key-directory.
│ │ │ │ The following options can be specified in a key-store statement:
Grammar: pkcs11-uri <quoted_string>;
Blocks: key-store
│ │ │ │ -Tags: pkcs11, dnssec
│ │ │ │ +Tags: dnssec, pkcs11
│ │ │ │The uri is a string that specifies a PKCS#11 URI Scheme (defined in
│ │ │ │ RFC 7512). When set, named will try to create keys inside the
│ │ │ │ corresponding PKCS#11 token. This requires BIND to be built with OpenSSL 3,
│ │ │ │ and have a PKCS#11 provider configured.
Grammar: zone-statistics ( full | terse | none | <boolean> );
Blocks: options, view, zone (mirror, primary, redirect, secondary, static-stub, stub)
│ │ │ │ -Tags: logging, zone
│ │ │ │ +Tags: zone, logging
│ │ │ │Controls the level of statistics gathered for all zones.
│ │ │ │ │ │ │ │If full, the server collects statistical data on all zones,
│ │ │ │ unless specifically turned off on a per-zone basis by specifying
│ │ │ │ zone-statistics terse or zone-statistics none in the zone
│ │ │ │ statement. The statistical data includes, for example, DNSSEC signing
│ │ │ │ operations and the number of authoritative answers per query type. The
│ │ │ │ @@ -3637,15 +3637,15 @@
│ │ │ │
Grammar: check-dup-records ( fail | warn | ignore );
Blocks: options, view, zone (primary)
│ │ │ │ -Tags: query, dnssec
│ │ │ │ +Tags: dnssec, query
│ │ │ │Checks primary zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS.
│ │ │ │ │ │ │ │This checks primary zones for records that are treated as different by
│ │ │ │ DNSSEC but are semantically equal in plain DNS. The default is to
│ │ │ │ warn. Other possible values are fail and ignore.
Grammar: zero-no-soa-ttl <boolean>;
Blocks: options, view, zone (mirror, primary, secondary)
│ │ │ │ -Tags: server, query, zone
│ │ │ │ +Tags: zone, query, server
│ │ │ │Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries.
│ │ │ │ │ │ │ │If yes, when returning authoritative negative responses to SOA queries, set
│ │ │ │ the TTL of the SOA record returned in the authority section to zero.
│ │ │ │ The default is yes.
Grammar: zero-no-soa-ttl-cache <boolean>;
Blocks: options, view
│ │ │ │ -Tags: server, query, zone
│ │ │ │ +Tags: zone, query, server
│ │ │ │Sets the time to live (TTL) to zero when caching a negative response to an SOA query.
│ │ │ │ │ │ │ │If yes, when caching a negative response to an SOA query set the TTL to zero.
│ │ │ │ The default is no.
Grammar: notify-rate <integer>;
Blocks: options
│ │ │ │ -Tags: transfer, zone
│ │ │ │ +Tags: zone, transfer
│ │ │ │Specifies the rate at which NOTIFY requests are sent during normal zone maintenance operations.
│ │ │ │ │ │ │ │This specifies the rate at which NOTIFY requests are sent during normal zone │ │ │ │ maintenance operations. (NOTIFY requests due to initial zone loading │ │ │ │ are subject to a separate rate limit; see below.) The default is 20 │ │ │ │ per second. The lowest possible rate is one per second; when set to │ │ │ │ zero, it is silently raised to one.
│ │ │ │Grammar: startup-notify-rate <integer>;
Blocks: options
│ │ │ │ -Tags: transfer, zone
│ │ │ │ +Tags: zone, transfer
│ │ │ │Specifies the rate at which NOTIFY requests are sent when the name server is first starting, or when new zones have been added.
│ │ │ │ │ │ │ │This is the rate at which NOTIFY requests are sent when the name server │ │ │ │ is first starting up, or when zones have been newly added to the │ │ │ │ name server. The default is 20 per second. The lowest possible rate is │ │ │ │ one per second; when set to zero, it is silently raised to one.
│ │ │ │Grammar: max-records <integer>;
Blocks: options, view, zone (mirror, primary, redirect, secondary, static-stub, stub)
│ │ │ │ -Tags: server, zone
│ │ │ │ +Tags: zone, server
│ │ │ │Sets the maximum number of records permitted in a zone.
│ │ │ │ │ │ │ │This sets the maximum number of records permitted in a zone. The default is │ │ │ │ zero, which means the maximum is unlimited.
│ │ │ │Warning
│ │ │ │This option is deprecated and will be removed in a future version of BIND.
│ │ │ │Grammar: sortlist { <address_match_element>; ... }; // deprecated
Blocks: options, view
│ │ │ │ -Tags: query, deprecated
│ │ │ │ +Tags: deprecated, query
│ │ │ │Controls the ordering of RRs returned to the client, based on the client’s IP address.
│ │ │ │ │ │ │ │This option is deprecated and will be removed in a future release.
│ │ │ │The sortlist statement (see below) takes an address_match_list and
│ │ │ │ interprets it in a special way. Each top-level statement in the sortlist
│ │ │ │ must itself be an explicit address_match_list with one or two elements. The
│ │ │ │ first element (which may be an IP address, an IP prefix, an ACL name, or a nested
│ │ │ │ @@ -5895,15 +5895,15 @@
│ │ │ │
Grammar: masterfile-format ( raw | text );
Blocks: options, view, zone (mirror, primary, redirect, secondary, stub)
│ │ │ │ -Tags: server, zone
│ │ │ │ +Tags: zone, server
│ │ │ │Specifies the file format of zone files.
│ │ │ │ │ │ │ │This specifies the file format of zone files (see Additional File Formats
│ │ │ │ for details). The default value is text, which is the standard
│ │ │ │ textual representation, except for secondary zones, in which the default
│ │ │ │ value is raw. Files in formats other than text are typically
│ │ │ │ expected to be generated by the named-compilezone tool, or dumped by
│ │ │ │ @@ -5971,15 +5971,15 @@
│ │ │ │
Grammar: notify-delay <integer>;
Blocks: options, view, zone (mirror, primary, secondary)
│ │ │ │ -Tags: transfer, zone
│ │ │ │ +Tags: zone, transfer
│ │ │ │Sets the delay (in seconds) between sending sets of NOTIFY messages for a zone.
│ │ │ │ │ │ │ │This sets the delay, in seconds, between sending sets of NOTIFY messages │ │ │ │ for a zone. Whenever a NOTIFY message is sent for a zone, a timer will │ │ │ │ be set for this duration. If the zone is updated again before the timer │ │ │ │ expires, the NOTIFY for that update will be postponed. The default is 5 │ │ │ │ seconds.
│ │ │ │ @@ -5988,15 +5988,15 @@ │ │ │ │Grammar: max-rsa-exponent-size <integer>;
Blocks: options
│ │ │ │ -Tags: query, dnssec
│ │ │ │ +Tags: dnssec, query
│ │ │ │Sets the maximum RSA exponent size (in bits) when validating.
│ │ │ │ │ │ │ │This sets the maximum RSA exponent size, in bits, that is accepted when │ │ │ │ validating. Valid values are 35 to 4096 bits. The default, zero, is │ │ │ │ also accepted and is equivalent to 4096.
│ │ │ │Grammar: response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
Blocks: options, view
│ │ │ │ -Tags: security, query, zone, server
│ │ │ │ +Tags: zone, query, security, server
│ │ │ │Specifies response policy zones for the view or among global options.
│ │ │ │ │ │ │ │Response policy zones are named in the response-policy option for
│ │ │ │ the view, or among the global options if there is no response-policy
│ │ │ │ option for the view. Response policy zones are ordinary DNS zones
│ │ │ │ containing RRsets that can be queried normally if allowed. It is usually
│ │ │ │ best to restrict those queries with something like
│ │ │ │ @@ -7126,15 +7126,15 @@
│ │ │ │
Grammar: log-only <boolean>;
Blocks: options.rate-limit, view.rate-limit
│ │ │ │ -Tags: query, logging
│ │ │ │ +Tags: logging, query
│ │ │ │Tests rate-limiting parameters without actually dropping any requests.
│ │ │ │ │ │ │ │Use log-only yes to test rate-limiting parameters without actually
│ │ │ │ dropping any requests.
Responses dropped by rate limits are included in the RateDropped and
│ │ │ │ @@ -9751,15 +9751,15 @@
│ │ │ │
│ │ │ │
│ │ │ │
Grammar: server-addresses { ( <ipv4_address> | <ipv6_address> ); ... };
Blocks: zone (static-stub)
│ │ │ │ -Tags: query, zone
│ │ │ │ +Tags: zone, query
│ │ │ │Specifies a list of IP addresses to which queries should be sent in recursive resolution for a static-stub zone.
│ │ │ │ │ │ │ │This option is only meaningful for static-stub zones. This is a list of IP addresses │ │ │ │ to which queries should be sent in recursive resolution for the zone. │ │ │ │ A non-empty list for this option internally configures the apex │ │ │ │ NS RR with associated glue A or AAAA RRs.
│ │ │ │For example, if “example.com” is configured as a static-stub zone │ │ │ │ @@ -10318,15 +10318,15 @@ │ │ │ │
Defines a stream of data that can be independently logged.
│ │ │ │logging
Checks primary zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS.
│ │ │ │query, dnssec
dnssec, query
Performs post-load zone integrity checks on primary zones.
│ │ │ │zone
Sets a maximum size for the memory map of the new-zone database in LMDB database format.
│ │ │ │server
Tests rate-limiting parameters without actually dropping any requests.
│ │ │ │query, logging
logging, query
Configures logging options for the name server.
│ │ │ │logging
Specifies an access control list (ACL) of IPv4 addresses that are to be mapped to the corresponding A RRset in dns64.
query
Specifies the file format of zone files.
│ │ │ │server, zone
zone, server
Specifies the format of zone files during a dump, when the masterfile-format is text.
server
Specifies the maximum retention time (in seconds) for storage of negative answers in the server's cache.
│ │ │ │server
Sets the maximum number of records permitted in a zone.
│ │ │ │server, zone
zone, server
Sets the maximum number of levels of recursion permitted at any one time while servicing a recursive query.
│ │ │ │server
Limits the zone refresh retry interval to no less often than the specified value, in seconds.
│ │ │ │transfer
Sets the maximum RSA exponent size (in bits) when validating.
│ │ │ │query, dnssec
dnssec, query
Specifies the maximum time that the server retains records past their normal expiry, to return them as stale records.
│ │ │ │server
Controls whether NOTIFY messages are sent on zone changes.
transfer
Sets the delay (in seconds) between sending sets of NOTIFY messages for a zone.
│ │ │ │transfer, zone
zone, transfer
Specifies the rate at which NOTIFY requests are sent during normal zone maintenance operations.
│ │ │ │transfer, zone
zone, transfer
Defines the IPv4 address (and optional port) to be used for outgoing NOTIFY messages.
transfer
Specifies the pathname of the file where the server writes its process ID.
│ │ │ │server
pkcs11, dnssec
dnssec, pkcs11
Configures plugins in named.conf.
server
Adds an EDNS Padding option to encrypted messages, to reduce the chance of guessing the contents based on size.
│ │ │ │query
Specifies response policy zones for the view or among global options.
│ │ │ │security, query, zone, server
zone, query, security, server
Limits the number of non-empty responses for a valid domain name and record type.
│ │ │ │query
Defines characteristics to be associated with a remote name server.
│ │ │ │server
Specifies a list of IP addresses to which queries should be sent in recursive resolution for a static-stub zone.
│ │ │ │query, zone
zone, query
Specifies the ID of the server to return in response to a ID.SERVER query.
server
Sets the number of "slipped" responses to minimize the use of forged source addresses for an attack.
│ │ │ │query
Controls the ordering of RRs returned to the client, based on the client's IP address.
│ │ │ │query, deprecated
deprecated, query
Defines the amount of time (in milliseconds) that named waits before attempting to answer a query with a stale RRset from cache.
query, server
Sets the time window for the return of "stale" cached answers before the next attempt to contact, if the name servers for a given zone are not responding.
│ │ │ │query, server
Specifies the rate at which NOTIFY requests are sent when the name server is first starting, or when new zones have been added.
│ │ │ │transfer, zone
zone, transfer
Specifies the communication channels to be used by system administrators to access statistics information on the name server.
│ │ │ │logging
Specifies the length of time during which responses are tracked.
│ │ │ │query
Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries.
│ │ │ │server, query, zone
zone, query, server
Sets the time to live (TTL) to zero when caching a negative response to an SOA query.
│ │ │ │server, query, zone
zone, query, server
Specifies the zone in a BIND 9 configuration.
│ │ │ │zone
Sets the propagation delay from the time a zone is first updated to when the new version of the zone is served by all secondary servers.
│ │ │ │dnssec, zone
Controls the level of statistics gathered for all zones.
│ │ │ │logging, zone
zone, logging