configuration file for named
/etc/named.conf
The format for this configuration file has changed dramatically in TCP/IP 4.25 because of new features and configurable options in the named utility. For instance:
The named-bootconf utility converts the old BIND 4 format to the new BIND 8 named.conf format.
A sample named.conf file may be found in /etc/config/socket/named.conf. |
Described below are elements used throughout the named configuration file documentation. Elements that are associated with only one statement are described in the statement's section.
address_match_list = 1*address_match_element address_match_element = [ "!" ] ( ip_address / ip_prefix / acl_name / address_match_list)
An address_match_list is a list of elements. The elements can be any of the following:
The ACLs any, none, localhost and localnets are predefined. More information can be found in the description of the acl statement.
Elements can be negated with a leading ``!''.
When a given IP address or prefix is compared to an address match list, the list is traversed in order, and the first match (regardless of negation) is used. The interpretation of a match depends on whether the list is being used for access control or as a topology.
When used as an ACL, a nonnegated match allows access and a negated match denies access. If there's no match, access is denied. The clauses: allow-query, allow-transfer, and allow-update all use address match lists like this. Similarly, the listen-on clause can use negation to define local addresses that shouldn't be used to accept nameserver connections.
When used with the topology clause, a nonnegated match returns a distance based on its position on the list (the closer the match is to the start of the list, the shorter the distance is between it and the server). A negated match will be assigned the maximum distance from the server. If there's no match, the address will get a distance that's further than any nonnegated list element, and closer than any negated element.
Because of the first-match aspect of the algorithm, an element that defines a subset of another element in the list should come before the broader element, regardless of whether either is negated. For example, in:
1.2.3/24; ! 1.2.3.13
the 1.2.3.13 element is completely useless because the algorithm matches any lookup for 1.2.3.13 to the 1.2.3/24 element. Using:
! 1.2.3.13; 1.2.3/24
fixes that problem by having 1.2.3.13 blocked by the negation but all other 1.2.3.* hosts fall through.
The maximum value of size_spec is that of unsigned long integers on the machine. The word unlimited requests unlimited use, or the maximum available amount. The word default uses the limit that was in force when the server was started.
A number can optionally be followed by a scaling factor: K or k for kilobytes, M or m for megabytes, and G or g for gigabytes, which scale by 1024, 1024*1024, and 1024*1024*1024, respectively.
Integer storage overflow is currently silently ignored during conversion of scaled values, resulting in values less than intended, possibly even negative. Using unlimited is the best way to safely set a really large number.
A named configuration consists of statements and comments. Statements end with a semicolon. Many statements contain a block of substatements, which are also terminated with a semicolon. The following statements are supported:
The logging and options statements may occur only once per configuration.
acl name { address_match_list };
The acl statement creates a named address match list. It gets its name from a primary use of address match lists: Access Control Lists (ACLs).
An address match list's name must be defined with acl before it can be used elsewhere; no forward references are allowed. |
The following ACLs are builtin:
include path_name;
The include statement inserts the specified file at the point that the include statement is encountered. It can't be used within another statement, so the following isn't allowed:
acl internal_hosts { "include internal_hosts.acl" }
Use include to break the configuration up into easily-managed chunks. For example the following could be used at the top of a BIND configuration file in order to include any ACL or key information:
include "/etc/security/keys.bind" include "/etc/acls.bind"
Be careful not to type #include as you would in a C program, because # is used to start a comment. |
key key_id { algorithm algorithm_id; secret secret_string; };
where:
The key statement defines a key ID which can be used in a server statement to associate an authentication method with a particular name server. A key ID must be created with the key statement before it can be used in a server definition.
The key statement is intended for future use by the server. It's checked for syntax but is otherwise ignored.
logging { [ channel channel_name { ( file path_name [ versions ( number | unlimited ) ] [ size size_spec ] | syslog ( kern | user | mail | daemon | auth | syslog | lpr | news | uucp | cron | authpriv | ftp | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 ) | null ); [ severity ( critical | error | warning | notice | info | debug [ level ] | dynamic ); ] [ print-category yes_or_no; ] [ print-severity yes_or_no; ] [ print-time yes_or_no; ] }; ] [ category category_name { channel_name; [ channel_name; ... ] }; ] ... };
The logging statement configures a wide variety of logging options for the nameserver. Its channel phrase associates output methods, format options and severity levels with a name that can then be used with the category phrase to select how various classes of messages are logged.
Only one logging statement is used to define as many channels and categories as are wanted. If there are multiple logging statements in a configuration, the first defined determines the logging, and warnings are issued for the others. If there's no logging statement, the logging configuration will be:
logging { category default { default_syslog; default_debug; }; category panic { default_syslog; default_stderr; }; category packet { default_debug; }; category eventlib { default_debug; }; };
All log output goes to one or more ``channels.'' You can make as many of them as you want.
Every channel definition must include a clause that says whether messages selected for the channel go to a file, to a particular syslog() facility, or are discarded. Also, it can optionally limit the message severity level that will be accepted by the channel (the default is info), and whether to include a named-generated time stamp, the category name and/or severity level (the default is not to include any).
The word NULL as the destination option for the channel will cause all messages sent to it to be discarded; other options for the channel are meaningless.
The file clause can include limitations both on how large the file is allowed to become, and how many versions of the file will be saved each time the file is opened.
The size option for files is simply a hard ceiling on log growth. If the file ever exceeds the size, then named will just not write anything more to it until the file is reopened; exceeding the size doesn't automatically trigger a reopen. The default behavior is to not limit the size of the file.
If you use the version logfile option, then named will retain that many backup versions of the file by renaming them when opening. For example, if you choose to keep three old versions of the file lamers.log then just before it's opened lamers.log.1 is renamed to lames.log.2, lamers.log.0 is renamed to lamers.log.1, and lamers.log is renamed to lamers.log.0. No rolled versions are kept by default. The unlimited keyword is synonymous with 99 in current releases.
The argument for the syslog clause is a syslog() facility as described in the syslog() function page. How syslogd will handle messages sent to this facility is described in the syslogd utility page.
The severity clause works like syslog()'s ``priorities,'' except that they can also be used if you are writing straight to a file rather than using syslog(). Messages that aren't at least of the severity level given will not be selected for the channel; messages of higher severity levels will be accepted.
If you're using syslog(), the /etc/syslog.conf priorities will also determine what eventually passes through. For example, defining a channel facility and severity as daemon and debug but only logging daemon.warning via /etc/syslog.conf will cause messages of severity info and notice to be dropped. If the situation were reversed, with named writing messages of only warning or higher, then syslogd would print all messages it received from the channel.
The server can supply extensive debugging information when it's in debugging mode. If the server's global debug level is greater than zero, then debugging mode will be active. The global debug level is set either by starting the server with the -d flag followed by a positive integer, or by sending the server the SIGUSR1 signal (for example, by using ndc trace). The global debug level can be set to zero, and debugging mode turned off, by sending the server the SIGUSR2 signal (ndc notrace). All debugging messages in the server have a debug level, and higher debug levels give more more detailed output. Channels that specify a specific debug severity, for example:
channel specific_debug_level { file "foo"; severity debug 3; };
will get debugging output of level 3 or less any time the server is in debugging mode, regardless of the global debugging level. Channels with dynamic severity use the server's global level to determine what messages to print.
If print-time has been turned on, then the date and time will be logged. It may also be specified for a syslog() channel, but is usually pointless since syslog() also prints the date and time. If print-category is requested, then the category of the message will be logged as well. Finally, if print-severity is on, then the severity level of the message will be logged. The print- options may be used in any combination, and will always be printed in the following order: time, category, severity. Here is an example where all three print- options are on:
28-Apr-1997 15:05:32.863 default: notice: Ready to answer queries.
There are four predefined channels that are used for named's default logging as follows. How they are used used is described in the next section, the category phrase.
channel default_syslog { syslog daemon; # send to syslog()'s daemon facility severity info; # only send priority info and higher }; channel default_debug { file "named.run"; # write to named.run in the working directory # Note: stderr is used instead of named.run # if the server is started with the -f option. severity dynamic; # log at the server's current debug level }; channel default_stderr { # writes to stderr file "<stderr>"; # this is illustrative only; there's currently # no way of specifying an internal file # descriptor in the configuration language. severity info; # only send priority info and higher }; channel null { null; # toss anything sent to this channel };
Once a channel is defined, it can't be redefined. Thus you can't alter the builtin channels directly, but you can modify the default logging by pointing categories at channels you have defined.
There are many categories, so you can send the logs you want to see wherever you want, without seeing logs you don't want. If you don't specify a list of channels for a category, then log messages in that category will be sent to the default category instead. If you don't specify a default category, the following ``default default'' is used:
category default { default_syslog; default_debug; };
As an example, let's say you want to log security events to a file, but you also want keep the default logging behavior. You'd specify the following:
channel my_security_channel { file "my_security_file"; severity info; }; category security { my_security_channel; default_syslog; default_debug; };
To discard all messages in a category, specify the null channel:
category lame-servers { null; }; category cname { null; };
The following categories are available:
category default { default_syslog; default_debug; };
category eventlib { default_debug; };
category packet { default_debug; };
category panic { default_syslog; default_stderr; };
options { [ directory path_name; ] [ named-xfer path_name; ] [ dump-file path_name; ] [ memstatistics-file path_name; ] [ pid-file path_name; ] [ statistics-file path_name; ] [ auth-nxdomain yes_or_no; ] [ deallocate-on-exit yes_or_no; ] [ fake-iquery yes_or_no; ] [ fetch-glue yes_or_no; ] [ host-statistics yes_or_no; ] [ multiple-cnames yes_or_no; ] [ notify yes_or_no; ] [ recursion yes_or_no; ] [ forward ( only | first ); ] [ forwarders { [ ip_addr ; [ ip_addr ; ... ] ] }; ] [ check-names (master | slave | response) (warn | fail | ignore); ] [ allow-query { address_match_list }; ] [ allow-transfer { address_match_list }; ] [ listen-on [ port ip_port ] { address_match_list }; ] [ query-source [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ] ; ] [ max-transfer-time-in number; ] [ transfer-format ( one-answer | many-answers ); ] [ transfers-in number; ] [ transfers-out number; ] [ transfers-per-ns number; ] [ cleaning-interval number; ] [ interface-interval number; ] [ statistics-interval number; ] [ topology { address_match_list }; ] };
The options statement sets up global options to be used by named. This statement may appear only once in a configuration file; if more than one occurrence is found, the first occurrence determines the actual options used, and a warning will be generated. If there's no options statement, an options block with each option set to its default will be used.
The following options are available:
The following options are available:
The forwarding facility can be used to create a large sitewide cache on a few servers, reducing traffic over links to external nameservers. It can also be used to allow queries by servers that don't have direct access to the Internet, but wish to look up exterior names anyway. Forwarding occurs only on those queries for which the server isn't authoritative and doesn't have the answer in its cache.
The server can check domain names based upon their expected client contexts. For example, a domain name used as a hostname can be checked for compliance with the RFCs defining valid hostnames.
Three checking methods are available:
The server can check names in three areas: master zone files, slave zone files, and in responses to queries the server has initiated. If check-names response fail has been specified, and answering the client's question would require sending an invalid name to the client, the server will send a REFUSED response code to the client.
The defaults are:
check-names master fail; check-names slave warn; check-names response ignore;
The check-names option may also be specified in the zone statement, in which case it overrides the options check-names statement. When used in a zone statement, the area isn't specified (because it can be deduced from the zone type).
Access to the server can be restricted based on the IP address of the requesting system. See address_match_list for details on how to specify IP address lists.
The interfaces and ports that the server will answer queries from may be specified using the listen-on option which takes an optional port and an address_match_list. The server will listen on all interfaces allowed by the address match list. If a port isn't specified, port 53 will be used.
Multiple listen-on statements are allowed. For example,
listen-on { 5.6.7.8; };
listen-on port 1234 { !1.2.3.4; 1.2/16; };
If no listen-on is specified, the server will listen on port 53 on all interfaces.
If the server doesn't know the answer to a question, it will query other nameservers. The query-source option specifies the address and port used for such queries. If address is * or is omitted, a wildcard IP address (INADDR_ANY) will be used. If port is * or is omitted, a random unprivileged port will be used. The default is
query-source address * port *;
The query-source option currently applies only to UDP queries; TCP queries always use a wildcard IP address and a random unprivileged port. |
The following options are available:
The following options are available:
All other things being equal, when the server chooses a nameserver to query from a list of nameservers, it prefers the one that is topologically closest to itself. The topology statement takes an address_match_list and interprets it in a special way. Each top-level list element is assigned a distance. Nonnegated elements get a distance based on their position in the list, where the closer the match is to the start of the list, the shorter the distance is between it and the server. A negated match will be assigned the maximum distance from the server. If there's no match, the address will get a distance that's further than any nonnegated list element, and closer than any negated element. For example,
topology { 10/8; !1.2.3/24; { 1.2/16; 3/8; }; };
will prefer servers on network 10 the most, followed by hosts on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the exception of hosts on network 1.2.3 (netmask 255.255.255.0), which is preferred least of all.
The default topology is:
topology { localhost; localnets; };
server ip_addr { [ bogus yes_or_no; ] [ transfers number; ] [ transfer-format ( one-answer | many-answers ); ] [ keys { key_id [key_id ... ] }; ] };
The server statement defines the characteristics to be associated with a remote name server.
If you discover that a server is giving out bad data, marking it as bogus will prevent further queries to it. The default value of bogus is no.
The server supports two zone transfer methods. The one-answer option uses one DNS message per resource record transferred, while the many-answers option packs as many resource records as possible into a message. Although many-answers is more efficient, it's understood only by this release of named. You can specify which method to use for a server with the transfer-format option. If transfer-format isn't specified, the transfer-format specified by the options statement will be used.
The transfers statement will be used in a future release of the server to limit the number of concurrent in-bound zone transfers from the specified server. It's checked for syntax but is otherwise ignored. The keys statement is intended for future use by the server. It's checked for syntax but is otherwise ignored.
zone domain_name [ ( in | hs | hesiod | chaos ) ] { type master; file path_name; [ check-names ( warn | fail | ignore ); ] [ allow-update { address_match_list }; ] [ allow-query { address_match_list }; ] [ allow-transfer { address_match_list }; ] [ notify yes_or_no; ] [ also-notify { ip_addr; [ ip_addr; ... ] }; }; zone domain_name [ ( in | hs | hesiod | chaos ) ] { type ( slave | stub ); [ file path_name; ] masters { ip_addr; [ ip_addr; ... ] }; [ check-names ( warn | fail | ignore ); ] [ allow-update { address_match_list }; ] [ allow-query { address_match_list }; ] [ allow-transfer { address_match_list }; ] [ max-transfer-time-in number; ] [ notify yes_or_no; ] [ also-notify { ip_addr; [ ip_addr; ... ] }; }; zone "." [ ( in | hs | hesiod | chaos ) ] { type hint; file path_name; [ check-names ( warn | fail | ignore ); ] };
The following options are available:
Previous releases of named used the term primary for a master zone, secondary for a slave zone, and cache for a hint zone. |
The zone's name may optionally be followed by a class. If a class isn't specified, class in is used.
The following options are available:
/* This is a comment as in C */ // This is a comment as in C++ # This is a comment as in common Unix shells and perl
Comments may appear anywhere that whitespace may appear in a named configuration file.
C-style comments start with the two characters /* (slash, star) and end with */ (star, slash). Because they are completely delimited with these characters, they can be used to comment a portion of a line or to span multiple lines.
C-style comments can't be nested. For example, the following isn't valid because the entire comment ends with the first */:
/* This is the start of a comment. This is still part of the comment. /* This is an incorrect attempt at nesting a comment. */ This is no longer in any comment. */
C++-style comments start with the two characters // (slash, slash) and continue to the end of the physical line. They can't be continued across multiple physical lines; to have one logical comment span multiple lines, each line must use the // pair. For example:
// This is the start of a comment. The next line // is a new comment, even though it's logically // part of the previous comment.
Shell-style (or perl-style, if you prefer) comments start with the pound sign (#) and continue to the end of the physical line, like C++ comments. For example:
# This is the start of a comment. The next line # is a new comment, even though it's logically # part of the previous comment.
You can't use a semicolon (;) to start a comment such as you would in a zone file. The semicolon indicates the end of a configuration statement, so whatever follows it will be interpreted as the start of the next statement. |
named,
named-bootconf
TCP/IP Network Administration
DNS and BIND by Paul Albitz and Cricket Liu,
O'Reilly & Associates (ISBN 1-56592-010-4)