Grammar: server-addresses { ( <ipv4_address> | <ipv6_address> ); ... };
\n Blocks: zone (static-stub)
\n-Tags: query, zone
\n+Tags: zone, query
\n Specifies a list of IP addresses to which queries should be sent in recursive resolution for a static-stub zone.
\n \n This option is only meaningful for static-stub zones. This is a list of IP addresses\n to which queries should be sent in recursive resolution for the zone.\n A non-empty list for this option internally configures the apex\n NS RR with associated glue A or AAAA RRs.
\n For example, if \u201cexample.com\u201d is configured as a static-stub zone\n@@ -10374,15 +10374,15 @@\n
Defines an address_match_list of clients that are allowed to perform recursive queries. \n | \n query | \n \n allow-recursion-on | \n Specifies which local addresses can accept recursive queries. \n | \n-query, server | \n+server, query | \n
\n allow-transfer | \n Defines an address_match_list of hosts that are allowed to transfer the zone information from this server. \n | \n transfer | \n
\n allow-update | \n@@ -10469,40 +10469,40 @@\n Controls flushing of log messages. \n | \n logging | \n
\n ca-file | \n Specifies the path to a file containing TLS certificates for trusted CA authorities, used to verify remote peer certificates. \n | \n-security, server | \n+server, security | \n
\n catalog-zones | \n Configures catalog zones in named.conf . \n | \n zone | \n
\n category | \n Specifies the type of data logged to a particular channel. \n | \n logging | \n
\n cert-file | \n Specifies the path to a file containing the TLS certificate for a connection. \n | \n-security, server | \n+server, security | \n
\n channel | \n Defines a stream of data that can be independently logged. \n | \n logging | \n
\n check-dup-records | \n Checks primary zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS. \n | \n-query, dnssec | \n+dnssec, query | \n
\n check-integrity | \n Performs post-load zone integrity checks on primary zones. \n | \n zone | \n
\n check-mx | \n@@ -10514,15 +10514,15 @@\n Sets the response to MX records that refer to CNAMEs. \n | \n zone | \n
\n check-names | \n Restricts the character set and syntax of certain domain names in primary files and/or DNS responses received from the network. \n | \n-query, server | \n+server, query | \n
\n check-sibling | \n Specifies whether to check for sibling glue when performing integrity checks. \n | \n zone | \n
\n check-spf | \n@@ -10599,15 +10599,15 @@\n Rejects CNAME or DNAME records if the "alias" name matches a given list of domain_name elements. \n | \n query | \n
\n dhparam-file | \n Specifies the path to a file containing Diffie-Hellman parameters, for enabling cipher suites. \n | \n-security, server | \n+server, security | \n
\n dialup | \n Concentrates zone maintenance so that all transfers take place once every heartbeat-interval , ideally during a single call. \n | \n deprecated | \n
\n directory | \n@@ -10659,20 +10659,20 @@\n Specifies the time to live (TTL) for DNSKEY resource records. \n | \n dnssec | \n
\n dnsrps-enable | \n Turns on the DNS Response Policy Service (DNSRPS) interface. \n | \n-security, server | \n+server, security | \n
\n dnsrps-options | \n Provides additional RPZ configuration settings, which are passed to the DNS Response Policy Service (DNSRPS) provider library. \n | \n-security, server | \n+server, security | \n
\n dnssec-accept-expired | \n Instructs BIND 9 to accept expired DNSSEC signatures when validating. \n | \n dnssec | \n
\n dnssec-dnskey-kskonly | \n@@ -10729,15 +10729,15 @@\n Specifies a version string to send in dnstap messages. \n | \n logging | \n
\n dscp | \n Sets the Differentiated Services Code Point (DSCP) value (obsolete). \n | \n-query, server | \n+server, query | \n
\n dual-stack-servers | \n Specifies host names or addresses of machines with access to both IPv4 and IPv6 transports. \n | \n server | \n
\n dump-file | \n@@ -10779,15 +10779,15 @@\n Enables or disables all empty zones. \n | \n server, zone | \n
\n endpoints | \n Specifies a list of HTTP query paths on which to listen. \n | \n-query, server | \n+server, query | \n
\n errors-per-second | \n Limits the number of errors for a valid domain name and record type. \n | \n server | \n
\n exclude | \n@@ -10799,25 +10799,25 @@\n Exempts specific clients or client groups from rate limiting. \n | \n query | \n
\n fetch-quota-params | \n Sets the parameters for dynamic resizing of the fetches-per-server quota in response to detected congestion. \n | \n-query, server | \n+server, query | \n
\n fetches-per-server | \n Sets the maximum number of simultaneous iterative queries allowed to be sent by a server to an upstream name server before the server blocks additional queries. \n | \n-query, server | \n+server, query | \n
\n fetches-per-zone | \n Sets the maximum number of simultaneous iterative queries allowed to any one domain before the server blocks new queries for data in or beneath that zone. \n | \n-query, server | \n+server, query | \n
\n file | \n Specifies the zone's filename. \n | \n zone | \n
\n files | \n@@ -10894,40 +10894,40 @@\n Specifies the hostname of the server to return in response to a hostname.bind query. \n | \n server | \n
\n http | \n Configures HTTP endpoints on which to listen for DNS-over-HTTPS (DoH) queries. \n | \n-query, server | \n+server, query | \n
\n http-listener-clients | \n Limits the number of active concurrent connections on a per-listener basis. \n | \n server | \n
\n http-port | \n Specifies the TCP port number the server uses to receive and send unencrypted DNS traffic via HTTP. \n | \n-query, server | \n+server, query | \n
\n http-streams-per-connection | \n Limits the number of active concurrent HTTP/2 streams on a per-connection basis. \n | \n server | \n
\n https-port | \n Specifies the TCP port number the server uses to receive and send DNS-over-HTTPS protocol traffic. \n | \n-query, server | \n+server, query | \n
\n in-view | \n Specifies the view in which a given zone is defined. \n | \n-view, zone | \n+zone, view | \n
\n inet | \n Specifies a TCP socket as a control channel. \n | \n server | \n
\n inline-signing | \n@@ -10954,15 +10954,15 @@\n Enables automatic IPv4 zones if a dns64 block is configured. \n | \n query | \n
\n ipv4only-server | \n Specifies the name of the server for the IPV4ONLY.ARPA zone created by dns64 . \n | \n-query, server | \n+server, query | \n
\n ipv6-prefix-length | \n Specifies the prefix lengths of IPv6 address blocks. \n | \n server | \n
\n ixfr-from-differences | \n@@ -10989,20 +10989,20 @@\n Indicates the directory where public and private DNSSEC key files are found. \n | \n dnssec | \n
\n key-file | \n Specifies the path to a file containing the private TLS key for a connection. \n | \n-security, server | \n+server, security | \n
\n keys | \n Specifies one or more server_key s to be used with a remote server. \n | \n-security, server | \n+server, security | \n
\n lame-ttl | \n Sets the resolver's lame cache. \n | \n server | \n
\n listen-on | \n@@ -11014,30 +11014,30 @@\n Specifies the IPv6 addresses on which a server listens for DNS queries. \n | \n server | \n
\n listener-clients | \n Specifies a per-listener quota for active connections. \n | \n-query, server | \n+server, query | \n
\n lmdb-mapsize | \n Sets a maximum size for the memory map of the new-zone database in LMDB database format. \n | \n server | \n
\n lock-file | \n Sets the pathname of the file on which named attempts to acquire a file lock when starting for the first time. \n | \n server | \n
\n log-only | \n Tests rate-limiting parameters without actually dropping any requests. \n | \n-query, logging | \n+logging, query | \n
\n logging | \n Configures logging options for the name server. \n | \n logging | \n
\n managed-keys | \n@@ -11124,30 +11124,30 @@\n Sets the maximum number of levels of recursion permitted at any one time while servicing a recursive query. \n | \n server | \n
\n max-recursion-queries | \n Sets the maximum number of iterative queries while servicing a recursive query. \n | \n-query, server | \n+server, query | \n
\n max-refresh-time | \n Limits the zone refresh interval to no less often than the specified value, in seconds. \n | \n transfer | \n
\n max-retry-time | \n Limits the zone refresh retry interval to no less often than the specified value, in seconds. \n | \n transfer | \n
\n max-rsa-exponent-size | \n Sets the maximum RSA exponent size (in bits) when validating. \n | \n-query, dnssec | \n+dnssec, query | \n
\n max-stale-ttl | \n Specifies the maximum time that the server retains records past their normal expiry, to return them as stale records. \n | \n server | \n
\n max-table-size | \n@@ -11179,15 +11179,15 @@\n Sets the maximum EDNS UDP message size sent by named . \n | \n query | \n
\n max-zone-ttl | \n Specifies a maximum permissible time-to-live (TTL) value, in seconds. \n | \n-query, zone | \n+zone, query | \n
\n memstatistics | \n Controls whether memory statistics are written to the file specified by memstatistics-file at exit. \n | \n logging, server | \n
\n memstatistics-file | \n@@ -11264,20 +11264,20 @@\n Controls whether NOTIFY messages are sent on zone changes. \n | \n transfer | \n
\n notify-delay | \n Sets the delay (in seconds) between sending sets of NOTIFY messages for a zone. \n | \n-transfer, zone | \n+zone, transfer | \n
\n notify-rate | \n Specifies the rate at which NOTIFY requests are sent during normal zone maintenance operations. \n | \n-transfer, zone | \n+zone, transfer | \n
\n notify-source | \n Defines the IPv4 address (and optional port) to be used for outgoing NOTIFY messages. \n | \n transfer | \n
\n notify-source-v6 | \n@@ -11364,20 +11364,20 @@\n Configures plugins in named.conf . \n | \n server | \n
\n port | \n Specifies the UDP/TCP port number the server uses to receive and send DNS protocol traffic. \n | \n-query, server | \n+server, query | \n
\n prefer-server-ciphers | \n Specifies that server ciphers should be preferred over client ones. \n | \n-security, server | \n+server, security | \n
\n preferred-glue | \n Controls the order of glue records in an A or AAAA response. \n | \n query | \n
\n prefetch | \n@@ -11484,15 +11484,15 @@\n Specifies the expected hostname in the TLS certificate of the remote server. \n | \n security | \n
\n request-expire | \n Specifies whether the local server requests the EDNS EXPIRE value, when acting as a secondary. \n | \n-transfer, query | \n+query, transfer | \n
\n request-ixfr | \n Controls whether a secondary requests an incremental zone transfer (IXFR) or a full zone transfer (AXFR). \n | \n transfer | \n
\n request-nsid | \n@@ -11519,25 +11519,25 @@\n Specifies the length of time, in milliseconds, that a resolver attempts to resolve a recursive query before failing. \n | \n query | \n
\n resolver-retry-interval | \n Sets the base retry interval (in milliseconds). \n | \n-query, server | \n+server, query | \n
\n response-padding | \n Adds an EDNS Padding option to encrypted messages, to reduce the chance of guessing the contents based on size. \n | \n query | \n
\n response-policy | \n Specifies response policy zones for the view or among global options. \n | \n-security, query, server, zone | \n+server, zone, security, query | \n
\n responses-per-second | \n Limits the number of non-empty responses for a valid domain name and record type. \n | \n query | \n
\n retire-safety | \n@@ -11599,15 +11599,15 @@\n Defines characteristics to be associated with a remote name server. \n | \n server | \n
\n server-addresses | \n Specifies a list of IP addresses to which queries should be sent in recursive resolution for a static-stub zone. \n | \n-query, zone | \n+zone, query | \n
\n server-id | \n Specifies the ID of the server to return in response to a ID.SERVER query. \n | \n server | \n
\n server-names | \n@@ -11694,40 +11694,40 @@\n Sets the maximum amount of stack memory that can be used by the server. \n | \n deprecated | \n
\n stale-answer-client-timeout | \n Defines the amount of time (in milliseconds) that named waits before attempting to answer a query with a stale RRset from cache. \n | \n-query, server | \n+server, query | \n
\n stale-answer-enable | \n Enables the returning of "stale" cached answers when the name servers for a zone are not answering. \n | \n-query, server | \n+server, query | \n
\n stale-answer-ttl | \n Specifies the time to live (TTL) to be returned on stale answers, in seconds. \n | \n query | \n
\n stale-cache-enable | \n Enables the retention of "stale" cached answers. \n | \n-query, server | \n+server, query | \n
\n stale-refresh-time | \n Sets the time window for the return of "stale" cached answers before the next attempt to contact, if the name servers for a given zone are not responding. \n | \n-query, server | \n+server, query | \n
\n startup-notify-rate | \n Specifies the rate at which NOTIFY requests are sent when the name server is first starting, or when new zones have been added. \n | \n-transfer, zone | \n+zone, transfer | \n
\n statistics-channels | \n Specifies the communication channels to be used by system administrators to access statistics information on the name server. \n | \n logging | \n
\n statistics-file | \n@@ -11739,15 +11739,15 @@\n Directs the logging channel output to the server's standard error stream. \n | \n logging | \n
\n streams-per-connection | \n Specifies the maximum number of concurrent HTTP/2 streams over an HTTP/2 connection. \n | \n-query, server | \n+server, query | \n
\n suffix | \n Defines trailing bits for mapped IPv4 address bits in dns64 . \n | \n query | \n
\n synth-from-dnssec | \n@@ -11774,15 +11774,15 @@\n Sets the amount of time (in milliseconds) that the server waits on an idle TCP connection before closing it, if the EDNS TCP keepalive option is not in use. \n | \n query | \n
\n tcp-initial-timeout | \n Sets the amount of time (in milliseconds) that the server waits on a new TCP connection for the first message from the client. \n | \n-query, server | \n+server, query | \n
\n tcp-keepalive | \n Adds EDNS TCP keepalive to messages sent over TCP. \n | \n server | \n
\n tcp-keepalive-timeout | \n@@ -11834,15 +11834,15 @@\n Configures a TLS connection. \n | \n security | \n
\n tls-port | \n Specifies the TCP port number the server uses to receive and send DNS-over-TLS protocol traffic. \n | \n-query, server | \n+server, query | \n
\n transfer-format | \n Controls whether multiple records can be packed into a message during zone transfers. \n | \n transfer | \n
\n transfer-message-size | \n@@ -11994,15 +11994,15 @@\n Specifies a list of ports that are valid sources for UDP/IPv6 messages. \n | \n deprecated | \n
\n v6-bias | \n Indicates the number of milliseconds of preference to give to IPv6 name servers. \n | \n-query, server | \n+server, query | \n
\n validate-except | \n Specifies a list of domain names at and beneath which DNSSEC validation should not be performed. \n | \n dnssec | \n
\n version | \n@@ -12019,20 +12019,20 @@\n Specifies the length of time during which responses are tracked. \n | \n query | \n
\n zero-no-soa-ttl | \n Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries. \n | \n-server, query, zone | \n+server, zone, query | \n
\n zero-no-soa-ttl-cache | \n Sets the time to live (TTL) to zero when caching a negative response to an SOA query. \n | \n-server, query, zone | \n+server, zone, query | \n
\n zone | \n Specifies the zone in a BIND 9 configuration. \n | \n zone | \n
\n zone-propagation-delay | \n", "details": [{"source1": "html2text {}", "source2": "html2text {}", "unified_diff": "@@ -2397,1266 +2397,1266 @@\n Zone_Tag_Statements relate to or control zone behavior, and typically only\n appear in a zone block.\n Deprecated_Tag_Statements are those that are now deprecated, but are included\n here for historical reference.\n The following table lists all statements permissible in named.conf, with their\n associated tags; the next section groups the statements by tag. Please note\n that these sections are a work in progress.\n-Statement Description Tags\n-acl Assigns a symbolic name to server\n- an address match list.\n-algorithm Defines the algorithm to be security\n- used in a key clause.\n-all-per-second Limits UDP responses of all query\n- kinds.\n- Controls the ability to add\n-allow-new-zones zones at runtime via rndc server, zone\n- addzone.\n- Defines an\n- address_match_list that is\n- allowed to send NOTIFY\n-allow-notify messages for the zone, in transfer\n- addition to addresses\n- defined in the primaries\n- option for the zone.\n- Specifies which hosts (an\n-allow-query IP address list) are query\n- allowed to send queries to\n- this resolver.\n- Specifies which hosts (an\n- IP address list) can access\n-allow-query-cache this server's cache and query\n- thus effectively controls\n- recursion.\n- Specifies which hosts (an\n- IP address list) can access\n-allow-query-cache-on this server's cache. Used query\n- on servers with multiple\n- interfaces.\n- Specifies which local\n- addresses (an IP address\n-allow-query-on list) are allowed to send query\n- queries to this resolver.\n- Used in multi-homed\n- configurations.\n- Defines an\n-allow-recursion address_match_list of query\n- clients that are allowed to\n- perform recursive queries.\n- Specifies which local\n-allow-recursion-on addresses can accept query, server\n- recursive queries.\n- Defines an\n- address_match_list of hosts\n-allow-transfer that are allowed to transfer\n- transfer the zone\n- information from this\n- server.\n- Defines an\n- address_match_list of hosts\n-allow-update that are allowed to submit transfer\n- dynamic updates for primary\n- zones.\n- Defines an\n- address_match_list of hosts\n-allow-update-forwarding that are allowed to submit transfer\n- dynamic updates to a\n- secondary server for\n- transmission to a primary.\n- Defines one or more hosts\n-also-notify that are sent NOTIFY transfer\n- messages when zone changes\n- occur.\n- Defines alternate local\n- IPv4 address(es) to be used\n- by the server for inbound\n-alt-transfer-source zone transfers, if the deprecated\n- address(es) defined by\n- transfer-source fail and\n- use-alt-transfer-source is\n- enabled.\n- Defines alternate local\n-alt-transfer-source-v6 IPv6 address(es) to be used deprecated\n- by the server for inbound\n- zone transfers.\n- Controls whether COOKIE\n-answer-cookie EDNS replies are sent in query\n- response to client queries.\n- Allows multiple views to\n-attach-cache share a single cache view\n- database.\n- Controls whether BIND,\n- acting as a resolver,\n-auth-nxdomain provides authoritative query\n- NXDOMAIN (domain does not\n- exist) answers.\n- Permits varying levels of\n-auto-dnssec automatic DNSSEC key dnssec\n- management.\n- Controls the automatic\n-automatic-interface-scan rescanning of network server\n- interfaces when addresses\n- are added or removed.\n- Specifies the range(s) of\n-avoid-v4-udp-ports ports to be excluded from deprecated\n- use as sources for UDP/IPv4\n- messages.\n- Specifies the range(s) of\n-avoid-v6-udp-ports ports to be excluded from deprecated\n- use as sources for UDP/IPv6\n- messages.\n- Specifies the pathname of a\n-bindkeys-file file to override the built- dnssec\n- in trusted keys provided by\n- named.\n- Defines an\n- address_match_list of hosts\n-blackhole to ignore. The server will query\n- neither respond to queries\n- from nor send queries to\n- these addresses.\n-bogus Allows a remote server to server\n- be ignored.\n- Enables dns64 synthesis\n-break-dnssec even if the validated query\n- result would cause a DNSSEC\n- validation failure.\n-buffered Controls flushing of log logging\n- messages.\n- Specifies the path to a\n- file containing TLS\n-ca-file certificates for trusted CA security, server\n- authorities, used to verify\n- remote peer certificates.\n-catalog-zones Configures catalog zones in zone\n- named.conf.\n- Specifies the type of data\n-category logged to a particular logging\n- channel.\n- Specifies the path to a\n-cert-file file containing the TLS security, server\n- certificate for a\n- connection.\n- Defines a stream of data\n-channel that can be independently logging\n- logged.\n- Checks primary zones for\n- records that are treated as\n-check-dup-records different by DNSSEC but are query, dnssec\n- semantically equal in plain\n- DNS.\n- Performs post-load zone\n-check-integrity integrity checks on primary zone\n- zones.\n- Checks whether an MX record\n-check-mx appears to refer to an IP zone\n- address.\n- Sets the response to MX\n-check-mx-cname records that refer to zone\n- CNAMEs.\n- Restricts the character set\n- and syntax of certain\n-check-names domain names in primary query, server\n- files and/or DNS responses\n- received from the network.\n- Specifies whether to check\n-check-sibling for sibling glue when zone\n- performing integrity\n- checks.\n- Specifies whether to check\n-check-spf for a TXT Sender Policy zone\n- Framework record, if an SPF\n- record is present.\n- Sets the response to SRV\n-check-srv-cname records that refer to zone\n- CNAMEs.\n-check-wildcard Checks for non-terminal zone\n- wildcards.\n-ciphers Specifies a list of allowed security\n- ciphers.\n- Specifies an access control\n-clients list (ACL) of clients that query\n- are affected by a given\n- dns64 directive.\n- Sets the initial minimum\n- number of simultaneous\n-clients-per-query recursive clients accepted server\n- by the server for any given\n- query before the server\n- drops additional clients.\n- Specifies control channels\n-controls to be used to manage the server\n- name server.\n- Sets the algorithm to be\n-cookie-algorithm used when generating a server\n- server cookie.\n- Specifies a shared secret\n- used for generating and\n-cookie-secret verifying EDNS COOKIE server\n- options within an anycast\n- cluster.\n-coresize Sets the maximum size of a deprecated\n- core dump.\n- Specifies the type of\n-database database to be used to zone\n- store zone data.\n- Sets the maximum amount of\n-datasize data memory that can be deprecated\n- used by the server.\n- Indicates that a forward,\n-delegation-only hint, or stub zone is to be deprecated\n- treated as a delegation-\n- only type zone.\n- Rejects A or AAAA records\n-deny-answer-addresses if the corresponding IPv4 query\n- or IPv6 addresses match a\n- given address_match_list.\n- Rejects CNAME or DNAME\n-deny-answer-aliases records if the \"alias\" name query\n- matches a given list of\n- domain_name elements.\n- Specifies the path to a\n-dhparam-file file containing Diffie- security, server\n- Hellman parameters, for\n- enabling cipher suites.\n- Concentrates zone\n- maintenance so that all\n-dialup transfers take place once deprecated\n- every heartbeat-interval,\n- ideally during a single\n- call.\n-directory Sets the server's working server\n- directory.\n-disable-algorithms Disables DNSSEC algorithms dnssec\n- from a specified zone.\n-disable-ds-digests Disables DS digest types zone, dnssec\n- from a specified zone.\n-disable-empty-zone Disables individual empty server, zone\n- zones.\n- Configures a Dynamically\n-dlz Loadable Zone (DLZ) zone\n- database in named.conf.\n- Instructs named to return\n-dns64 mapped IPv4 addresses to query\n- AAAA queries when there are\n- no AAAA records.\n-dns64-contact Specifies the name of the server\n- contact for dns64 zones.\n-dns64-server Specifies the name of the server\n- server for dns64 zones.\n- Specifies the number of\n-dnskey-sig-validity days in the future when dnssec\n- automatically generated\n- DNSSEC signatures expire.\n- Specifies the time to live\n-dnskey-ttl (TTL) for DNSKEY resource dnssec\n- records.\n- Turns on the DNS Response\n-dnsrps-enable Policy Service (DNSRPS) security, server\n- interface.\n- Provides additional RPZ\n- configuration settings,\n-dnsrps-options which are passed to the DNS security, server\n- Response Policy Service\n- (DNSRPS) provider library.\n- Instructs BIND 9 to accept\n-dnssec-accept-expired expired DNSSEC signatures dnssec\n- when validating.\n- Specifies that only key-\n- signing keys are used to\n-dnssec-dnskey-kskonly sign the DNSKEY, CDNSKEY, dnssec\n- and CDS RRsets at a zone's\n- apex.\n- Sets the frequency of\n-dnssec-loadkeys-interval automatic checks of the dnssec\n- DNSSEC key repository.\n- Defines hierarchies that\n-dnssec-must-be-secure must or may not be secure deprecated\n- (signed and validated).\n-dnssec-policy Defines a key and signing dnssec\n- policy (KASP) for zones.\n- Allows a dynamic zone to\n-dnssec-secure-to-insecure transition from secure to dnssec\n- insecure by deleting all\n- DNSKEY records.\n- Controls the scheduled\n-dnssec-update-mode maintenance of DNSSEC dnssec\n- signatures.\n-dnssec-validation Enables DNSSEC validation dnssec\n- in named.\n-dnstap Enables logging of dnstap logging\n- messages.\n- Specifies an identity\n-dnstap-identity string to send in dnstap logging\n- messages.\n- Configures the path to\n-dnstap-output which the dnstap frame logging\n- stream is sent.\n-dnstap-version Specifies a version string logging\n- to send in dnstap messages.\n- Sets the Differentiated\n-dscp Services Code Point (DSCP) query, server\n- value (obsolete).\n- Specifies host names or\n-dual-stack-servers addresses of machines with server\n- access to both IPv4 and\n- IPv6 transports.\n- Indicates the pathname of\n-dump-file the file where the server logging\n- dumps the database after\n- rndc_dumpdb.\n-dyndb Configures a DynDB database zone\n- in named.conf.\n-edns Controls the use of the server\n- EDNS0 (RFC_2671) feature.\n- Sets the maximum advertised\n- EDNS UDP buffer size to\n-edns-udp-size control the size of packets query\n- received from authoritative\n- servers in response to\n- recursive queries.\n- Sets the maximum EDNS\n-edns-version VERSION that is sent to the server\n- server(s) by the resolver.\n- Specifies the contact name\n-empty-contact in the returned SOA record server, zone\n- for empty zones.\n- Specifies the server name\n-empty-server in the returned SOA record server, zone\n- for empty zones.\n-empty-zones-enable Enables or disables all server, zone\n- empty zones.\n- Specifies a list of HTTP\n-endpoints query paths on which to query, server\n- listen.\n- Limits the number of errors\n-errors-per-second for a valid domain name and server\n- record type.\n- Allows a list of IPv6\n- addresses to be ignored if\n-exclude they appear in a domain query\n- name's AAAA records in\n- dns64.\n- Exempts specific clients or\n-exempt-clients client groups from rate query\n- limiting.\n- Sets the parameters for\n- dynamic resizing of the\n-fetch-quota-params fetches-per-server quota in query, server\n- response to detected\n- congestion.\n- Sets the maximum number of\n- simultaneous iterative\n- queries allowed to be sent\n-fetches-per-server by a server to an upstream query, server\n- name server before the\n- server blocks additional\n- queries.\n- Sets the maximum number of\n- simultaneous iterative\n-fetches-per-zone queries allowed to any one query, server\n- domain before the server\n- blocks new queries for data\n- in or beneath that zone.\n-file Specifies the zone's zone\n- filename.\n- Sets the maximum number of\n-files files the server may have deprecated\n- open concurrently.\n- Controls whether pending\n-flush-zones-on-shutdown zone writes are flushed zone\n- when the name server exits.\n- Allows or disallows\n- fallback to recursion if\n-forward forwarding has failed; it query\n- is always used in\n- conjunction with the\n- forwarders statement.\n- Defines one or more hosts\n-forwarders to which queries are query\n- forwarded.\n- Sets the number of\n-fstrm-set-buffer-hint accumulated bytes in the logging\n- output buffer before\n- forcing a buffer flush.\n- Sets the number of seconds\n-fstrm-set-flush-timeout that unflushed data remains logging\n- in the output buffer.\n- Sets the number of queue\n-fstrm-set-input-queue-size entries to allocate for logging\n- each input queue.\n- Sets the number of\n-fstrm-set-output-notify- outstanding queue entries\n-threshold allowed on an input queue logging\n- before waking the I/\n- O thread.\n-fstrm-set-output-queue- Sets the queuing semantics logging\n-model to use for queue objects.\n-fstrm-set-output-queue- Sets the number of queue\n-size entries allocated for each logging\n- output queue.\n- Sets the number of seconds\n-fstrm-set-reopen-interval to wait between attempts to logging\n- reopen a closed output\n- stream.\n- Specifies the directory\n-geoip-directory containing GeoIP database server\n- files.\n-glue-cache Deprecated. deprecated\n- Sets the interval at which\n-heartbeat-interval the server performs zone deprecated\n- maintenance tasks for all\n- zones marked as dialup.\n- Specifies the hostname of\n-hostname the server to return in server\n- response to a hostname.bind\n- query.\n- Configures HTTP endpoints\n-http on which to listen for DNS- query, server\n- over-HTTPS (DoH) queries.\n- Limits the number of active\n-http-listener-clients concurrent connections on a server\n- per-listener basis.\n- Specifies the TCP port\n- number the server uses to\n-http-port receive and send query, server\n- unencrypted DNS traffic via\n- HTTP.\n-http-streams-per- Limits the number of active\n-connection concurrent HTTP/2 streams server\n- on a per-connection basis.\n- Specifies the TCP port\n-https-port number the server uses to query, server\n- receive and send DNS-over-\n- HTTPS protocol traffic.\n-in-view Specifies the view in which view, zone\n- a given zone is defined.\n-inet Specifies a TCP socket as a server\n- control channel.\n- Specifies whether BIND 9\n-inline-signing maintains a separate signed zone, dnssec\n- version of a zone.\n- Sets the interval at which\n-interface-interval the server scans the server\n- network interface list.\n- Specifies the prefix\n-ipv4-prefix-length lengths of IPv4 address server\n- blocks.\n- Specifies the contact for\n-ipv4only-contact the IPV4ONLY.ARPA zone server\n- created by dns64.\n- Enables automatic IPv4\n-ipv4only-enable zones if a dns64 block is query\n- configured.\n- Specifies the name of the\n-ipv4only-server server for the query, server\n- IPV4ONLY.ARPA zone created\n- by dns64.\n- Specifies the prefix\n-ipv6-prefix-length lengths of IPv6 address server\n- blocks.\n-ixfr-from-differences Controls how IXFR transfers transfer\n- are calculated.\n- Allows the default\n-journal journal's filename to be zone\n- overridden.\n- Defines an\n- address_match_list of\n-keep-response-order addresses which do not server\n- accept reordered answers\n- within a single TCP stream.\n- Defines a shared secret key\n-key for use with TSIG or the security\n- command channel.\n- Indicates the directory\n-key-directory where public and private dnssec\n- DNSSEC key files are found.\n- Specifies the path to a\n-key-file file containing the private security, server\n- TLS key for a connection.\n- Specifies one or more\n-keys server_key s to be used security, server\n- with a remote server.\n-lame-ttl Sets the resolver's lame server\n- cache.\n- Specifies the IPv4\n-listen-on addresses on which a server server\n- listens for DNS queries.\n- Specifies the IPv6\n-listen-on-v6 addresses on which a server server\n- listens for DNS queries.\n- Specifies a per-listener\n-listener-clients quota for active query, server\n- connections.\n- Sets a maximum size for the\n-lmdb-mapsize memory map of the new-zone server\n- database in LMDB database\n- format.\n- Sets the pathname of the\n- file on which named\n-lock-file attempts to acquire a file server\n- lock when starting for the\n- first time.\n- Tests rate-limiting\n-log-only parameters without actually query, logging\n- dropping any requests.\n-logging Configures logging options logging\n- for the name server.\n-managed-keys Deprecated, use trust- deprecated\n- anchors.\n- Specifies the directory in\n-managed-keys-directory which to store the files dnssec\n- that track managed DNSSEC\n- keys.\n- Specifies an access control\n- list (ACL) of IPv4\n-mapped addresses that are to be query\n- mapped to the corresponding\n- A RRset in dns64.\n-masterfile-format Specifies the file format server, zone\n- of zone files.\n- Specifies the format of\n-masterfile-style zone files during a dump, server\n- when the masterfile-format\n- is text.\n- Specifies a view of DNS\n-match-clients namespace for a given view\n- subset of client IP\n- addresses.\n- Specifies a view of DNS\n-match-destinations namespace for a given view\n- subset of destination IP\n- addresses.\n- Allows IPv4-mapped IPv6\n- addresses to match address-\n-match-mapped-addresses match list entries for server\n- corresponding IPv4\n- addresses.\n- Specifies that only\n-match-recursive-only recursive requests can view\n- match this view of the DNS\n- namespace.\n- Sets the maximum amount of\n- memory to use for an\n-max-cache-size individual cache database server\n- and its associated\n- metadata.\n- Specifies the maximum time\n-max-cache-ttl (in seconds) that the server\n- server caches ordinary\n- (positive) answers.\n- Sets the maximum number of\n- simultaneous recursive\n-max-clients-per-query clients accepted by the server\n- server for any given query\n- before the server drops\n- additional clients.\n- Sets the maximum size for\n-max-ixfr-ratio IXFR responses to zone transfer\n- transfer requests.\n-max-journal-size Controls the size of transfer\n- journal files.\n- Specifies the maximum\n- retention time (in seconds)\n-max-ncache-ttl for storage of negative server\n- answers in the server's\n- cache.\n- Sets the maximum number of\n-max-records records permitted in a server, zone\n- zone.\n- Sets the maximum number of\n- levels of recursion\n-max-recursion-depth permitted at any one time server\n- while servicing a recursive\n- query.\n- Sets the maximum number of\n-max-recursion-queries iterative queries while query, server\n- servicing a recursive\n- query.\n- Limits the zone refresh\n-max-refresh-time interval to no less often transfer\n- than the specified value,\n- in seconds.\n- Limits the zone refresh\n-max-retry-time retry interval to no less transfer\n- often than the specified\n- value, in seconds.\n- Sets the maximum RSA\n-max-rsa-exponent-size exponent size (in bits) query, dnssec\n- when validating.\n- Specifies the maximum time\n- that the server retains\n-max-stale-ttl records past their normal server\n- expiry, to return them as\n- stale records.\n- Sets the maximum size of\n-max-table-size the table used to track server\n- requests and rate-limit\n- responses.\n- Specifies the number of\n-max-transfer-idle-in minutes after which inbound transfer\n- zone transfers making no\n- progress are terminated.\n- Specifies the number of\n- minutes after which\n-max-transfer-idle-out outbound zone transfers transfer\n- making no progress are\n- terminated.\n- Specifies the number of\n-max-transfer-time-in minutes after which inbound transfer\n- zone transfers are\n- terminated.\n- Specifies the number of\n-max-transfer-time-out minutes after which transfer\n- outbound zone transfers are\n- terminated.\n-max-udp-size Sets the maximum EDNS UDP query\n- message size sent by named.\n- Specifies a maximum\n-max-zone-ttl permissible time-to-live query, zone\n- (TTL) value, in seconds.\n- Controls whether memory\n-memstatistics statistics are written to logging, server\n- the file specified by\n- memstatistics-file at exit.\n- Sets the pathname of the\n-memstatistics-file file where the server logging\n- writes memory usage\n- statistics on exit.\n- Controls whether DNS name\n-message-compression compression is used in query\n- responses to regular\n- queries.\n- Specifies the minimum time\n-min-cache-ttl (in seconds) that the server\n- server caches ordinary\n- (positive) answers.\n- Specifies the minimum\n- retention time (in seconds)\n-min-ncache-ttl for storage of negative server\n- answers in the server's\n- cache.\n- Limits the zone refresh\n-min-refresh-time interval to no more often transfer\n- than the specified value,\n- in seconds.\n- Limits the zone refresh\n-min-retry-time retry interval to no more transfer\n- often than the specified\n- value, in seconds.\n- Sets the minimum size of\n-min-table-size the table used to track query\n- requests and rate-limit\n- responses.\n- Controls whether the server\n- replies with only one of\n-minimal-any the RRsets for a query query\n- name, when generating a\n- positive response to a\n- query of type ANY over UDP.\n- Controls whether the server\n- only adds records to the\n- authority and additional\n-minimal-responses data sections when they are query\n- required (e.g. delegations,\n- negative responses). This\n- improves server\n- performance.\n- Controls whether serial\n-multi-master number mismatch errors are transfer\n- logged.\n- Specifies the directory\n- where configuration\n-new-zones-directory parameters are stored for zone\n- zones added by rndc\n- addzone.\n- Specifies a list of\n-no-case-compress addresses that require server\n- case-insensitive\n- compression in responses.\n- Sets the maximum size of\n-nocookie-udp-size UDP responses that are sent query\n- to queries without a valid\n- server COOKIE.\n- Limits the number of empty\n-nodata-per-second (NODATA) responses for a query\n- valid domain name.\n- Controls whether NOTIFY\n-notify messages are sent on zone transfer\n- changes.\n- Sets the delay (in seconds)\n-notify-delay between sending sets of transfer, zone\n- NOTIFY messages for a zone.\n- Specifies the rate at which\n-notify-rate NOTIFY requests are sent transfer, zone\n- during normal zone\n- maintenance operations.\n- Defines the IPv4 address\n-notify-source (and optional port) to be transfer\n- used for outgoing NOTIFY\n- messages.\n- Defines the IPv6 address\n-notify-source-v6 (and optional port) to be transfer\n- used for outgoing NOTIFY\n- messages.\n- Controls whether the name\n-notify-to-soa servers in the NS RRset are transfer\n- checked against the SOA\n- MNAME.\n- Specifies the use of NSEC3\n-nsec3param instead of NSEC, and sets dnssec\n- NSEC3 parameters.\n- Specifies the lifetime, in\n-nta-lifetime seconds, for negative trust dnssec\n- anchors added via rndc_nta.\n- Specifies the time interval\n- for checking whether\n-nta-recheck negative trust anchors dnssec\n- added via rndc_nta are\n- still necessary.\n- Causes all messages sent to\n-null the logging channel to be logging\n- discarded.\n- Appends the specified\n- suffix to the original\n-nxdomain-redirect query name, when replacing query\n- an NXDOMAIN with a redirect\n- namespace.\n- Limits the number of\n-nxdomains-per-second undefined subdomains for a query\n- valid domain name.\n-options Defines global options to server\n- be used by BIND 9.\n- Adds EDNS Padding options\n-padding to outgoing messages to server\n- increase the packet size.\n- Sets the time to live (TTL)\n-parent-ds-ttl of the DS RRset used by the dnssec\n- parent zone.\n- Sets the propagation delay\n- from the time the parent\n-parent-propagation-delay zone is updated to when the zone, dnssec\n- new version is served by\n- all of the parent zone's\n- name servers.\n- Defines a list of\n-parental-agents delegation agents to be zone\n- used by primary and\n- secondary zones.\n- Specifies which local IPv4\n-parental-source source address is used to dnssec\n- send parental DS queries.\n- Specifies which local IPv6\n-parental-source-v6 source address is used to dnssec\n- send parental DS queries.\n- Specifies the pathname of\n-pid-file the file where the server server\n- writes its process ID.\n-plugin Configures plugins in server\n- named.conf.\n- Specifies the UDP/TCP port\n-port number the server uses to query, server\n- receive and send DNS\n- protocol traffic.\n- Specifies that server\n-prefer-server-ciphers ciphers should be preferred security, server\n- over client ones.\n- Controls the order of glue\n-preferred-glue records in an A or AAAA query\n- response.\n- Specifies the \"trigger\"\n-prefetch time-to-live (TTL) value at query\n- which prefetch of the\n- current query takes place.\n-primaries Defines one or more primary zone\n- servers for a zone.\n-print-category Includes the category in logging\n- log messages.\n-print-severity Includes the severity in logging\n- log messages.\n-print-time Specifies the time format logging\n- for log messages.\n- Specifies the allowed\n-protocols versions of the TLS security\n- protocol.\n- Controls whether a primary\n- responds to an incremental\n-provide-ixfr zone request (IXFR) or only transfer\n- responds with a full zone\n- transfer (AXFR).\n- Increases the amount of\n- time between when keys are\n-publish-safety published and when they dnssec\n- become active, to allow for\n- unforeseen events.\n- Specifies the amount of\n- time after which DNSSEC\n-purge-keys keys that have been deleted dnssec\n- from the zone can be\n- removed from disk.\n- Controls QNAME minimization\n-qname-minimization behavior in the BIND 9 query\n- resolver.\n- Tightens defenses during\n-qps-scale DNS attacks by scaling back query\n- the ratio of the current\n- query-per-second rate.\n- Controls the IPv4 address\n-query-source from which queries are query\n- issued.\n- Controls the IPv6 address\n-query-source-v6 from which queries are query\n- issued.\n- Specifies whether query\n-querylog logging should be active logging, server\n- when named first starts.\n- Controls excessive UDP\n- responses, to prevent BIND\n-rate-limit 9 from being used to query\n- amplify reflection denial-\n- of-service (DoS) attacks.\n- Specifies the pathname of\n- the file where the server\n-recursing-file dumps queries that are server\n- currently recursing via\n- rndc_recursing.\n-recursion Defines whether recursion query\n- and caching are allowed.\n- Specifies the maximum\n-recursive-clients number of concurrent query\n- recursive queries the\n- server can perform.\n- Toggles whether dns64\n-recursive-only synthesis occurs only for query\n- recursive queries.\n- Limits the number of\n-referrals-per-second referrals or delegations to query\n- a server for a given\n- domain.\n- Specifies the expected\n-remote-hostname hostname in the TLS security\n- certificate of the remote\n- server.\n- Specifies whether the local\n-request-expire server requests the EDNS transfer, query\n- EXPIRE value, when acting\n- as a secondary.\n- Controls whether a\n- secondary requests an\n-request-ixfr incremental zone transfer transfer\n- (IXFR) or a full zone\n- transfer (AXFR).\n- Controls whether an empty\n- EDNS(0) NSID (Name Server\n- Identifier) option is sent\n-request-nsid with all queries to query\n- authoritative name servers\n- during iterative\n- resolution.\n- Controls whether a valid\n-require-server-cookie server cookie is required query\n- before sending a full\n- response to a UDP request.\n-reserved-sockets Deprecated. deprecated\n- Specifies the number of\n-resolver-nonbackoff-tries retries before exponential server\n- backoff.\n- Specifies the length of\n- time, in milliseconds, that\n-resolver-query-timeout a resolver attempts to query\n- resolve a recursive query\n- before failing.\n-resolver-retry-interval Sets the base retry query, server\n- interval (in milliseconds).\n- Adds an EDNS Padding option\n- to encrypted messages, to\n-response-padding reduce the chance of query\n- guessing the contents based\n- on size.\n- Specifies response policy security, query, server,\n-response-policy zones for the view or among zone\n- global options.\n- Limits the number of non-\n-responses-per-second empty responses for a valid query\n- domain name and record\n- type.\n- Increases the amount of\n- time a key remains\n-retire-safety published after it is no dnssec\n- longer active, to allow for\n- unforeseen events.\n-reuseport Enables kernel load- server\n- balancing of sockets.\n- Turns on enforcement of\n- delegation-only in top-\n-root-delegation-only level domains (TLDs) and deprecated\n- root zones with an optional\n- exclude list.\n- Controls whether BIND 9\n-root-key-sentinel responds to root key server\n- sentinel probes.\n- Defines the order in which\n-rrset-order equal RRs (RRsets) are query\n- returned.\n- Specifies whether a\n-search Dynamically Loadable Zone query\n- (DLZ) module is queried for\n- an answer to a query name.\n- Defines a Base64-encoded\n-secret string to be used as the security\n- secret by the algorithm.\n- Specifies the pathname of\n-secroots-file the file where the server dnssec\n- dumps security roots, when\n- using rndc_secroots.\n- Controls whether a COOKIE\n-send-cookie EDNS option is sent along query\n- with a query.\n- Defines an upper limit on\n- the number of queries per\n-serial-query-rate second issued by the transfer\n- server, when querying the\n- SOA RRs used for zone\n- transfers.\n- Specifies the update method\n-serial-update-method to be used for the zone zone\n- serial number in the SOA\n- record.\n- Defines characteristics to\n-server be associated with a remote server\n- name server.\n- Specifies a list of IP\n- addresses to which queries\n-server-addresses should be sent in recursive query, zone\n- resolution for a static-\n- stub zone.\n- Specifies the ID of the\n-server-id server to return in server\n- response to a ID.SERVER\n- query.\n- Specifies a list of domain\n- names of name servers that\n-server-names act as authoritative zone\n- servers of a static-stub\n- zone.\n- Sets the length of time (in\n-servfail-ttl seconds) that a SERVFAIL server\n- response is cached.\n- Specifies the algorithm to\n-session-keyalg use for the TSIG session security\n- key.\n- Specifies the pathname of\n- the file where a TSIG\n-session-keyfile session key is written, security\n- when generated by named for\n- use by nsupdate -l.\n-session-keyname Specifies the key name for security\n- the TSIG session key.\n- Enables or disables session\n-session-tickets resumption through TLS security\n- session tickets.\n-severity Defines the priority level logging\n- of log messages.\n- Specifies the maximum\n- number of nodes to be\n-sig-signing-nodes examined in each quantum, dnssec\n- when signing a zone with a\n- new DNSKEY.\n- Specifies the threshold for\n- the number of signatures\n-sig-signing-signatures that terminates processing dnssec\n- a quantum, when signing a\n- zone with a new DNSKEY.\n- Specifies a private RDATA\n-sig-signing-type type to use when generating dnssec\n- signing-state records.\n- Specifies the maximum\n-sig-validity-interval number of days that RRSIGs dnssec\n- generated by named are\n- valid.\n-signatures-refresh Specifies how frequently an dnssec\n- RRSIG record is refreshed.\n-signatures-validity Indicates the validity dnssec\n- period of an RRSIG record.\n-signatures-validity-dnskey Indicates the validity dnssec\n- period of DNSKEY records.\n- Sets the number of\n- \"slipped\" responses to\n-slip minimize the use of forged query\n- source addresses for an\n- attack.\n- Controls the ordering of\n-sortlist RRs returned to the client, query\n- based on the client's IP\n- address.\n- Sets the maximum amount of\n-stacksize stack memory that can be deprecated\n- used by the server.\n- Defines the amount of time\n- (in milliseconds) that\n-stale-answer-client- named waits before query, server\n-timeout attempting to answer a\n- query with a stale RRset\n- from cache.\n- Enables the returning of\n-stale-answer-enable \"stale\" cached answers when query, server\n- the name servers for a zone\n- are not answering.\n- Specifies the time to live\n-stale-answer-ttl (TTL) to be returned on query\n- stale answers, in seconds.\n-stale-cache-enable Enables the retention of query, server\n- \"stale\" cached answers.\n- Sets the time window for\n- the return of \"stale\"\n- cached answers before the\n-stale-refresh-time next attempt to contact, if query, server\n- the name servers for a\n- given zone are not\n- responding.\n- Specifies the rate at which\n- NOTIFY requests are sent\n-startup-notify-rate when the name server is transfer, zone\n- first starting, or when new\n- zones have been added.\n- Specifies the communication\n- channels to be used by\n-statistics-channels system administrators to logging\n- access statistics\n- information on the name\n- server.\n- Specifies the pathname of\n-statistics-file the file where the server logging, server\n- appends statistics, when\n- using rndc_stats.\n- Directs the logging channel\n-stderr output to the server's logging\n- standard error stream.\n- Specifies the maximum\n-streams-per-connection number of concurrent HTTP/ query, server\n- 2 streams over an HTTP/\n- 2 connection.\n- Defines trailing bits for\n-suffix mapped IPv4 address bits in query\n- dns64.\n- Enables support for RFC\n-synth-from-dnssec 8198, Aggressive Use of dnssec\n- DNSSEC-Validated Cache.\n-syslog Directs the logging channel logging\n- to the system log.\n- Sets the timeout value (in\n- milliseconds) that the\n-tcp-advertised-timeout server sends in responses query\n- containing the EDNS TCP\n- keepalive option.\n- Specifies the maximum\n-tcp-clients number of simultaneous server\n- client TCP connections\n- accepted by the server.\n- Sets the amount of time (in\n- milliseconds) that the\n- server waits on an idle TCP\n-tcp-idle-timeout connection before closing query\n- it, if the EDNS TCP\n- keepalive option is not in\n- use.\n- Sets the amount of time (in\n- milliseconds) that the\n-tcp-initial-timeout server waits on a new TCP query, server\n- connection for the first\n- message from the client.\n-tcp-keepalive Adds EDNS TCP keepalive to server\n- messages sent over TCP.\n- Sets the amount of time (in\n- milliseconds) that the\n-tcp-keepalive-timeout server waits on an idle TCP query\n- connection before closing\n- it, if the EDNS TCP\n- keepalive option is in use.\n-tcp-listen-queue Sets the listen-queue server\n- depth.\n-tcp-only Sets the transport protocol server\n- to TCP.\n- Sets the operating system's\n-tcp-receive-buffer receive buffer size for TCP server\n- sockets.\n- Sets the operating system's\n-tcp-send-buffer send buffer size for TCP server\n- sockets.\n- Sets the Diffie-Hellman key\n-tkey-dhkey used by the server to deprecated\n- generate shared keys.\n- Sets the domain appended to\n-tkey-domain the names of all shared security\n- keys generated with TKEY.\n- Sets the security\n- credential for\n-tkey-gssapi-credential authentication keys security\n- requested by the GSS-TSIG\n- protocol.\n- Sets the KRB5 keytab file\n-tkey-gssapi-keytab to use for GSS-TSIG security\n- updates.\n-tls Configures a TLS security\n- connection.\n- Specifies the TCP port\n-tls-port number the server uses to query, server\n- receive and send DNS-over-\n- TLS protocol traffic.\n- Controls whether multiple\n-transfer-format records can be packed into transfer\n- a message during zone\n- transfers.\n- Limits the uncompressed\n-transfer-message-size size of DNS messages used transfer\n- in zone transfers over TCP.\n- Defines which local IPv4\n- address(es) are bound to\n-transfer-source TCP connections used to transfer\n- fetch zones transferred\n- inbound by the server.\n- Defines which local IPv6\n- address(es) are bound to\n-transfer-source-v6 TCP connections used to transfer\n- fetch zones transferred\n- inbound by the server.\n- Limits the number of\n-transfers concurrent inbound zone server\n- transfers from a server.\n- Limits the number of\n-transfers-in concurrent inbound zone transfer\n- transfers.\n- Limits the number of\n-transfers-out concurrent outbound zone transfer\n- transfers.\n- Limits the number of\n-transfers-per-ns concurrent inbound zone transfer\n- transfers from a remote\n- server.\n- Instructs named to send\n- specially formed queries\n-trust-anchor-telemetry once per day to domains for dnssec\n- which trust anchors have\n- been configured.\n-trust-anchors Defines DNSSEC trust dnssec\n- anchors.\n-trusted-keys Deprecated, use trust- deprecated\n- anchors.\n- Specifies that BIND 9\n-try-tcp-refresh should attempt to refresh a transfer\n- zone using TCP if UDP\n- queries fail.\n-type Specifies the kind of zone zone\n- in a given configuration.\n- Enforces the delegation-\n-type_delegation-only only status of deprecated\n- infrastructure zones (COM,\n- NET, ORG, etc.).\n- Contains forwarding\n-type_forward statements that apply to zone\n- queries within a given\n- domain.\n- Contains the initial set of\n-type_hint root name servers to be zone\n- used at BIND 9 startup.\n- Contains a DNSSEC-validated\n-type_mirror duplicate of the main data zone\n- for a zone.\n-type_primary Contains the main copy of zone\n- the data for a zone.\n- Contains information to\n-type_redirect answer queries when normal zone\n- resolution would return\n- NXDOMAIN.\n- Contains a duplicate of the\n-type_secondary data for a zone that has zone\n- been transferred from a\n- primary server.\n- Contains a duplicate of the\n- NS records of a primary\n-type_static-stub zone, but statically zone\n- configured rather than\n- transferred from a primary\n- server.\n- Contains a duplicate of the\n-type_stub NS records of a primary zone\n- zone.\n- Sets the operating system's\n-udp-receive-buffer receive buffer size for UDP server\n- sockets.\n- Sets the operating system's\n-udp-send-buffer send buffer size for UDP server\n- sockets.\n- Specifies a Unix domain\n-unix socket as a control server\n- channel.\n- Specifies whether to check\n- the KSK bit to determine\n-update-check-ksk how a key should be used, zone, dnssec\n- when generating RRSIGs for\n- a secure zone.\n- Sets fine-grained rules to\n- allow or deny dynamic\n-update-policy updates (DDNS), based on transfer\n- requester identity, updated\n- content, etc.\n- Specifies the maximum\n-update-quota number of concurrent DNS server\n- UPDATE messages that can be\n- processed by the server.\n- Indicates whether alt-\n-use-alt-transfer-source transfer-source and alt- deprecated\n- transfer-source-v6 can be\n- used.\n- Specifies a list of ports\n-use-v4-udp-ports that are valid sources for deprecated\n- UDP/IPv4 messages.\n- Specifies a list of ports\n-use-v6-udp-ports that are valid sources for deprecated\n- UDP/IPv6 messages.\n- Indicates the number of\n-v6-bias milliseconds of preference query, server\n- to give to IPv6 name\n- servers.\n- Specifies a list of domain\n-validate-except names at and beneath which dnssec\n- DNSSEC validation should\n- not be performed.\n- Specifies the version\n-version number of the server to server\n- return in response to a\n- version.bind query.\n- Allows a name server to\n-view answer a DNS query view\n- differently depending on\n- who is asking.\n- Specifies the length of\n-window time during which responses query\n- are tracked.\n- Specifies whether to set\n- the time to live (TTL) of\n-zero-no-soa-ttl the SOA record to zero, server, query, zone\n- when returning\n- authoritative negative\n- responses to SOA queries.\n- Sets the time to live (TTL)\n-zero-no-soa-ttl-cache to zero when caching a server, query, zone\n- negative response to an SOA\n- query.\n-zone Specifies the zone in a zone\n- BIND 9 configuration.\n- Sets the propagation delay\n- from the time a zone is\n-zone-propagation-delay first updated to when the zone, dnssec\n- new version of the zone is\n- served by all secondary\n- servers.\n- Controls the level of\n-zone-statistics statistics gathered for all logging, zone\n- zones.\n+Statement Description Tags\n+acl Assigns a symbolic name to server\n+ an address match list.\n+algorithm Defines the algorithm to be security\n+ used in a key clause.\n+all-per-second Limits UDP responses of all query\n+ kinds.\n+ Controls the ability to add\n+allow-new-zones zones at runtime via rndc server, zone\n+ addzone.\n+ Defines an\n+ address_match_list that is\n+ allowed to send NOTIFY\n+allow-notify messages for the zone, in transfer\n+ addition to addresses\n+ defined in the primaries\n+ option for the zone.\n+ Specifies which hosts (an\n+allow-query IP address list) are query\n+ allowed to send queries to\n+ this resolver.\n+ Specifies which hosts (an\n+ IP address list) can access\n+allow-query-cache this server's cache and query\n+ thus effectively controls\n+ recursion.\n+ Specifies which hosts (an\n+ IP address list) can access\n+allow-query-cache-on this server's cache. Used query\n+ on servers with multiple\n+ interfaces.\n+ Specifies which local\n+ addresses (an IP address\n+allow-query-on list) are allowed to send query\n+ queries to this resolver.\n+ Used in multi-homed\n+ configurations.\n+ Defines an\n+allow-recursion address_match_list of query\n+ clients that are allowed to\n+ perform recursive queries.\n+ Specifies which local\n+allow-recursion-on addresses can accept server, query\n+ recursive queries.\n+ Defines an\n+ address_match_list of hosts\n+allow-transfer that are allowed to transfer\n+ transfer the zone\n+ information from this\n+ server.\n+ Defines an\n+ address_match_list of hosts\n+allow-update that are allowed to submit transfer\n+ dynamic updates for primary\n+ zones.\n+ Defines an\n+ address_match_list of hosts\n+allow-update-forwarding that are allowed to submit transfer\n+ dynamic updates to a\n+ secondary server for\n+ transmission to a primary.\n+ Defines one or more hosts\n+also-notify that are sent NOTIFY transfer\n+ messages when zone changes\n+ occur.\n+ Defines alternate local\n+ IPv4 address(es) to be used\n+ by the server for inbound\n+alt-transfer-source zone transfers, if the deprecated\n+ address(es) defined by\n+ transfer-source fail and\n+ use-alt-transfer-source is\n+ enabled.\n+ Defines alternate local\n+alt-transfer-source-v6 IPv6 address(es) to be used deprecated\n+ by the server for inbound\n+ zone transfers.\n+ Controls whether COOKIE\n+answer-cookie EDNS replies are sent in query\n+ response to client queries.\n+ Allows multiple views to\n+attach-cache share a single cache view\n+ database.\n+ Controls whether BIND,\n+ acting as a resolver,\n+auth-nxdomain provides authoritative query\n+ NXDOMAIN (domain does not\n+ exist) answers.\n+ Permits varying levels of\n+auto-dnssec automatic DNSSEC key dnssec\n+ management.\n+ Controls the automatic\n+automatic-interface-scan rescanning of network server\n+ interfaces when addresses\n+ are added or removed.\n+ Specifies the range(s) of\n+avoid-v4-udp-ports ports to be excluded from deprecated\n+ use as sources for UDP/IPv4\n+ messages.\n+ Specifies the range(s) of\n+avoid-v6-udp-ports ports to be excluded from deprecated\n+ use as sources for UDP/IPv6\n+ messages.\n+ Specifies the pathname of a\n+bindkeys-file file to override the built- dnssec\n+ in trusted keys provided by\n+ named.\n+ Defines an\n+ address_match_list of hosts\n+blackhole to ignore. The server will query\n+ neither respond to queries\n+ from nor send queries to\n+ these addresses.\n+bogus Allows a remote server to server\n+ be ignored.\n+ Enables dns64 synthesis\n+break-dnssec even if the validated query\n+ result would cause a DNSSEC\n+ validation failure.\n+buffered Controls flushing of log logging\n+ messages.\n+ Specifies the path to a\n+ file containing TLS\n+ca-file certificates for trusted CA server, security\n+ authorities, used to verify\n+ remote peer certificates.\n+catalog-zones Configures catalog zones in zone\n+ named.conf.\n+ Specifies the type of data\n+category logged to a particular logging\n+ channel.\n+ Specifies the path to a\n+cert-file file containing the TLS server, security\n+ certificate for a\n+ connection.\n+ Defines a stream of data\n+channel that can be independently logging\n+ logged.\n+ Checks primary zones for\n+ records that are treated as\n+check-dup-records different by DNSSEC but are dnssec, query\n+ semantically equal in plain\n+ DNS.\n+ Performs post-load zone\n+check-integrity integrity checks on primary zone\n+ zones.\n+ Checks whether an MX record\n+check-mx appears to refer to an IP zone\n+ address.\n+ Sets the response to MX\n+check-mx-cname records that refer to zone\n+ CNAMEs.\n+ Restricts the character set\n+ and syntax of certain\n+check-names domain names in primary server, query\n+ files and/or DNS responses\n+ received from the network.\n+ Specifies whether to check\n+check-sibling for sibling glue when zone\n+ performing integrity\n+ checks.\n+ Specifies whether to check\n+check-spf for a TXT Sender Policy zone\n+ Framework record, if an SPF\n+ record is present.\n+ Sets the response to SRV\n+check-srv-cname records that refer to zone\n+ CNAMEs.\n+check-wildcard Checks for non-terminal zone\n+ wildcards.\n+ciphers Specifies a list of allowed security\n+ ciphers.\n+ Specifies an access control\n+clients list (ACL) of clients that query\n+ are affected by a given\n+ dns64 directive.\n+ Sets the initial minimum\n+ number of simultaneous\n+clients-per-query recursive clients accepted server\n+ by the server for any given\n+ query before the server\n+ drops additional clients.\n+ Specifies control channels\n+controls to be used to manage the server\n+ name server.\n+ Sets the algorithm to be\n+cookie-algorithm used when generating a server\n+ server cookie.\n+ Specifies a shared secret\n+ used for generating and\n+cookie-secret verifying EDNS COOKIE server\n+ options within an anycast\n+ cluster.\n+coresize Sets the maximum size of a deprecated\n+ core dump.\n+ Specifies the type of\n+database database to be used to zone\n+ store zone data.\n+ Sets the maximum amount of\n+datasize data memory that can be deprecated\n+ used by the server.\n+ Indicates that a forward,\n+delegation-only hint, or stub zone is to be deprecated\n+ treated as a delegation-\n+ only type zone.\n+ Rejects A or AAAA records\n+deny-answer-addresses if the corresponding IPv4 query\n+ or IPv6 addresses match a\n+ given address_match_list.\n+ Rejects CNAME or DNAME\n+deny-answer-aliases records if the \"alias\" name query\n+ matches a given list of\n+ domain_name elements.\n+ Specifies the path to a\n+dhparam-file file containing Diffie- server, security\n+ Hellman parameters, for\n+ enabling cipher suites.\n+ Concentrates zone\n+ maintenance so that all\n+dialup transfers take place once deprecated\n+ every heartbeat-interval,\n+ ideally during a single\n+ call.\n+directory Sets the server's working server\n+ directory.\n+disable-algorithms Disables DNSSEC algorithms dnssec\n+ from a specified zone.\n+disable-ds-digests Disables DS digest types zone, dnssec\n+ from a specified zone.\n+disable-empty-zone Disables individual empty server, zone\n+ zones.\n+ Configures a Dynamically\n+dlz Loadable Zone (DLZ) zone\n+ database in named.conf.\n+ Instructs named to return\n+dns64 mapped IPv4 addresses to query\n+ AAAA queries when there are\n+ no AAAA records.\n+dns64-contact Specifies the name of the server\n+ contact for dns64 zones.\n+dns64-server Specifies the name of the server\n+ server for dns64 zones.\n+ Specifies the number of\n+dnskey-sig-validity days in the future when dnssec\n+ automatically generated\n+ DNSSEC signatures expire.\n+ Specifies the time to live\n+dnskey-ttl (TTL) for DNSKEY resource dnssec\n+ records.\n+ Turns on the DNS Response\n+dnsrps-enable Policy Service (DNSRPS) server, security\n+ interface.\n+ Provides additional RPZ\n+ configuration settings,\n+dnsrps-options which are passed to the DNS server, security\n+ Response Policy Service\n+ (DNSRPS) provider library.\n+ Instructs BIND 9 to accept\n+dnssec-accept-expired expired DNSSEC signatures dnssec\n+ when validating.\n+ Specifies that only key-\n+ signing keys are used to\n+dnssec-dnskey-kskonly sign the DNSKEY, CDNSKEY, dnssec\n+ and CDS RRsets at a zone's\n+ apex.\n+ Sets the frequency of\n+dnssec-loadkeys-interval automatic checks of the dnssec\n+ DNSSEC key repository.\n+ Defines hierarchies that\n+dnssec-must-be-secure must or may not be secure deprecated\n+ (signed and validated).\n+dnssec-policy Defines a key and signing dnssec\n+ policy (KASP) for zones.\n+ Allows a dynamic zone to\n+dnssec-secure-to-insecure transition from secure to dnssec\n+ insecure by deleting all\n+ DNSKEY records.\n+ Controls the scheduled\n+dnssec-update-mode maintenance of DNSSEC dnssec\n+ signatures.\n+dnssec-validation Enables DNSSEC validation dnssec\n+ in named.\n+dnstap Enables logging of dnstap logging\n+ messages.\n+ Specifies an identity\n+dnstap-identity string to send in dnstap logging\n+ messages.\n+ Configures the path to\n+dnstap-output which the dnstap frame logging\n+ stream is sent.\n+dnstap-version Specifies a version string logging\n+ to send in dnstap messages.\n+ Sets the Differentiated\n+dscp Services Code Point (DSCP) server, query\n+ value (obsolete).\n+ Specifies host names or\n+dual-stack-servers addresses of machines with server\n+ access to both IPv4 and\n+ IPv6 transports.\n+ Indicates the pathname of\n+dump-file the file where the server logging\n+ dumps the database after\n+ rndc_dumpdb.\n+dyndb Configures a DynDB database zone\n+ in named.conf.\n+edns Controls the use of the server\n+ EDNS0 (RFC_2671) feature.\n+ Sets the maximum advertised\n+ EDNS UDP buffer size to\n+edns-udp-size control the size of packets query\n+ received from authoritative\n+ servers in response to\n+ recursive queries.\n+ Sets the maximum EDNS\n+edns-version VERSION that is sent to the server\n+ server(s) by the resolver.\n+ Specifies the contact name\n+empty-contact in the returned SOA record server, zone\n+ for empty zones.\n+ Specifies the server name\n+empty-server in the returned SOA record server, zone\n+ for empty zones.\n+empty-zones-enable Enables or disables all server, zone\n+ empty zones.\n+ Specifies a list of HTTP\n+endpoints query paths on which to server, query\n+ listen.\n+ Limits the number of errors\n+errors-per-second for a valid domain name and server\n+ record type.\n+ Allows a list of IPv6\n+ addresses to be ignored if\n+exclude they appear in a domain query\n+ name's AAAA records in\n+ dns64.\n+ Exempts specific clients or\n+exempt-clients client groups from rate query\n+ limiting.\n+ Sets the parameters for\n+ dynamic resizing of the\n+fetch-quota-params fetches-per-server quota in server, query\n+ response to detected\n+ congestion.\n+ Sets the maximum number of\n+ simultaneous iterative\n+ queries allowed to be sent\n+fetches-per-server by a server to an upstream server, query\n+ name server before the\n+ server blocks additional\n+ queries.\n+ Sets the maximum number of\n+ simultaneous iterative\n+fetches-per-zone queries allowed to any one server, query\n+ domain before the server\n+ blocks new queries for data\n+ in or beneath that zone.\n+file Specifies the zone's zone\n+ filename.\n+ Sets the maximum number of\n+files files the server may have deprecated\n+ open concurrently.\n+ Controls whether pending\n+flush-zones-on-shutdown zone writes are flushed zone\n+ when the name server exits.\n+ Allows or disallows\n+ fallback to recursion if\n+forward forwarding has failed; it query\n+ is always used in\n+ conjunction with the\n+ forwarders statement.\n+ Defines one or more hosts\n+forwarders to which queries are query\n+ forwarded.\n+ Sets the number of\n+fstrm-set-buffer-hint accumulated bytes in the logging\n+ output buffer before\n+ forcing a buffer flush.\n+ Sets the number of seconds\n+fstrm-set-flush-timeout that unflushed data remains logging\n+ in the output buffer.\n+ Sets the number of queue\n+fstrm-set-input-queue-size entries to allocate for logging\n+ each input queue.\n+ Sets the number of\n+fstrm-set-output-notify- outstanding queue entries\n+threshold allowed on an input queue logging\n+ before waking the I/\n+ O thread.\n+fstrm-set-output-queue- Sets the queuing semantics logging\n+model to use for queue objects.\n+ Sets the number of queue\n+fstrm-set-output-queue-size entries allocated for each logging\n+ output queue.\n+ Sets the number of seconds\n+fstrm-set-reopen-interval to wait between attempts to logging\n+ reopen a closed output\n+ stream.\n+ Specifies the directory\n+geoip-directory containing GeoIP database server\n+ files.\n+glue-cache Deprecated. deprecated\n+ Sets the interval at which\n+heartbeat-interval the server performs zone deprecated\n+ maintenance tasks for all\n+ zones marked as dialup.\n+ Specifies the hostname of\n+hostname the server to return in server\n+ response to a hostname.bind\n+ query.\n+ Configures HTTP endpoints\n+http on which to listen for DNS- server, query\n+ over-HTTPS (DoH) queries.\n+ Limits the number of active\n+http-listener-clients concurrent connections on a server\n+ per-listener basis.\n+ Specifies the TCP port\n+ number the server uses to\n+http-port receive and send server, query\n+ unencrypted DNS traffic via\n+ HTTP.\n+ Limits the number of active\n+http-streams-per-connection concurrent HTTP/2 streams server\n+ on a per-connection basis.\n+ Specifies the TCP port\n+https-port number the server uses to server, query\n+ receive and send DNS-over-\n+ HTTPS protocol traffic.\n+in-view Specifies the view in which zone, view\n+ a given zone is defined.\n+inet Specifies a TCP socket as a server\n+ control channel.\n+ Specifies whether BIND 9\n+inline-signing maintains a separate signed zone, dnssec\n+ version of a zone.\n+ Sets the interval at which\n+interface-interval the server scans the server\n+ network interface list.\n+ Specifies the prefix\n+ipv4-prefix-length lengths of IPv4 address server\n+ blocks.\n+ Specifies the contact for\n+ipv4only-contact the IPV4ONLY.ARPA zone server\n+ created by dns64.\n+ Enables automatic IPv4\n+ipv4only-enable zones if a dns64 block is query\n+ configured.\n+ Specifies the name of the\n+ipv4only-server server for the server, query\n+ IPV4ONLY.ARPA zone created\n+ by dns64.\n+ Specifies the prefix\n+ipv6-prefix-length lengths of IPv6 address server\n+ blocks.\n+ixfr-from-differences Controls how IXFR transfers transfer\n+ are calculated.\n+ Allows the default\n+journal journal's filename to be zone\n+ overridden.\n+ Defines an\n+ address_match_list of\n+keep-response-order addresses which do not server\n+ accept reordered answers\n+ within a single TCP stream.\n+ Defines a shared secret key\n+key for use with TSIG or the security\n+ command channel.\n+ Indicates the directory\n+key-directory where public and private dnssec\n+ DNSSEC key files are found.\n+ Specifies the path to a\n+key-file file containing the private server, security\n+ TLS key for a connection.\n+ Specifies one or more\n+keys server_key s to be used server, security\n+ with a remote server.\n+lame-ttl Sets the resolver's lame server\n+ cache.\n+ Specifies the IPv4\n+listen-on addresses on which a server server\n+ listens for DNS queries.\n+ Specifies the IPv6\n+listen-on-v6 addresses on which a server server\n+ listens for DNS queries.\n+ Specifies a per-listener\n+listener-clients quota for active server, query\n+ connections.\n+ Sets a maximum size for the\n+lmdb-mapsize memory map of the new-zone server\n+ database in LMDB database\n+ format.\n+ Sets the pathname of the\n+ file on which named\n+lock-file attempts to acquire a file server\n+ lock when starting for the\n+ first time.\n+ Tests rate-limiting\n+log-only parameters without actually logging, query\n+ dropping any requests.\n+logging Configures logging options logging\n+ for the name server.\n+managed-keys Deprecated, use trust- deprecated\n+ anchors.\n+ Specifies the directory in\n+managed-keys-directory which to store the files dnssec\n+ that track managed DNSSEC\n+ keys.\n+ Specifies an access control\n+ list (ACL) of IPv4\n+mapped addresses that are to be query\n+ mapped to the corresponding\n+ A RRset in dns64.\n+masterfile-format Specifies the file format server, zone\n+ of zone files.\n+ Specifies the format of\n+masterfile-style zone files during a dump, server\n+ when the masterfile-format\n+ is text.\n+ Specifies a view of DNS\n+match-clients namespace for a given view\n+ subset of client IP\n+ addresses.\n+ Specifies a view of DNS\n+match-destinations namespace for a given view\n+ subset of destination IP\n+ addresses.\n+ Allows IPv4-mapped IPv6\n+ addresses to match address-\n+match-mapped-addresses match list entries for server\n+ corresponding IPv4\n+ addresses.\n+ Specifies that only\n+match-recursive-only recursive requests can view\n+ match this view of the DNS\n+ namespace.\n+ Sets the maximum amount of\n+ memory to use for an\n+max-cache-size individual cache database server\n+ and its associated\n+ metadata.\n+ Specifies the maximum time\n+max-cache-ttl (in seconds) that the server\n+ server caches ordinary\n+ (positive) answers.\n+ Sets the maximum number of\n+ simultaneous recursive\n+max-clients-per-query clients accepted by the server\n+ server for any given query\n+ before the server drops\n+ additional clients.\n+ Sets the maximum size for\n+max-ixfr-ratio IXFR responses to zone transfer\n+ transfer requests.\n+max-journal-size Controls the size of transfer\n+ journal files.\n+ Specifies the maximum\n+ retention time (in seconds)\n+max-ncache-ttl for storage of negative server\n+ answers in the server's\n+ cache.\n+ Sets the maximum number of\n+max-records records permitted in a server, zone\n+ zone.\n+ Sets the maximum number of\n+ levels of recursion\n+max-recursion-depth permitted at any one time server\n+ while servicing a recursive\n+ query.\n+ Sets the maximum number of\n+max-recursion-queries iterative queries while server, query\n+ servicing a recursive\n+ query.\n+ Limits the zone refresh\n+max-refresh-time interval to no less often transfer\n+ than the specified value,\n+ in seconds.\n+ Limits the zone refresh\n+max-retry-time retry interval to no less transfer\n+ often than the specified\n+ value, in seconds.\n+ Sets the maximum RSA\n+max-rsa-exponent-size exponent size (in bits) dnssec, query\n+ when validating.\n+ Specifies the maximum time\n+ that the server retains\n+max-stale-ttl records past their normal server\n+ expiry, to return them as\n+ stale records.\n+ Sets the maximum size of\n+max-table-size the table used to track server\n+ requests and rate-limit\n+ responses.\n+ Specifies the number of\n+max-transfer-idle-in minutes after which inbound transfer\n+ zone transfers making no\n+ progress are terminated.\n+ Specifies the number of\n+ minutes after which\n+max-transfer-idle-out outbound zone transfers transfer\n+ making no progress are\n+ terminated.\n+ Specifies the number of\n+max-transfer-time-in minutes after which inbound transfer\n+ zone transfers are\n+ terminated.\n+ Specifies the number of\n+max-transfer-time-out minutes after which transfer\n+ outbound zone transfers are\n+ terminated.\n+max-udp-size Sets the maximum EDNS UDP query\n+ message size sent by named.\n+ Specifies a maximum\n+max-zone-ttl permissible time-to-live zone, query\n+ (TTL) value, in seconds.\n+ Controls whether memory\n+memstatistics statistics are written to logging, server\n+ the file specified by\n+ memstatistics-file at exit.\n+ Sets the pathname of the\n+memstatistics-file file where the server logging\n+ writes memory usage\n+ statistics on exit.\n+ Controls whether DNS name\n+message-compression compression is used in query\n+ responses to regular\n+ queries.\n+ Specifies the minimum time\n+min-cache-ttl (in seconds) that the server\n+ server caches ordinary\n+ (positive) answers.\n+ Specifies the minimum\n+ retention time (in seconds)\n+min-ncache-ttl for storage of negative server\n+ answers in the server's\n+ cache.\n+ Limits the zone refresh\n+min-refresh-time interval to no more often transfer\n+ than the specified value,\n+ in seconds.\n+ Limits the zone refresh\n+min-retry-time retry interval to no more transfer\n+ often than the specified\n+ value, in seconds.\n+ Sets the minimum size of\n+min-table-size the table used to track query\n+ requests and rate-limit\n+ responses.\n+ Controls whether the server\n+ replies with only one of\n+minimal-any the RRsets for a query query\n+ name, when generating a\n+ positive response to a\n+ query of type ANY over UDP.\n+ Controls whether the server\n+ only adds records to the\n+ authority and additional\n+minimal-responses data sections when they are query\n+ required (e.g. delegations,\n+ negative responses). This\n+ improves server\n+ performance.\n+ Controls whether serial\n+multi-master number mismatch errors are transfer\n+ logged.\n+ Specifies the directory\n+ where configuration\n+new-zones-directory parameters are stored for zone\n+ zones added by rndc\n+ addzone.\n+ Specifies a list of\n+no-case-compress addresses that require server\n+ case-insensitive\n+ compression in responses.\n+ Sets the maximum size of\n+nocookie-udp-size UDP responses that are sent query\n+ to queries without a valid\n+ server COOKIE.\n+ Limits the number of empty\n+nodata-per-second (NODATA) responses for a query\n+ valid domain name.\n+ Controls whether NOTIFY\n+notify messages are sent on zone transfer\n+ changes.\n+ Sets the delay (in seconds)\n+notify-delay between sending sets of zone, transfer\n+ NOTIFY messages for a zone.\n+ Specifies the rate at which\n+notify-rate NOTIFY requests are sent zone, transfer\n+ during normal zone\n+ maintenance operations.\n+ Defines the IPv4 address\n+notify-source (and optional port) to be transfer\n+ used for outgoing NOTIFY\n+ messages.\n+ Defines the IPv6 address\n+notify-source-v6 (and optional port) to be transfer\n+ used for outgoing NOTIFY\n+ messages.\n+ Controls whether the name\n+notify-to-soa servers in the NS RRset are transfer\n+ checked against the SOA\n+ MNAME.\n+ Specifies the use of NSEC3\n+nsec3param instead of NSEC, and sets dnssec\n+ NSEC3 parameters.\n+ Specifies the lifetime, in\n+nta-lifetime seconds, for negative trust dnssec\n+ anchors added via rndc_nta.\n+ Specifies the time interval\n+ for checking whether\n+nta-recheck negative trust anchors dnssec\n+ added via rndc_nta are\n+ still necessary.\n+ Causes all messages sent to\n+null the logging channel to be logging\n+ discarded.\n+ Appends the specified\n+ suffix to the original\n+nxdomain-redirect query name, when replacing query\n+ an NXDOMAIN with a redirect\n+ namespace.\n+ Limits the number of\n+nxdomains-per-second undefined subdomains for a query\n+ valid domain name.\n+options Defines global options to server\n+ be used by BIND 9.\n+ Adds EDNS Padding options\n+padding to outgoing messages to server\n+ increase the packet size.\n+ Sets the time to live (TTL)\n+parent-ds-ttl of the DS RRset used by the dnssec\n+ parent zone.\n+ Sets the propagation delay\n+ from the time the parent\n+parent-propagation-delay zone is updated to when the zone, dnssec\n+ new version is served by\n+ all of the parent zone's\n+ name servers.\n+ Defines a list of\n+parental-agents delegation agents to be zone\n+ used by primary and\n+ secondary zones.\n+ Specifies which local IPv4\n+parental-source source address is used to dnssec\n+ send parental DS queries.\n+ Specifies which local IPv6\n+parental-source-v6 source address is used to dnssec\n+ send parental DS queries.\n+ Specifies the pathname of\n+pid-file the file where the server server\n+ writes its process ID.\n+plugin Configures plugins in server\n+ named.conf.\n+ Specifies the UDP/TCP port\n+port number the server uses to server, query\n+ receive and send DNS\n+ protocol traffic.\n+ Specifies that server\n+prefer-server-ciphers ciphers should be preferred server, security\n+ over client ones.\n+ Controls the order of glue\n+preferred-glue records in an A or AAAA query\n+ response.\n+ Specifies the \"trigger\"\n+prefetch time-to-live (TTL) value at query\n+ which prefetch of the\n+ current query takes place.\n+primaries Defines one or more primary zone\n+ servers for a zone.\n+print-category Includes the category in logging\n+ log messages.\n+print-severity Includes the severity in logging\n+ log messages.\n+print-time Specifies the time format logging\n+ for log messages.\n+ Specifies the allowed\n+protocols versions of the TLS security\n+ protocol.\n+ Controls whether a primary\n+ responds to an incremental\n+provide-ixfr zone request (IXFR) or only transfer\n+ responds with a full zone\n+ transfer (AXFR).\n+ Increases the amount of\n+ time between when keys are\n+publish-safety published and when they dnssec\n+ become active, to allow for\n+ unforeseen events.\n+ Specifies the amount of\n+ time after which DNSSEC\n+purge-keys keys that have been deleted dnssec\n+ from the zone can be\n+ removed from disk.\n+ Controls QNAME minimization\n+qname-minimization behavior in the BIND 9 query\n+ resolver.\n+ Tightens defenses during\n+qps-scale DNS attacks by scaling back query\n+ the ratio of the current\n+ query-per-second rate.\n+ Controls the IPv4 address\n+query-source from which queries are query\n+ issued.\n+ Controls the IPv6 address\n+query-source-v6 from which queries are query\n+ issued.\n+ Specifies whether query\n+querylog logging should be active logging, server\n+ when named first starts.\n+ Controls excessive UDP\n+ responses, to prevent BIND\n+rate-limit 9 from being used to query\n+ amplify reflection denial-\n+ of-service (DoS) attacks.\n+ Specifies the pathname of\n+ the file where the server\n+recursing-file dumps queries that are server\n+ currently recursing via\n+ rndc_recursing.\n+recursion Defines whether recursion query\n+ and caching are allowed.\n+ Specifies the maximum\n+recursive-clients number of concurrent query\n+ recursive queries the\n+ server can perform.\n+ Toggles whether dns64\n+recursive-only synthesis occurs only for query\n+ recursive queries.\n+ Limits the number of\n+referrals-per-second referrals or delegations to query\n+ a server for a given\n+ domain.\n+ Specifies the expected\n+remote-hostname hostname in the TLS security\n+ certificate of the remote\n+ server.\n+ Specifies whether the local\n+request-expire server requests the EDNS query, transfer\n+ EXPIRE value, when acting\n+ as a secondary.\n+ Controls whether a\n+ secondary requests an\n+request-ixfr incremental zone transfer transfer\n+ (IXFR) or a full zone\n+ transfer (AXFR).\n+ Controls whether an empty\n+ EDNS(0) NSID (Name Server\n+ Identifier) option is sent\n+request-nsid with all queries to query\n+ authoritative name servers\n+ during iterative\n+ resolution.\n+ Controls whether a valid\n+require-server-cookie server cookie is required query\n+ before sending a full\n+ response to a UDP request.\n+reserved-sockets Deprecated. deprecated\n+ Specifies the number of\n+resolver-nonbackoff-tries retries before exponential server\n+ backoff.\n+ Specifies the length of\n+ time, in milliseconds, that\n+resolver-query-timeout a resolver attempts to query\n+ resolve a recursive query\n+ before failing.\n+resolver-retry-interval Sets the base retry server, query\n+ interval (in milliseconds).\n+ Adds an EDNS Padding option\n+ to encrypted messages, to\n+response-padding reduce the chance of query\n+ guessing the contents based\n+ on size.\n+ Specifies response policy server, zone, security,\n+response-policy zones for the view or among query\n+ global options.\n+ Limits the number of non-\n+responses-per-second empty responses for a valid query\n+ domain name and record\n+ type.\n+ Increases the amount of\n+ time a key remains\n+retire-safety published after it is no dnssec\n+ longer active, to allow for\n+ unforeseen events.\n+reuseport Enables kernel load- server\n+ balancing of sockets.\n+ Turns on enforcement of\n+ delegation-only in top-\n+root-delegation-only level domains (TLDs) and deprecated\n+ root zones with an optional\n+ exclude list.\n+ Controls whether BIND 9\n+root-key-sentinel responds to root key server\n+ sentinel probes.\n+ Defines the order in which\n+rrset-order equal RRs (RRsets) are query\n+ returned.\n+ Specifies whether a\n+search Dynamically Loadable Zone query\n+ (DLZ) module is queried for\n+ an answer to a query name.\n+ Defines a Base64-encoded\n+secret string to be used as the security\n+ secret by the algorithm.\n+ Specifies the pathname of\n+secroots-file the file where the server dnssec\n+ dumps security roots, when\n+ using rndc_secroots.\n+ Controls whether a COOKIE\n+send-cookie EDNS option is sent along query\n+ with a query.\n+ Defines an upper limit on\n+ the number of queries per\n+serial-query-rate second issued by the transfer\n+ server, when querying the\n+ SOA RRs used for zone\n+ transfers.\n+ Specifies the update method\n+serial-update-method to be used for the zone zone\n+ serial number in the SOA\n+ record.\n+ Defines characteristics to\n+server be associated with a remote server\n+ name server.\n+ Specifies a list of IP\n+ addresses to which queries\n+server-addresses should be sent in recursive zone, query\n+ resolution for a static-\n+ stub zone.\n+ Specifies the ID of the\n+server-id server to return in server\n+ response to a ID.SERVER\n+ query.\n+ Specifies a list of domain\n+ names of name servers that\n+server-names act as authoritative zone\n+ servers of a static-stub\n+ zone.\n+ Sets the length of time (in\n+servfail-ttl seconds) that a SERVFAIL server\n+ response is cached.\n+ Specifies the algorithm to\n+session-keyalg use for the TSIG session security\n+ key.\n+ Specifies the pathname of\n+ the file where a TSIG\n+session-keyfile session key is written, security\n+ when generated by named for\n+ use by nsupdate -l.\n+session-keyname Specifies the key name for security\n+ the TSIG session key.\n+ Enables or disables session\n+session-tickets resumption through TLS security\n+ session tickets.\n+severity Defines the priority level logging\n+ of log messages.\n+ Specifies the maximum\n+ number of nodes to be\n+sig-signing-nodes examined in each quantum, dnssec\n+ when signing a zone with a\n+ new DNSKEY.\n+ Specifies the threshold for\n+ the number of signatures\n+sig-signing-signatures that terminates processing dnssec\n+ a quantum, when signing a\n+ zone with a new DNSKEY.\n+ Specifies a private RDATA\n+sig-signing-type type to use when generating dnssec\n+ signing-state records.\n+ Specifies the maximum\n+sig-validity-interval number of days that RRSIGs dnssec\n+ generated by named are\n+ valid.\n+signatures-refresh Specifies how frequently an dnssec\n+ RRSIG record is refreshed.\n+signatures-validity Indicates the validity dnssec\n+ period of an RRSIG record.\n+signatures-validity-dnskey Indicates the validity dnssec\n+ period of DNSKEY records.\n+ Sets the number of\n+ \"slipped\" responses to\n+slip minimize the use of forged query\n+ source addresses for an\n+ attack.\n+ Controls the ordering of\n+sortlist RRs returned to the client, query\n+ based on the client's IP\n+ address.\n+ Sets the maximum amount of\n+stacksize stack memory that can be deprecated\n+ used by the server.\n+ Defines the amount of time\n+ (in milliseconds) that\n+stale-answer-client-timeout named waits before server, query\n+ attempting to answer a\n+ query with a stale RRset\n+ from cache.\n+ Enables the returning of\n+stale-answer-enable \"stale\" cached answers when server, query\n+ the name servers for a zone\n+ are not answering.\n+ Specifies the time to live\n+stale-answer-ttl (TTL) to be returned on query\n+ stale answers, in seconds.\n+stale-cache-enable Enables the retention of server, query\n+ \"stale\" cached answers.\n+ Sets the time window for\n+ the return of \"stale\"\n+ cached answers before the\n+stale-refresh-time next attempt to contact, if server, query\n+ the name servers for a\n+ given zone are not\n+ responding.\n+ Specifies the rate at which\n+ NOTIFY requests are sent\n+startup-notify-rate when the name server is zone, transfer\n+ first starting, or when new\n+ zones have been added.\n+ Specifies the communication\n+ channels to be used by\n+statistics-channels system administrators to logging\n+ access statistics\n+ information on the name\n+ server.\n+ Specifies the pathname of\n+statistics-file the file where the server logging, server\n+ appends statistics, when\n+ using rndc_stats.\n+ Directs the logging channel\n+stderr output to the server's logging\n+ standard error stream.\n+ Specifies the maximum\n+streams-per-connection number of concurrent HTTP/ server, query\n+ 2 streams over an HTTP/\n+ 2 connection.\n+ Defines trailing bits for\n+suffix mapped IPv4 address bits in query\n+ dns64.\n+ Enables support for RFC\n+synth-from-dnssec 8198, Aggressive Use of dnssec\n+ DNSSEC-Validated Cache.\n+syslog Directs the logging channel logging\n+ to the system log.\n+ Sets the timeout value (in\n+ milliseconds) that the\n+tcp-advertised-timeout server sends in responses query\n+ containing the EDNS TCP\n+ keepalive option.\n+ Specifies the maximum\n+tcp-clients number of simultaneous server\n+ client TCP connections\n+ accepted by the server.\n+ Sets the amount of time (in\n+ milliseconds) that the\n+ server waits on an idle TCP\n+tcp-idle-timeout connection before closing query\n+ it, if the EDNS TCP\n+ keepalive option is not in\n+ use.\n+ Sets the amount of time (in\n+ milliseconds) that the\n+tcp-initial-timeout server waits on a new TCP server, query\n+ connection for the first\n+ message from the client.\n+tcp-keepalive Adds EDNS TCP keepalive to server\n+ messages sent over TCP.\n+ Sets the amount of time (in\n+ milliseconds) that the\n+tcp-keepalive-timeout server waits on an idle TCP query\n+ connection before closing\n+ it, if the EDNS TCP\n+ keepalive option is in use.\n+tcp-listen-queue Sets the listen-queue server\n+ depth.\n+tcp-only Sets the transport protocol server\n+ to TCP.\n+ Sets the operating system's\n+tcp-receive-buffer receive buffer size for TCP server\n+ sockets.\n+ Sets the operating system's\n+tcp-send-buffer send buffer size for TCP server\n+ sockets.\n+ Sets the Diffie-Hellman key\n+tkey-dhkey used by the server to deprecated\n+ generate shared keys.\n+ Sets the domain appended to\n+tkey-domain the names of all shared security\n+ keys generated with TKEY.\n+ Sets the security\n+ credential for\n+tkey-gssapi-credential authentication keys security\n+ requested by the GSS-TSIG\n+ protocol.\n+ Sets the KRB5 keytab file\n+tkey-gssapi-keytab to use for GSS-TSIG security\n+ updates.\n+tls Configures a TLS security\n+ connection.\n+ Specifies the TCP port\n+tls-port number the server uses to server, query\n+ receive and send DNS-over-\n+ TLS protocol traffic.\n+ Controls whether multiple\n+transfer-format records can be packed into transfer\n+ a message during zone\n+ transfers.\n+ Limits the uncompressed\n+transfer-message-size size of DNS messages used transfer\n+ in zone transfers over TCP.\n+ Defines which local IPv4\n+ address(es) are bound to\n+transfer-source TCP connections used to transfer\n+ fetch zones transferred\n+ inbound by the server.\n+ Defines which local IPv6\n+ address(es) are bound to\n+transfer-source-v6 TCP connections used to transfer\n+ fetch zones transferred\n+ inbound by the server.\n+ Limits the number of\n+transfers concurrent inbound zone server\n+ transfers from a server.\n+ Limits the number of\n+transfers-in concurrent inbound zone transfer\n+ transfers.\n+ Limits the number of\n+transfers-out concurrent outbound zone transfer\n+ transfers.\n+ Limits the number of\n+transfers-per-ns concurrent inbound zone transfer\n+ transfers from a remote\n+ server.\n+ Instructs named to send\n+ specially formed queries\n+trust-anchor-telemetry once per day to domains for dnssec\n+ which trust anchors have\n+ been configured.\n+trust-anchors Defines DNSSEC trust dnssec\n+ anchors.\n+trusted-keys Deprecated, use trust- deprecated\n+ anchors.\n+ Specifies that BIND 9\n+try-tcp-refresh should attempt to refresh a transfer\n+ zone using TCP if UDP\n+ queries fail.\n+type Specifies the kind of zone zone\n+ in a given configuration.\n+ Enforces the delegation-\n+type_delegation-only only status of deprecated\n+ infrastructure zones (COM,\n+ NET, ORG, etc.).\n+ Contains forwarding\n+type_forward statements that apply to zone\n+ queries within a given\n+ domain.\n+ Contains the initial set of\n+type_hint root name servers to be zone\n+ used at BIND 9 startup.\n+ Contains a DNSSEC-validated\n+type_mirror duplicate of the main data zone\n+ for a zone.\n+type_primary Contains the main copy of zone\n+ the data for a zone.\n+ Contains information to\n+type_redirect answer queries when normal zone\n+ resolution would return\n+ NXDOMAIN.\n+ Contains a duplicate of the\n+type_secondary data for a zone that has zone\n+ been transferred from a\n+ primary server.\n+ Contains a duplicate of the\n+ NS records of a primary\n+type_static-stub zone, but statically zone\n+ configured rather than\n+ transferred from a primary\n+ server.\n+ Contains a duplicate of the\n+type_stub NS records of a primary zone\n+ zone.\n+ Sets the operating system's\n+udp-receive-buffer receive buffer size for UDP server\n+ sockets.\n+ Sets the operating system's\n+udp-send-buffer send buffer size for UDP server\n+ sockets.\n+ Specifies a Unix domain\n+unix socket as a control server\n+ channel.\n+ Specifies whether to check\n+ the KSK bit to determine\n+update-check-ksk how a key should be used, zone, dnssec\n+ when generating RRSIGs for\n+ a secure zone.\n+ Sets fine-grained rules to\n+ allow or deny dynamic\n+update-policy updates (DDNS), based on transfer\n+ requester identity, updated\n+ content, etc.\n+ Specifies the maximum\n+update-quota number of concurrent DNS server\n+ UPDATE messages that can be\n+ processed by the server.\n+ Indicates whether alt-\n+use-alt-transfer-source transfer-source and alt- deprecated\n+ transfer-source-v6 can be\n+ used.\n+ Specifies a list of ports\n+use-v4-udp-ports that are valid sources for deprecated\n+ UDP/IPv4 messages.\n+ Specifies a list of ports\n+use-v6-udp-ports that are valid sources for deprecated\n+ UDP/IPv6 messages.\n+ Indicates the number of\n+v6-bias milliseconds of preference server, query\n+ to give to IPv6 name\n+ servers.\n+ Specifies a list of domain\n+validate-except names at and beneath which dnssec\n+ DNSSEC validation should\n+ not be performed.\n+ Specifies the version\n+version number of the server to server\n+ return in response to a\n+ version.bind query.\n+ Allows a name server to\n+view answer a DNS query view\n+ differently depending on\n+ who is asking.\n+ Specifies the length of\n+window time during which responses query\n+ are tracked.\n+ Specifies whether to set\n+ the time to live (TTL) of\n+zero-no-soa-ttl the SOA record to zero, server, zone, query\n+ when returning\n+ authoritative negative\n+ responses to SOA queries.\n+ Sets the time to live (TTL)\n+zero-no-soa-ttl-cache to zero when caching a server, zone, query\n+ negative response to an SOA\n+ query.\n+zone Specifies the zone in a zone\n+ BIND 9 configuration.\n+ Sets the propagation delay\n+ from the time a zone is\n+zone-propagation-delay first updated to when the zone, dnssec\n+ new version of the zone is\n+ served by all secondary\n+ servers.\n+ Controls the level of\n+zone-statistics statistics gathered for all logging, zone\n+ zones.\n \n ***** 8.4. Statements by Tag\u00ef\u0083\u0081 *****\n These tables group the various statements permissible in named.conf by their\n corresponding tag.\n **** 8.4.1. DNSSEC Tag Statements\u00ef\u0083\u0081 ****\n Statement Description\n auto-dnssec Permits varying levels of automatic DNSSEC key\n"}]}]}]}]}]}