{"diffoscope-json-version": 1, "source1": "/srv/reproducible-results/rbuild-debian/r-b-build.CXyWkONA/b1/bind9_9.18.28-1~deb12u2_i386.changes", "source2": "/srv/reproducible-results/rbuild-debian/r-b-build.CXyWkONA/b2/bind9_9.18.28-1~deb12u2_i386.changes", "unified_diff": null, "details": [{"source1": "Files", "source2": "Files", "unified_diff": "@@ -1,13 +1,13 @@\n \n a0672330c4b9bee62ad4a1f44501af6f 580040 debug optional bind9-dbgsym_9.18.28-1~deb12u2_i386.deb\n 833f1d7da1224eabddc24d2541d53c86 519100 devel optional bind9-dev_9.18.28-1~deb12u2_i386.deb\n bd6af18ea1b56a7ebdd154745cb0a367 353280 debug optional bind9-dnsutils-dbgsym_9.18.28-1~deb12u2_i386.deb\n b7dbe8cc206d5eec3a008bb411c3cea9 411736 net standard bind9-dnsutils_9.18.28-1~deb12u2_i386.deb\n- 33c00ee3a6aae488af07fd65ebaca2ef 3451920 doc optional bind9-doc_9.18.28-1~deb12u2_all.deb\n+ bf9d0b27bc225cc34f6a9a42db8b704e 3451928 doc optional bind9-doc_9.18.28-1~deb12u2_all.deb\n 4fa2a72e863f37e808698e92deb46149 90784 debug optional bind9-host-dbgsym_9.18.28-1~deb12u2_i386.deb\n b8c17f363dc9c3bc8bf5dd3d2df4df63 309280 net standard bind9-host_9.18.28-1~deb12u2_i386.deb\n 070a200d633740d16c8b7bccc8384f49 3062020 debug optional bind9-libs-dbgsym_9.18.28-1~deb12u2_i386.deb\n 2383edd039604efb9c69bc0584d3df01 1501800 libs standard bind9-libs_9.18.28-1~deb12u2_i386.deb\n 7661ddf77cab5b5afbcde15ef06e11a7 352804 debug optional bind9-utils-dbgsym_9.18.28-1~deb12u2_i386.deb\n f2b5f1823fb867fbf1f42ef59df2f7fa 413252 net optional bind9-utils_9.18.28-1~deb12u2_i386.deb\n e177e24c9927660b2a152ede9ce0fef5 509072 net optional bind9_9.18.28-1~deb12u2_i386.deb\n"}, {"source1": "bind9-doc_9.18.28-1~deb12u2_all.deb", "source2": "bind9-doc_9.18.28-1~deb12u2_all.deb", "unified_diff": null, "details": [{"source1": "file list", "source2": "file list", "unified_diff": "@@ -1,3 +1,3 @@\n -rw-r--r-- 0 0 0 4 2024-07-27 03:13:42.000000 debian-binary\n -rw-r--r-- 0 0 0 2036 2024-07-27 03:13:42.000000 control.tar.xz\n--rw-r--r-- 0 0 0 3449692 2024-07-27 03:13:42.000000 data.tar.xz\n+-rw-r--r-- 0 0 0 3449700 2024-07-27 03:13:42.000000 data.tar.xz\n"}, {"source1": "control.tar.xz", "source2": "control.tar.xz", "unified_diff": null, "details": [{"source1": "control.tar", "source2": "control.tar", "unified_diff": null, "details": [{"source1": "./md5sums", "source2": "./md5sums", "unified_diff": null, "details": [{"source1": "./md5sums", "source2": "./md5sums", "comments": ["Files differ"], "unified_diff": null}]}]}]}, {"source1": "data.tar.xz", "source2": "data.tar.xz", "unified_diff": null, "details": [{"source1": "data.tar", "source2": "data.tar", "unified_diff": null, "details": [{"source1": "./usr/share/doc/bind9-doc/arm/reference.html", "source2": "./usr/share/doc/bind9-doc/arm/reference.html", "unified_diff": "@@ -2438,15 +2438,15 @@\n \n \n
\n
\n disable-ds-digests\uf0c1
\n

Grammar: disable-ds-digests <string> { <string>; ... }; // may occur multiple times

\n

Blocks: options, view

\n-

Tags: zone, dnssec

\n+

Tags: dnssec, zone

\n

Disables DS digest types from a specified zone.

\n

\n

This disables the specified DS digest types at and below the specified\n name. Multiple disable-ds-digests statements are allowed. Only\n the best-match disable-ds-digests clause is used to\n determine the digest types.

\n

If all supported digest types are disabled, the zones covered by\n@@ -2825,15 +2825,15 @@\n

\n \n
\n
\n zone-statistics\uf0c1
\n

Grammar: zone-statistics ( full | terse | none | <boolean> );

\n

Blocks: options, view, zone (mirror, primary, redirect, secondary, static-stub, stub)

\n-

Tags: zone, logging

\n+

Tags: logging, zone

\n

Controls the level of statistics gathered for all zones.

\n

\n

If full, the server collects statistical data on all zones,\n unless specifically turned off on a per-zone basis by specifying\n zone-statistics terse or zone-statistics none in the zone\n statement. The statistical data includes, for example, DNSSEC signing\n operations and the number of authoritative answers per query type. The\n@@ -2871,15 +2871,15 @@\n

\n \n
\n
\n allow-new-zones\uf0c1
\n

Grammar: allow-new-zones <boolean>;

\n

Blocks: options, view

\n-

Tags: zone, server

\n+

Tags: server, zone

\n

Controls the ability to add zones at runtime via rndc addzone.

\n

\n

If yes, then zones can be added at runtime via rndc addzone.\n The default is no.

\n

Newly added zones\u2019 configuration parameters are stored so that they\n can persist after the server is restarted. The configuration\n information is saved in a file called viewname.nzf (or, if\n@@ -3514,15 +3514,15 @@\n

\n \n
\n
\n request-expire\uf0c1
\n

Grammar: request-expire <boolean>;

\n

Blocks: options, server, view, zone (mirror, secondary), view.server

\n-

Tags: transfer, query

\n+

Tags: query, transfer

\n

Specifies whether the local server requests the EDNS EXPIRE value, when acting as a secondary.

\n

\n

The request-expire statement determines whether the local server, when\n acting as a secondary, requests the EDNS EXPIRE value. The EDNS EXPIRE\n value indicates the remaining time before the zone data expires and\n needs to be refreshed. This is used when a secondary server transfers\n a zone from another secondary server; when transferring from the\n@@ -3747,15 +3747,15 @@\n

\n \n
\n
\n check-dup-records\uf0c1
\n

Grammar: check-dup-records ( fail | warn | ignore );

\n

Blocks: options, view, zone (primary)

\n-

Tags: dnssec, query

\n+

Tags: query, dnssec

\n

Checks primary zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS.

\n

\n

This checks primary zones for records that are treated as different by\n DNSSEC but are semantically equal in plain DNS. The default is to\n warn. Other possible values are fail and ignore.

\n
\n \n@@ -3860,40 +3860,40 @@\n \n \n
\n
\n zero-no-soa-ttl\uf0c1
\n

Grammar: zero-no-soa-ttl <boolean>;

\n

Blocks: options, view, zone (mirror, primary, secondary)

\n-

Tags: zone, server, query

\n+

Tags: server, query, zone

\n

Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries.

\n

\n

If yes, when returning authoritative negative responses to SOA queries, set\n the TTL of the SOA record returned in the authority section to zero.\n The default is yes.

\n
\n \n
\n
\n zero-no-soa-ttl-cache\uf0c1
\n

Grammar: zero-no-soa-ttl-cache <boolean>;

\n

Blocks: options, view

\n-

Tags: zone, server, query

\n+

Tags: server, query, zone

\n

Sets the time to live (TTL) to zero when caching a negative response to an SOA query.

\n

\n

If yes, when caching a negative response to an SOA query set the TTL to zero.\n The default is no.

\n
\n \n
\n
\n update-check-ksk\uf0c1
\n

Grammar: update-check-ksk <boolean>;

\n

Blocks: options, view, zone (primary, secondary)

\n-

Tags: zone, dnssec

\n+

Tags: dnssec, zone

\n

Specifies whether to check the KSK bit to determine how a key should be used, when generating RRSIGs for a secure zone.

\n

\n

When set to the default value of yes, check the KSK bit in each\n key to determine how the key should be used when generating RRSIGs\n for a secure zone.

\n

Ordinarily, zone-signing keys (that is, keys without the KSK bit set)\n are used to sign the entire zone, while key-signing keys (keys with\n@@ -5107,15 +5107,15 @@\n

\n \n
\n
\n max-records\uf0c1
\n

Grammar: max-records <integer>;

\n

Blocks: options, view, zone (mirror, primary, redirect, secondary, static-stub, stub)

\n-

Tags: zone, server

\n+

Tags: server, zone

\n

Sets the maximum number of records permitted in a zone.

\n

\n

This sets the maximum number of records permitted in a zone. The default is\n zero, which means the maximum is unlimited.

\n
\n \n
\n@@ -6161,15 +6161,15 @@\n
\n \n
\n
\n masterfile-format\uf0c1
\n

Grammar: masterfile-format ( raw | text );

\n

Blocks: options, view, zone (mirror, primary, redirect, secondary, stub)

\n-

Tags: zone, server

\n+

Tags: server, zone

\n

Specifies the file format of zone files.

\n

\n

This specifies the file format of zone files (see Additional File Formats\n for details). The default value is text, which is the standard\n textual representation, except for secondary zones, in which the default\n value is raw. Files in formats other than text are typically\n expected to be generated by the named-compilezone tool, or dumped by\n@@ -6254,15 +6254,15 @@\n

\n \n
\n
\n max-rsa-exponent-size\uf0c1
\n

Grammar: max-rsa-exponent-size <integer>;

\n

Blocks: options

\n-

Tags: dnssec, query

\n+

Tags: query, dnssec

\n

Sets the maximum RSA exponent size (in bits) when validating.

\n

\n

This sets the maximum RSA exponent size, in bits, that is accepted when\n validating. Valid values are 35 to 4096 bits. The default, zero, is\n also accepted and is equivalent to 4096.

\n
\n \n@@ -6570,50 +6570,50 @@\n to deeper in the tree.

\n \n
\n
\n empty-server\uf0c1
\n

Grammar: empty-server <string>;

\n

Blocks: options, view

\n-

Tags: zone, server

\n+

Tags: server, zone

\n

Specifies the server name in the returned SOA record for empty zones.

\n

\n

This specifies the server name that appears in the returned SOA record for\n empty zones. If none is specified, the zone\u2019s name is used.

\n
\n \n
\n
\n empty-contact\uf0c1
\n

Grammar: empty-contact <string>;

\n

Blocks: options, view

\n-

Tags: zone, server

\n+

Tags: server, zone

\n

Specifies the contact name in the returned SOA record for empty zones.

\n

\n

This specifies the contact name that appears in the returned SOA record for\n empty zones. If none is specified, \u201c.\u201d is used.

\n
\n \n
\n
\n empty-zones-enable\uf0c1
\n

Grammar: empty-zones-enable <boolean>;

\n

Blocks: options, view

\n-

Tags: zone, server

\n+

Tags: server, zone

\n

Enables or disables all empty zones.

\n

\n

This enables or disables all empty zones. By default, they are enabled.

\n
\n \n
\n
\n disable-empty-zone\uf0c1
\n

Grammar: disable-empty-zone <string>; // may occur multiple times

\n

Blocks: options, view

\n-

Tags: zone, server

\n+

Tags: server, zone

\n

Disables individual empty zones.

\n

\n

This disables individual empty zones. By default, none are disabled. This\n option can be specified multiple times.

\n
\n \n \n@@ -6724,15 +6724,15 @@\n deny the existence of domains (NXDOMAIN), deny the existence of IP\n addresses for domains (NODATA), or contain other IP addresses or data.

\n
\n
\n response-policy\uf0c1
\n

Grammar: response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];

\n

Blocks: options, view

\n-

Tags: zone, security, server, query

\n+

Tags: server, query, security, zone

\n

Specifies response policy zones for the view or among global options.

\n

\n

Response policy zones are named in the response-policy option for\n the view, or among the global options if there is no response-policy\n option for the view. Response policy zones are ordinary DNS zones\n containing RRsets that can be queried normally if allowed. It is usually\n best to restrict those queries with something like\n@@ -6932,28 +6932,28 @@\n such as SERVFAIL to appear to be rewritten, since no recursion is being\n done to discover problems at the authoritative server.

\n
\n
\n dnsrps-enable\uf0c1
\n

Grammar: dnsrps-enable <boolean>;

\n

Blocks: options, view

\n-

Tags: security, server

\n+

Tags: server, security

\n

Turns on the DNS Response Policy Service (DNSRPS) interface.

\n

\n

The dnsrps-enable yes option turns on the DNS Response Policy Service\n (DNSRPS) interface, if it has been compiled in named using\n configure --enable-dnsrps.

\n
\n \n
\n
\n dnsrps-options\uf0c1
\n

Grammar: dnsrps-options { <unspecified-text> };

\n

Blocks: options, view

\n-

Tags: security, server

\n+

Tags: server, security

\n

Provides additional RPZ configuration settings, which are passed to the DNS Response Policy Service (DNSRPS) provider library.

\n

\n

The block provides additional RPZ configuration\n settings, which are passed through to the DNSRPS provider library.\n Multiple DNSRPS settings in an dnsrps-options string should be\n separated with semi-colons (;). The DNSRPS provider, librpz, is passed a\n configuration string consisting of the dnsrps-options text,\n@@ -7357,15 +7357,15 @@\n

\n \n
\n
\n log-only\uf0c1
\n

Grammar: log-only <boolean>;

\n

Blocks: options.rate-limit, view.rate-limit

\n-

Tags: logging, query

\n+

Tags: query, logging

\n

Tests rate-limiting parameters without actually dropping any requests.

\n

\n

Use log-only yes to test rate-limiting parameters without actually\n dropping any requests.

\n
\n \n

Responses dropped by rate limits are included in the RateDropped and\n@@ -7561,15 +7561,15 @@\n option.

\n
\n \n
\n
\n keys\uf0c1
\n

Blocks: dnssec-policy, server, view.server

\n-

Tags: security, server

\n+

Tags: server, security

\n

Specifies one or more server_key s to be used with a remote server.

\n

\n
\n

Warning

\n

Not to be confused with keys in dnssec-policy specification.\n Although statements with the same name exist in both contexts, they refer\n to fundamentally incompatible concepts.

\n@@ -7722,43 +7722,43 @@\n

tls can only be set at the top level of named.conf.

\n

The following options can be specified in a tls statement:

\n
\n
\n key-file\uf0c1
\n

Grammar: key-file <quoted_string>;

\n

Blocks: tls

\n-

Tags: security, server

\n+

Tags: server, security

\n

Specifies the path to a file containing the private TLS key for a connection.

\n

\n
\n

Path to a file containing the private TLS key to be used for\n the connection.

\n
\n
\n \n
\n
\n cert-file\uf0c1
\n

Grammar: cert-file <quoted_string>;

\n

Blocks: tls

\n-

Tags: security, server

\n+

Tags: server, security

\n

Specifies the path to a file containing the TLS certificate for a connection.

\n

\n
\n

Path to a file containing the TLS certificate to be used for\n the connection.

\n
\n
\n \n
\n
\n ca-file\uf0c1
\n

Grammar: ca-file <quoted_string>;

\n

Blocks: tls

\n-

Tags: security, server

\n+

Tags: server, security

\n

Specifies the path to a file containing TLS certificates for trusted CA authorities, used to verify remote peer certificates.

\n

\n
\n

Path to a file containing trusted CA authorities\u2019 TLS\n certificates used to verify remote peer certificates. Specifying\n this option enables remote peer certificates\u2019 verification. For\n incoming connections, specifying this option makes BIND require\n@@ -7769,15 +7769,15 @@\n

\n \n
\n
\n dhparam-file\uf0c1
\n

Grammar: dhparam-file <quoted_string>;

\n

Blocks: tls

\n-

Tags: security, server

\n+

Tags: server, security

\n

Specifies the path to a file containing Diffie-Hellman parameters, for enabling cipher suites.

\n

\n
\n

Path to a file containing Diffie-Hellman parameters,\n which is needed to enable the cipher suites depending on the\n Diffie-Hellman ephemeral key exchange (DHE). Having these parameters\n specified is essential for enabling perfect forward secrecy capable\n@@ -7838,15 +7838,15 @@\n

\n \n
\n
\n prefer-server-ciphers\uf0c1
\n

Grammar: prefer-server-ciphers <boolean>;

\n

Blocks: tls

\n-

Tags: security, server

\n+

Tags: server, security

\n

Specifies that server ciphers should be preferred over client ones.

\n

\n
\n

Specifies that server ciphers should be preferred over client ones.

\n
\n
\n \n@@ -8477,15 +8477,15 @@\n \n
\n
\n max-zone-ttl\uf0c1
\n

Grammar dnssec-policy: max-zone-ttl <duration>;

\n

Grammar options, view, zone (primary, redirect): max-zone-ttl ( unlimited | <duration> );

\n

Blocks: dnssec-policy, options, view, zone (primary, redirect)

\n-

Tags: zone, query

\n+

Tags: query, zone

\n

Specifies a maximum permissible time-to-live (TTL) value, in seconds.

\n

\n

This specifies the maximum permissible TTL value for the zone. When\n a zone file is loaded, any record encountered with a TTL higher than\n max-zone-ttl causes the zone to be rejected.

\n

This ensures that when rolling to a new DNSKEY, the old key will remain\n available until RRSIG records have expired from caches. The\n@@ -8525,15 +8525,15 @@\n

\n \n
\n
\n zone-propagation-delay\uf0c1
\n

Grammar: zone-propagation-delay <duration>;

\n

Blocks: dnssec-policy

\n-

Tags: zone, dnssec

\n+

Tags: dnssec, zone

\n

Sets the propagation delay from the time a zone is first updated to when the new version of the zone is served by all secondary servers.

\n

\n
\n

This is the expected propagation delay from the time when a zone is\n first updated to the time when the new version of the zone is served\n by all secondary servers. The default is PT5M (5 minutes).

\n
\n@@ -8554,15 +8554,15 @@\n
\n \n
\n
\n parent-propagation-delay\uf0c1
\n

Grammar: parent-propagation-delay <duration>;

\n

Blocks: dnssec-policy

\n-

Tags: zone, dnssec

\n+

Tags: dnssec, zone

\n

Sets the propagation delay from the time the parent zone is updated to when the new version is served by all of the parent zone\u2019s name servers.

\n

\n
\n

This is the expected propagation delay from the time when the parent\n zone is updated to the time when the new version is served by all of\n the parent zone\u2019s name servers. The default is PT1H (1 hour).

\n
\n@@ -9846,15 +9846,15 @@\n \tin-view <string>;\n };\n
\n \n

\n

Grammar zone (in-view): in-view <string>;

\n

Blocks: zone, zone (in-view), view.zone

\n-

Tags: zone, view

\n+

Tags: view, zone

\n

Specifies the view in which a given zone is defined.

\n

\n

When using multiple views, a type primary or type secondary zone configured\n in one view can be referenced in a subsequent view. This allows both views\n to use the same zone without the overhead of loading it more than once. This\n is configured using a zone statement, with an in-view option\n specifying the view in which the zone is defined. A zone statement\n@@ -10042,15 +10042,15 @@\n

\n
\n
\n
\n server-addresses\uf0c1
\n

Grammar: server-addresses { ( <ipv4_address> | <ipv6_address> ); ... };

\n

Blocks: zone (static-stub)

\n-

Tags: zone, query

\n+

Tags: query, zone

\n

Specifies a list of IP addresses to which queries should be sent in recursive resolution for a static-stub zone.

\n

\n

This option is only meaningful for static-stub zones. This is a list of IP addresses\n to which queries should be sent in recursive resolution for the zone.\n A non-empty list for this option internally configures the apex\n NS RR with associated glue A or AAAA RRs.

\n

For example, if \u201cexample.com\u201d is configured as a static-stub zone\n@@ -10139,15 +10139,15 @@\n

\n
\n
\n
\n inline-signing\uf0c1
\n

Grammar: inline-signing <boolean>;

\n

Blocks: zone (primary, secondary)

\n-

Tags: zone, dnssec

\n+

Tags: dnssec, zone

\n

Specifies whether BIND 9 maintains a separate signed version of a zone.

\n

\n

If yes, BIND 9 maintains a separate signed version of the zone.\n An unsigned zone is transferred in or loaded from disk and the signed\n version of the zone is served with, possibly, a different serial\n number. The signed version of the zone is stored in a file that is\n the zone\u2019s filename (set in file) with a .signed extension.\n@@ -10462,15 +10462,15 @@\n

Limits UDP responses of all kinds.

\n

\n

query

\n \n allow-new-zones\n

Controls the ability to add zones at runtime via rndc addzone.

\n

\n-

zone, server

\n+

server, zone

\n \n allow-notify\n

Defines an address_match_list that is allowed to send NOTIFY messages for the zone, in addition to addresses defined in the primaries option for the zone.

\n

\n

transfer

\n \n allow-query\n@@ -10592,40 +10592,40 @@\n

Controls flushing of log messages.

\n

\n

logging

\n \n ca-file\n

Specifies the path to a file containing TLS certificates for trusted CA authorities, used to verify remote peer certificates.

\n

\n-

security, server

\n+

server, security

\n \n catalog-zones\n

Configures catalog zones in named.conf.

\n

\n

zone

\n \n category\n

Specifies the type of data logged to a particular channel.

\n

\n

logging

\n \n cert-file\n

Specifies the path to a file containing the TLS certificate for a connection.

\n

\n-

security, server

\n+

server, security

\n \n channel\n

Defines a stream of data that can be independently logged.

\n

\n

logging

\n \n check-dup-records\n

Checks primary zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS.

\n

\n-

dnssec, query

\n+

query, dnssec

\n \n check-integrity\n

Performs post-load zone integrity checks on primary zones.

\n

\n

zone

\n \n check-mx\n@@ -10722,15 +10722,15 @@\n

Rejects CNAME or DNAME records if the "alias" name matches a given list of domain_name elements.

\n

\n

query

\n \n dhparam-file\n

Specifies the path to a file containing Diffie-Hellman parameters, for enabling cipher suites.

\n

\n-

security, server

\n+

server, security

\n \n dialup\n

Concentrates zone maintenance so that all transfers take place once every heartbeat-interval, ideally during a single call.

\n

\n

deprecated

\n \n directory\n@@ -10742,20 +10742,20 @@\n

Disables DNSSEC algorithms from a specified zone.

\n

\n

dnssec

\n \n disable-ds-digests\n

Disables DS digest types from a specified zone.

\n

\n-

zone, dnssec

\n+

dnssec, zone

\n \n disable-empty-zone\n

Disables individual empty zones.

\n

\n-

zone, server

\n+

server, zone

\n \n dlz\n

Configures a Dynamically Loadable Zone (DLZ) database in named.conf.

\n

\n

zone

\n \n dns64\n@@ -10782,20 +10782,20 @@\n

Specifies the time to live (TTL) for DNSKEY resource records.

\n

\n

dnssec

\n \n dnsrps-enable\n

Turns on the DNS Response Policy Service (DNSRPS) interface.

\n

\n-

security, server

\n+

server, security

\n \n dnsrps-options\n

Provides additional RPZ configuration settings, which are passed to the DNS Response Policy Service (DNSRPS) provider library.

\n

\n-

security, server

\n+

server, security

\n \n dnssec-accept-expired\n

Instructs BIND 9 to accept expired DNSSEC signatures when validating.

\n

\n

dnssec

\n \n dnssec-dnskey-kskonly\n@@ -10887,25 +10887,25 @@\n

Sets the maximum EDNS VERSION that is sent to the server(s) by the resolver.

\n

\n

server

\n \n empty-contact\n

Specifies the contact name in the returned SOA record for empty zones.

\n

\n-

zone, server

\n+

server, zone

\n \n empty-server\n

Specifies the server name in the returned SOA record for empty zones.

\n

\n-

zone, server

\n+

server, zone

\n \n empty-zones-enable\n

Enables or disables all empty zones.

\n

\n-

zone, server

\n+

server, zone

\n \n endpoints\n

Specifies a list of HTTP query paths on which to listen.

\n

\n

server, query

\n \n errors-per-second\n@@ -11042,25 +11042,25 @@\n

Specifies the TCP port number the server uses to receive and send DNS-over-HTTPS protocol traffic.

\n

\n

server, query

\n \n in-view\n

Specifies the view in which a given zone is defined.

\n

\n-

zone, view

\n+

view, zone

\n \n inet\n

Specifies a TCP socket as a control channel.

\n

\n

server

\n \n inline-signing\n

Specifies whether BIND 9 maintains a separate signed version of a zone.

\n

\n-

zone, dnssec

\n+

dnssec, zone

\n \n interface-interval\n

Sets the interval at which the server scans the network interface list.

\n

\n

server

\n \n ipv4-prefix-length\n@@ -11112,20 +11112,20 @@\n

Indicates the directory where public and private DNSSEC key files are found.

\n

\n

dnssec

\n \n key-file\n

Specifies the path to a file containing the private TLS key for a connection.

\n

\n-

security, server

\n+

server, security

\n \n keys\n

Specifies one or more server_key s to be used with a remote server.

\n

\n-

security, server

\n+

server, security

\n \n lame-ttl\n

Sets the resolver's lame cache.

\n

\n

server

\n \n listen-on\n@@ -11152,15 +11152,15 @@\n

Sets the pathname of the file on which named attempts to acquire a file lock when starting for the first time.

\n

\n

server

\n \n log-only\n

Tests rate-limiting parameters without actually dropping any requests.

\n

\n-

logging, query

\n+

query, logging

\n \n logging\n

Configures logging options for the name server.

\n

\n

logging

\n \n managed-keys\n@@ -11177,15 +11177,15 @@\n

Specifies an access control list (ACL) of IPv4 addresses that are to be mapped to the corresponding A RRset in dns64.

\n

\n

query

\n \n masterfile-format\n

Specifies the file format of zone files.

\n

\n-

zone, server

\n+

server, zone

\n \n masterfile-style\n

Specifies the format of zone files during a dump, when the masterfile-format is text.

\n

\n

server

\n \n match-clients\n@@ -11237,15 +11237,15 @@\n

Specifies the maximum retention time (in seconds) for storage of negative answers in the server's cache.

\n

\n

server

\n \n max-records\n

Sets the maximum number of records permitted in a zone.

\n

\n-

zone, server

\n+

server, zone

\n \n max-records-per-type\n

Sets the maximum number of records that can be stored in an RRset

\n

\n

server

\n \n max-recursion-depth\n@@ -11267,15 +11267,15 @@\n

Limits the zone refresh retry interval to no less often than the specified value, in seconds.

\n

\n

transfer

\n \n max-rsa-exponent-size\n

Sets the maximum RSA exponent size (in bits) when validating.

\n

\n-

dnssec, query

\n+

query, dnssec

\n \n max-stale-ttl\n

Specifies the maximum time that the server retains records past their normal expiry, to return them as stale records.

\n

\n

server

\n \n max-table-size\n@@ -11312,15 +11312,15 @@\n

Sets the maximum EDNS UDP message size sent by named.

\n

\n

query

\n \n max-zone-ttl\n

Specifies a maximum permissible time-to-live (TTL) value, in seconds.

\n

\n-

zone, query

\n+

query, zone

\n \n memstatistics\n

Controls whether memory statistics are written to the file specified by memstatistics-file at exit.

\n

\n

server, logging

\n \n memstatistics-file\n@@ -11467,15 +11467,15 @@\n

Sets the time to live (TTL) of the DS RRset used by the parent zone.

\n

\n

dnssec

\n \n parent-propagation-delay\n

Sets the propagation delay from the time the parent zone is updated to when the new version is served by all of the parent zone's name servers.

\n

\n-

zone, dnssec

\n+

dnssec, zone

\n \n parental-agents\n

Defines a list of delegation agents to be used by primary and secondary zones.

\n

\n

zone

\n \n parental-source\n@@ -11502,15 +11502,15 @@\n

Specifies the UDP/TCP port number the server uses to receive and send DNS protocol traffic.

\n

\n

server, query

\n \n prefer-server-ciphers\n

Specifies that server ciphers should be preferred over client ones.

\n

\n-

security, server

\n+

server, security

\n \n preferred-glue\n

Controls the order of glue records in an A or AAAA response.

\n

\n

query

\n \n prefetch\n@@ -11617,15 +11617,15 @@\n

Specifies the expected hostname in the TLS certificate of the remote server.

\n

\n

security

\n \n request-expire\n

Specifies whether the local server requests the EDNS EXPIRE value, when acting as a secondary.

\n

\n-

transfer, query

\n+

query, transfer

\n \n request-ixfr\n

Controls whether a secondary requests an incremental zone transfer (IXFR) or a full zone transfer (AXFR).

\n

\n

transfer

\n \n request-nsid\n@@ -11662,15 +11662,15 @@\n

Adds an EDNS Padding option to encrypted messages, to reduce the chance of guessing the contents based on size.

\n

\n

query

\n \n response-policy\n

Specifies response policy zones for the view or among global options.

\n

\n-

zone, security, server, query

\n+

server, query, security, zone

\n \n responses-per-second\n

Limits the number of non-empty responses for a valid domain name and record type.

\n

\n

query

\n \n retire-safety\n@@ -11732,15 +11732,15 @@\n

Defines characteristics to be associated with a remote name server.

\n

\n

server

\n \n server-addresses\n

Specifies a list of IP addresses to which queries should be sent in recursive resolution for a static-stub zone.

\n

\n-

zone, query

\n+

query, zone

\n \n server-id\n

Specifies the ID of the server to return in response to a ID.SERVER query.

\n

\n

server

\n \n server-names\n@@ -12102,15 +12102,15 @@\n

Specifies a Unix domain socket as a control channel.

\n

\n

server

\n \n update-check-ksk\n

Specifies whether to check the KSK bit to determine how a key should be used, when generating RRSIGs for a secure zone.

\n

\n-

zone, dnssec

\n+

dnssec, zone

\n \n update-policy\n

Sets fine-grained rules to allow or deny dynamic updates (DDNS), based on requester identity, updated content, etc.

\n

\n

transfer

\n \n update-quota\n@@ -12157,35 +12157,35 @@\n

Specifies the length of time during which responses are tracked.

\n

\n

query

\n \n zero-no-soa-ttl\n

Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries.

\n

\n-

zone, server, query

\n+

server, query, zone

\n \n zero-no-soa-ttl-cache\n

Sets the time to live (TTL) to zero when caching a negative response to an SOA query.

\n

\n-

zone, server, query

\n+

server, query, zone

\n \n zone\n

Specifies the zone in a BIND 9 configuration.

\n

\n

zone

\n \n zone-propagation-delay\n

Sets the propagation delay from the time a zone is first updated to when the new version of the zone is served by all secondary servers.

\n

\n-

zone, dnssec

\n+

dnssec, zone

\n \n zone-statistics\n

Controls the level of statistics gathered for all zones.

\n

\n-

zone, logging

\n+

logging, zone

\n \n \n \n \n
\n

8.4. Statements by Tag\uf0c1

\n

These tables group the various statements permissible in named.conf by\n", "details": [{"source1": "html2text {}", "source2": "html2text {}", "unified_diff": "@@ -2414,1274 +2414,1274 @@\n Zone_Tag_Statements relate to or control zone behavior, and typically only\n appear in a zone block.\n Deprecated_Tag_Statements are those that are now deprecated, but are included\n here for historical reference.\n The following table lists all statements permissible in named.conf, with their\n associated tags; the next section groups the statements by tag. Please note\n that these sections are a work in progress.\n-Statement Description Tags\n-acl Assigns a symbolic name to server\n- an address match list.\n-algorithm Defines the algorithm to be security\n- used in a key clause.\n-all-per-second Limits UDP responses of all query\n- kinds.\n- Controls the ability to add\n-allow-new-zones zones at runtime via rndc zone, server\n- addzone.\n- Defines an\n- address_match_list that is\n- allowed to send NOTIFY\n-allow-notify messages for the zone, in transfer\n- addition to addresses\n- defined in the primaries\n- option for the zone.\n- Specifies which hosts (an\n-allow-query IP address list) are query\n- allowed to send queries to\n- this resolver.\n- Specifies which hosts (an\n- IP address list) can access\n-allow-query-cache this server's cache and query\n- thus effectively controls\n- recursion.\n- Specifies which hosts (an\n- IP address list) can access\n-allow-query-cache-on this server's cache. Used query\n- on servers with multiple\n- interfaces.\n- Specifies which local\n- addresses (an IP address\n-allow-query-on list) are allowed to send query\n- queries to this resolver.\n- Used in multi-homed\n- configurations.\n- Defines an\n-allow-recursion address_match_list of query\n- clients that are allowed to\n- perform recursive queries.\n- Specifies which local\n-allow-recursion-on addresses can accept server, query\n- recursive queries.\n- Defines an\n- address_match_list of hosts\n-allow-transfer that are allowed to transfer\n- transfer the zone\n- information from this\n- server.\n- Defines an\n- address_match_list of hosts\n-allow-update that are allowed to submit transfer\n- dynamic updates for primary\n- zones.\n- Defines an\n- address_match_list of hosts\n-allow-update-forwarding that are allowed to submit transfer\n- dynamic updates to a\n- secondary server for\n- transmission to a primary.\n- Defines one or more hosts\n-also-notify that are sent NOTIFY transfer\n- messages when zone changes\n- occur.\n- Defines alternate local\n- IPv4 address(es) to be used\n- by the server for inbound\n-alt-transfer-source zone transfers, if the deprecated\n- address(es) defined by\n- transfer-source fail and\n- use-alt-transfer-source is\n- enabled.\n- Defines alternate local\n-alt-transfer-source-v6 IPv6 address(es) to be used deprecated\n- by the server for inbound\n- zone transfers.\n- Controls whether COOKIE\n-answer-cookie EDNS replies are sent in query\n- response to client queries.\n- Allows multiple views to\n-attach-cache share a single cache view\n- database.\n- Controls whether BIND,\n- acting as a resolver,\n-auth-nxdomain provides authoritative query\n- NXDOMAIN (domain does not\n- exist) answers.\n- Permits varying levels of\n-auto-dnssec automatic DNSSEC key dnssec\n- management.\n- Controls the automatic\n-automatic-interface-scan rescanning of network server\n- interfaces when addresses\n- are added or removed.\n- Specifies the range(s) of\n-avoid-v4-udp-ports ports to be excluded from deprecated\n- use as sources for UDP/IPv4\n- messages.\n- Specifies the range(s) of\n-avoid-v6-udp-ports ports to be excluded from deprecated\n- use as sources for UDP/IPv6\n- messages.\n- Specifies the pathname of a\n-bindkeys-file file to override the built- dnssec\n- in trusted keys provided by\n- named.\n- Defines an\n- address_match_list of hosts\n-blackhole to ignore. The server will query\n- neither respond to queries\n- from nor send queries to\n- these addresses.\n-bogus Allows a remote server to server\n- be ignored.\n- Enables dns64 synthesis\n-break-dnssec even if the validated query\n- result would cause a DNSSEC\n- validation failure.\n-buffered Controls flushing of log logging\n- messages.\n- Specifies the path to a\n- file containing TLS\n-ca-file certificates for trusted CA security, server\n- authorities, used to verify\n- remote peer certificates.\n-catalog-zones Configures catalog zones in zone\n- named.conf.\n- Specifies the type of data\n-category logged to a particular logging\n- channel.\n- Specifies the path to a\n-cert-file file containing the TLS security, server\n- certificate for a\n- connection.\n- Defines a stream of data\n-channel that can be independently logging\n- logged.\n- Checks primary zones for\n- records that are treated as\n-check-dup-records different by DNSSEC but are dnssec, query\n- semantically equal in plain\n- DNS.\n- Performs post-load zone\n-check-integrity integrity checks on primary zone\n- zones.\n- Checks whether an MX record\n-check-mx appears to refer to an IP zone\n- address.\n- Sets the response to MX\n-check-mx-cname records that refer to zone\n- CNAMEs.\n- Restricts the character set\n- and syntax of certain\n-check-names domain names in primary server, query\n- files and/or DNS responses\n- received from the network.\n- Specifies whether to check\n-check-sibling for sibling glue when zone\n- performing integrity\n- checks.\n- Specifies whether to check\n-check-spf for a TXT Sender Policy zone\n- Framework record, if an SPF\n- record is present.\n- Sets the response to SRV\n-check-srv-cname records that refer to zone\n- CNAMEs.\n-check-wildcard Checks for non-terminal zone\n- wildcards.\n-ciphers Specifies a list of allowed security\n- ciphers.\n- Specifies an access control\n-clients list (ACL) of clients that query\n- are affected by a given\n- dns64 directive.\n- Sets the initial minimum\n- number of simultaneous\n-clients-per-query recursive clients accepted server\n- by the server for any given\n- query before the server\n- drops additional clients.\n- Specifies control channels\n-controls to be used to manage the server\n- name server.\n- Sets the algorithm to be\n-cookie-algorithm used when generating a server\n- server cookie.\n- Specifies a shared secret\n- used for generating and\n-cookie-secret verifying EDNS COOKIE server\n- options within an anycast\n- cluster.\n-coresize Sets the maximum size of a deprecated\n- core dump.\n- Specifies the type of\n-database database to be used to zone\n- store zone data.\n- Sets the maximum amount of\n-datasize data memory that can be deprecated\n- used by the server.\n- Indicates that a forward,\n-delegation-only hint, or stub zone is to be deprecated\n- treated as a delegation-\n- only type zone.\n- Rejects A or AAAA records\n-deny-answer-addresses if the corresponding IPv4 query\n- or IPv6 addresses match a\n- given address_match_list.\n- Rejects CNAME or DNAME\n-deny-answer-aliases records if the \"alias\" name query\n- matches a given list of\n- domain_name elements.\n- Specifies the path to a\n-dhparam-file file containing Diffie- security, server\n- Hellman parameters, for\n- enabling cipher suites.\n- Concentrates zone\n- maintenance so that all\n-dialup transfers take place once deprecated\n- every heartbeat-interval,\n- ideally during a single\n- call.\n-directory Sets the server's working server\n- directory.\n-disable-algorithms Disables DNSSEC algorithms dnssec\n- from a specified zone.\n-disable-ds-digests Disables DS digest types zone, dnssec\n- from a specified zone.\n-disable-empty-zone Disables individual empty zone, server\n- zones.\n- Configures a Dynamically\n-dlz Loadable Zone (DLZ) zone\n- database in named.conf.\n- Instructs named to return\n-dns64 mapped IPv4 addresses to query\n- AAAA queries when there are\n- no AAAA records.\n-dns64-contact Specifies the name of the server\n- contact for dns64 zones.\n-dns64-server Specifies the name of the server\n- server for dns64 zones.\n- Specifies the number of\n-dnskey-sig-validity days in the future when dnssec\n- automatically generated\n- DNSSEC signatures expire.\n- Specifies the time to live\n-dnskey-ttl (TTL) for DNSKEY resource dnssec\n- records.\n- Turns on the DNS Response\n-dnsrps-enable Policy Service (DNSRPS) security, server\n- interface.\n- Provides additional RPZ\n- configuration settings,\n-dnsrps-options which are passed to the DNS security, server\n- Response Policy Service\n- (DNSRPS) provider library.\n- Instructs BIND 9 to accept\n-dnssec-accept-expired expired DNSSEC signatures dnssec\n- when validating.\n- Specifies that only key-\n- signing keys are used to\n-dnssec-dnskey-kskonly sign the DNSKEY, CDNSKEY, dnssec\n- and CDS RRsets at a zone's\n- apex.\n- Sets the frequency of\n-dnssec-loadkeys-interval automatic checks of the dnssec\n- DNSSEC key repository.\n- Defines hierarchies that\n-dnssec-must-be-secure must or may not be secure deprecated\n- (signed and validated).\n-dnssec-policy Defines a key and signing dnssec\n- policy (KASP) for zones.\n- Allows a dynamic zone to\n-dnssec-secure-to-insecure transition from secure to dnssec\n- insecure by deleting all\n- DNSKEY records.\n- Controls the scheduled\n-dnssec-update-mode maintenance of DNSSEC dnssec\n- signatures.\n-dnssec-validation Enables DNSSEC validation dnssec\n- in named.\n-dnstap Enables logging of dnstap logging\n- messages.\n- Specifies an identity\n-dnstap-identity string to send in dnstap logging\n- messages.\n- Configures the path to\n-dnstap-output which the dnstap frame logging\n- stream is sent.\n-dnstap-version Specifies a version string logging\n- to send in dnstap messages.\n- Sets the Differentiated\n-dscp Services Code Point (DSCP) server, query\n- value (obsolete).\n- Specifies host names or\n-dual-stack-servers addresses of machines with server\n- access to both IPv4 and\n- IPv6 transports.\n- Indicates the pathname of\n-dump-file the file where the server logging\n- dumps the database after\n- rndc_dumpdb.\n-dyndb Configures a DynDB database zone\n- in named.conf.\n-edns Controls the use of the server\n- EDNS0 (RFC_2671) feature.\n- Sets the maximum advertised\n- EDNS UDP buffer size to\n-edns-udp-size control the size of packets query\n- received from authoritative\n- servers in response to\n- recursive queries.\n- Sets the maximum EDNS\n-edns-version VERSION that is sent to the server\n- server(s) by the resolver.\n- Specifies the contact name\n-empty-contact in the returned SOA record zone, server\n- for empty zones.\n- Specifies the server name\n-empty-server in the returned SOA record zone, server\n- for empty zones.\n-empty-zones-enable Enables or disables all zone, server\n- empty zones.\n- Specifies a list of HTTP\n-endpoints query paths on which to server, query\n- listen.\n- Limits the number of errors\n-errors-per-second for a valid domain name and server\n- record type.\n- Allows a list of IPv6\n- addresses to be ignored if\n-exclude they appear in a domain query\n- name's AAAA records in\n- dns64.\n- Exempts specific clients or\n-exempt-clients client groups from rate query\n- limiting.\n- Sets the parameters for\n- dynamic resizing of the\n-fetch-quota-params fetches-per-server quota in server, query\n- response to detected\n- congestion.\n- Sets the maximum number of\n- simultaneous iterative\n- queries allowed to be sent\n-fetches-per-server by a server to an upstream server, query\n- name server before the\n- server blocks additional\n- queries.\n- Sets the maximum number of\n- simultaneous iterative\n-fetches-per-zone queries allowed to any one server, query\n- domain before the server\n- blocks new queries for data\n- in or beneath that zone.\n-file Specifies the zone's zone\n- filename.\n- Sets the maximum number of\n-files files the server may have deprecated\n- open concurrently.\n- Controls whether pending\n-flush-zones-on-shutdown zone writes are flushed zone\n- when the name server exits.\n- Allows or disallows\n- fallback to recursion if\n-forward forwarding has failed; it query\n- is always used in\n- conjunction with the\n- forwarders statement.\n- Defines one or more hosts\n-forwarders to which queries are query\n- forwarded.\n- Sets the number of\n-fstrm-set-buffer-hint accumulated bytes in the logging\n- output buffer before\n- forcing a buffer flush.\n- Sets the number of seconds\n-fstrm-set-flush-timeout that unflushed data remains logging\n- in the output buffer.\n- Sets the number of queue\n-fstrm-set-input-queue-size entries to allocate for logging\n- each input queue.\n- Sets the number of\n-fstrm-set-output-notify- outstanding queue entries\n-threshold allowed on an input queue logging\n- before waking the I/\n- O thread.\n-fstrm-set-output-queue- Sets the queuing semantics logging\n-model to use for queue objects.\n- Sets the number of queue\n-fstrm-set-output-queue-size entries allocated for each logging\n- output queue.\n- Sets the number of seconds\n-fstrm-set-reopen-interval to wait between attempts to logging\n- reopen a closed output\n- stream.\n- Specifies the directory\n-geoip-directory containing GeoIP database server\n- files.\n-glue-cache Deprecated. deprecated\n- Sets the interval at which\n-heartbeat-interval the server performs zone deprecated\n- maintenance tasks for all\n- zones marked as dialup.\n- Specifies the hostname of\n-hostname the server to return in server\n- response to a hostname.bind\n- query.\n- Configures HTTP endpoints\n-http on which to listen for DNS- server, query\n- over-HTTPS (DoH) queries.\n- Limits the number of active\n-http-listener-clients concurrent connections on a server\n- per-listener basis.\n- Specifies the TCP port\n- number the server uses to\n-http-port receive and send server, query\n- unencrypted DNS traffic via\n- HTTP.\n- Limits the number of active\n-http-streams-per-connection concurrent HTTP/2 streams server\n- on a per-connection basis.\n- Specifies the TCP port\n-https-port number the server uses to server, query\n- receive and send DNS-over-\n- HTTPS protocol traffic.\n-in-view Specifies the view in which zone, view\n- a given zone is defined.\n-inet Specifies a TCP socket as a server\n- control channel.\n- Specifies whether BIND 9\n-inline-signing maintains a separate signed zone, dnssec\n- version of a zone.\n- Sets the interval at which\n-interface-interval the server scans the server\n- network interface list.\n- Specifies the prefix\n-ipv4-prefix-length lengths of IPv4 address server\n- blocks.\n- Specifies the contact for\n-ipv4only-contact the IPV4ONLY.ARPA zone server\n- created by dns64.\n- Enables automatic IPv4\n-ipv4only-enable zones if a dns64 block is query\n- configured.\n- Specifies the name of the\n-ipv4only-server server for the server, query\n- IPV4ONLY.ARPA zone created\n- by dns64.\n- Specifies the prefix\n-ipv6-prefix-length lengths of IPv6 address server\n- blocks.\n-ixfr-from-differences Controls how IXFR transfers transfer\n- are calculated.\n- Allows the default\n-journal journal's filename to be zone\n- overridden.\n- Defines an\n- address_match_list of\n-keep-response-order addresses which do not server\n- accept reordered answers\n- within a single TCP stream.\n- Defines a shared secret key\n-key for use with TSIG or the security\n- command channel.\n- Indicates the directory\n-key-directory where public and private dnssec\n- DNSSEC key files are found.\n- Specifies the path to a\n-key-file file containing the private security, server\n- TLS key for a connection.\n- Specifies one or more\n-keys server_key s to be used security, server\n- with a remote server.\n-lame-ttl Sets the resolver's lame server\n- cache.\n- Specifies the IPv4\n-listen-on addresses on which a server server\n- listens for DNS queries.\n- Specifies the IPv6\n-listen-on-v6 addresses on which a server server\n- listens for DNS queries.\n- Specifies a per-listener\n-listener-clients quota for active server, query\n- connections.\n- Sets a maximum size for the\n-lmdb-mapsize memory map of the new-zone server\n- database in LMDB database\n- format.\n- Sets the pathname of the\n- file on which named\n-lock-file attempts to acquire a file server\n- lock when starting for the\n- first time.\n- Tests rate-limiting\n-log-only parameters without actually logging, query\n- dropping any requests.\n-logging Configures logging options logging\n- for the name server.\n-managed-keys Deprecated, use trust- deprecated\n- anchors.\n- Specifies the directory in\n-managed-keys-directory which to store the files dnssec\n- that track managed DNSSEC\n- keys.\n- Specifies an access control\n- list (ACL) of IPv4\n-mapped addresses that are to be query\n- mapped to the corresponding\n- A RRset in dns64.\n-masterfile-format Specifies the file format zone, server\n- of zone files.\n- Specifies the format of\n-masterfile-style zone files during a dump, server\n- when the masterfile-format\n- is text.\n- Specifies a view of DNS\n-match-clients namespace for a given view\n- subset of client IP\n- addresses.\n- Specifies a view of DNS\n-match-destinations namespace for a given view\n- subset of destination IP\n- addresses.\n- Allows IPv4-mapped IPv6\n- addresses to match address-\n-match-mapped-addresses match list entries for server\n- corresponding IPv4\n- addresses.\n- Specifies that only\n-match-recursive-only recursive requests can view\n- match this view of the DNS\n- namespace.\n- Sets the maximum amount of\n- memory to use for an\n-max-cache-size individual cache database server\n- and its associated\n- metadata.\n- Specifies the maximum time\n-max-cache-ttl (in seconds) that the server\n- server caches ordinary\n- (positive) answers.\n- Sets the maximum number of\n- simultaneous recursive\n-max-clients-per-query clients accepted by the server\n- server for any given query\n- before the server drops\n- additional clients.\n- Sets the maximum size for\n-max-ixfr-ratio IXFR responses to zone transfer\n- transfer requests.\n-max-journal-size Controls the size of transfer\n- journal files.\n- Specifies the maximum\n- retention time (in seconds)\n-max-ncache-ttl for storage of negative server\n- answers in the server's\n- cache.\n- Sets the maximum number of\n-max-records records permitted in a zone, server\n- zone.\n- Sets the maximum number of\n-max-records-per-type records that can be stored server\n- in an RRset\n- Sets the maximum number of\n- levels of recursion\n-max-recursion-depth permitted at any one time server\n- while servicing a recursive\n- query.\n- Sets the maximum number of\n-max-recursion-queries iterative queries while server, query\n- servicing a recursive\n- query.\n- Limits the zone refresh\n-max-refresh-time interval to no less often transfer\n- than the specified value,\n- in seconds.\n- Limits the zone refresh\n-max-retry-time retry interval to no less transfer\n- often than the specified\n- value, in seconds.\n- Sets the maximum RSA\n-max-rsa-exponent-size exponent size (in bits) dnssec, query\n- when validating.\n- Specifies the maximum time\n- that the server retains\n-max-stale-ttl records past their normal server\n- expiry, to return them as\n- stale records.\n- Sets the maximum size of\n-max-table-size the table used to track server\n- requests and rate-limit\n- responses.\n- Specifies the number of\n-max-transfer-idle-in minutes after which inbound transfer\n- zone transfers making no\n- progress are terminated.\n- Specifies the number of\n- minutes after which\n-max-transfer-idle-out outbound zone transfers transfer\n- making no progress are\n- terminated.\n- Specifies the number of\n-max-transfer-time-in minutes after which inbound transfer\n- zone transfers are\n- terminated.\n- Specifies the number of\n-max-transfer-time-out minutes after which transfer\n- outbound zone transfers are\n- terminated.\n- Sets the maximum number of\n-max-types-per-name RR types that can be stored server\n- for an owner name\n-max-udp-size Sets the maximum EDNS UDP query\n- message size sent by named.\n- Specifies a maximum\n-max-zone-ttl permissible time-to-live zone, query\n- (TTL) value, in seconds.\n- Controls whether memory\n-memstatistics statistics are written to server, logging\n- the file specified by\n- memstatistics-file at exit.\n- Sets the pathname of the\n-memstatistics-file file where the server logging\n- writes memory usage\n- statistics on exit.\n- Controls whether DNS name\n-message-compression compression is used in query\n- responses to regular\n- queries.\n- Specifies the minimum time\n-min-cache-ttl (in seconds) that the server\n- server caches ordinary\n- (positive) answers.\n- Specifies the minimum\n- retention time (in seconds)\n-min-ncache-ttl for storage of negative server\n- answers in the server's\n- cache.\n- Limits the zone refresh\n-min-refresh-time interval to no more often transfer\n- than the specified value,\n- in seconds.\n- Limits the zone refresh\n-min-retry-time retry interval to no more transfer\n- often than the specified\n- value, in seconds.\n- Sets the minimum size of\n-min-table-size the table used to track query\n- requests and rate-limit\n- responses.\n- Controls whether the server\n- replies with only one of\n-minimal-any the RRsets for a query query\n- name, when generating a\n- positive response to a\n- query of type ANY over UDP.\n- Controls whether the server\n- only adds records to the\n- authority and additional\n-minimal-responses data sections when they are query\n- required (e.g. delegations,\n- negative responses). This\n- improves server\n- performance.\n- Controls whether serial\n-multi-master number mismatch errors are transfer\n- logged.\n- Specifies the directory\n- where configuration\n-new-zones-directory parameters are stored for zone\n- zones added by rndc\n- addzone.\n- Specifies a list of\n-no-case-compress addresses that require server\n- case-insensitive\n- compression in responses.\n- Sets the maximum size of\n-nocookie-udp-size UDP responses that are sent query\n- to queries without a valid\n- server COOKIE.\n- Limits the number of empty\n-nodata-per-second (NODATA) responses for a query\n- valid domain name.\n- Controls whether NOTIFY\n-notify messages are sent on zone transfer\n- changes.\n- Sets the delay (in seconds)\n-notify-delay between sending sets of transfer, zone\n- NOTIFY messages for a zone.\n- Specifies the rate at which\n-notify-rate NOTIFY requests are sent transfer, zone\n- during normal zone\n- maintenance operations.\n- Defines the IPv4 address\n-notify-source (and optional port) to be transfer\n- used for outgoing NOTIFY\n- messages.\n- Defines the IPv6 address\n-notify-source-v6 (and optional port) to be transfer\n- used for outgoing NOTIFY\n- messages.\n- Controls whether the name\n-notify-to-soa servers in the NS RRset are transfer\n- checked against the SOA\n- MNAME.\n- Specifies the use of NSEC3\n-nsec3param instead of NSEC, and sets dnssec\n- NSEC3 parameters.\n- Specifies the lifetime, in\n-nta-lifetime seconds, for negative trust dnssec\n- anchors added via rndc_nta.\n- Specifies the time interval\n- for checking whether\n-nta-recheck negative trust anchors dnssec\n- added via rndc_nta are\n- still necessary.\n- Causes all messages sent to\n-null the logging channel to be logging\n- discarded.\n- Appends the specified\n- suffix to the original\n-nxdomain-redirect query name, when replacing query\n- an NXDOMAIN with a redirect\n- namespace.\n- Limits the number of\n-nxdomains-per-second undefined subdomains for a query\n- valid domain name.\n-options Defines global options to server\n- be used by BIND 9.\n- Adds EDNS Padding options\n-padding to outgoing messages to server\n- increase the packet size.\n- Sets the time to live (TTL)\n-parent-ds-ttl of the DS RRset used by the dnssec\n- parent zone.\n- Sets the propagation delay\n- from the time the parent\n-parent-propagation-delay zone is updated to when the zone, dnssec\n- new version is served by\n- all of the parent zone's\n- name servers.\n- Defines a list of\n-parental-agents delegation agents to be zone\n- used by primary and\n- secondary zones.\n- Specifies which local IPv4\n-parental-source source address is used to dnssec\n- send parental DS queries.\n- Specifies which local IPv6\n-parental-source-v6 source address is used to dnssec\n- send parental DS queries.\n- Specifies the pathname of\n-pid-file the file where the server server\n- writes its process ID.\n-plugin Configures plugins in server\n- named.conf.\n- Specifies the UDP/TCP port\n-port number the server uses to server, query\n- receive and send DNS\n- protocol traffic.\n- Specifies that server\n-prefer-server-ciphers ciphers should be preferred security, server\n- over client ones.\n- Controls the order of glue\n-preferred-glue records in an A or AAAA query\n- response.\n- Specifies the \"trigger\"\n-prefetch time-to-live (TTL) value at query\n- which prefetch of the\n- current query takes place.\n-primaries Defines one or more primary zone\n- servers for a zone.\n-print-category Includes the category in logging\n- log messages.\n-print-severity Includes the severity in logging\n- log messages.\n-print-time Specifies the time format logging\n- for log messages.\n- Specifies the allowed\n-protocols versions of the TLS security\n- protocol.\n- Controls whether a primary\n- responds to an incremental\n-provide-ixfr zone request (IXFR) or only transfer\n- responds with a full zone\n- transfer (AXFR).\n- Increases the amount of\n- time between when keys are\n-publish-safety published and when they dnssec\n- become active, to allow for\n- unforeseen events.\n- Specifies the amount of\n- time after which DNSSEC\n-purge-keys keys that have been deleted dnssec\n- from the zone can be\n- removed from disk.\n- Controls QNAME minimization\n-qname-minimization behavior in the BIND 9 query\n- resolver.\n- Tightens defenses during\n-qps-scale DNS attacks by scaling back query\n- the ratio of the current\n- query-per-second rate.\n- Controls the IPv4 address\n-query-source from which queries are query\n- issued.\n- Controls the IPv6 address\n-query-source-v6 from which queries are query\n- issued.\n- Specifies whether query\n-querylog logging should be active server, logging\n- when named first starts.\n- Controls excessive UDP\n- responses, to prevent BIND\n-rate-limit 9 from being used to query\n- amplify reflection denial-\n- of-service (DoS) attacks.\n- Specifies the pathname of\n- the file where the server\n-recursing-file dumps queries that are server\n- currently recursing via\n- rndc_recursing.\n-recursion Defines whether recursion query\n- and caching are allowed.\n- Specifies the maximum\n-recursive-clients number of concurrent query\n- recursive queries the\n- server can perform.\n- Toggles whether dns64\n-recursive-only synthesis occurs only for query\n- recursive queries.\n- Limits the number of\n-referrals-per-second referrals or delegations to query\n- a server for a given\n- domain.\n- Specifies the expected\n-remote-hostname hostname in the TLS security\n- certificate of the remote\n- server.\n- Specifies whether the local\n-request-expire server requests the EDNS transfer, query\n- EXPIRE value, when acting\n- as a secondary.\n- Controls whether a\n- secondary requests an\n-request-ixfr incremental zone transfer transfer\n- (IXFR) or a full zone\n- transfer (AXFR).\n- Controls whether an empty\n- EDNS(0) NSID (Name Server\n- Identifier) option is sent\n-request-nsid with all queries to query\n- authoritative name servers\n- during iterative\n- resolution.\n- Controls whether a valid\n-require-server-cookie server cookie is required query\n- before sending a full\n- response to a UDP request.\n-reserved-sockets Deprecated. deprecated\n- Specifies the number of\n-resolver-nonbackoff-tries retries before exponential deprecated.\n- backoff.\n- Specifies the length of\n- time, in milliseconds, that\n-resolver-query-timeout a resolver attempts to query\n- resolve a recursive query\n- before failing.\n-resolver-retry-interval Sets the base retry deprecated\n- interval (in milliseconds).\n- Adds an EDNS Padding option\n- to encrypted messages, to\n-response-padding reduce the chance of query\n- guessing the contents based\n- on size.\n- Specifies response policy zone, security, server,\n-response-policy zones for the view or among query\n- global options.\n- Limits the number of non-\n-responses-per-second empty responses for a valid query\n- domain name and record\n- type.\n- Increases the amount of\n- time a key remains\n-retire-safety published after it is no dnssec\n- longer active, to allow for\n- unforeseen events.\n-reuseport Enables kernel load- server\n- balancing of sockets.\n- Turns on enforcement of\n- delegation-only in top-\n-root-delegation-only level domains (TLDs) and deprecated\n- root zones with an optional\n- exclude list.\n- Controls whether BIND 9\n-root-key-sentinel responds to root key server\n- sentinel probes.\n- Defines the order in which\n-rrset-order equal RRs (RRsets) are query\n- returned.\n- Specifies whether a\n-search Dynamically Loadable Zone query\n- (DLZ) module is queried for\n- an answer to a query name.\n- Defines a Base64-encoded\n-secret string to be used as the security\n- secret by the algorithm.\n- Specifies the pathname of\n-secroots-file the file where the server dnssec\n- dumps security roots, when\n- using rndc_secroots.\n- Controls whether a COOKIE\n-send-cookie EDNS option is sent along query\n- with a query.\n- Defines an upper limit on\n- the number of queries per\n-serial-query-rate second issued by the transfer\n- server, when querying the\n- SOA RRs used for zone\n- transfers.\n- Specifies the update method\n-serial-update-method to be used for the zone zone\n- serial number in the SOA\n- record.\n- Defines characteristics to\n-server be associated with a remote server\n- name server.\n- Specifies a list of IP\n- addresses to which queries\n-server-addresses should be sent in recursive zone, query\n- resolution for a static-\n- stub zone.\n- Specifies the ID of the\n-server-id server to return in server\n- response to a ID.SERVER\n- query.\n- Specifies a list of domain\n- names of name servers that\n-server-names act as authoritative zone\n- servers of a static-stub\n- zone.\n- Sets the length of time (in\n-servfail-ttl seconds) that a SERVFAIL server\n- response is cached.\n- Specifies the algorithm to\n-session-keyalg use for the TSIG session security\n- key.\n- Specifies the pathname of\n- the file where a TSIG\n-session-keyfile session key is written, security\n- when generated by named for\n- use by nsupdate -l.\n-session-keyname Specifies the key name for security\n- the TSIG session key.\n- Enables or disables session\n-session-tickets resumption through TLS security\n- session tickets.\n-severity Defines the priority level logging\n- of log messages.\n- Specifies the maximum\n- number of nodes to be\n-sig-signing-nodes examined in each quantum, dnssec\n- when signing a zone with a\n- new DNSKEY.\n- Specifies the threshold for\n- the number of signatures\n-sig-signing-signatures that terminates processing dnssec\n- a quantum, when signing a\n- zone with a new DNSKEY.\n- Specifies a private RDATA\n-sig-signing-type type to use when generating dnssec\n- signing-state records.\n- Specifies the maximum\n-sig-validity-interval number of days that RRSIGs dnssec\n- generated by named are\n- valid.\n-signatures-jitter Specifies a range for dnssec\n- signatures expirations.\n-signatures-refresh Specifies how frequently an dnssec\n- RRSIG record is refreshed.\n-signatures-validity Indicates the validity dnssec\n- period of an RRSIG record.\n-signatures-validity-dnskey Indicates the validity dnssec\n- period of DNSKEY records.\n- Sets the number of\n- \"slipped\" responses to\n-slip minimize the use of forged query\n- source addresses for an\n- attack.\n- Controls the ordering of\n-sortlist RRs returned to the client, query\n- based on the client's IP\n- address.\n- Sets the maximum amount of\n-stacksize stack memory that can be deprecated\n- used by the server.\n- Defines the amount of time\n- (in milliseconds) that\n-stale-answer-client-timeout named waits before server, query\n- attempting to answer a\n- query with a stale RRset\n- from cache.\n- Enables the returning of\n-stale-answer-enable \"stale\" cached answers when server, query\n- the name servers for a zone\n- are not answering.\n- Specifies the time to live\n-stale-answer-ttl (TTL) to be returned on query\n- stale answers, in seconds.\n-stale-cache-enable Enables the retention of server, query\n- \"stale\" cached answers.\n- Sets the time window for\n- the return of \"stale\"\n- cached answers before the\n-stale-refresh-time next attempt to contact, if server, query\n- the name servers for a\n- given zone are not\n- responding.\n- Specifies the rate at which\n- NOTIFY requests are sent\n-startup-notify-rate when the name server is transfer, zone\n- first starting, or when new\n- zones have been added.\n- Specifies the communication\n- channels to be used by\n-statistics-channels system administrators to logging\n- access statistics\n- information on the name\n- server.\n- Specifies the pathname of\n-statistics-file the file where the server server, logging\n- appends statistics, when\n- using rndc_stats.\n- Directs the logging channel\n-stderr output to the server's logging\n- standard error stream.\n- Specifies the maximum\n-streams-per-connection number of concurrent HTTP/ server, query\n- 2 streams over an HTTP/\n- 2 connection.\n- Defines trailing bits for\n-suffix mapped IPv4 address bits in query\n- dns64.\n- Enables support for RFC\n-synth-from-dnssec 8198, Aggressive Use of dnssec\n- DNSSEC-Validated Cache.\n-syslog Directs the logging channel logging\n- to the system log.\n- Sets the timeout value (in\n- milliseconds) that the\n-tcp-advertised-timeout server sends in responses query\n- containing the EDNS TCP\n- keepalive option.\n- Specifies the maximum\n-tcp-clients number of simultaneous server\n- client TCP connections\n- accepted by the server.\n- Sets the amount of time (in\n- milliseconds) that the\n- server waits on an idle TCP\n-tcp-idle-timeout connection before closing query\n- it, if the EDNS TCP\n- keepalive option is not in\n- use.\n- Sets the amount of time (in\n- milliseconds) that the\n-tcp-initial-timeout server waits on a new TCP server, query\n- connection for the first\n- message from the client.\n-tcp-keepalive Adds EDNS TCP keepalive to server\n- messages sent over TCP.\n- Sets the amount of time (in\n- milliseconds) that the\n-tcp-keepalive-timeout server waits on an idle TCP query\n- connection before closing\n- it, if the EDNS TCP\n- keepalive option is in use.\n-tcp-listen-queue Sets the listen-queue server\n- depth.\n-tcp-only Sets the transport protocol server\n- to TCP.\n- Sets the operating system's\n-tcp-receive-buffer receive buffer size for TCP server\n- sockets.\n- Sets the operating system's\n-tcp-send-buffer send buffer size for TCP server\n- sockets.\n- Sets the Diffie-Hellman key\n-tkey-dhkey used by the server to deprecated\n- generate shared keys.\n- Sets the domain appended to\n-tkey-domain the names of all shared security\n- keys generated with TKEY.\n- Sets the security\n- credential for\n-tkey-gssapi-credential authentication keys security\n- requested by the GSS-TSIG\n- protocol.\n- Sets the KRB5 keytab file\n-tkey-gssapi-keytab to use for GSS-TSIG security\n- updates.\n-tls Configures a TLS security\n- connection.\n- Specifies the TCP port\n-tls-port number the server uses to server, query\n- receive and send DNS-over-\n- TLS protocol traffic.\n- Controls whether multiple\n-transfer-format records can be packed into transfer\n- a message during zone\n- transfers.\n- Limits the uncompressed\n-transfer-message-size size of DNS messages used transfer\n- in zone transfers over TCP.\n- Defines which local IPv4\n- address(es) are bound to\n-transfer-source TCP connections used to transfer\n- fetch zones transferred\n- inbound by the server.\n- Defines which local IPv6\n- address(es) are bound to\n-transfer-source-v6 TCP connections used to transfer\n- fetch zones transferred\n- inbound by the server.\n- Limits the number of\n-transfers concurrent inbound zone server\n- transfers from a server.\n- Limits the number of\n-transfers-in concurrent inbound zone transfer\n- transfers.\n- Limits the number of\n-transfers-out concurrent outbound zone transfer\n- transfers.\n- Limits the number of\n-transfers-per-ns concurrent inbound zone transfer\n- transfers from a remote\n- server.\n- Instructs named to send\n- specially formed queries\n-trust-anchor-telemetry once per day to domains for dnssec\n- which trust anchors have\n- been configured.\n-trust-anchors Defines DNSSEC trust dnssec\n- anchors.\n-trusted-keys Deprecated, use trust- deprecated\n- anchors.\n- Specifies that BIND 9\n-try-tcp-refresh should attempt to refresh a transfer\n- zone using TCP if UDP\n- queries fail.\n-type Specifies the kind of zone zone\n- in a given configuration.\n- Enforces the delegation-\n-type_delegation-only only status of deprecated\n- infrastructure zones (COM,\n- NET, ORG, etc.).\n- Contains forwarding\n-type_forward statements that apply to zone\n- queries within a given\n- domain.\n- Contains the initial set of\n-type_hint root name servers to be zone\n- used at BIND 9 startup.\n- Contains a DNSSEC-validated\n-type_mirror duplicate of the main data zone\n- for a zone.\n-type_primary Contains the main copy of zone\n- the data for a zone.\n- Contains information to\n-type_redirect answer queries when normal zone\n- resolution would return\n- NXDOMAIN.\n- Contains a duplicate of the\n-type_secondary data for a zone that has zone\n- been transferred from a\n- primary server.\n- Contains a duplicate of the\n- NS records of a primary\n-type_static-stub zone, but statically zone\n- configured rather than\n- transferred from a primary\n- server.\n- Contains a duplicate of the\n-type_stub NS records of a primary zone\n- zone.\n- Sets the operating system's\n-udp-receive-buffer receive buffer size for UDP server\n- sockets.\n- Sets the operating system's\n-udp-send-buffer send buffer size for UDP server\n- sockets.\n- Specifies a Unix domain\n-unix socket as a control server\n- channel.\n- Specifies whether to check\n- the KSK bit to determine\n-update-check-ksk how a key should be used, zone, dnssec\n- when generating RRSIGs for\n- a secure zone.\n- Sets fine-grained rules to\n- allow or deny dynamic\n-update-policy updates (DDNS), based on transfer\n- requester identity, updated\n- content, etc.\n- Specifies the maximum\n-update-quota number of concurrent DNS server\n- UPDATE messages that can be\n- processed by the server.\n- Indicates whether alt-\n-use-alt-transfer-source transfer-source and alt- deprecated\n- transfer-source-v6 can be\n- used.\n- Specifies a list of ports\n-use-v4-udp-ports that are valid sources for deprecated\n- UDP/IPv4 messages.\n- Specifies a list of ports\n-use-v6-udp-ports that are valid sources for deprecated\n- UDP/IPv6 messages.\n- Indicates the number of\n-v6-bias milliseconds of preference server, query\n- to give to IPv6 name\n- servers.\n- Specifies a list of domain\n-validate-except names at and beneath which dnssec\n- DNSSEC validation should\n- not be performed.\n- Specifies the version\n-version number of the server to server\n- return in response to a\n- version.bind query.\n- Allows a name server to\n-view answer a DNS query view\n- differently depending on\n- who is asking.\n- Specifies the length of\n-window time during which responses query\n- are tracked.\n- Specifies whether to set\n- the time to live (TTL) of\n-zero-no-soa-ttl the SOA record to zero, zone, server, query\n- when returning\n- authoritative negative\n- responses to SOA queries.\n- Sets the time to live (TTL)\n-zero-no-soa-ttl-cache to zero when caching a zone, server, query\n- negative response to an SOA\n- query.\n-zone Specifies the zone in a zone\n- BIND 9 configuration.\n- Sets the propagation delay\n- from the time a zone is\n-zone-propagation-delay first updated to when the zone, dnssec\n- new version of the zone is\n- served by all secondary\n- servers.\n- Controls the level of\n-zone-statistics statistics gathered for all zone, logging\n- zones.\n+Statement Description Tags\n+acl Assigns a symbolic name to server\n+ an address match list.\n+algorithm Defines the algorithm to be security\n+ used in a key clause.\n+all-per-second Limits UDP responses of all query\n+ kinds.\n+ Controls the ability to add\n+allow-new-zones zones at runtime via rndc server, zone\n+ addzone.\n+ Defines an\n+ address_match_list that is\n+ allowed to send NOTIFY\n+allow-notify messages for the zone, in transfer\n+ addition to addresses\n+ defined in the primaries\n+ option for the zone.\n+ Specifies which hosts (an\n+allow-query IP address list) are query\n+ allowed to send queries to\n+ this resolver.\n+ Specifies which hosts (an\n+ IP address list) can access\n+allow-query-cache this server's cache and query\n+ thus effectively controls\n+ recursion.\n+ Specifies which hosts (an\n+ IP address list) can access\n+allow-query-cache-on this server's cache. Used query\n+ on servers with multiple\n+ interfaces.\n+ Specifies which local\n+ addresses (an IP address\n+allow-query-on list) are allowed to send query\n+ queries to this resolver.\n+ Used in multi-homed\n+ configurations.\n+ Defines an\n+allow-recursion address_match_list of query\n+ clients that are allowed to\n+ perform recursive queries.\n+ Specifies which local\n+allow-recursion-on addresses can accept server, query\n+ recursive queries.\n+ Defines an\n+ address_match_list of hosts\n+allow-transfer that are allowed to transfer\n+ transfer the zone\n+ information from this\n+ server.\n+ Defines an\n+ address_match_list of hosts\n+allow-update that are allowed to submit transfer\n+ dynamic updates for primary\n+ zones.\n+ Defines an\n+ address_match_list of hosts\n+allow-update-forwarding that are allowed to submit transfer\n+ dynamic updates to a\n+ secondary server for\n+ transmission to a primary.\n+ Defines one or more hosts\n+also-notify that are sent NOTIFY transfer\n+ messages when zone changes\n+ occur.\n+ Defines alternate local\n+ IPv4 address(es) to be used\n+ by the server for inbound\n+alt-transfer-source zone transfers, if the deprecated\n+ address(es) defined by\n+ transfer-source fail and\n+ use-alt-transfer-source is\n+ enabled.\n+ Defines alternate local\n+alt-transfer-source-v6 IPv6 address(es) to be used deprecated\n+ by the server for inbound\n+ zone transfers.\n+ Controls whether COOKIE\n+answer-cookie EDNS replies are sent in query\n+ response to client queries.\n+ Allows multiple views to\n+attach-cache share a single cache view\n+ database.\n+ Controls whether BIND,\n+ acting as a resolver,\n+auth-nxdomain provides authoritative query\n+ NXDOMAIN (domain does not\n+ exist) answers.\n+ Permits varying levels of\n+auto-dnssec automatic DNSSEC key dnssec\n+ management.\n+ Controls the automatic\n+automatic-interface-scan rescanning of network server\n+ interfaces when addresses\n+ are added or removed.\n+ Specifies the range(s) of\n+avoid-v4-udp-ports ports to be excluded from deprecated\n+ use as sources for UDP/IPv4\n+ messages.\n+ Specifies the range(s) of\n+avoid-v6-udp-ports ports to be excluded from deprecated\n+ use as sources for UDP/IPv6\n+ messages.\n+ Specifies the pathname of a\n+bindkeys-file file to override the built- dnssec\n+ in trusted keys provided by\n+ named.\n+ Defines an\n+ address_match_list of hosts\n+blackhole to ignore. The server will query\n+ neither respond to queries\n+ from nor send queries to\n+ these addresses.\n+bogus Allows a remote server to server\n+ be ignored.\n+ Enables dns64 synthesis\n+break-dnssec even if the validated query\n+ result would cause a DNSSEC\n+ validation failure.\n+buffered Controls flushing of log logging\n+ messages.\n+ Specifies the path to a\n+ file containing TLS\n+ca-file certificates for trusted CA server, security\n+ authorities, used to verify\n+ remote peer certificates.\n+catalog-zones Configures catalog zones in zone\n+ named.conf.\n+ Specifies the type of data\n+category logged to a particular logging\n+ channel.\n+ Specifies the path to a\n+cert-file file containing the TLS server, security\n+ certificate for a\n+ connection.\n+ Defines a stream of data\n+channel that can be independently logging\n+ logged.\n+ Checks primary zones for\n+ records that are treated as\n+check-dup-records different by DNSSEC but are query, dnssec\n+ semantically equal in plain\n+ DNS.\n+ Performs post-load zone\n+check-integrity integrity checks on primary zone\n+ zones.\n+ Checks whether an MX record\n+check-mx appears to refer to an IP zone\n+ address.\n+ Sets the response to MX\n+check-mx-cname records that refer to zone\n+ CNAMEs.\n+ Restricts the character set\n+ and syntax of certain\n+check-names domain names in primary server, query\n+ files and/or DNS responses\n+ received from the network.\n+ Specifies whether to check\n+check-sibling for sibling glue when zone\n+ performing integrity\n+ checks.\n+ Specifies whether to check\n+check-spf for a TXT Sender Policy zone\n+ Framework record, if an SPF\n+ record is present.\n+ Sets the response to SRV\n+check-srv-cname records that refer to zone\n+ CNAMEs.\n+check-wildcard Checks for non-terminal zone\n+ wildcards.\n+ciphers Specifies a list of allowed security\n+ ciphers.\n+ Specifies an access control\n+clients list (ACL) of clients that query\n+ are affected by a given\n+ dns64 directive.\n+ Sets the initial minimum\n+ number of simultaneous\n+clients-per-query recursive clients accepted server\n+ by the server for any given\n+ query before the server\n+ drops additional clients.\n+ Specifies control channels\n+controls to be used to manage the server\n+ name server.\n+ Sets the algorithm to be\n+cookie-algorithm used when generating a server\n+ server cookie.\n+ Specifies a shared secret\n+ used for generating and\n+cookie-secret verifying EDNS COOKIE server\n+ options within an anycast\n+ cluster.\n+coresize Sets the maximum size of a deprecated\n+ core dump.\n+ Specifies the type of\n+database database to be used to zone\n+ store zone data.\n+ Sets the maximum amount of\n+datasize data memory that can be deprecated\n+ used by the server.\n+ Indicates that a forward,\n+delegation-only hint, or stub zone is to be deprecated\n+ treated as a delegation-\n+ only type zone.\n+ Rejects A or AAAA records\n+deny-answer-addresses if the corresponding IPv4 query\n+ or IPv6 addresses match a\n+ given address_match_list.\n+ Rejects CNAME or DNAME\n+deny-answer-aliases records if the \"alias\" name query\n+ matches a given list of\n+ domain_name elements.\n+ Specifies the path to a\n+dhparam-file file containing Diffie- server, security\n+ Hellman parameters, for\n+ enabling cipher suites.\n+ Concentrates zone\n+ maintenance so that all\n+dialup transfers take place once deprecated\n+ every heartbeat-interval,\n+ ideally during a single\n+ call.\n+directory Sets the server's working server\n+ directory.\n+disable-algorithms Disables DNSSEC algorithms dnssec\n+ from a specified zone.\n+disable-ds-digests Disables DS digest types dnssec, zone\n+ from a specified zone.\n+disable-empty-zone Disables individual empty server, zone\n+ zones.\n+ Configures a Dynamically\n+dlz Loadable Zone (DLZ) zone\n+ database in named.conf.\n+ Instructs named to return\n+dns64 mapped IPv4 addresses to query\n+ AAAA queries when there are\n+ no AAAA records.\n+dns64-contact Specifies the name of the server\n+ contact for dns64 zones.\n+dns64-server Specifies the name of the server\n+ server for dns64 zones.\n+ Specifies the number of\n+dnskey-sig-validity days in the future when dnssec\n+ automatically generated\n+ DNSSEC signatures expire.\n+ Specifies the time to live\n+dnskey-ttl (TTL) for DNSKEY resource dnssec\n+ records.\n+ Turns on the DNS Response\n+dnsrps-enable Policy Service (DNSRPS) server, security\n+ interface.\n+ Provides additional RPZ\n+ configuration settings,\n+dnsrps-options which are passed to the DNS server, security\n+ Response Policy Service\n+ (DNSRPS) provider library.\n+ Instructs BIND 9 to accept\n+dnssec-accept-expired expired DNSSEC signatures dnssec\n+ when validating.\n+ Specifies that only key-\n+ signing keys are used to\n+dnssec-dnskey-kskonly sign the DNSKEY, CDNSKEY, dnssec\n+ and CDS RRsets at a zone's\n+ apex.\n+ Sets the frequency of\n+dnssec-loadkeys-interval automatic checks of the dnssec\n+ DNSSEC key repository.\n+ Defines hierarchies that\n+dnssec-must-be-secure must or may not be secure deprecated\n+ (signed and validated).\n+dnssec-policy Defines a key and signing dnssec\n+ policy (KASP) for zones.\n+ Allows a dynamic zone to\n+dnssec-secure-to-insecure transition from secure to dnssec\n+ insecure by deleting all\n+ DNSKEY records.\n+ Controls the scheduled\n+dnssec-update-mode maintenance of DNSSEC dnssec\n+ signatures.\n+dnssec-validation Enables DNSSEC validation dnssec\n+ in named.\n+dnstap Enables logging of dnstap logging\n+ messages.\n+ Specifies an identity\n+dnstap-identity string to send in dnstap logging\n+ messages.\n+ Configures the path to\n+dnstap-output which the dnstap frame logging\n+ stream is sent.\n+dnstap-version Specifies a version string logging\n+ to send in dnstap messages.\n+ Sets the Differentiated\n+dscp Services Code Point (DSCP) server, query\n+ value (obsolete).\n+ Specifies host names or\n+dual-stack-servers addresses of machines with server\n+ access to both IPv4 and\n+ IPv6 transports.\n+ Indicates the pathname of\n+dump-file the file where the server logging\n+ dumps the database after\n+ rndc_dumpdb.\n+dyndb Configures a DynDB database zone\n+ in named.conf.\n+edns Controls the use of the server\n+ EDNS0 (RFC_2671) feature.\n+ Sets the maximum advertised\n+ EDNS UDP buffer size to\n+edns-udp-size control the size of packets query\n+ received from authoritative\n+ servers in response to\n+ recursive queries.\n+ Sets the maximum EDNS\n+edns-version VERSION that is sent to the server\n+ server(s) by the resolver.\n+ Specifies the contact name\n+empty-contact in the returned SOA record server, zone\n+ for empty zones.\n+ Specifies the server name\n+empty-server in the returned SOA record server, zone\n+ for empty zones.\n+empty-zones-enable Enables or disables all server, zone\n+ empty zones.\n+ Specifies a list of HTTP\n+endpoints query paths on which to server, query\n+ listen.\n+ Limits the number of errors\n+errors-per-second for a valid domain name and server\n+ record type.\n+ Allows a list of IPv6\n+ addresses to be ignored if\n+exclude they appear in a domain query\n+ name's AAAA records in\n+ dns64.\n+ Exempts specific clients or\n+exempt-clients client groups from rate query\n+ limiting.\n+ Sets the parameters for\n+ dynamic resizing of the\n+fetch-quota-params fetches-per-server quota in server, query\n+ response to detected\n+ congestion.\n+ Sets the maximum number of\n+ simultaneous iterative\n+ queries allowed to be sent\n+fetches-per-server by a server to an upstream server, query\n+ name server before the\n+ server blocks additional\n+ queries.\n+ Sets the maximum number of\n+ simultaneous iterative\n+fetches-per-zone queries allowed to any one server, query\n+ domain before the server\n+ blocks new queries for data\n+ in or beneath that zone.\n+file Specifies the zone's zone\n+ filename.\n+ Sets the maximum number of\n+files files the server may have deprecated\n+ open concurrently.\n+ Controls whether pending\n+flush-zones-on-shutdown zone writes are flushed zone\n+ when the name server exits.\n+ Allows or disallows\n+ fallback to recursion if\n+forward forwarding has failed; it query\n+ is always used in\n+ conjunction with the\n+ forwarders statement.\n+ Defines one or more hosts\n+forwarders to which queries are query\n+ forwarded.\n+ Sets the number of\n+fstrm-set-buffer-hint accumulated bytes in the logging\n+ output buffer before\n+ forcing a buffer flush.\n+ Sets the number of seconds\n+fstrm-set-flush-timeout that unflushed data remains logging\n+ in the output buffer.\n+ Sets the number of queue\n+fstrm-set-input-queue-size entries to allocate for logging\n+ each input queue.\n+ Sets the number of\n+fstrm-set-output-notify- outstanding queue entries\n+threshold allowed on an input queue logging\n+ before waking the I/\n+ O thread.\n+fstrm-set-output-queue- Sets the queuing semantics logging\n+model to use for queue objects.\n+fstrm-set-output-queue- Sets the number of queue\n+size entries allocated for each logging\n+ output queue.\n+ Sets the number of seconds\n+fstrm-set-reopen-interval to wait between attempts to logging\n+ reopen a closed output\n+ stream.\n+ Specifies the directory\n+geoip-directory containing GeoIP database server\n+ files.\n+glue-cache Deprecated. deprecated\n+ Sets the interval at which\n+heartbeat-interval the server performs zone deprecated\n+ maintenance tasks for all\n+ zones marked as dialup.\n+ Specifies the hostname of\n+hostname the server to return in server\n+ response to a hostname.bind\n+ query.\n+ Configures HTTP endpoints\n+http on which to listen for DNS- server, query\n+ over-HTTPS (DoH) queries.\n+ Limits the number of active\n+http-listener-clients concurrent connections on a server\n+ per-listener basis.\n+ Specifies the TCP port\n+ number the server uses to\n+http-port receive and send server, query\n+ unencrypted DNS traffic via\n+ HTTP.\n+http-streams-per- Limits the number of active\n+connection concurrent HTTP/2 streams server\n+ on a per-connection basis.\n+ Specifies the TCP port\n+https-port number the server uses to server, query\n+ receive and send DNS-over-\n+ HTTPS protocol traffic.\n+in-view Specifies the view in which view, zone\n+ a given zone is defined.\n+inet Specifies a TCP socket as a server\n+ control channel.\n+ Specifies whether BIND 9\n+inline-signing maintains a separate signed dnssec, zone\n+ version of a zone.\n+ Sets the interval at which\n+interface-interval the server scans the server\n+ network interface list.\n+ Specifies the prefix\n+ipv4-prefix-length lengths of IPv4 address server\n+ blocks.\n+ Specifies the contact for\n+ipv4only-contact the IPV4ONLY.ARPA zone server\n+ created by dns64.\n+ Enables automatic IPv4\n+ipv4only-enable zones if a dns64 block is query\n+ configured.\n+ Specifies the name of the\n+ipv4only-server server for the server, query\n+ IPV4ONLY.ARPA zone created\n+ by dns64.\n+ Specifies the prefix\n+ipv6-prefix-length lengths of IPv6 address server\n+ blocks.\n+ixfr-from-differences Controls how IXFR transfers transfer\n+ are calculated.\n+ Allows the default\n+journal journal's filename to be zone\n+ overridden.\n+ Defines an\n+ address_match_list of\n+keep-response-order addresses which do not server\n+ accept reordered answers\n+ within a single TCP stream.\n+ Defines a shared secret key\n+key for use with TSIG or the security\n+ command channel.\n+ Indicates the directory\n+key-directory where public and private dnssec\n+ DNSSEC key files are found.\n+ Specifies the path to a\n+key-file file containing the private server, security\n+ TLS key for a connection.\n+ Specifies one or more\n+keys server_key s to be used server, security\n+ with a remote server.\n+lame-ttl Sets the resolver's lame server\n+ cache.\n+ Specifies the IPv4\n+listen-on addresses on which a server server\n+ listens for DNS queries.\n+ Specifies the IPv6\n+listen-on-v6 addresses on which a server server\n+ listens for DNS queries.\n+ Specifies a per-listener\n+listener-clients quota for active server, query\n+ connections.\n+ Sets a maximum size for the\n+lmdb-mapsize memory map of the new-zone server\n+ database in LMDB database\n+ format.\n+ Sets the pathname of the\n+ file on which named\n+lock-file attempts to acquire a file server\n+ lock when starting for the\n+ first time.\n+ Tests rate-limiting\n+log-only parameters without actually query, logging\n+ dropping any requests.\n+logging Configures logging options logging\n+ for the name server.\n+managed-keys Deprecated, use trust- deprecated\n+ anchors.\n+ Specifies the directory in\n+managed-keys-directory which to store the files dnssec\n+ that track managed DNSSEC\n+ keys.\n+ Specifies an access control\n+ list (ACL) of IPv4\n+mapped addresses that are to be query\n+ mapped to the corresponding\n+ A RRset in dns64.\n+masterfile-format Specifies the file format server, zone\n+ of zone files.\n+ Specifies the format of\n+masterfile-style zone files during a dump, server\n+ when the masterfile-format\n+ is text.\n+ Specifies a view of DNS\n+match-clients namespace for a given view\n+ subset of client IP\n+ addresses.\n+ Specifies a view of DNS\n+match-destinations namespace for a given view\n+ subset of destination IP\n+ addresses.\n+ Allows IPv4-mapped IPv6\n+ addresses to match address-\n+match-mapped-addresses match list entries for server\n+ corresponding IPv4\n+ addresses.\n+ Specifies that only\n+match-recursive-only recursive requests can view\n+ match this view of the DNS\n+ namespace.\n+ Sets the maximum amount of\n+ memory to use for an\n+max-cache-size individual cache database server\n+ and its associated\n+ metadata.\n+ Specifies the maximum time\n+max-cache-ttl (in seconds) that the server\n+ server caches ordinary\n+ (positive) answers.\n+ Sets the maximum number of\n+ simultaneous recursive\n+max-clients-per-query clients accepted by the server\n+ server for any given query\n+ before the server drops\n+ additional clients.\n+ Sets the maximum size for\n+max-ixfr-ratio IXFR responses to zone transfer\n+ transfer requests.\n+max-journal-size Controls the size of transfer\n+ journal files.\n+ Specifies the maximum\n+ retention time (in seconds)\n+max-ncache-ttl for storage of negative server\n+ answers in the server's\n+ cache.\n+ Sets the maximum number of\n+max-records records permitted in a server, zone\n+ zone.\n+ Sets the maximum number of\n+max-records-per-type records that can be stored server\n+ in an RRset\n+ Sets the maximum number of\n+ levels of recursion\n+max-recursion-depth permitted at any one time server\n+ while servicing a recursive\n+ query.\n+ Sets the maximum number of\n+max-recursion-queries iterative queries while server, query\n+ servicing a recursive\n+ query.\n+ Limits the zone refresh\n+max-refresh-time interval to no less often transfer\n+ than the specified value,\n+ in seconds.\n+ Limits the zone refresh\n+max-retry-time retry interval to no less transfer\n+ often than the specified\n+ value, in seconds.\n+ Sets the maximum RSA\n+max-rsa-exponent-size exponent size (in bits) query, dnssec\n+ when validating.\n+ Specifies the maximum time\n+ that the server retains\n+max-stale-ttl records past their normal server\n+ expiry, to return them as\n+ stale records.\n+ Sets the maximum size of\n+max-table-size the table used to track server\n+ requests and rate-limit\n+ responses.\n+ Specifies the number of\n+max-transfer-idle-in minutes after which inbound transfer\n+ zone transfers making no\n+ progress are terminated.\n+ Specifies the number of\n+ minutes after which\n+max-transfer-idle-out outbound zone transfers transfer\n+ making no progress are\n+ terminated.\n+ Specifies the number of\n+max-transfer-time-in minutes after which inbound transfer\n+ zone transfers are\n+ terminated.\n+ Specifies the number of\n+max-transfer-time-out minutes after which transfer\n+ outbound zone transfers are\n+ terminated.\n+ Sets the maximum number of\n+max-types-per-name RR types that can be stored server\n+ for an owner name\n+max-udp-size Sets the maximum EDNS UDP query\n+ message size sent by named.\n+ Specifies a maximum\n+max-zone-ttl permissible time-to-live query, zone\n+ (TTL) value, in seconds.\n+ Controls whether memory\n+memstatistics statistics are written to server, logging\n+ the file specified by\n+ memstatistics-file at exit.\n+ Sets the pathname of the\n+memstatistics-file file where the server logging\n+ writes memory usage\n+ statistics on exit.\n+ Controls whether DNS name\n+message-compression compression is used in query\n+ responses to regular\n+ queries.\n+ Specifies the minimum time\n+min-cache-ttl (in seconds) that the server\n+ server caches ordinary\n+ (positive) answers.\n+ Specifies the minimum\n+ retention time (in seconds)\n+min-ncache-ttl for storage of negative server\n+ answers in the server's\n+ cache.\n+ Limits the zone refresh\n+min-refresh-time interval to no more often transfer\n+ than the specified value,\n+ in seconds.\n+ Limits the zone refresh\n+min-retry-time retry interval to no more transfer\n+ often than the specified\n+ value, in seconds.\n+ Sets the minimum size of\n+min-table-size the table used to track query\n+ requests and rate-limit\n+ responses.\n+ Controls whether the server\n+ replies with only one of\n+minimal-any the RRsets for a query query\n+ name, when generating a\n+ positive response to a\n+ query of type ANY over UDP.\n+ Controls whether the server\n+ only adds records to the\n+ authority and additional\n+minimal-responses data sections when they are query\n+ required (e.g. delegations,\n+ negative responses). This\n+ improves server\n+ performance.\n+ Controls whether serial\n+multi-master number mismatch errors are transfer\n+ logged.\n+ Specifies the directory\n+ where configuration\n+new-zones-directory parameters are stored for zone\n+ zones added by rndc\n+ addzone.\n+ Specifies a list of\n+no-case-compress addresses that require server\n+ case-insensitive\n+ compression in responses.\n+ Sets the maximum size of\n+nocookie-udp-size UDP responses that are sent query\n+ to queries without a valid\n+ server COOKIE.\n+ Limits the number of empty\n+nodata-per-second (NODATA) responses for a query\n+ valid domain name.\n+ Controls whether NOTIFY\n+notify messages are sent on zone transfer\n+ changes.\n+ Sets the delay (in seconds)\n+notify-delay between sending sets of transfer, zone\n+ NOTIFY messages for a zone.\n+ Specifies the rate at which\n+notify-rate NOTIFY requests are sent transfer, zone\n+ during normal zone\n+ maintenance operations.\n+ Defines the IPv4 address\n+notify-source (and optional port) to be transfer\n+ used for outgoing NOTIFY\n+ messages.\n+ Defines the IPv6 address\n+notify-source-v6 (and optional port) to be transfer\n+ used for outgoing NOTIFY\n+ messages.\n+ Controls whether the name\n+notify-to-soa servers in the NS RRset are transfer\n+ checked against the SOA\n+ MNAME.\n+ Specifies the use of NSEC3\n+nsec3param instead of NSEC, and sets dnssec\n+ NSEC3 parameters.\n+ Specifies the lifetime, in\n+nta-lifetime seconds, for negative trust dnssec\n+ anchors added via rndc_nta.\n+ Specifies the time interval\n+ for checking whether\n+nta-recheck negative trust anchors dnssec\n+ added via rndc_nta are\n+ still necessary.\n+ Causes all messages sent to\n+null the logging channel to be logging\n+ discarded.\n+ Appends the specified\n+ suffix to the original\n+nxdomain-redirect query name, when replacing query\n+ an NXDOMAIN with a redirect\n+ namespace.\n+ Limits the number of\n+nxdomains-per-second undefined subdomains for a query\n+ valid domain name.\n+options Defines global options to server\n+ be used by BIND 9.\n+ Adds EDNS Padding options\n+padding to outgoing messages to server\n+ increase the packet size.\n+ Sets the time to live (TTL)\n+parent-ds-ttl of the DS RRset used by the dnssec\n+ parent zone.\n+ Sets the propagation delay\n+ from the time the parent\n+parent-propagation-delay zone is updated to when the dnssec, zone\n+ new version is served by\n+ all of the parent zone's\n+ name servers.\n+ Defines a list of\n+parental-agents delegation agents to be zone\n+ used by primary and\n+ secondary zones.\n+ Specifies which local IPv4\n+parental-source source address is used to dnssec\n+ send parental DS queries.\n+ Specifies which local IPv6\n+parental-source-v6 source address is used to dnssec\n+ send parental DS queries.\n+ Specifies the pathname of\n+pid-file the file where the server server\n+ writes its process ID.\n+plugin Configures plugins in server\n+ named.conf.\n+ Specifies the UDP/TCP port\n+port number the server uses to server, query\n+ receive and send DNS\n+ protocol traffic.\n+ Specifies that server\n+prefer-server-ciphers ciphers should be preferred server, security\n+ over client ones.\n+ Controls the order of glue\n+preferred-glue records in an A or AAAA query\n+ response.\n+ Specifies the \"trigger\"\n+prefetch time-to-live (TTL) value at query\n+ which prefetch of the\n+ current query takes place.\n+primaries Defines one or more primary zone\n+ servers for a zone.\n+print-category Includes the category in logging\n+ log messages.\n+print-severity Includes the severity in logging\n+ log messages.\n+print-time Specifies the time format logging\n+ for log messages.\n+ Specifies the allowed\n+protocols versions of the TLS security\n+ protocol.\n+ Controls whether a primary\n+ responds to an incremental\n+provide-ixfr zone request (IXFR) or only transfer\n+ responds with a full zone\n+ transfer (AXFR).\n+ Increases the amount of\n+ time between when keys are\n+publish-safety published and when they dnssec\n+ become active, to allow for\n+ unforeseen events.\n+ Specifies the amount of\n+ time after which DNSSEC\n+purge-keys keys that have been deleted dnssec\n+ from the zone can be\n+ removed from disk.\n+ Controls QNAME minimization\n+qname-minimization behavior in the BIND 9 query\n+ resolver.\n+ Tightens defenses during\n+qps-scale DNS attacks by scaling back query\n+ the ratio of the current\n+ query-per-second rate.\n+ Controls the IPv4 address\n+query-source from which queries are query\n+ issued.\n+ Controls the IPv6 address\n+query-source-v6 from which queries are query\n+ issued.\n+ Specifies whether query\n+querylog logging should be active server, logging\n+ when named first starts.\n+ Controls excessive UDP\n+ responses, to prevent BIND\n+rate-limit 9 from being used to query\n+ amplify reflection denial-\n+ of-service (DoS) attacks.\n+ Specifies the pathname of\n+ the file where the server\n+recursing-file dumps queries that are server\n+ currently recursing via\n+ rndc_recursing.\n+recursion Defines whether recursion query\n+ and caching are allowed.\n+ Specifies the maximum\n+recursive-clients number of concurrent query\n+ recursive queries the\n+ server can perform.\n+ Toggles whether dns64\n+recursive-only synthesis occurs only for query\n+ recursive queries.\n+ Limits the number of\n+referrals-per-second referrals or delegations to query\n+ a server for a given\n+ domain.\n+ Specifies the expected\n+remote-hostname hostname in the TLS security\n+ certificate of the remote\n+ server.\n+ Specifies whether the local\n+request-expire server requests the EDNS query, transfer\n+ EXPIRE value, when acting\n+ as a secondary.\n+ Controls whether a\n+ secondary requests an\n+request-ixfr incremental zone transfer transfer\n+ (IXFR) or a full zone\n+ transfer (AXFR).\n+ Controls whether an empty\n+ EDNS(0) NSID (Name Server\n+ Identifier) option is sent\n+request-nsid with all queries to query\n+ authoritative name servers\n+ during iterative\n+ resolution.\n+ Controls whether a valid\n+require-server-cookie server cookie is required query\n+ before sending a full\n+ response to a UDP request.\n+reserved-sockets Deprecated. deprecated\n+ Specifies the number of\n+resolver-nonbackoff-tries retries before exponential deprecated.\n+ backoff.\n+ Specifies the length of\n+ time, in milliseconds, that\n+resolver-query-timeout a resolver attempts to query\n+ resolve a recursive query\n+ before failing.\n+resolver-retry-interval Sets the base retry deprecated\n+ interval (in milliseconds).\n+ Adds an EDNS Padding option\n+ to encrypted messages, to\n+response-padding reduce the chance of query\n+ guessing the contents based\n+ on size.\n+ Specifies response policy server, query, security,\n+response-policy zones for the view or among zone\n+ global options.\n+ Limits the number of non-\n+responses-per-second empty responses for a valid query\n+ domain name and record\n+ type.\n+ Increases the amount of\n+ time a key remains\n+retire-safety published after it is no dnssec\n+ longer active, to allow for\n+ unforeseen events.\n+reuseport Enables kernel load- server\n+ balancing of sockets.\n+ Turns on enforcement of\n+ delegation-only in top-\n+root-delegation-only level domains (TLDs) and deprecated\n+ root zones with an optional\n+ exclude list.\n+ Controls whether BIND 9\n+root-key-sentinel responds to root key server\n+ sentinel probes.\n+ Defines the order in which\n+rrset-order equal RRs (RRsets) are query\n+ returned.\n+ Specifies whether a\n+search Dynamically Loadable Zone query\n+ (DLZ) module is queried for\n+ an answer to a query name.\n+ Defines a Base64-encoded\n+secret string to be used as the security\n+ secret by the algorithm.\n+ Specifies the pathname of\n+secroots-file the file where the server dnssec\n+ dumps security roots, when\n+ using rndc_secroots.\n+ Controls whether a COOKIE\n+send-cookie EDNS option is sent along query\n+ with a query.\n+ Defines an upper limit on\n+ the number of queries per\n+serial-query-rate second issued by the transfer\n+ server, when querying the\n+ SOA RRs used for zone\n+ transfers.\n+ Specifies the update method\n+serial-update-method to be used for the zone zone\n+ serial number in the SOA\n+ record.\n+ Defines characteristics to\n+server be associated with a remote server\n+ name server.\n+ Specifies a list of IP\n+ addresses to which queries\n+server-addresses should be sent in recursive query, zone\n+ resolution for a static-\n+ stub zone.\n+ Specifies the ID of the\n+server-id server to return in server\n+ response to a ID.SERVER\n+ query.\n+ Specifies a list of domain\n+ names of name servers that\n+server-names act as authoritative zone\n+ servers of a static-stub\n+ zone.\n+ Sets the length of time (in\n+servfail-ttl seconds) that a SERVFAIL server\n+ response is cached.\n+ Specifies the algorithm to\n+session-keyalg use for the TSIG session security\n+ key.\n+ Specifies the pathname of\n+ the file where a TSIG\n+session-keyfile session key is written, security\n+ when generated by named for\n+ use by nsupdate -l.\n+session-keyname Specifies the key name for security\n+ the TSIG session key.\n+ Enables or disables session\n+session-tickets resumption through TLS security\n+ session tickets.\n+severity Defines the priority level logging\n+ of log messages.\n+ Specifies the maximum\n+ number of nodes to be\n+sig-signing-nodes examined in each quantum, dnssec\n+ when signing a zone with a\n+ new DNSKEY.\n+ Specifies the threshold for\n+ the number of signatures\n+sig-signing-signatures that terminates processing dnssec\n+ a quantum, when signing a\n+ zone with a new DNSKEY.\n+ Specifies a private RDATA\n+sig-signing-type type to use when generating dnssec\n+ signing-state records.\n+ Specifies the maximum\n+sig-validity-interval number of days that RRSIGs dnssec\n+ generated by named are\n+ valid.\n+signatures-jitter Specifies a range for dnssec\n+ signatures expirations.\n+signatures-refresh Specifies how frequently an dnssec\n+ RRSIG record is refreshed.\n+signatures-validity Indicates the validity dnssec\n+ period of an RRSIG record.\n+signatures-validity-dnskey Indicates the validity dnssec\n+ period of DNSKEY records.\n+ Sets the number of\n+ \"slipped\" responses to\n+slip minimize the use of forged query\n+ source addresses for an\n+ attack.\n+ Controls the ordering of\n+sortlist RRs returned to the client, query\n+ based on the client's IP\n+ address.\n+ Sets the maximum amount of\n+stacksize stack memory that can be deprecated\n+ used by the server.\n+ Defines the amount of time\n+ (in milliseconds) that\n+stale-answer-client- named waits before server, query\n+timeout attempting to answer a\n+ query with a stale RRset\n+ from cache.\n+ Enables the returning of\n+stale-answer-enable \"stale\" cached answers when server, query\n+ the name servers for a zone\n+ are not answering.\n+ Specifies the time to live\n+stale-answer-ttl (TTL) to be returned on query\n+ stale answers, in seconds.\n+stale-cache-enable Enables the retention of server, query\n+ \"stale\" cached answers.\n+ Sets the time window for\n+ the return of \"stale\"\n+ cached answers before the\n+stale-refresh-time next attempt to contact, if server, query\n+ the name servers for a\n+ given zone are not\n+ responding.\n+ Specifies the rate at which\n+ NOTIFY requests are sent\n+startup-notify-rate when the name server is transfer, zone\n+ first starting, or when new\n+ zones have been added.\n+ Specifies the communication\n+ channels to be used by\n+statistics-channels system administrators to logging\n+ access statistics\n+ information on the name\n+ server.\n+ Specifies the pathname of\n+statistics-file the file where the server server, logging\n+ appends statistics, when\n+ using rndc_stats.\n+ Directs the logging channel\n+stderr output to the server's logging\n+ standard error stream.\n+ Specifies the maximum\n+streams-per-connection number of concurrent HTTP/ server, query\n+ 2 streams over an HTTP/\n+ 2 connection.\n+ Defines trailing bits for\n+suffix mapped IPv4 address bits in query\n+ dns64.\n+ Enables support for RFC\n+synth-from-dnssec 8198, Aggressive Use of dnssec\n+ DNSSEC-Validated Cache.\n+syslog Directs the logging channel logging\n+ to the system log.\n+ Sets the timeout value (in\n+ milliseconds) that the\n+tcp-advertised-timeout server sends in responses query\n+ containing the EDNS TCP\n+ keepalive option.\n+ Specifies the maximum\n+tcp-clients number of simultaneous server\n+ client TCP connections\n+ accepted by the server.\n+ Sets the amount of time (in\n+ milliseconds) that the\n+ server waits on an idle TCP\n+tcp-idle-timeout connection before closing query\n+ it, if the EDNS TCP\n+ keepalive option is not in\n+ use.\n+ Sets the amount of time (in\n+ milliseconds) that the\n+tcp-initial-timeout server waits on a new TCP server, query\n+ connection for the first\n+ message from the client.\n+tcp-keepalive Adds EDNS TCP keepalive to server\n+ messages sent over TCP.\n+ Sets the amount of time (in\n+ milliseconds) that the\n+tcp-keepalive-timeout server waits on an idle TCP query\n+ connection before closing\n+ it, if the EDNS TCP\n+ keepalive option is in use.\n+tcp-listen-queue Sets the listen-queue server\n+ depth.\n+tcp-only Sets the transport protocol server\n+ to TCP.\n+ Sets the operating system's\n+tcp-receive-buffer receive buffer size for TCP server\n+ sockets.\n+ Sets the operating system's\n+tcp-send-buffer send buffer size for TCP server\n+ sockets.\n+ Sets the Diffie-Hellman key\n+tkey-dhkey used by the server to deprecated\n+ generate shared keys.\n+ Sets the domain appended to\n+tkey-domain the names of all shared security\n+ keys generated with TKEY.\n+ Sets the security\n+ credential for\n+tkey-gssapi-credential authentication keys security\n+ requested by the GSS-TSIG\n+ protocol.\n+ Sets the KRB5 keytab file\n+tkey-gssapi-keytab to use for GSS-TSIG security\n+ updates.\n+tls Configures a TLS security\n+ connection.\n+ Specifies the TCP port\n+tls-port number the server uses to server, query\n+ receive and send DNS-over-\n+ TLS protocol traffic.\n+ Controls whether multiple\n+transfer-format records can be packed into transfer\n+ a message during zone\n+ transfers.\n+ Limits the uncompressed\n+transfer-message-size size of DNS messages used transfer\n+ in zone transfers over TCP.\n+ Defines which local IPv4\n+ address(es) are bound to\n+transfer-source TCP connections used to transfer\n+ fetch zones transferred\n+ inbound by the server.\n+ Defines which local IPv6\n+ address(es) are bound to\n+transfer-source-v6 TCP connections used to transfer\n+ fetch zones transferred\n+ inbound by the server.\n+ Limits the number of\n+transfers concurrent inbound zone server\n+ transfers from a server.\n+ Limits the number of\n+transfers-in concurrent inbound zone transfer\n+ transfers.\n+ Limits the number of\n+transfers-out concurrent outbound zone transfer\n+ transfers.\n+ Limits the number of\n+transfers-per-ns concurrent inbound zone transfer\n+ transfers from a remote\n+ server.\n+ Instructs named to send\n+ specially formed queries\n+trust-anchor-telemetry once per day to domains for dnssec\n+ which trust anchors have\n+ been configured.\n+trust-anchors Defines DNSSEC trust dnssec\n+ anchors.\n+trusted-keys Deprecated, use trust- deprecated\n+ anchors.\n+ Specifies that BIND 9\n+try-tcp-refresh should attempt to refresh a transfer\n+ zone using TCP if UDP\n+ queries fail.\n+type Specifies the kind of zone zone\n+ in a given configuration.\n+ Enforces the delegation-\n+type_delegation-only only status of deprecated\n+ infrastructure zones (COM,\n+ NET, ORG, etc.).\n+ Contains forwarding\n+type_forward statements that apply to zone\n+ queries within a given\n+ domain.\n+ Contains the initial set of\n+type_hint root name servers to be zone\n+ used at BIND 9 startup.\n+ Contains a DNSSEC-validated\n+type_mirror duplicate of the main data zone\n+ for a zone.\n+type_primary Contains the main copy of zone\n+ the data for a zone.\n+ Contains information to\n+type_redirect answer queries when normal zone\n+ resolution would return\n+ NXDOMAIN.\n+ Contains a duplicate of the\n+type_secondary data for a zone that has zone\n+ been transferred from a\n+ primary server.\n+ Contains a duplicate of the\n+ NS records of a primary\n+type_static-stub zone, but statically zone\n+ configured rather than\n+ transferred from a primary\n+ server.\n+ Contains a duplicate of the\n+type_stub NS records of a primary zone\n+ zone.\n+ Sets the operating system's\n+udp-receive-buffer receive buffer size for UDP server\n+ sockets.\n+ Sets the operating system's\n+udp-send-buffer send buffer size for UDP server\n+ sockets.\n+ Specifies a Unix domain\n+unix socket as a control server\n+ channel.\n+ Specifies whether to check\n+ the KSK bit to determine\n+update-check-ksk how a key should be used, dnssec, zone\n+ when generating RRSIGs for\n+ a secure zone.\n+ Sets fine-grained rules to\n+ allow or deny dynamic\n+update-policy updates (DDNS), based on transfer\n+ requester identity, updated\n+ content, etc.\n+ Specifies the maximum\n+update-quota number of concurrent DNS server\n+ UPDATE messages that can be\n+ processed by the server.\n+ Indicates whether alt-\n+use-alt-transfer-source transfer-source and alt- deprecated\n+ transfer-source-v6 can be\n+ used.\n+ Specifies a list of ports\n+use-v4-udp-ports that are valid sources for deprecated\n+ UDP/IPv4 messages.\n+ Specifies a list of ports\n+use-v6-udp-ports that are valid sources for deprecated\n+ UDP/IPv6 messages.\n+ Indicates the number of\n+v6-bias milliseconds of preference server, query\n+ to give to IPv6 name\n+ servers.\n+ Specifies a list of domain\n+validate-except names at and beneath which dnssec\n+ DNSSEC validation should\n+ not be performed.\n+ Specifies the version\n+version number of the server to server\n+ return in response to a\n+ version.bind query.\n+ Allows a name server to\n+view answer a DNS query view\n+ differently depending on\n+ who is asking.\n+ Specifies the length of\n+window time during which responses query\n+ are tracked.\n+ Specifies whether to set\n+ the time to live (TTL) of\n+zero-no-soa-ttl the SOA record to zero, server, query, zone\n+ when returning\n+ authoritative negative\n+ responses to SOA queries.\n+ Sets the time to live (TTL)\n+zero-no-soa-ttl-cache to zero when caching a server, query, zone\n+ negative response to an SOA\n+ query.\n+zone Specifies the zone in a zone\n+ BIND 9 configuration.\n+ Sets the propagation delay\n+ from the time a zone is\n+zone-propagation-delay first updated to when the dnssec, zone\n+ new version of the zone is\n+ served by all secondary\n+ servers.\n+ Controls the level of\n+zone-statistics statistics gathered for all logging, zone\n+ zones.\n \n ***** 8.4. Statements by Tag\u00ef\u0083\u0081 *****\n These tables group the various statements permissible in named.conf by their\n corresponding tag.\n **** 8.4.1. DNSSEC Tag Statements\u00ef\u0083\u0081 ****\n Statement Description\n auto-dnssec Permits varying levels of automatic DNSSEC key\n"}]}]}]}]}]}