query, dnssec\n- when validating.\n- Specifies the maximum time\n- that the server retains\n-max-stale-ttl records past their normal server\n- expiry, to return them as\n- stale records.\n- Sets the maximum size of\n-max-table-size the table used to track server\n- requests and rate-limit\n- responses.\n- Specifies the number of\n-max-transfer-idle-in minutes after which inbound transfer\n- zone transfers making no\n- progress are terminated.\n- Specifies the number of\n- minutes after which\n-max-transfer-idle-out outbound zone transfers transfer\n- making no progress are\n- terminated.\n- Specifies the number of\n-max-transfer-time-in minutes after which inbound transfer\n- zone transfers are\n- terminated.\n- Specifies the number of\n-max-transfer-time-out minutes after which transfer\n- outbound zone transfers are\n- terminated.\n- Sets the maximum number of\n-max-types-per-name RR types that can be stored server\n- for an owner name\n-max-udp-size Sets the maximum EDNS UDP query\n- message size sent by named.\n- Specifies a maximum\n-max-zone-ttl permissible time-to-live query, zone\n- (TTL) value, in seconds.\n- Controls whether memory\n-memstatistics statistics are written to server, logging\n- the file specified by\n- memstatistics-file at exit.\n- Sets the pathname of the\n-memstatistics-file file where the server logging\n- writes memory usage\n- statistics on exit.\n- Controls whether DNS name\n-message-compression compression is used in query\n- responses to regular\n- queries.\n- Specifies the minimum time\n-min-cache-ttl (in seconds) that the server\n- server caches ordinary\n- (positive) answers.\n- Specifies the minimum\n- retention time (in seconds)\n-min-ncache-ttl for storage of negative server\n- answers in the server's\n- cache.\n- Limits the zone refresh\n-min-refresh-time interval to no more often transfer\n- than the specified value,\n- in seconds.\n- Limits the zone refresh\n-min-retry-time retry interval to no more transfer\n- often than the specified\n- value, in seconds.\n- Sets the minimum size of\n-min-table-size the table used to track query\n- requests and rate-limit\n- responses.\n- Controls whether the server\n- replies with only one of\n-minimal-any the RRsets for a query query\n- name, when generating a\n- positive response to a\n- query of type ANY over UDP.\n- Controls whether the server\n- only adds records to the\n- authority and additional\n-minimal-responses data sections when they are query\n- required (e.g. delegations,\n- negative responses). This\n- improves server\n- performance.\n- Controls whether serial\n-multi-master number mismatch errors are transfer\n- logged.\n- Specifies the directory\n- where configuration\n-new-zones-directory parameters are stored for zone\n- zones added by rndc\n- addzone.\n- Specifies a list of\n-no-case-compress addresses that require server\n- case-insensitive\n- compression in responses.\n- Sets the maximum size of\n-nocookie-udp-size UDP responses that are sent query\n- to queries without a valid\n- server COOKIE.\n- Limits the number of empty\n-nodata-per-second (NODATA) responses for a query\n- valid domain name.\n- Controls whether NOTIFY\n-notify messages are sent on zone transfer\n- changes.\n- Sets the delay (in seconds)\n-notify-delay between sending sets of transfer, zone\n- NOTIFY messages for a zone.\n- Specifies the rate at which\n-notify-rate NOTIFY requests are sent transfer, zone\n- during normal zone\n- maintenance operations.\n- Defines the IPv4 address\n-notify-source (and optional port) to be transfer\n- used for outgoing NOTIFY\n- messages.\n- Defines the IPv6 address\n-notify-source-v6 (and optional port) to be transfer\n- used for outgoing NOTIFY\n- messages.\n- Controls whether the name\n-notify-to-soa servers in the NS RRset are transfer\n- checked against the SOA\n- MNAME.\n- Specifies the use of NSEC3\n-nsec3param instead of NSEC, and sets dnssec\n- NSEC3 parameters.\n- Specifies the lifetime, in\n-nta-lifetime seconds, for negative trust dnssec\n- anchors added via rndc_nta.\n- Specifies the time interval\n- for checking whether\n-nta-recheck negative trust anchors dnssec\n- added via rndc_nta are\n- still necessary.\n- Causes all messages sent to\n-null the logging channel to be logging\n- discarded.\n- Appends the specified\n- suffix to the original\n-nxdomain-redirect query name, when replacing query\n- an NXDOMAIN with a redirect\n- namespace.\n- Limits the number of\n-nxdomains-per-second undefined subdomains for a query\n- valid domain name.\n-options Defines global options to server\n- be used by BIND 9.\n- Adds EDNS Padding options\n-padding to outgoing messages to server\n- increase the packet size.\n- Sets the time to live (TTL)\n-parent-ds-ttl of the DS RRset used by the dnssec\n- parent zone.\n- Sets the propagation delay\n- from the time the parent\n-parent-propagation-delay zone is updated to when the dnssec, zone\n- new version is served by\n- all of the parent zone's\n- name servers.\n- Defines a list of\n-parental-agents delegation agents to be zone\n- used by primary and\n- secondary zones.\n- Specifies which local IPv4\n-parental-source source address is used to dnssec\n- send parental DS queries.\n- Specifies which local IPv6\n-parental-source-v6 source address is used to dnssec\n- send parental DS queries.\n- Specifies the pathname of\n-pid-file the file where the server server\n- writes its process ID.\n-plugin Configures plugins in server\n- named.conf.\n- Specifies the UDP/TCP port\n-port number the server uses to query, server\n- receive and send DNS\n- protocol traffic.\n- Specifies that server\n-prefer-server-ciphers ciphers should be preferred security, server\n- over client ones.\n- Controls the order of glue\n-preferred-glue records in an A or AAAA query\n- response.\n- Specifies the \"trigger\"\n-prefetch time-to-live (TTL) value at query\n- which prefetch of the\n- current query takes place.\n-primaries Defines one or more primary zone\n- servers for a zone.\n-print-category Includes the category in logging\n- log messages.\n-print-severity Includes the severity in logging\n- log messages.\n-print-time Specifies the time format logging\n- for log messages.\n- Specifies the allowed\n-protocols versions of the TLS security\n- protocol.\n- Controls whether a primary\n- responds to an incremental\n-provide-ixfr zone request (IXFR) or only transfer\n- responds with a full zone\n- transfer (AXFR).\n- Increases the amount of\n- time between when keys are\n-publish-safety published and when they dnssec\n- become active, to allow for\n- unforeseen events.\n- Specifies the amount of\n- time after which DNSSEC\n-purge-keys keys that have been deleted dnssec\n- from the zone can be\n- removed from disk.\n- Controls QNAME minimization\n-qname-minimization behavior in the BIND 9 query\n- resolver.\n- Tightens defenses during\n-qps-scale DNS attacks by scaling back query\n- the ratio of the current\n- query-per-second rate.\n- Controls the IPv4 address\n-query-source from which queries are query\n- issued.\n- Controls the IPv6 address\n-query-source-v6 from which queries are query\n- issued.\n- Specifies whether query\n-querylog logging should be active server, logging\n- when named first starts.\n- Controls excessive UDP\n- responses, to prevent BIND\n-rate-limit 9 from being used to query\n- amplify reflection denial-\n- of-service (DoS) attacks.\n- Specifies the pathname of\n- the file where the server\n-recursing-file dumps queries that are server\n- currently recursing via\n- rndc_recursing.\n-recursion Defines whether recursion query\n- and caching are allowed.\n- Specifies the maximum\n-recursive-clients number of concurrent query\n- recursive queries the\n- server can perform.\n- Toggles whether dns64\n-recursive-only synthesis occurs only for query\n- recursive queries.\n- Limits the number of\n-referrals-per-second referrals or delegations to query\n- a server for a given\n- domain.\n- Specifies the expected\n-remote-hostname hostname in the TLS security\n- certificate of the remote\n- server.\n- Specifies whether the local\n-request-expire server requests the EDNS query, transfer\n- EXPIRE value, when acting\n- as a secondary.\n- Controls whether a\n- secondary requests an\n-request-ixfr incremental zone transfer transfer\n- (IXFR) or a full zone\n- transfer (AXFR).\n- Controls whether an empty\n- EDNS(0) NSID (Name Server\n- Identifier) option is sent\n-request-nsid with all queries to query\n- authoritative name servers\n- during iterative\n- resolution.\n- Controls whether a valid\n-require-server-cookie server cookie is required query\n- before sending a full\n- response to a UDP request.\n-reserved-sockets Deprecated. deprecated\n- Specifies the number of\n-resolver-nonbackoff-tries retries before exponential deprecated.\n- backoff.\n- Specifies the length of\n- time, in milliseconds, that\n-resolver-query-timeout a resolver attempts to query\n- resolve a recursive query\n- before failing.\n-resolver-retry-interval Sets the base retry deprecated\n- interval (in milliseconds).\n- Adds an EDNS Padding option\n- to encrypted messages, to\n-response-padding reduce the chance of query\n- guessing the contents based\n- on size.\n- Specifies response policy query, security, server,\n-response-policy zones for the view or among zone\n- global options.\n- Limits the number of non-\n-responses-per-second empty responses for a valid query\n- domain name and record\n- type.\n- Increases the amount of\n- time a key remains\n-retire-safety published after it is no dnssec\n- longer active, to allow for\n- unforeseen events.\n-reuseport Enables kernel load- server\n- balancing of sockets.\n- Turns on enforcement of\n- delegation-only in top-\n-root-delegation-only level domains (TLDs) and deprecated\n- root zones with an optional\n- exclude list.\n- Controls whether BIND 9\n-root-key-sentinel responds to root key server\n- sentinel probes.\n- Defines the order in which\n-rrset-order equal RRs (RRsets) are query\n- returned.\n- Specifies whether a\n-search Dynamically Loadable Zone query\n- (DLZ) module is queried for\n- an answer to a query name.\n- Defines a Base64-encoded\n-secret string to be used as the security\n- secret by the algorithm.\n- Specifies the pathname of\n-secroots-file the file where the server dnssec\n- dumps security roots, when\n- using rndc_secroots.\n- Controls whether a COOKIE\n-send-cookie EDNS option is sent along query\n- with a query.\n- Defines an upper limit on\n- the number of queries per\n-serial-query-rate second issued by the transfer\n- server, when querying the\n- SOA RRs used for zone\n- transfers.\n- Specifies the update method\n-serial-update-method to be used for the zone zone\n- serial number in the SOA\n- record.\n- Defines characteristics to\n-server be associated with a remote server\n- name server.\n- Specifies a list of IP\n- addresses to which queries\n-server-addresses should be sent in recursive query, zone\n- resolution for a static-\n- stub zone.\n- Specifies the ID of the\n-server-id server to return in server\n- response to a ID.SERVER\n- query.\n- Specifies a list of domain\n- names of name servers that\n-server-names act as authoritative zone\n- servers of a static-stub\n- zone.\n- Sets the length of time (in\n-servfail-ttl seconds) that a SERVFAIL server\n- response is cached.\n- Specifies the algorithm to\n-session-keyalg use for the TSIG session security\n- key.\n- Specifies the pathname of\n- the file where a TSIG\n-session-keyfile session key is written, security\n- when generated by named for\n- use by nsupdate -l.\n-session-keyname Specifies the key name for security\n- the TSIG session key.\n- Enables or disables session\n-session-tickets resumption through TLS security\n- session tickets.\n-severity Defines the priority level logging\n- of log messages.\n- Specifies the maximum\n- number of nodes to be\n-sig-signing-nodes examined in each quantum, dnssec\n- when signing a zone with a\n- new DNSKEY.\n- Specifies the threshold for\n- the number of signatures\n-sig-signing-signatures that terminates processing dnssec\n- a quantum, when signing a\n- zone with a new DNSKEY.\n- Specifies a private RDATA\n-sig-signing-type type to use when generating dnssec\n- signing-state records.\n- Specifies the maximum\n-sig-validity-interval number of days that RRSIGs dnssec\n- generated by named are\n- valid.\n-signatures-jitter Specifies a range for dnssec\n- signatures expirations.\n-signatures-refresh Specifies how frequently an dnssec\n- RRSIG record is refreshed.\n-signatures-validity Indicates the validity dnssec\n- period of an RRSIG record.\n-signatures-validity-dnskey Indicates the validity dnssec\n- period of DNSKEY records.\n- Sets the number of\n- \"slipped\" responses to\n-slip minimize the use of forged query\n- source addresses for an\n- attack.\n- Controls the ordering of\n-sortlist RRs returned to the client, query\n- based on the client's IP\n- address.\n- Sets the maximum amount of\n-stacksize stack memory that can be deprecated\n- used by the server.\n- Defines the amount of time\n- (in milliseconds) that\n-stale-answer-client- named waits before query, server\n-timeout attempting to answer a\n- query with a stale RRset\n- from cache.\n- Enables the returning of\n-stale-answer-enable \"stale\" cached answers when query, server\n- the name servers for a zone\n- are not answering.\n- Specifies the time to live\n-stale-answer-ttl (TTL) to be returned on query\n- stale answers, in seconds.\n-stale-cache-enable Enables the retention of query, server\n- \"stale\" cached answers.\n- Sets the time window for\n- the return of \"stale\"\n- cached answers before the\n-stale-refresh-time next attempt to contact, if query, server\n- the name servers for a\n- given zone are not\n- responding.\n- Specifies the rate at which\n- NOTIFY requests are sent\n-startup-notify-rate when the name server is transfer, zone\n- first starting, or when new\n- zones have been added.\n- Specifies the communication\n- channels to be used by\n-statistics-channels system administrators to logging\n- access statistics\n- information on the name\n- server.\n- Specifies the pathname of\n-statistics-file the file where the server server, logging\n- appends statistics, when\n- using rndc_stats.\n- Directs the logging channel\n-stderr output to the server's logging\n- standard error stream.\n- Specifies the maximum\n-streams-per-connection number of concurrent HTTP/ query, server\n- 2 streams over an HTTP/\n- 2 connection.\n- Defines trailing bits for\n-suffix mapped IPv4 address bits in query\n- dns64.\n- Enables support for RFC\n-synth-from-dnssec 8198, Aggressive Use of dnssec\n- DNSSEC-Validated Cache.\n-syslog Directs the logging channel logging\n- to the system log.\n- Sets the timeout value (in\n- milliseconds) that the\n-tcp-advertised-timeout server sends in responses query\n- containing the EDNS TCP\n- keepalive option.\n- Specifies the maximum\n-tcp-clients number of simultaneous server\n- client TCP connections\n- accepted by the server.\n- Sets the amount of time (in\n- milliseconds) that the\n- server waits on an idle TCP\n-tcp-idle-timeout connection before closing query\n- it, if the EDNS TCP\n- keepalive option is not in\n- use.\n- Sets the amount of time (in\n- milliseconds) that the\n-tcp-initial-timeout server waits on a new TCP query, server\n- connection for the first\n- message from the client.\n-tcp-keepalive Adds EDNS TCP keepalive to server\n- messages sent over TCP.\n- Sets the amount of time (in\n- milliseconds) that the\n-tcp-keepalive-timeout server waits on an idle TCP query\n- connection before closing\n- it, if the EDNS TCP\n- keepalive option is in use.\n-tcp-listen-queue Sets the listen-queue server\n- depth.\n-tcp-only Sets the transport protocol server\n- to TCP.\n- Sets the operating system's\n-tcp-receive-buffer receive buffer size for TCP server\n- sockets.\n- Sets the operating system's\n-tcp-send-buffer send buffer size for TCP server\n- sockets.\n- Sets the Diffie-Hellman key\n-tkey-dhkey used by the server to deprecated\n- generate shared keys.\n- Sets the domain appended to\n-tkey-domain the names of all shared security\n- keys generated with TKEY.\n- Sets the security\n- credential for\n-tkey-gssapi-credential authentication keys security\n- requested by the GSS-TSIG\n- protocol.\n- Sets the KRB5 keytab file\n-tkey-gssapi-keytab to use for GSS-TSIG security\n- updates.\n-tls Configures a TLS security\n- connection.\n- Specifies the TCP port\n-tls-port number the server uses to query, server\n- receive and send DNS-over-\n- TLS protocol traffic.\n- Controls whether multiple\n-transfer-format records can be packed into transfer\n- a message during zone\n- transfers.\n- Limits the uncompressed\n-transfer-message-size size of DNS messages used transfer\n- in zone transfers over TCP.\n- Defines which local IPv4\n- address(es) are bound to\n-transfer-source TCP connections used to transfer\n- fetch zones transferred\n- inbound by the server.\n- Defines which local IPv6\n- address(es) are bound to\n-transfer-source-v6 TCP connections used to transfer\n- fetch zones transferred\n- inbound by the server.\n- Limits the number of\n-transfers concurrent inbound zone server\n- transfers from a server.\n- Limits the number of\n-transfers-in concurrent inbound zone transfer\n- transfers.\n- Limits the number of\n-transfers-out concurrent outbound zone transfer\n- transfers.\n- Limits the number of\n-transfers-per-ns concurrent inbound zone transfer\n- transfers from a remote\n- server.\n- Instructs named to send\n- specially formed queries\n-trust-anchor-telemetry once per day to domains for dnssec\n- which trust anchors have\n- been configured.\n-trust-anchors Defines DNSSEC trust dnssec\n- anchors.\n-trusted-keys Deprecated, use trust- deprecated\n- anchors.\n- Specifies that BIND 9\n-try-tcp-refresh should attempt to refresh a transfer\n- zone using TCP if UDP\n- queries fail.\n-type Specifies the kind of zone zone\n- in a given configuration.\n- Enforces the delegation-\n-type_delegation-only only status of deprecated\n- infrastructure zones (COM,\n- NET, ORG, etc.).\n- Contains forwarding\n-type_forward statements that apply to zone\n- queries within a given\n- domain.\n- Contains the initial set of\n-type_hint root name servers to be zone\n- used at BIND 9 startup.\n- Contains a DNSSEC-validated\n-type_mirror duplicate of the main data zone\n- for a zone.\n-type_primary Contains the main copy of zone\n- the data for a zone.\n- Contains information to\n-type_redirect answer queries when normal zone\n- resolution would return\n- NXDOMAIN.\n- Contains a duplicate of the\n-type_secondary data for a zone that has zone\n- been transferred from a\n- primary server.\n- Contains a duplicate of the\n- NS records of a primary\n-type_static-stub zone, but statically zone\n- configured rather than\n- transferred from a primary\n- server.\n- Contains a duplicate of the\n-type_stub NS records of a primary zone\n- zone.\n- Sets the operating system's\n-udp-receive-buffer receive buffer size for UDP server\n- sockets.\n- Sets the operating system's\n-udp-send-buffer send buffer size for UDP server\n- sockets.\n- Specifies a Unix domain\n-unix socket as a control server\n- channel.\n- Specifies whether to check\n- the KSK bit to determine\n-update-check-ksk how a key should be used, dnssec, zone\n- when generating RRSIGs for\n- a secure zone.\n- Sets fine-grained rules to\n- allow or deny dynamic\n-update-policy updates (DDNS), based on transfer\n- requester identity, updated\n- content, etc.\n- Specifies the maximum\n-update-quota number of concurrent DNS server\n- UPDATE messages that can be\n- processed by the server.\n- Indicates whether alt-\n-use-alt-transfer-source transfer-source and alt- deprecated\n- transfer-source-v6 can be\n- used.\n- Specifies a list of ports\n-use-v4-udp-ports that are valid sources for deprecated\n- UDP/IPv4 messages.\n- Specifies a list of ports\n-use-v6-udp-ports that are valid sources for deprecated\n- UDP/IPv6 messages.\n- Indicates the number of\n-v6-bias milliseconds of preference query, server\n- to give to IPv6 name\n- servers.\n- Specifies a list of domain\n-validate-except names at and beneath which dnssec\n- DNSSEC validation should\n- not be performed.\n- Specifies the version\n-version number of the server to server\n- return in response to a\n- version.bind query.\n- Allows a name server to\n-view answer a DNS query view\n- differently depending on\n- who is asking.\n- Specifies the length of\n-window time during which responses query\n- are tracked.\n- Specifies whether to set\n- the time to live (TTL) of\n-zero-no-soa-ttl the SOA record to zero, query, server, zone\n- when returning\n- authoritative negative\n- responses to SOA queries.\n- Sets the time to live (TTL)\n-zero-no-soa-ttl-cache to zero when caching a query, server, zone\n- negative response to an SOA\n- query.\n-zone Specifies the zone in a zone\n- BIND 9 configuration.\n- Sets the propagation delay\n- from the time a zone is\n-zone-propagation-delay first updated to when the dnssec, zone\n- new version of the zone is\n- served by all secondary\n- servers.\n- Controls the level of\n-zone-statistics statistics gathered for all logging, zone\n- zones.\n+Statement Description Tags\n+acl Assigns a symbolic name to server\n+ an address match list.\n+algorithm Defines the algorithm to be security\n+ used in a key clause.\n+all-per-second Limits UDP responses of all query\n+ kinds.\n+ Controls the ability to add\n+allow-new-zones zones at runtime via rndc server, zone\n+ addzone.\n+ Defines an\n+ address_match_list that is\n+ allowed to send NOTIFY\n+allow-notify messages for the zone, in transfer\n+ addition to addresses\n+ defined in the primaries\n+ option for the zone.\n+ Specifies which hosts (an\n+allow-query IP address list) are query\n+ allowed to send queries to\n+ this resolver.\n+ Specifies which hosts (an\n+ IP address list) can access\n+allow-query-cache this server's cache and query\n+ thus effectively controls\n+ recursion.\n+ Specifies which hosts (an\n+ IP address list) can access\n+allow-query-cache-on this server's cache. Used query\n+ on servers with multiple\n+ interfaces.\n+ Specifies which local\n+ addresses (an IP address\n+allow-query-on list) are allowed to send query\n+ queries to this resolver.\n+ Used in multi-homed\n+ configurations.\n+ Defines an\n+allow-recursion address_match_list of query\n+ clients that are allowed to\n+ perform recursive queries.\n+ Specifies which local\n+allow-recursion-on addresses can accept server, query\n+ recursive queries.\n+ Defines an\n+ address_match_list of hosts\n+allow-transfer that are allowed to transfer\n+ transfer the zone\n+ information from this\n+ server.\n+ Defines an\n+ address_match_list of hosts\n+allow-update that are allowed to submit transfer\n+ dynamic updates for primary\n+ zones.\n+ Defines an\n+ address_match_list of hosts\n+allow-update-forwarding that are allowed to submit transfer\n+ dynamic updates to a\n+ secondary server for\n+ transmission to a primary.\n+ Defines one or more hosts\n+also-notify that are sent NOTIFY transfer\n+ messages when zone changes\n+ occur.\n+ Defines alternate local\n+ IPv4 address(es) to be used\n+ by the server for inbound\n+alt-transfer-source zone transfers, if the deprecated\n+ address(es) defined by\n+ transfer-source fail and\n+ use-alt-transfer-source is\n+ enabled.\n+ Defines alternate local\n+alt-transfer-source-v6 IPv6 address(es) to be used deprecated\n+ by the server for inbound\n+ zone transfers.\n+ Controls whether COOKIE\n+answer-cookie EDNS replies are sent in query\n+ response to client queries.\n+ Allows multiple views to\n+attach-cache share a single cache view\n+ database.\n+ Controls whether BIND,\n+ acting as a resolver,\n+auth-nxdomain provides authoritative query\n+ NXDOMAIN (domain does not\n+ exist) answers.\n+ Permits varying levels of\n+auto-dnssec automatic DNSSEC key dnssec\n+ management.\n+ Controls the automatic\n+automatic-interface-scan rescanning of network server\n+ interfaces when addresses\n+ are added or removed.\n+ Specifies the range(s) of\n+avoid-v4-udp-ports ports to be excluded from deprecated\n+ use as sources for UDP/IPv4\n+ messages.\n+ Specifies the range(s) of\n+avoid-v6-udp-ports ports to be excluded from deprecated\n+ use as sources for UDP/IPv6\n+ messages.\n+ Specifies the pathname of a\n+bindkeys-file file to override the built- dnssec\n+ in trusted keys provided by\n+ named.\n+ Defines an\n+ address_match_list of hosts\n+blackhole to ignore. The server will query\n+ neither respond to queries\n+ from nor send queries to\n+ these addresses.\n+bogus Allows a remote server to server\n+ be ignored.\n+ Enables dns64 synthesis\n+break-dnssec even if the validated query\n+ result would cause a DNSSEC\n+ validation failure.\n+buffered Controls flushing of log logging\n+ messages.\n+ Specifies the path to a\n+ file containing TLS\n+ca-file certificates for trusted CA server, security\n+ authorities, used to verify\n+ remote peer certificates.\n+catalog-zones Configures catalog zones in zone\n+ named.conf.\n+ Specifies the type of data\n+category logged to a particular logging\n+ channel.\n+ Specifies the path to a\n+cert-file file containing the TLS server, security\n+ certificate for a\n+ connection.\n+ Defines a stream of data\n+channel that can be independently logging\n+ logged.\n+ Checks primary zones for\n+ records that are treated as\n+check-dup-records different by DNSSEC but are dnssec, query\n+ semantically equal in plain\n+ DNS.\n+ Performs post-load zone\n+check-integrity integrity checks on primary zone\n+ zones.\n+ Checks whether an MX record\n+check-mx appears to refer to an IP zone\n+ address.\n+ Sets the response to MX\n+check-mx-cname records that refer to zone\n+ CNAMEs.\n+ Restricts the character set\n+ and syntax of certain\n+check-names domain names in primary server, query\n+ files and/or DNS responses\n+ received from the network.\n+ Specifies whether to check\n+check-sibling for sibling glue when zone\n+ performing integrity\n+ checks.\n+ Specifies whether to check\n+check-spf for a TXT Sender Policy zone\n+ Framework record, if an SPF\n+ record is present.\n+ Sets the response to SRV\n+check-srv-cname records that refer to zone\n+ CNAMEs.\n+check-wildcard Checks for non-terminal zone\n+ wildcards.\n+ciphers Specifies a list of allowed security\n+ ciphers.\n+ Specifies an access control\n+clients list (ACL) of clients that query\n+ are affected by a given\n+ dns64 directive.\n+ Sets the initial minimum\n+ number of simultaneous\n+clients-per-query recursive clients accepted server\n+ by the server for any given\n+ query before the server\n+ drops additional clients.\n+ Specifies control channels\n+controls to be used to manage the server\n+ name server.\n+ Sets the algorithm to be\n+cookie-algorithm used when generating a server\n+ server cookie.\n+ Specifies a shared secret\n+ used for generating and\n+cookie-secret verifying EDNS COOKIE server\n+ options within an anycast\n+ cluster.\n+coresize Sets the maximum size of a deprecated\n+ core dump.\n+ Specifies the type of\n+database database to be used to zone\n+ store zone data.\n+ Sets the maximum amount of\n+datasize data memory that can be deprecated\n+ used by the server.\n+ Indicates that a forward,\n+delegation-only hint, or stub zone is to be deprecated\n+ treated as a delegation-\n+ only type zone.\n+ Rejects A or AAAA records\n+deny-answer-addresses if the corresponding IPv4 query\n+ or IPv6 addresses match a\n+ given address_match_list.\n+ Rejects CNAME or DNAME\n+deny-answer-aliases records if the \"alias\" name query\n+ matches a given list of\n+ domain_name elements.\n+ Specifies the path to a\n+dhparam-file file containing Diffie- server, security\n+ Hellman parameters, for\n+ enabling cipher suites.\n+ Concentrates zone\n+ maintenance so that all\n+dialup transfers take place once deprecated\n+ every heartbeat-interval,\n+ ideally during a single\n+ call.\n+directory Sets the server's working server\n+ directory.\n+disable-algorithms Disables DNSSEC algorithms dnssec\n+ from a specified zone.\n+disable-ds-digests Disables DS digest types dnssec, zone\n+ from a specified zone.\n+disable-empty-zone Disables individual empty server, zone\n+ zones.\n+ Configures a Dynamically\n+dlz Loadable Zone (DLZ) zone\n+ database in named.conf.\n+ Instructs named to return\n+dns64 mapped IPv4 addresses to query\n+ AAAA queries when there are\n+ no AAAA records.\n+dns64-contact Specifies the name of the server\n+ contact for dns64 zones.\n+dns64-server Specifies the name of the server\n+ server for dns64 zones.\n+ Specifies the number of\n+dnskey-sig-validity days in the future when dnssec\n+ automatically generated\n+ DNSSEC signatures expire.\n+ Specifies the time to live\n+dnskey-ttl (TTL) for DNSKEY resource dnssec\n+ records.\n+ Turns on the DNS Response\n+dnsrps-enable Policy Service (DNSRPS) server, security\n+ interface.\n+ Provides additional RPZ\n+ configuration settings,\n+dnsrps-options which are passed to the DNS server, security\n+ Response Policy Service\n+ (DNSRPS) provider library.\n+ Instructs BIND 9 to accept\n+dnssec-accept-expired expired DNSSEC signatures dnssec\n+ when validating.\n+ Specifies that only key-\n+ signing keys are used to\n+dnssec-dnskey-kskonly sign the DNSKEY, CDNSKEY, dnssec\n+ and CDS RRsets at a zone's\n+ apex.\n+ Sets the frequency of\n+dnssec-loadkeys-interval automatic checks of the dnssec\n+ DNSSEC key repository.\n+ Defines hierarchies that\n+dnssec-must-be-secure must or may not be secure deprecated\n+ (signed and validated).\n+dnssec-policy Defines a key and signing dnssec\n+ policy (KASP) for zones.\n+ Allows a dynamic zone to\n+dnssec-secure-to-insecure transition from secure to dnssec\n+ insecure by deleting all\n+ DNSKEY records.\n+ Controls the scheduled\n+dnssec-update-mode maintenance of DNSSEC dnssec\n+ signatures.\n+dnssec-validation Enables DNSSEC validation dnssec\n+ in named.\n+dnstap Enables logging of dnstap logging\n+ messages.\n+ Specifies an identity\n+dnstap-identity string to send in dnstap logging\n+ messages.\n+ Configures the path to\n+dnstap-output which the dnstap frame logging\n+ stream is sent.\n+dnstap-version Specifies a version string logging\n+ to send in dnstap messages.\n+ Sets the Differentiated\n+dscp Services Code Point (DSCP) server, query\n+ value (obsolete).\n+ Specifies host names or\n+dual-stack-servers addresses of machines with server\n+ access to both IPv4 and\n+ IPv6 transports.\n+ Indicates the pathname of\n+dump-file the file where the server logging\n+ dumps the database after\n+ rndc_dumpdb.\n+dyndb Configures a DynDB database zone\n+ in named.conf.\n+edns Controls the use of the server\n+ EDNS0 (RFC_2671) feature.\n+ Sets the maximum advertised\n+ EDNS UDP buffer size to\n+edns-udp-size control the size of packets query\n+ received from authoritative\n+ servers in response to\n+ recursive queries.\n+ Sets the maximum EDNS\n+edns-version VERSION that is sent to the server\n+ server(s) by the resolver.\n+ Specifies the contact name\n+empty-contact in the returned SOA record server, zone\n+ for empty zones.\n+ Specifies the server name\n+empty-server in the returned SOA record server, zone\n+ for empty zones.\n+empty-zones-enable Enables or disables all server, zone\n+ empty zones.\n+ Specifies a list of HTTP\n+endpoints query paths on which to server, query\n+ listen.\n+ Limits the number of errors\n+errors-per-second for a valid domain name and server\n+ record type.\n+ Allows a list of IPv6\n+ addresses to be ignored if\n+exclude they appear in a domain query\n+ name's AAAA records in\n+ dns64.\n+ Exempts specific clients or\n+exempt-clients client groups from rate query\n+ limiting.\n+ Sets the parameters for\n+ dynamic resizing of the\n+fetch-quota-params fetches-per-server quota in server, query\n+ response to detected\n+ congestion.\n+ Sets the maximum number of\n+ simultaneous iterative\n+ queries allowed to be sent\n+fetches-per-server by a server to an upstream server, query\n+ name server before the\n+ server blocks additional\n+ queries.\n+ Sets the maximum number of\n+ simultaneous iterative\n+fetches-per-zone queries allowed to any one server, query\n+ domain before the server\n+ blocks new queries for data\n+ in or beneath that zone.\n+file Specifies the zone's zone\n+ filename.\n+ Sets the maximum number of\n+files files the server may have deprecated\n+ open concurrently.\n+ Controls whether pending\n+flush-zones-on-shutdown zone writes are flushed zone\n+ when the name server exits.\n+ Allows or disallows\n+ fallback to recursion if\n+forward forwarding has failed; it query\n+ is always used in\n+ conjunction with the\n+ forwarders statement.\n+ Defines one or more hosts\n+forwarders to which queries are query\n+ forwarded.\n+ Sets the number of\n+fstrm-set-buffer-hint accumulated bytes in the logging\n+ output buffer before\n+ forcing a buffer flush.\n+ Sets the number of seconds\n+fstrm-set-flush-timeout that unflushed data remains logging\n+ in the output buffer.\n+ Sets the number of queue\n+fstrm-set-input-queue-size entries to allocate for logging\n+ each input queue.\n+ Sets the number of\n+fstrm-set-output-notify- outstanding queue entries\n+threshold allowed on an input queue logging\n+ before waking the I/\n+ O thread.\n+fstrm-set-output-queue- Sets the queuing semantics logging\n+model to use for queue objects.\n+ Sets the number of queue\n+fstrm-set-output-queue-size entries allocated for each logging\n+ output queue.\n+ Sets the number of seconds\n+fstrm-set-reopen-interval to wait between attempts to logging\n+ reopen a closed output\n+ stream.\n+ Specifies the directory\n+geoip-directory containing GeoIP database server\n+ files.\n+glue-cache Deprecated. deprecated\n+ Sets the interval at which\n+heartbeat-interval the server performs zone deprecated\n+ maintenance tasks for all\n+ zones marked as dialup.\n+ Specifies the hostname of\n+hostname the server to return in server\n+ response to a hostname.bind\n+ query.\n+ Configures HTTP endpoints\n+http on which to listen for DNS- server, query\n+ over-HTTPS (DoH) queries.\n+ Limits the number of active\n+http-listener-clients concurrent connections on a server\n+ per-listener basis.\n+ Specifies the TCP port\n+ number the server uses to\n+http-port receive and send server, query\n+ unencrypted DNS traffic via\n+ HTTP.\n+ Limits the number of active\n+http-streams-per-connection concurrent HTTP/2 streams server\n+ on a per-connection basis.\n+ Specifies the TCP port\n+https-port number the server uses to server, query\n+ receive and send DNS-over-\n+ HTTPS protocol traffic.\n+in-view Specifies the view in which zone, view\n+ a given zone is defined.\n+inet Specifies a TCP socket as a server\n+ control channel.\n+ Specifies whether BIND 9\n+inline-signing maintains a separate signed dnssec, zone\n+ version of a zone.\n+ Sets the interval at which\n+interface-interval the server scans the server\n+ network interface list.\n+ Specifies the prefix\n+ipv4-prefix-length lengths of IPv4 address server\n+ blocks.\n+ Specifies the contact for\n+ipv4only-contact the IPV4ONLY.ARPA zone server\n+ created by dns64.\n+ Enables automatic IPv4\n+ipv4only-enable zones if a dns64 block is query\n+ configured.\n+ Specifies the name of the\n+ipv4only-server server for the server, query\n+ IPV4ONLY.ARPA zone created\n+ by dns64.\n+ Specifies the prefix\n+ipv6-prefix-length lengths of IPv6 address server\n+ blocks.\n+ixfr-from-differences Controls how IXFR transfers transfer\n+ are calculated.\n+ Allows the default\n+journal journal's filename to be zone\n+ overridden.\n+ Defines an\n+ address_match_list of\n+keep-response-order addresses which do not server\n+ accept reordered answers\n+ within a single TCP stream.\n+ Defines a shared secret key\n+key for use with TSIG or the security\n+ command channel.\n+ Indicates the directory\n+key-directory where public and private dnssec\n+ DNSSEC key files are found.\n+ Specifies the path to a\n+key-file file containing the private server, security\n+ TLS key for a connection.\n+ Specifies one or more\n+keys server_key s to be used server, security\n+ with a remote server.\n+lame-ttl Sets the resolver's lame server\n+ cache.\n+ Specifies the IPv4\n+listen-on addresses on which a server server\n+ listens for DNS queries.\n+ Specifies the IPv6\n+listen-on-v6 addresses on which a server server\n+ listens for DNS queries.\n+ Specifies a per-listener\n+listener-clients quota for active server, query\n+ connections.\n+ Sets a maximum size for the\n+lmdb-mapsize memory map of the new-zone server\n+ database in LMDB database\n+ format.\n+ Sets the pathname of the\n+ file on which named\n+lock-file attempts to acquire a file server\n+ lock when starting for the\n+ first time.\n+ Tests rate-limiting\n+log-only parameters without actually query, logging\n+ dropping any requests.\n+logging Configures logging options logging\n+ for the name server.\n+managed-keys Deprecated, use trust- deprecated\n+ anchors.\n+ Specifies the directory in\n+managed-keys-directory which to store the files dnssec\n+ that track managed DNSSEC\n+ keys.\n+ Specifies an access control\n+ list (ACL) of IPv4\n+mapped addresses that are to be query\n+ mapped to the corresponding\n+ A RRset in dns64.\n+masterfile-format Specifies the file format server, zone\n+ of zone files.\n+ Specifies the format of\n+masterfile-style zone files during a dump, server\n+ when the masterfile-format\n+ is text.\n+ Specifies a view of DNS\n+match-clients namespace for a given view\n+ subset of client IP\n+ addresses.\n+ Specifies a view of DNS\n+match-destinations namespace for a given view\n+ subset of destination IP\n+ addresses.\n+ Allows IPv4-mapped IPv6\n+ addresses to match address-\n+match-mapped-addresses match list entries for server\n+ corresponding IPv4\n+ addresses.\n+ Specifies that only\n+match-recursive-only recursive requests can view\n+ match this view of the DNS\n+ namespace.\n+ Sets the maximum amount of\n+ memory to use for an\n+max-cache-size individual cache database server\n+ and its associated\n+ metadata.\n+ Specifies the maximum time\n+max-cache-ttl (in seconds) that the server\n+ server caches ordinary\n+ (positive) answers.\n+ Sets the maximum number of\n+ simultaneous recursive\n+max-clients-per-query clients accepted by the server\n+ server for any given query\n+ before the server drops\n+ additional clients.\n+ Sets the maximum size for\n+max-ixfr-ratio IXFR responses to zone transfer\n+ transfer requests.\n+max-journal-size Controls the size of transfer\n+ journal files.\n+ Specifies the maximum\n+ retention time (in seconds)\n+max-ncache-ttl for storage of negative server\n+ answers in the server's\n+ cache.\n+ Sets the maximum number of\n+max-records records permitted in a server, zone\n+ zone.\n+ Sets the maximum number of\n+max-records-per-type records that can be stored server\n+ in an RRset\n+ Sets the maximum number of\n+ levels of recursion\n+max-recursion-depth permitted at any one time server\n+ while servicing a recursive\n+ query.\n+ Sets the maximum number of\n+max-recursion-queries iterative queries while server, query\n+ servicing a recursive\n+ query.\n+ Limits the zone refresh\n+max-refresh-time interval to no less often transfer\n+ than the specified value,\n+ in seconds.\n+ Limits the zone refresh\n+max-retry-time retry interval to no less transfer\n+ often than the specified\n+ value, in seconds.\n+ Sets the maximum RSA\n+max-rsa-exponent-size exponent size (in bits) dnssec, query\n+ when validating.\n+ Specifies the maximum time\n+ that the server retains\n+max-stale-ttl records past their normal server\n+ expiry, to return them as\n+ stale records.\n+ Sets the maximum size of\n+max-table-size the table used to track server\n+ requests and rate-limit\n+ responses.\n+ Specifies the number of\n+max-transfer-idle-in minutes after which inbound transfer\n+ zone transfers making no\n+ progress are terminated.\n+ Specifies the number of\n+ minutes after which\n+max-transfer-idle-out outbound zone transfers transfer\n+ making no progress are\n+ terminated.\n+ Specifies the number of\n+max-transfer-time-in minutes after which inbound transfer\n+ zone transfers are\n+ terminated.\n+ Specifies the number of\n+max-transfer-time-out minutes after which transfer\n+ outbound zone transfers are\n+ terminated.\n+ Sets the maximum number of\n+max-types-per-name RR types that can be stored server\n+ for an owner name\n+max-udp-size Sets the maximum EDNS UDP query\n+ message size sent by named.\n+ Specifies a maximum\n+max-zone-ttl permissible time-to-live zone, query\n+ (TTL) value, in seconds.\n+ Controls whether memory\n+memstatistics statistics are written to server, logging\n+ the file specified by\n+ memstatistics-file at exit.\n+ Sets the pathname of the\n+memstatistics-file file where the server logging\n+ writes memory usage\n+ statistics on exit.\n+ Controls whether DNS name\n+message-compression compression is used in query\n+ responses to regular\n+ queries.\n+ Specifies the minimum time\n+min-cache-ttl (in seconds) that the server\n+ server caches ordinary\n+ (positive) answers.\n+ Specifies the minimum\n+ retention time (in seconds)\n+min-ncache-ttl for storage of negative server\n+ answers in the server's\n+ cache.\n+ Limits the zone refresh\n+min-refresh-time interval to no more often transfer\n+ than the specified value,\n+ in seconds.\n+ Limits the zone refresh\n+min-retry-time retry interval to no more transfer\n+ often than the specified\n+ value, in seconds.\n+ Sets the minimum size of\n+min-table-size the table used to track query\n+ requests and rate-limit\n+ responses.\n+ Controls whether the server\n+ replies with only one of\n+minimal-any the RRsets for a query query\n+ name, when generating a\n+ positive response to a\n+ query of type ANY over UDP.\n+ Controls whether the server\n+ only adds records to the\n+ authority and additional\n+minimal-responses data sections when they are query\n+ required (e.g. delegations,\n+ negative responses). This\n+ improves server\n+ performance.\n+ Controls whether serial\n+multi-master number mismatch errors are transfer\n+ logged.\n+ Specifies the directory\n+ where configuration\n+new-zones-directory parameters are stored for zone\n+ zones added by rndc\n+ addzone.\n+ Specifies a list of\n+no-case-compress addresses that require server\n+ case-insensitive\n+ compression in responses.\n+ Sets the maximum size of\n+nocookie-udp-size UDP responses that are sent query\n+ to queries without a valid\n+ server COOKIE.\n+ Limits the number of empty\n+nodata-per-second (NODATA) responses for a query\n+ valid domain name.\n+ Controls whether NOTIFY\n+notify messages are sent on zone transfer\n+ changes.\n+ Sets the delay (in seconds)\n+notify-delay between sending sets of zone, transfer\n+ NOTIFY messages for a zone.\n+ Specifies the rate at which\n+notify-rate NOTIFY requests are sent zone, transfer\n+ during normal zone\n+ maintenance operations.\n+ Defines the IPv4 address\n+notify-source (and optional port) to be transfer\n+ used for outgoing NOTIFY\n+ messages.\n+ Defines the IPv6 address\n+notify-source-v6 (and optional port) to be transfer\n+ used for outgoing NOTIFY\n+ messages.\n+ Controls whether the name\n+notify-to-soa servers in the NS RRset are transfer\n+ checked against the SOA\n+ MNAME.\n+ Specifies the use of NSEC3\n+nsec3param instead of NSEC, and sets dnssec\n+ NSEC3 parameters.\n+ Specifies the lifetime, in\n+nta-lifetime seconds, for negative trust dnssec\n+ anchors added via rndc_nta.\n+ Specifies the time interval\n+ for checking whether\n+nta-recheck negative trust anchors dnssec\n+ added via rndc_nta are\n+ still necessary.\n+ Causes all messages sent to\n+null the logging channel to be logging\n+ discarded.\n+ Appends the specified\n+ suffix to the original\n+nxdomain-redirect query name, when replacing query\n+ an NXDOMAIN with a redirect\n+ namespace.\n+ Limits the number of\n+nxdomains-per-second undefined subdomains for a query\n+ valid domain name.\n+options Defines global options to server\n+ be used by BIND 9.\n+ Adds EDNS Padding options\n+padding to outgoing messages to server\n+ increase the packet size.\n+ Sets the time to live (TTL)\n+parent-ds-ttl of the DS RRset used by the dnssec\n+ parent zone.\n+ Sets the propagation delay\n+ from the time the parent\n+parent-propagation-delay zone is updated to when the dnssec, zone\n+ new version is served by\n+ all of the parent zone's\n+ name servers.\n+ Defines a list of\n+parental-agents delegation agents to be zone\n+ used by primary and\n+ secondary zones.\n+ Specifies which local IPv4\n+parental-source source address is used to dnssec\n+ send parental DS queries.\n+ Specifies which local IPv6\n+parental-source-v6 source address is used to dnssec\n+ send parental DS queries.\n+ Specifies the pathname of\n+pid-file the file where the server server\n+ writes its process ID.\n+plugin Configures plugins in server\n+ named.conf.\n+ Specifies the UDP/TCP port\n+port number the server uses to server, query\n+ receive and send DNS\n+ protocol traffic.\n+ Specifies that server\n+prefer-server-ciphers ciphers should be preferred server, security\n+ over client ones.\n+ Controls the order of glue\n+preferred-glue records in an A or AAAA query\n+ response.\n+ Specifies the \"trigger\"\n+prefetch time-to-live (TTL) value at query\n+ which prefetch of the\n+ current query takes place.\n+primaries Defines one or more primary zone\n+ servers for a zone.\n+print-category Includes the category in logging\n+ log messages.\n+print-severity Includes the severity in logging\n+ log messages.\n+print-time Specifies the time format logging\n+ for log messages.\n+ Specifies the allowed\n+protocols versions of the TLS security\n+ protocol.\n+ Controls whether a primary\n+ responds to an incremental\n+provide-ixfr zone request (IXFR) or only transfer\n+ responds with a full zone\n+ transfer (AXFR).\n+ Increases the amount of\n+ time between when keys are\n+publish-safety published and when they dnssec\n+ become active, to allow for\n+ unforeseen events.\n+ Specifies the amount of\n+ time after which DNSSEC\n+purge-keys keys that have been deleted dnssec\n+ from the zone can be\n+ removed from disk.\n+ Controls QNAME minimization\n+qname-minimization behavior in the BIND 9 query\n+ resolver.\n+ Tightens defenses during\n+qps-scale DNS attacks by scaling back query\n+ the ratio of the current\n+ query-per-second rate.\n+ Controls the IPv4 address\n+query-source from which queries are query\n+ issued.\n+ Controls the IPv6 address\n+query-source-v6 from which queries are query\n+ issued.\n+ Specifies whether query\n+querylog logging should be active server, logging\n+ when named first starts.\n+ Controls excessive UDP\n+ responses, to prevent BIND\n+rate-limit 9 from being used to query\n+ amplify reflection denial-\n+ of-service (DoS) attacks.\n+ Specifies the pathname of\n+ the file where the server\n+recursing-file dumps queries that are server\n+ currently recursing via\n+ rndc_recursing.\n+recursion Defines whether recursion query\n+ and caching are allowed.\n+ Specifies the maximum\n+recursive-clients number of concurrent query\n+ recursive queries the\n+ server can perform.\n+ Toggles whether dns64\n+recursive-only synthesis occurs only for query\n+ recursive queries.\n+ Limits the number of\n+referrals-per-second referrals or delegations to query\n+ a server for a given\n+ domain.\n+ Specifies the expected\n+remote-hostname hostname in the TLS security\n+ certificate of the remote\n+ server.\n+ Specifies whether the local\n+request-expire server requests the EDNS query, transfer\n+ EXPIRE value, when acting\n+ as a secondary.\n+ Controls whether a\n+ secondary requests an\n+request-ixfr incremental zone transfer transfer\n+ (IXFR) or a full zone\n+ transfer (AXFR).\n+ Controls whether an empty\n+ EDNS(0) NSID (Name Server\n+ Identifier) option is sent\n+request-nsid with all queries to query\n+ authoritative name servers\n+ during iterative\n+ resolution.\n+ Controls whether a valid\n+require-server-cookie server cookie is required query\n+ before sending a full\n+ response to a UDP request.\n+reserved-sockets Deprecated. deprecated\n+ Specifies the number of\n+resolver-nonbackoff-tries retries before exponential deprecated.\n+ backoff.\n+ Specifies the length of\n+ time, in milliseconds, that\n+resolver-query-timeout a resolver attempts to query\n+ resolve a recursive query\n+ before failing.\n+resolver-retry-interval Sets the base retry deprecated\n+ interval (in milliseconds).\n+ Adds an EDNS Padding option\n+ to encrypted messages, to\n+response-padding reduce the chance of query\n+ guessing the contents based\n+ on size.\n+ Specifies response policy server, security, zone,\n+response-policy zones for the view or among query\n+ global options.\n+ Limits the number of non-\n+responses-per-second empty responses for a valid query\n+ domain name and record\n+ type.\n+ Increases the amount of\n+ time a key remains\n+retire-safety published after it is no dnssec\n+ longer active, to allow for\n+ unforeseen events.\n+reuseport Enables kernel load- server\n+ balancing of sockets.\n+ Turns on enforcement of\n+ delegation-only in top-\n+root-delegation-only level domains (TLDs) and deprecated\n+ root zones with an optional\n+ exclude list.\n+ Controls whether BIND 9\n+root-key-sentinel responds to root key server\n+ sentinel probes.\n+ Defines the order in which\n+rrset-order equal RRs (RRsets) are query\n+ returned.\n+ Specifies whether a\n+search Dynamically Loadable Zone query\n+ (DLZ) module is queried for\n+ an answer to a query name.\n+ Defines a Base64-encoded\n+secret string to be used as the security\n+ secret by the algorithm.\n+ Specifies the pathname of\n+secroots-file the file where the server dnssec\n+ dumps security roots, when\n+ using rndc_secroots.\n+ Controls whether a COOKIE\n+send-cookie EDNS option is sent along query\n+ with a query.\n+ Defines an upper limit on\n+ the number of queries per\n+serial-query-rate second issued by the transfer\n+ server, when querying the\n+ SOA RRs used for zone\n+ transfers.\n+ Specifies the update method\n+serial-update-method to be used for the zone zone\n+ serial number in the SOA\n+ record.\n+ Defines characteristics to\n+server be associated with a remote server\n+ name server.\n+ Specifies a list of IP\n+ addresses to which queries\n+server-addresses should be sent in recursive zone, query\n+ resolution for a static-\n+ stub zone.\n+ Specifies the ID of the\n+server-id server to return in server\n+ response to a ID.SERVER\n+ query.\n+ Specifies a list of domain\n+ names of name servers that\n+server-names act as authoritative zone\n+ servers of a static-stub\n+ zone.\n+ Sets the length of time (in\n+servfail-ttl seconds) that a SERVFAIL server\n+ response is cached.\n+ Specifies the algorithm to\n+session-keyalg use for the TSIG session security\n+ key.\n+ Specifies the pathname of\n+ the file where a TSIG\n+session-keyfile session key is written, security\n+ when generated by named for\n+ use by nsupdate -l.\n+session-keyname Specifies the key name for security\n+ the TSIG session key.\n+ Enables or disables session\n+session-tickets resumption through TLS security\n+ session tickets.\n+severity Defines the priority level logging\n+ of log messages.\n+ Specifies the maximum\n+ number of nodes to be\n+sig-signing-nodes examined in each quantum, dnssec\n+ when signing a zone with a\n+ new DNSKEY.\n+ Specifies the threshold for\n+ the number of signatures\n+sig-signing-signatures that terminates processing dnssec\n+ a quantum, when signing a\n+ zone with a new DNSKEY.\n+ Specifies a private RDATA\n+sig-signing-type type to use when generating dnssec\n+ signing-state records.\n+ Specifies the maximum\n+sig-validity-interval number of days that RRSIGs dnssec\n+ generated by named are\n+ valid.\n+signatures-jitter Specifies a range for dnssec\n+ signatures expirations.\n+signatures-refresh Specifies how frequently an dnssec\n+ RRSIG record is refreshed.\n+signatures-validity Indicates the validity dnssec\n+ period of an RRSIG record.\n+signatures-validity-dnskey Indicates the validity dnssec\n+ period of DNSKEY records.\n+ Sets the number of\n+ \"slipped\" responses to\n+slip minimize the use of forged query\n+ source addresses for an\n+ attack.\n+ Controls the ordering of\n+sortlist RRs returned to the client, query\n+ based on the client's IP\n+ address.\n+ Sets the maximum amount of\n+stacksize stack memory that can be deprecated\n+ used by the server.\n+ Defines the amount of time\n+ (in milliseconds) that\n+stale-answer-client-timeout named waits before server, query\n+ attempting to answer a\n+ query with a stale RRset\n+ from cache.\n+ Enables the returning of\n+stale-answer-enable \"stale\" cached answers when server, query\n+ the name servers for a zone\n+ are not answering.\n+ Specifies the time to live\n+stale-answer-ttl (TTL) to be returned on query\n+ stale answers, in seconds.\n+stale-cache-enable Enables the retention of server, query\n+ \"stale\" cached answers.\n+ Sets the time window for\n+ the return of \"stale\"\n+ cached answers before the\n+stale-refresh-time next attempt to contact, if server, query\n+ the name servers for a\n+ given zone are not\n+ responding.\n+ Specifies the rate at which\n+ NOTIFY requests are sent\n+startup-notify-rate when the name server is zone, transfer\n+ first starting, or when new\n+ zones have been added.\n+ Specifies the communication\n+ channels to be used by\n+statistics-channels system administrators to logging\n+ access statistics\n+ information on the name\n+ server.\n+ Specifies the pathname of\n+statistics-file the file where the server server, logging\n+ appends statistics, when\n+ using rndc_stats.\n+ Directs the logging channel\n+stderr output to the server's logging\n+ standard error stream.\n+ Specifies the maximum\n+streams-per-connection number of concurrent HTTP/ server, query\n+ 2 streams over an HTTP/\n+ 2 connection.\n+ Defines trailing bits for\n+suffix mapped IPv4 address bits in query\n+ dns64.\n+ Enables support for RFC\n+synth-from-dnssec 8198, Aggressive Use of dnssec\n+ DNSSEC-Validated Cache.\n+syslog Directs the logging channel logging\n+ to the system log.\n+ Sets the timeout value (in\n+ milliseconds) that the\n+tcp-advertised-timeout server sends in responses query\n+ containing the EDNS TCP\n+ keepalive option.\n+ Specifies the maximum\n+tcp-clients number of simultaneous server\n+ client TCP connections\n+ accepted by the server.\n+ Sets the amount of time (in\n+ milliseconds) that the\n+ server waits on an idle TCP\n+tcp-idle-timeout connection before closing query\n+ it, if the EDNS TCP\n+ keepalive option is not in\n+ use.\n+ Sets the amount of time (in\n+ milliseconds) that the\n+tcp-initial-timeout server waits on a new TCP server, query\n+ connection for the first\n+ message from the client.\n+tcp-keepalive Adds EDNS TCP keepalive to server\n+ messages sent over TCP.\n+ Sets the amount of time (in\n+ milliseconds) that the\n+tcp-keepalive-timeout server waits on an idle TCP query\n+ connection before closing\n+ it, if the EDNS TCP\n+ keepalive option is in use.\n+tcp-listen-queue Sets the listen-queue server\n+ depth.\n+tcp-only Sets the transport protocol server\n+ to TCP.\n+ Sets the operating system's\n+tcp-receive-buffer receive buffer size for TCP server\n+ sockets.\n+ Sets the operating system's\n+tcp-send-buffer send buffer size for TCP server\n+ sockets.\n+ Sets the Diffie-Hellman key\n+tkey-dhkey used by the server to deprecated\n+ generate shared keys.\n+ Sets the domain appended to\n+tkey-domain the names of all shared security\n+ keys generated with TKEY.\n+ Sets the security\n+ credential for\n+tkey-gssapi-credential authentication keys security\n+ requested by the GSS-TSIG\n+ protocol.\n+ Sets the KRB5 keytab file\n+tkey-gssapi-keytab to use for GSS-TSIG security\n+ updates.\n+tls Configures a TLS security\n+ connection.\n+ Specifies the TCP port\n+tls-port number the server uses to server, query\n+ receive and send DNS-over-\n+ TLS protocol traffic.\n+ Controls whether multiple\n+transfer-format records can be packed into transfer\n+ a message during zone\n+ transfers.\n+ Limits the uncompressed\n+transfer-message-size size of DNS messages used transfer\n+ in zone transfers over TCP.\n+ Defines which local IPv4\n+ address(es) are bound to\n+transfer-source TCP connections used to transfer\n+ fetch zones transferred\n+ inbound by the server.\n+ Defines which local IPv6\n+ address(es) are bound to\n+transfer-source-v6 TCP connections used to transfer\n+ fetch zones transferred\n+ inbound by the server.\n+ Limits the number of\n+transfers concurrent inbound zone server\n+ transfers from a server.\n+ Limits the number of\n+transfers-in concurrent inbound zone transfer\n+ transfers.\n+ Limits the number of\n+transfers-out concurrent outbound zone transfer\n+ transfers.\n+ Limits the number of\n+transfers-per-ns concurrent inbound zone transfer\n+ transfers from a remote\n+ server.\n+ Instructs named to send\n+ specially formed queries\n+trust-anchor-telemetry once per day to domains for dnssec\n+ which trust anchors have\n+ been configured.\n+trust-anchors Defines DNSSEC trust dnssec\n+ anchors.\n+trusted-keys Deprecated, use trust- deprecated\n+ anchors.\n+ Specifies that BIND 9\n+try-tcp-refresh should attempt to refresh a transfer\n+ zone using TCP if UDP\n+ queries fail.\n+type Specifies the kind of zone zone\n+ in a given configuration.\n+ Enforces the delegation-\n+type_delegation-only only status of deprecated\n+ infrastructure zones (COM,\n+ NET, ORG, etc.).\n+ Contains forwarding\n+type_forward statements that apply to zone\n+ queries within a given\n+ domain.\n+ Contains the initial set of\n+type_hint root name servers to be zone\n+ used at BIND 9 startup.\n+ Contains a DNSSEC-validated\n+type_mirror duplicate of the main data zone\n+ for a zone.\n+type_primary Contains the main copy of zone\n+ the data for a zone.\n+ Contains information to\n+type_redirect answer queries when normal zone\n+ resolution would return\n+ NXDOMAIN.\n+ Contains a duplicate of the\n+type_secondary data for a zone that has zone\n+ been transferred from a\n+ primary server.\n+ Contains a duplicate of the\n+ NS records of a primary\n+type_static-stub zone, but statically zone\n+ configured rather than\n+ transferred from a primary\n+ server.\n+ Contains a duplicate of the\n+type_stub NS records of a primary zone\n+ zone.\n+ Sets the operating system's\n+udp-receive-buffer receive buffer size for UDP server\n+ sockets.\n+ Sets the operating system's\n+udp-send-buffer send buffer size for UDP server\n+ sockets.\n+ Specifies a Unix domain\n+unix socket as a control server\n+ channel.\n+ Specifies whether to check\n+ the KSK bit to determine\n+update-check-ksk how a key should be used, dnssec, zone\n+ when generating RRSIGs for\n+ a secure zone.\n+ Sets fine-grained rules to\n+ allow or deny dynamic\n+update-policy updates (DDNS), based on transfer\n+ requester identity, updated\n+ content, etc.\n+ Specifies the maximum\n+update-quota number of concurrent DNS server\n+ UPDATE messages that can be\n+ processed by the server.\n+ Indicates whether alt-\n+use-alt-transfer-source transfer-source and alt- deprecated\n+ transfer-source-v6 can be\n+ used.\n+ Specifies a list of ports\n+use-v4-udp-ports that are valid sources for deprecated\n+ UDP/IPv4 messages.\n+ Specifies a list of ports\n+use-v6-udp-ports that are valid sources for deprecated\n+ UDP/IPv6 messages.\n+ Indicates the number of\n+v6-bias milliseconds of preference server, query\n+ to give to IPv6 name\n+ servers.\n+ Specifies a list of domain\n+validate-except names at and beneath which dnssec\n+ DNSSEC validation should\n+ not be performed.\n+ Specifies the version\n+version number of the server to server\n+ return in response to a\n+ version.bind query.\n+ Allows a name server to\n+view answer a DNS query view\n+ differently depending on\n+ who is asking.\n+ Specifies the length of\n+window time during which responses query\n+ are tracked.\n+ Specifies whether to set\n+ the time to live (TTL) of\n+zero-no-soa-ttl the SOA record to zero, server, zone, query\n+ when returning\n+ authoritative negative\n+ responses to SOA queries.\n+ Sets the time to live (TTL)\n+zero-no-soa-ttl-cache to zero when caching a server, zone, query\n+ negative response to an SOA\n+ query.\n+zone Specifies the zone in a zone\n+ BIND 9 configuration.\n+ Sets the propagation delay\n+ from the time a zone is\n+zone-propagation-delay first updated to when the dnssec, zone\n+ new version of the zone is\n+ served by all secondary\n+ servers.\n+ Controls the level of\n+zone-statistics statistics gathered for all zone, logging\n+ zones.\n \n ***** 8.4. Statements by Tag\u00ef\u0083\u0081 *****\n These tables group the various statements permissible in named.conf by their\n corresponding tag.\n **** 8.4.1. DNSSEC Tag Statements\u00ef\u0083\u0081 ****\n Statement Description\n auto-dnssec Permits varying levels of automatic DNSSEC key\n"}]}]}]}]}]}