named.conf
— configuration file for named
named.conf
named.conf is the configuration file
for
named. Statements are enclosed
in braces and terminated with a semi-colon. Clauses in
the statements are also semi-colon terminated. The usual
comment styles are supported:
C style: /* */
C++ style: // to end of line
Unix style: # to end of line
controls�{
inet�(�ipv4_address�|�ipv6_address�|
����*�)�[�port�(�integer�|�*�)�]�allow
����{�address_match_element;�...�}�[
����keys�{�string;�...�}�]�[�read-only
����boolean�];
unix�quoted_string�perm�integer
����owner�integer�group�integer�[
����keys�{�string;�...�}�]�[�read-only
����boolean�];
};
dnssec-policy�string�{
dnskey-ttl�duration;
keys�{�(�csk�|�ksk�|�zsk�)�(�key-directory�)�lifetime�(�duration�|�unlimited�)
����algorithm�integer�[�integer�];�...�};
max-zone-ttl�duration;
parent-ds-ttl�duration;
parent-propagation-delay�duration;
parent-registration-delay�duration;
publish-safety�duration;
retire-safety�duration;
signatures-refresh�duration;
signatures-validity�duration;
signatures-validity-dnskey�duration;
zone-propagation-delay�duration;
};
logging�{
category�string�{�string;�...�};
channel�string�{
buffered�boolean;
file�quoted_string�[�versions�(�unlimited�|�integer�)�]
����[�size�size�]�[�suffix�(�increment�|�timestamp�)�];
null;
print-category�boolean;
print-severity�boolean;
print-time�(�iso8601�|�iso8601-utc�|�local�|�boolean�);
severity�log_severity;
stderr;
syslog�[�syslog_facility�];
};
};
Deprecated - see DNSSEC-KEYS.
managed-keys�{�string�(�static-key
����|�initial-key�|�static-ds�|
����initial-ds�)�integer�integer
����integer�quoted_string;�...�};�deprecated
masters�string�[�port�integer�]�[�dscp
����integer�]�{�(�masters�|�ipv4_address�[
����port�integer�]�|�ipv6_address�[�port
����integer�]�)�[�key�string�];�...�};
options�{
allow-new-zones�boolean;
allow-notify�{�address_match_element;�...�};
allow-query�{�address_match_element;�...�};
allow-query-cache�{�address_match_element;�...�};
allow-query-cache-on�{�address_match_element;�...�};
allow-query-on�{�address_match_element;�...�};
allow-recursion�{�address_match_element;�...�};
allow-recursion-on�{�address_match_element;�...�};
allow-transfer�{�address_match_element;�...�};
allow-update�{�address_match_element;�...�};
allow-update-forwarding�{�address_match_element;�...�};
also-notify�[�port�integer�]�[�dscp�integer�]�{�(�masters�|
����ipv4_address�[�port�integer�]�|�ipv6_address�[�port
����integer�]�)�[�key�string�];�...�};
alt-transfer-source�(�ipv4_address�|�*�)�[�port�(�integer�|�*�)
����]�[�dscp�integer�];
alt-transfer-source-v6�(�ipv6_address�|�*�)�[�port�(�integer�|
����*�)�]�[�dscp�integer�];
answer-cookie�boolean;
attach-cache�string;
auth-nxdomain�boolean;�//�default�changed
auto-dnssec�(�allow�|�maintain�|�off�);
automatic-interface-scan�boolean;
avoid-v4-udp-ports�{�portrange;�...�};
avoid-v6-udp-ports�{�portrange;�...�};
bindkeys-file�quoted_string;
blackhole�{�address_match_element;�...�};
cache-file�quoted_string;
catalog-zones�{�zone�string�[�default-masters�[�port�integer�]
����[�dscp�integer�]�{�(�masters�|�ipv4_address�[�port
����integer�]�|�ipv6_address�[�port�integer�]�)�[�key
����string�];�...�}�]�[�zone-directory�quoted_string�]�[
����in-memory�boolean�]�[�min-update-interval�duration�];�...�};
check-dup-records�(�fail�|�warn�|�ignore�);
check-integrity�boolean;
check-mx�(�fail�|�warn�|�ignore�);
check-mx-cname�(�fail�|�warn�|�ignore�);
check-names�(�primary�|�master�|
����secondary�|�slave�|�response�)�(
����fail�|�warn�|�ignore�);
check-sibling�boolean;
check-spf�(�warn�|�ignore�);
check-srv-cname�(�fail�|�warn�|�ignore�);
check-wildcard�boolean;
clients-per-query�integer;
cookie-algorithm�(�aes�|�siphash24�);
cookie-secret�string;
coresize�(�default�|�unlimited�|�sizeval�);
datasize�(�default�|�unlimited�|�sizeval�);
deny-answer-addresses�{�address_match_element;�...�}�[
����except-from�{�string;�...�}�];
deny-answer-aliases�{�string;�...�}�[�except-from�{�string;�...
����}�];
dialup�(�notify�|�notify-passive�|�passive�|�refresh�|�boolean�);
directory�quoted_string;
disable-algorithms�string�{�string;
����...�};
disable-ds-digests�string�{�string;
����...�};
disable-empty-zone�string;
dns64�netprefix�{
break-dnssec�boolean;
clients�{�address_match_element;�...�};
exclude�{�address_match_element;�...�};
mapped�{�address_match_element;�...�};
recursive-only�boolean;
suffix�ipv6_address;
};
dns64-contact�string;
dns64-server�string;
dnskey-sig-validity�integer;
dnsrps-enable�boolean;
dnsrps-options�{�unspecified-text�};
dnssec-accept-expired�boolean;
dnssec-dnskey-kskonly�boolean;
dnssec-loadkeys-interval�integer;
dnssec-must-be-secure�string�boolean;
dnssec-policy�string;
dnssec-secure-to-insecure�boolean;
dnssec-update-mode�(�maintain�|�no-resign�);
dnssec-validation�(�yes�|�no�|�auto�);
dnstap�{�(�all�|�auth�|�client�|�forwarder�|
����resolver�|�update�)�[�(�query�|�response�)�];
����...�};
dnstap-identity�(�quoted_string�|�none�|
����hostname�);
dnstap-output�(�file�|�unix�)�quoted_string�[
����size�(�unlimited�|�size�)�]�[�versions�(
����unlimited�|�integer�)�]�[�suffix�(�increment
����|�timestamp�)�];
dnstap-version�(�quoted_string�|�none�);
dscp�integer;
dual-stack-servers�[�port�integer�]�{�(�quoted_string�[�port
����integer�]�[�dscp�integer�]�|�ipv4_address�[�port
����integer�]�[�dscp�integer�]�|�ipv6_address�[�port
����integer�]�[�dscp�integer�]�);�...�};
dump-file�quoted_string;
edns-udp-size�integer;
empty-contact�string;
empty-server�string;
empty-zones-enable�boolean;
fetch-quota-params�integer�fixedpoint�fixedpoint�fixedpoint;
fetches-per-server�integer�[�(�drop�|�fail�)�];
fetches-per-zone�integer�[�(�drop�|�fail�)�];
files�(�default�|�unlimited�|�sizeval�);
flush-zones-on-shutdown�boolean;
forward�(�first�|�only�);
forwarders�[�port�integer�]�[�dscp�integer�]�{�(�ipv4_address
����|�ipv6_address�)�[�port�integer�]�[�dscp�integer�];�...�};
fstrm-set-buffer-hint�integer;
fstrm-set-flush-timeout�integer;
fstrm-set-input-queue-size�integer;
fstrm-set-output-notify-threshold�integer;
fstrm-set-output-queue-model�(�mpsc�|�spsc�);
fstrm-set-output-queue-size�integer;
fstrm-set-reopen-interval�duration;
geoip-directory�(�quoted_string�|�none�);
glue-cache�boolean;
heartbeat-interval�integer;
hostname�(�quoted_string�|�none�);
inline-signing�boolean;
interface-interval�duration;
ixfr-from-differences�(�primary�|�master�|�secondary�|�slave�|
����boolean�);
keep-response-order�{�address_match_element;�...�};
key-directory�quoted_string;
lame-ttl�duration;
listen-on�[�port�integer�]�[�dscp
����integer�]�{
����address_match_element;�...�};
listen-on-v6�[�port�integer�]�[�dscp
����integer�]�{
����address_match_element;�...�};
lmdb-mapsize�sizeval;
lock-file�(�quoted_string�|�none�);
managed-keys-directory�quoted_string;
masterfile-format�(�map�|�raw�|�text�);
masterfile-style�(�full�|�relative�);
match-mapped-addresses�boolean;
max-cache-size�(�default�|�unlimited�|�sizeval�|�percentage�);
max-cache-ttl�duration;
max-clients-per-query�integer;
max-journal-size�(�default�|�unlimited�|�sizeval�);
max-ncache-ttl�duration;
max-records�integer;
max-recursion-depth�integer;
max-recursion-queries�integer;
max-refresh-time�integer;
max-retry-time�integer;
max-rsa-exponent-size�integer;
max-stale-ttl�duration;
max-transfer-idle-in�integer;
max-transfer-idle-out�integer;
max-transfer-time-in�integer;
max-transfer-time-out�integer;
max-udp-size�integer;
max-zone-ttl�(�unlimited�|�duration�);
memstatistics�boolean;
memstatistics-file�quoted_string;
message-compression�boolean;
min-cache-ttl�duration;
min-ncache-ttl�duration;
min-refresh-time�integer;
min-retry-time�integer;
minimal-any�boolean;
minimal-responses�(�no-auth�|�no-auth-recursive�|�boolean�);
multi-master�boolean;
new-zones-directory�quoted_string;
no-case-compress�{�address_match_element;�...�};
nocookie-udp-size�integer;
notify�(�explicit�|�master-only�|�boolean�);
notify-delay�integer;
notify-rate�integer;
notify-source�(�ipv4_address�|�*�)�[�port�(�integer�|�*�)�]�[
����dscp�integer�];
notify-source-v6�(�ipv6_address�|�*�)�[�port�(�integer�|�*�)�]
����[�dscp�integer�];
notify-to-soa�boolean;
nta-lifetime�duration;
nta-recheck�duration;
nxdomain-redirect�string;
pid-file�(�quoted_string�|�none�);
port�integer;
preferred-glue�string;
prefetch�integer�[�integer�];
provide-ixfr�boolean;
qname-minimization�(�strict�|�relaxed�|�disabled�|�off�);
query-source�(�(�[�address�]�(�ipv4_address�|�*�)�[�port�(
����integer�|�*�)�]�)�|�(�[�[�address�]�(�ipv4_address�|�*�)�]
����port�(�integer�|�*�)�)�)�[�dscp�integer�];
query-source-v6�(�(�[�address�]�(�ipv6_address�|�*�)�[�port�(
����integer�|�*�)�]�)�|�(�[�[�address�]�(�ipv6_address�|�*�)�]
����port�(�integer�|�*�)�)�)�[�dscp�integer�];
querylog�boolean;
random-device�(�quoted_string�|�none�);
rate-limit�{
all-per-second�integer;
errors-per-second�integer;
exempt-clients�{�address_match_element;�...�};
ipv4-prefix-length�integer;
ipv6-prefix-length�integer;
log-only�boolean;
max-table-size�integer;
min-table-size�integer;
nodata-per-second�integer;
nxdomains-per-second�integer;
qps-scale�integer;
referrals-per-second�integer;
responses-per-second�integer;
slip�integer;
window�integer;
};
recursing-file�quoted_string;
recursion�boolean;
recursive-clients�integer;
request-expire�boolean;
request-ixfr�boolean;
request-nsid�boolean;
require-server-cookie�boolean;
reserved-sockets�integer;
resolver-nonbackoff-tries�integer;
resolver-query-timeout�integer;
resolver-retry-interval�integer;
response-padding�{�address_match_element;�...�}�block-size
����integer;
response-policy�{�zone�string�[�add-soa�boolean�]�[�log
����boolean�]�[�max-policy-ttl�duration�]�[�min-update-interval
����duration�]�[�policy�(�cname�|�disabled�|�drop�|�given�|�no-op
����|�nodata�|�nxdomain�|�passthru�|�tcp-only�quoted_string�)�]�[
����recursive-only�boolean�]�[�nsip-enable�boolean�]�[
����nsdname-enable�boolean�];�...�}�[�add-soa�boolean�]�[
����break-dnssec�boolean�]�[�max-policy-ttl�duration�]�[
����min-update-interval�duration�]�[�min-ns-dots�integer�]�[
����nsip-wait-recurse�boolean�]�[�qname-wait-recurse�boolean�]
����[�recursive-only�boolean�]�[�nsip-enable�boolean�]�[
����nsdname-enable�boolean�]�[�dnsrps-enable�boolean�]�[
����dnsrps-options�{�unspecified-text�}�];
root-delegation-only�[�exclude�{�string;�...�}�];
root-key-sentinel�boolean;
rrset-order�{�[�class�string�]�[�type�string�]�[�name
����quoted_string�]�string�string;�...�};
secroots-file�quoted_string;
send-cookie�boolean;
serial-query-rate�integer;
serial-update-method�(�date�|�increment�|�unixtime�);
server-id�(�quoted_string�|�none�|�hostname�);
servfail-ttl�duration;
session-keyalg�string;
session-keyfile�(�quoted_string�|�none�);
session-keyname�string;
sig-signing-nodes�integer;
sig-signing-signatures�integer;
sig-signing-type�integer;
sig-validity-interval�integer�[�integer�];
sortlist�{�address_match_element;�...�};
stacksize�(�default�|�unlimited�|�sizeval�);
stale-answer-enable�boolean;
stale-answer-ttl�duration;
startup-notify-rate�integer;
statistics-file�quoted_string;
synth-from-dnssec�boolean;
tcp-advertised-timeout�integer;
tcp-clients�integer;
tcp-idle-timeout�integer;
tcp-initial-timeout�integer;
tcp-keepalive-timeout�integer;
tcp-listen-queue�integer;
tkey-dhkey�quoted_string�integer;
tkey-domain�quoted_string;
tkey-gssapi-credential�quoted_string;
tkey-gssapi-keytab�quoted_string;
transfer-format�(�many-answers�|�one-answer�);
transfer-message-size�integer;
transfer-source�(�ipv4_address�|�*�)�[�port�(�integer�|�*�)�]�[
����dscp�integer�];
transfer-source-v6�(�ipv6_address�|�*�)�[�port�(�integer�|�*�)
����]�[�dscp�integer�];
transfers-in�integer;
transfers-out�integer;
transfers-per-ns�integer;
trust-anchor-telemetry�boolean;�//�experimental
try-tcp-refresh�boolean;
update-check-ksk�boolean;
use-alt-transfer-source�boolean;
use-v4-udp-ports�{�portrange;�...�};
use-v6-udp-ports�{�portrange;�...�};
v6-bias�integer;
validate-except�{�string;�...�};
version�(�quoted_string�|�none�);
zero-no-soa-ttl�boolean;
zero-no-soa-ttl-cache�boolean;
zone-statistics�(�full�|�terse�|�none�|�boolean�);
};
server�netprefix�{
bogus�boolean;
edns�boolean;
edns-udp-size�integer;
edns-version�integer;
keys�server_key;
max-udp-size�integer;
notify-source�(�ipv4_address�|�*�)�[�port�(�integer�|�*�)�]�[
����dscp�integer�];
notify-source-v6�(�ipv6_address�|�*�)�[�port�(�integer�|�*�)�]
����[�dscp�integer�];
padding�integer;
provide-ixfr�boolean;
query-source�(�(�[�address�]�(�ipv4_address�|�*�)�[�port�(
����integer�|�*�)�]�)�|�(�[�[�address�]�(�ipv4_address�|�*�)�]
����port�(�integer�|�*�)�)�)�[�dscp�integer�];
query-source-v6�(�(�[�address�]�(�ipv6_address�|�*�)�[�port�(
����integer�|�*�)�]�)�|�(�[�[�address�]�(�ipv6_address�|�*�)�]
����port�(�integer�|�*�)�)�)�[�dscp�integer�];
request-expire�boolean;
request-ixfr�boolean;
request-nsid�boolean;
send-cookie�boolean;
tcp-keepalive�boolean;
tcp-only�boolean;
transfer-format�(�many-answers�|�one-answer�);
transfer-source�(�ipv4_address�|�*�)�[�port�(�integer�|�*�)�]�[
����dscp�integer�];
transfer-source-v6�(�ipv6_address�|�*�)�[�port�(�integer�|�*�)
����]�[�dscp�integer�];
transfers�integer;
};
statistics-channels�{
inet�(�ipv4_address�|�ipv6_address�|
����*�)�[�port�(�integer�|�*�)�]�[
����allow�{�address_match_element;�...
����}�];
};
trust-anchors�{�string�(�static-key�|
����initial-key�|�static-ds�|�initial-ds�)
����integer�integer�integer
����quoted_string;�...�};
Deprecated - see DNSSEC-KEYS.
trusted-keys�{�string�integer
����integer�integer
����quoted_string;�...�};�deprecated
view�string�[�class�]�{
allow-new-zones�boolean;
allow-notify�{�address_match_element;�...�};
allow-query�{�address_match_element;�...�};
allow-query-cache�{�address_match_element;�...�};
allow-query-cache-on�{�address_match_element;�...�};
allow-query-on�{�address_match_element;�...�};
allow-recursion�{�address_match_element;�...�};
allow-recursion-on�{�address_match_element;�...�};
allow-transfer�{�address_match_element;�...�};
allow-update�{�address_match_element;�...�};
allow-update-forwarding�{�address_match_element;�...�};
also-notify�[�port�integer�]�[�dscp�integer�]�{�(�masters�|
����ipv4_address�[�port�integer�]�|�ipv6_address�[�port
����integer�]�)�[�key�string�];�...�};
alt-transfer-source�(�ipv4_address�|�*�)�[�port�(�integer�|�*�)
����]�[�dscp�integer�];
alt-transfer-source-v6�(�ipv6_address�|�*�)�[�port�(�integer�|
����*�)�]�[�dscp�integer�];
attach-cache�string;
auth-nxdomain�boolean;�//�default�changed
auto-dnssec�(�allow�|�maintain�|�off�);
cache-file�quoted_string;
catalog-zones�{�zone�string�[�default-masters�[�port�integer�]
����[�dscp�integer�]�{�(�masters�|�ipv4_address�[�port
����integer�]�|�ipv6_address�[�port�integer�]�)�[�key
����string�];�...�}�]�[�zone-directory�quoted_string�]�[
����in-memory�boolean�]�[�min-update-interval�duration�];�...�};
check-dup-records�(�fail�|�warn�|�ignore�);
check-integrity�boolean;
check-mx�(�fail�|�warn�|�ignore�);
check-mx-cname�(�fail�|�warn�|�ignore�);
check-names�(�primary�|�master�|
����secondary�|�slave�|�response�)�(
����fail�|�warn�|�ignore�);
check-sibling�boolean;
check-spf�(�warn�|�ignore�);
check-srv-cname�(�fail�|�warn�|�ignore�);
check-wildcard�boolean;
clients-per-query�integer;
deny-answer-addresses�{�address_match_element;�...�}�[
����except-from�{�string;�...�}�];
deny-answer-aliases�{�string;�...�}�[�except-from�{�string;�...
����}�];
dialup�(�notify�|�notify-passive�|�passive�|�refresh�|�boolean�);
disable-algorithms�string�{�string;
����...�};
disable-ds-digests�string�{�string;
����...�};
disable-empty-zone�string;
dlz�string�{
database�string;
search�boolean;
};
dns64�netprefix�{
break-dnssec�boolean;
clients�{�address_match_element;�...�};
exclude�{�address_match_element;�...�};
mapped�{�address_match_element;�...�};
recursive-only�boolean;
suffix�ipv6_address;
};
dns64-contact�string;
dns64-server�string;
dnskey-sig-validity�integer;
dnsrps-enable�boolean;
dnsrps-options�{�unspecified-text�};
dnssec-accept-expired�boolean;
dnssec-dnskey-kskonly�boolean;
dnssec-loadkeys-interval�integer;
dnssec-must-be-secure�string�boolean;
dnssec-policy�string;
dnssec-secure-to-insecure�boolean;
dnssec-update-mode�(�maintain�|�no-resign�);
dnssec-validation�(�yes�|�no�|�auto�);
dnstap�{�(�all�|�auth�|�client�|�forwarder�|
����resolver�|�update�)�[�(�query�|�response�)�];
����...�};
dual-stack-servers�[�port�integer�]�{�(�quoted_string�[�port
����integer�]�[�dscp�integer�]�|�ipv4_address�[�port
����integer�]�[�dscp�integer�]�|�ipv6_address�[�port
����integer�]�[�dscp�integer�]�);�...�};
dyndb�string�quoted_string�{
����unspecified-text�};
edns-udp-size�integer;
empty-contact�string;
empty-server�string;
empty-zones-enable�boolean;
fetch-quota-params�integer�fixedpoint�fixedpoint�fixedpoint;
fetches-per-server�integer�[�(�drop�|�fail�)�];
fetches-per-zone�integer�[�(�drop�|�fail�)�];
forward�(�first�|�only�);
forwarders�[�port�integer�]�[�dscp�integer�]�{�(�ipv4_address
����|�ipv6_address�)�[�port�integer�]�[�dscp�integer�];�...�};
glue-cache�boolean;
inline-signing�boolean;
ixfr-from-differences�(�primary�|�master�|�secondary�|�slave�|
����boolean�);
key�string�{
algorithm�string;
secret�string;
};
key-directory�quoted_string;
lame-ttl�duration;
lmdb-mapsize�sizeval;
managed-keys�{�string�(
����static-key�|�initial-key
����|�static-ds�|�initial-ds
����)�integer�integer
����integer
����quoted_string;�...�};�deprecated
masterfile-format�(�map�|�raw�|�text�);
masterfile-style�(�full�|�relative�);
match-clients�{�address_match_element;�...�};
match-destinations�{�address_match_element;�...�};
match-recursive-only�boolean;
max-cache-size�(�default�|�unlimited�|�sizeval�|�percentage�);
max-cache-ttl�duration;
max-clients-per-query�integer;
max-journal-size�(�default�|�unlimited�|�sizeval�);
max-ncache-ttl�duration;
max-records�integer;
max-recursion-depth�integer;
max-recursion-queries�integer;
max-refresh-time�integer;
max-retry-time�integer;
max-stale-ttl�duration;
max-transfer-idle-in�integer;
max-transfer-idle-out�integer;
max-transfer-time-in�integer;
max-transfer-time-out�integer;
max-udp-size�integer;
max-zone-ttl�(�unlimited�|�duration�);
message-compression�boolean;
min-cache-ttl�duration;
min-ncache-ttl�duration;
min-refresh-time�integer;
min-retry-time�integer;
minimal-any�boolean;
minimal-responses�(�no-auth�|�no-auth-recursive�|�boolean�);
multi-master�boolean;
new-zones-directory�quoted_string;
no-case-compress�{�address_match_element;�...�};
nocookie-udp-size�integer;
notify�(�explicit�|�master-only�|�boolean�);
notify-delay�integer;
notify-source�(�ipv4_address�|�*�)�[�port�(�integer�|�*�)�]�[
����dscp�integer�];
notify-source-v6�(�ipv6_address�|�*�)�[�port�(�integer�|�*�)�]
����[�dscp�integer�];
notify-to-soa�boolean;
nta-lifetime�duration;
nta-recheck�duration;
nxdomain-redirect�string;
plugin�(�query�)�string�[�{
����unspecified-text�}�];
preferred-glue�string;
prefetch�integer�[�integer�];
provide-ixfr�boolean;
qname-minimization�(�strict�|�relaxed�|�disabled�|�off�);
query-source�(�(�[�address�]�(�ipv4_address�|�*�)�[�port�(
����integer�|�*�)�]�)�|�(�[�[�address�]�(�ipv4_address�|�*�)�]
����port�(�integer�|�*�)�)�)�[�dscp�integer�];
query-source-v6�(�(�[�address�]�(�ipv6_address�|�*�)�[�port�(
����integer�|�*�)�]�)�|�(�[�[�address�]�(�ipv6_address�|�*�)�]
����port�(�integer�|�*�)�)�)�[�dscp�integer�];
rate-limit�{
all-per-second�integer;
errors-per-second�integer;
exempt-clients�{�address_match_element;�...�};
ipv4-prefix-length�integer;
ipv6-prefix-length�integer;
log-only�boolean;
max-table-size�integer;
min-table-size�integer;
nodata-per-second�integer;
nxdomains-per-second�integer;
qps-scale�integer;
referrals-per-second�integer;
responses-per-second�integer;
slip�integer;
window�integer;
};
recursion�boolean;
request-expire�boolean;
request-ixfr�boolean;
request-nsid�boolean;
require-server-cookie�boolean;
resolver-nonbackoff-tries�integer;
resolver-query-timeout�integer;
resolver-retry-interval�integer;
response-padding�{�address_match_element;�...�}�block-size
����integer;
response-policy�{�zone�string�[�add-soa�boolean�]�[�log
����boolean�]�[�max-policy-ttl�duration�]�[�min-update-interval
����duration�]�[�policy�(�cname�|�disabled�|�drop�|�given�|�no-op
����|�nodata�|�nxdomain�|�passthru�|�tcp-only�quoted_string�)�]�[
����recursive-only�boolean�]�[�nsip-enable�boolean�]�[
����nsdname-enable�boolean�];�...�}�[�add-soa�boolean�]�[
����break-dnssec�boolean�]�[�max-policy-ttl�duration�]�[
����min-update-interval�duration�]�[�min-ns-dots�integer�]�[
����nsip-wait-recurse�boolean�]�[�qname-wait-recurse�boolean�]
����[�recursive-only�boolean�]�[�nsip-enable�boolean�]�[
����nsdname-enable�boolean�]�[�dnsrps-enable�boolean�]�[
����dnsrps-options�{�unspecified-text�}�];
root-delegation-only�[�exclude�{�string;�...�}�];
root-key-sentinel�boolean;
rrset-order�{�[�class�string�]�[�type�string�]�[�name
����quoted_string�]�string�string;�...�};
send-cookie�boolean;
serial-update-method�(�date�|�increment�|�unixtime�);
server�netprefix�{
bogus�boolean;
edns�boolean;
edns-udp-size�integer;
edns-version�integer;
keys�server_key;
max-udp-size�integer;
notify-source�(�ipv4_address�|�*�)�[�port�(�integer�|�*
����)�]�[�dscp�integer�];
notify-source-v6�(�ipv6_address�|�*�)�[�port�(�integer
����|�*�)�]�[�dscp�integer�];
padding�integer;
provide-ixfr�boolean;
query-source�(�(�[�address�]�(�ipv4_address�|�*�)�[�port
����(�integer�|�*�)�]�)�|�(�[�[�address�]�(
����ipv4_address�|�*�)�]�port�(�integer�|�*�)�)�)�[
����dscp�integer�];
query-source-v6�(�(�[�address�]�(�ipv6_address�|�*�)�[
����port�(�integer�|�*�)�]�)�|�(�[�[�address�]�(
����ipv6_address�|�*�)�]�port�(�integer�|�*�)�)�)�[
����dscp�integer�];
request-expire�boolean;
request-ixfr�boolean;
request-nsid�boolean;
send-cookie�boolean;
tcp-keepalive�boolean;
tcp-only�boolean;
transfer-format�(�many-answers�|�one-answer�);
transfer-source�(�ipv4_address�|�*�)�[�port�(�integer�|
����*�)�]�[�dscp�integer�];
transfer-source-v6�(�ipv6_address�|�*�)�[�port�(
����integer�|�*�)�]�[�dscp�integer�];
transfers�integer;
};
servfail-ttl�duration;
sig-signing-nodes�integer;
sig-signing-signatures�integer;
sig-signing-type�integer;
sig-validity-interval�integer�[�integer�];
sortlist�{�address_match_element;�...�};
stale-answer-enable�boolean;
stale-answer-ttl�duration;
synth-from-dnssec�boolean;
transfer-format�(�many-answers�|�one-answer�);
transfer-source�(�ipv4_address�|�*�)�[�port�(�integer�|�*�)�]�[
����dscp�integer�];
transfer-source-v6�(�ipv6_address�|�*�)�[�port�(�integer�|�*�)
����]�[�dscp�integer�];
trust-anchor-telemetry�boolean;�//�experimental
trust-anchors�{�string�(�static-key�|
����initial-key�|�static-ds�|�initial-ds
����)�integer�integer�integer
����quoted_string;�...�};
trusted-keys�{�string
����integer�integer
����integer
����quoted_string;�...�};�deprecated
try-tcp-refresh�boolean;
update-check-ksk�boolean;
use-alt-transfer-source�boolean;
v6-bias�integer;
validate-except�{�string;�...�};
zero-no-soa-ttl�boolean;
zero-no-soa-ttl-cache�boolean;
zone�string�[�class�]�{
allow-notify�{�address_match_element;�...�};
allow-query�{�address_match_element;�...�};
allow-query-on�{�address_match_element;�...�};
allow-transfer�{�address_match_element;�...�};
allow-update�{�address_match_element;�...�};
allow-update-forwarding�{�address_match_element;�...�};
also-notify�[�port�integer�]�[�dscp�integer�]�{�(
����masters�|�ipv4_address�[�port�integer�]�|
����ipv6_address�[�port�integer�]�)�[�key�string�];
����...�};
alt-transfer-source�(�ipv4_address�|�*�)�[�port�(
����integer�|�*�)�]�[�dscp�integer�];
alt-transfer-source-v6�(�ipv6_address�|�*�)�[�port�(
����integer�|�*�)�]�[�dscp�integer�];
auto-dnssec�(�allow�|�maintain�|�off�);
check-dup-records�(�fail�|�warn�|�ignore�);
check-integrity�boolean;
check-mx�(�fail�|�warn�|�ignore�);
check-mx-cname�(�fail�|�warn�|�ignore�);
check-names�(�fail�|�warn�|�ignore�);
check-sibling�boolean;
check-spf�(�warn�|�ignore�);
check-srv-cname�(�fail�|�warn�|�ignore�);
check-wildcard�boolean;
database�string;
delegation-only�boolean;
dialup�(�notify�|�notify-passive�|�passive�|�refresh�|
����boolean�);
dlz�string;
dnskey-sig-validity�integer;
dnssec-dnskey-kskonly�boolean;
dnssec-loadkeys-interval�integer;
dnssec-policy�string;
dnssec-secure-to-insecure�boolean;
dnssec-update-mode�(�maintain�|�no-resign�);
file�quoted_string;
forward�(�first�|�only�);
forwarders�[�port�integer�]�[�dscp�integer�]�{�(
����ipv4_address�|�ipv6_address�)�[�port�integer�]�[
����dscp�integer�];�...�};
in-view�string;
inline-signing�boolean;
ixfr-from-differences�boolean;
journal�quoted_string;
key-directory�quoted_string;
masterfile-format�(�map�|�raw�|�text�);
masterfile-style�(�full�|�relative�);
masters�[�port�integer�]�[�dscp�integer�]�{�(�masters
����|�ipv4_address�[�port�integer�]�|�ipv6_address�[
����port�integer�]�)�[�key�string�];�...�};
max-journal-size�(�default�|�unlimited�|�sizeval�);
max-records�integer;
max-refresh-time�integer;
max-retry-time�integer;
max-transfer-idle-in�integer;
max-transfer-idle-out�integer;
max-transfer-time-in�integer;
max-transfer-time-out�integer;
max-zone-ttl�(�unlimited�|�duration�);
min-refresh-time�integer;
min-retry-time�integer;
multi-master�boolean;
notify�(�explicit�|�master-only�|�boolean�);
notify-delay�integer;
notify-source�(�ipv4_address�|�*�)�[�port�(�integer�|�*
����)�]�[�dscp�integer�];
notify-source-v6�(�ipv6_address�|�*�)�[�port�(�integer
����|�*�)�]�[�dscp�integer�];
notify-to-soa�boolean;
request-expire�boolean;
request-ixfr�boolean;
serial-update-method�(�date�|�increment�|�unixtime�);
server-addresses�{�(�ipv4_address�|�ipv6_address�);�...�};
server-names�{�string;�...�};
sig-signing-nodes�integer;
sig-signing-signatures�integer;
sig-signing-type�integer;
sig-validity-interval�integer�[�integer�];
transfer-source�(�ipv4_address�|�*�)�[�port�(�integer�|
����*�)�]�[�dscp�integer�];
transfer-source-v6�(�ipv6_address�|�*�)�[�port�(
����integer�|�*�)�]�[�dscp�integer�];
try-tcp-refresh�boolean;
type�(�primary�|�master�|�secondary�|�slave�|�mirror�|
����delegation-only�|�forward�|�hint�|�redirect�|
����static-stub�|�stub�);
update-check-ksk�boolean;
update-policy�(�local�|�{�(�deny�|�grant�)�string�(
����6to4-self�|�external�|�krb5-self�|�krb5-selfsub�|
����krb5-subdomain�|�ms-self�|�ms-selfsub�|�ms-subdomain�|
����name�|�self�|�selfsub�|�selfwild�|�subdomain�|�tcp-self
����|�wildcard�|�zonesub�)�[�string�]�rrtypelist;�...�};
use-alt-transfer-source�boolean;
zero-no-soa-ttl�boolean;
zone-statistics�(�full�|�terse�|�none�|�boolean�);
};
zone-statistics�(�full�|�terse�|�none�|�boolean�);
};
zone�string�[�class�]�{
allow-notify�{�address_match_element;�...�};
allow-query�{�address_match_element;�...�};
allow-query-on�{�address_match_element;�...�};
allow-transfer�{�address_match_element;�...�};
allow-update�{�address_match_element;�...�};
allow-update-forwarding�{�address_match_element;�...�};
also-notify�[�port�integer�]�[�dscp�integer�]�{�(�masters�|
����ipv4_address�[�port�integer�]�|�ipv6_address�[�port
����integer�]�)�[�key�string�];�...�};
alt-transfer-source�(�ipv4_address�|�*�)�[�port�(�integer�|�*�)
����]�[�dscp�integer�];
alt-transfer-source-v6�(�ipv6_address�|�*�)�[�port�(�integer�|
����*�)�]�[�dscp�integer�];
auto-dnssec�(�allow�|�maintain�|�off�);
check-dup-records�(�fail�|�warn�|�ignore�);
check-integrity�boolean;
check-mx�(�fail�|�warn�|�ignore�);
check-mx-cname�(�fail�|�warn�|�ignore�);
check-names�(�fail�|�warn�|�ignore�);
check-sibling�boolean;
check-spf�(�warn�|�ignore�);
check-srv-cname�(�fail�|�warn�|�ignore�);
check-wildcard�boolean;
database�string;
delegation-only�boolean;
dialup�(�notify�|�notify-passive�|�passive�|�refresh�|�boolean�);
dlz�string;
dnskey-sig-validity�integer;
dnssec-dnskey-kskonly�boolean;
dnssec-loadkeys-interval�integer;
dnssec-policy�string;
dnssec-secure-to-insecure�boolean;
dnssec-update-mode�(�maintain�|�no-resign�);
file�quoted_string;
forward�(�first�|�only�);
forwarders�[�port�integer�]�[�dscp�integer�]�{�(�ipv4_address
����|�ipv6_address�)�[�port�integer�]�[�dscp�integer�];�...�};
in-view�string;
inline-signing�boolean;
ixfr-from-differences�boolean;
journal�quoted_string;
key-directory�quoted_string;
masterfile-format�(�map�|�raw�|�text�);
masterfile-style�(�full�|�relative�);
masters�[�port�integer�]�[�dscp�integer�]�{�(�masters�|
����ipv4_address�[�port�integer�]�|�ipv6_address�[�port
����integer�]�)�[�key�string�];�...�};
max-journal-size�(�default�|�unlimited�|�sizeval�);
max-records�integer;
max-refresh-time�integer;
max-retry-time�integer;
max-transfer-idle-in�integer;
max-transfer-idle-out�integer;
max-transfer-time-in�integer;
max-transfer-time-out�integer;
max-zone-ttl�(�unlimited�|�duration�);
min-refresh-time�integer;
min-retry-time�integer;
multi-master�boolean;
notify�(�explicit�|�master-only�|�boolean�);
notify-delay�integer;
notify-source�(�ipv4_address�|�*�)�[�port�(�integer�|�*�)�]�[
����dscp�integer�];
notify-source-v6�(�ipv6_address�|�*�)�[�port�(�integer�|�*�)�]
����[�dscp�integer�];
notify-to-soa�boolean;
request-expire�boolean;
request-ixfr�boolean;
serial-update-method�(�date�|�increment�|�unixtime�);
server-addresses�{�(�ipv4_address�|�ipv6_address�);�...�};
server-names�{�string;�...�};
sig-signing-nodes�integer;
sig-signing-signatures�integer;
sig-signing-type�integer;
sig-validity-interval�integer�[�integer�];
transfer-source�(�ipv4_address�|�*�)�[�port�(�integer�|�*�)�]�[
����dscp�integer�];
transfer-source-v6�(�ipv6_address�|�*�)�[�port�(�integer�|�*�)
����]�[�dscp�integer�];
try-tcp-refresh�boolean;
type�(�primary�|�master�|�secondary�|�slave�|�mirror�|
����delegation-only�|�forward�|�hint�|�redirect�|�static-stub�|
����stub�);
update-check-ksk�boolean;
update-policy�(�local�|�{�(�deny�|�grant�)�string�(�6to4-self�|
����external�|�krb5-self�|�krb5-selfsub�|�krb5-subdomain�|�ms-self
����|�ms-selfsub�|�ms-subdomain�|�name�|�self�|�selfsub�|�selfwild
����|�subdomain�|�tcp-self�|�wildcard�|�zonesub�)�[�string�]
����rrtypelist;�...�};
use-alt-transfer-source�boolean;
zero-no-soa-ttl�boolean;
zone-statistics�(�full�|�terse�|�none�|�boolean�);
};
BIND 9.17.1 (Development Release)