Provided by: bind9_9.20.0-2ubuntu3_amd64 bug

NAME

       named.conf - configuration file for **named**

SYNOPSIS

       named.conf

DESCRIPTION

       named.conf is the configuration file for named.

       For  complete  documentation  about  the  configuration  statements,  please  refer to the
       Configuration Reference section in the BIND 9 Administrator Reference Manual.

       Statements are enclosed in braces and  terminated  with  a  semi-colon.   Clauses  in  the
       statements are also semi-colon terminated. The usual comment styles are supported:

       C style: /* */

       C++ style: // to end of line

       Unix style: # to end of line

          acl <string> { <address_match_element>; ... }; // may occur multiple times

          controls {
               inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
               unix <quoted_string> perm <integer> owner <integer> group <integer> [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
          }; // may occur multiple times

          dlz <string> {
               database <string>;
               search <boolean>;
          }; // may occur multiple times

          dnssec-policy <string> {
               cdnskey <boolean>;
               cds-digest-types { <string>; ... };
               dnskey-ttl <duration>;
               inline-signing <boolean>;
               keys { ( csk | ksk | zsk ) [ key-directory | key-store <string> ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
               max-zone-ttl <duration>;
               nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ];
               parent-ds-ttl <duration>;
               parent-propagation-delay <duration>;
               publish-safety <duration>;
               purge-keys <duration>;
               retire-safety <duration>;
               signatures-jitter <duration>;
               signatures-refresh <duration>;
               signatures-validity <duration>;
               signatures-validity-dnskey <duration>;
               zone-propagation-delay <duration>;
          }; // may occur multiple times

          dyndb <string> <quoted_string> { <unspecified-text> }; // may occur multiple times

          http <string> {
               endpoints { <quoted_string>; ... };
               listener-clients <integer>;
               streams-per-connection <integer>;
          }; // may occur multiple times

          key <string> {
               algorithm <string>;
               secret <string>;
          }; // may occur multiple times

          key-store <string> {
               directory <string>;
               pkcs11-uri <quoted_string>;
          }; // may occur multiple times

          logging {
               category <string> { <string>; ... }; // may occur multiple times
               channel <string> {
                    buffered <boolean>;
                    file <quoted_string> [ versions ( unlimited | <integer> ) ] [ size <size> ] [ suffix ( increment | timestamp ) ];
                    null;
                    print-category <boolean>;
                    print-severity <boolean>;
                    print-time ( iso8601 | iso8601-utc | local | <boolean> );
                    severity <log_severity>;
                    stderr;
                    syslog [ <syslog_facility> ];
               }; // may occur multiple times
          };

          managed-keys { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated

          options {
               allow-new-zones <boolean>;
               allow-notify { <address_match_element>; ... };
               allow-proxy { <address_match_element>; ... }; // experimental
               allow-proxy-on { <address_match_element>; ... }; // experimental
               allow-query { <address_match_element>; ... };
               allow-query-cache { <address_match_element>; ... };
               allow-query-cache-on { <address_match_element>; ... };
               allow-query-on { <address_match_element>; ... };
               allow-recursion { <address_match_element>; ... };
               allow-recursion-on { <address_match_element>; ... };
               allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
               allow-update { <address_match_element>; ... };
               allow-update-forwarding { <address_match_element>; ... };
               also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
               answer-cookie <boolean>;
               attach-cache <string>;
               auth-nxdomain <boolean>;
               automatic-interface-scan <boolean>;
               avoid-v4-udp-ports { <portrange>; ... }; // deprecated
               avoid-v6-udp-ports { <portrange>; ... }; // deprecated
               bindkeys-file <quoted_string>; // test only
               blackhole { <address_match_element>; ... };
               catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
               check-dup-records ( fail | warn | ignore );
               check-integrity <boolean>;
               check-mx ( fail | warn | ignore );
               check-mx-cname ( fail | warn | ignore );
               check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
               check-sibling <boolean>;
               check-spf ( warn | ignore );
               check-srv-cname ( fail | warn | ignore );
               check-svcb <boolean>;
               check-wildcard <boolean>;
               clients-per-query <integer>;
               cookie-algorithm ( siphash24 );
               cookie-secret <string>; // may occur multiple times
               deny-answer-addresses { <address_match_element>; ... } [ except-from { <string>; ... } ];
               deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ];
               dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
               directory <quoted_string>;
               disable-algorithms <string> { <string>; ... }; // may occur multiple times
               disable-ds-digests <string> { <string>; ... }; // may occur multiple times
               disable-empty-zone <string>; // may occur multiple times
               dns64 <netprefix> {
                    break-dnssec <boolean>;
                    clients { <address_match_element>; ... };
                    exclude { <address_match_element>; ... };
                    mapped { <address_match_element>; ... };
                    recursive-only <boolean>;
                    suffix <ipv6_address>;
               }; // may occur multiple times
               dns64-contact <string>;
               dns64-server <string>;
               dnskey-sig-validity <integer>; // obsolete
               dnsrps-enable <boolean>; // not configured
               dnsrps-library <quoted_string>; // not configured
               dnsrps-options { <unspecified-text> }; // not configured
               dnssec-accept-expired <boolean>;
               dnssec-dnskey-kskonly <boolean>; // obsolete
               dnssec-loadkeys-interval <integer>;
               dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
               dnssec-policy <string>;
               dnssec-secure-to-insecure <boolean>; // obsolete
               dnssec-update-mode ( maintain | no-resign ); // obsolete
               dnssec-validation ( yes | no | auto );
               dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
               dnstap-identity ( <quoted_string> | none | hostname ); // not configured
               dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited | <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( increment | timestamp ) ]; // not configured
               dnstap-version ( <quoted_string> | none ); // not configured
               dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
               dump-file <quoted_string>;
               edns-udp-size <integer>;
               empty-contact <string>;
               empty-server <string>;
               empty-zones-enable <boolean>;
               fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
               fetches-per-server <integer> [ ( drop | fail ) ];
               fetches-per-zone <integer> [ ( drop | fail ) ];
               flush-zones-on-shutdown <boolean>;
               forward ( first | only );
               forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
               fstrm-set-buffer-hint <integer>; // not configured
               fstrm-set-flush-timeout <integer>; // not configured
               fstrm-set-input-queue-size <integer>; // not configured
               fstrm-set-output-notify-threshold <integer>; // not configured
               fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
               fstrm-set-output-queue-size <integer>; // not configured
               fstrm-set-reopen-interval <duration>; // not configured
               geoip-directory ( <quoted_string> | none );
               heartbeat-interval <integer>; // deprecated
               hostname ( <quoted_string> | none );
               http-listener-clients <integer>;
               http-port <integer>;
               http-streams-per-connection <integer>;
               https-port <integer>;
               interface-interval <duration>;
               ipv4only-contact <string>;
               ipv4only-enable <boolean>;
               ipv4only-server <string>;
               ixfr-from-differences ( primary | master | secondary | slave | <boolean> );
               keep-response-order { <address_match_element>; ... }; // obsolete
               key-directory <quoted_string>;
               lame-ttl <duration>;
               listen-on [ port <integer> ] [ proxy <string> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
               listen-on-v6 [ port <integer> ] [ proxy <string> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
               lmdb-mapsize <sizeval>;
               managed-keys-directory <quoted_string>;
               masterfile-format ( raw | text );
               masterfile-style ( full | relative );
               match-mapped-addresses <boolean>;
               max-cache-size ( default | unlimited | <sizeval> | <percentage> );
               max-cache-ttl <duration>;
               max-clients-per-query <integer>;
               max-ixfr-ratio ( unlimited | <percentage> );
               max-journal-size ( default | unlimited | <sizeval> );
               max-ncache-ttl <duration>;
               max-records <integer>;
               max-records-per-type <integer>;
               max-recursion-depth <integer>;
               max-recursion-queries <integer>;
               max-refresh-time <integer>;
               max-retry-time <integer>;
               max-rsa-exponent-size <integer>;
               max-stale-ttl <duration>;
               max-transfer-idle-in <integer>;
               max-transfer-idle-out <integer>;
               max-transfer-time-in <integer>;
               max-transfer-time-out <integer>;
               max-types-per-name <integer>;
               max-udp-size <integer>;
               max-validation-failures-per-fetch <integer>; // experimental
               max-validations-per-fetch <integer>; // experimental
               max-zone-ttl ( unlimited | <duration> ); // deprecated
               memstatistics <boolean>;
               memstatistics-file <quoted_string>;
               message-compression <boolean>;
               min-cache-ttl <duration>;
               min-ncache-ttl <duration>;
               min-refresh-time <integer>;
               min-retry-time <integer>;
               minimal-any <boolean>;
               minimal-responses ( no-auth | no-auth-recursive | <boolean> );
               multi-master <boolean>;
               new-zones-directory <quoted_string>;
               no-case-compress { <address_match_element>; ... };
               nocookie-udp-size <integer>;
               notify ( explicit | master-only | primary-only | <boolean> );
               notify-delay <integer>;
               notify-rate <integer>;
               notify-source ( <ipv4_address> | * );
               notify-source-v6 ( <ipv6_address> | * );
               notify-to-soa <boolean>;
               nsec3-test-zone <boolean>; // test only
               nta-lifetime <duration>;
               nta-recheck <duration>;
               nxdomain-redirect <string>;
               parental-source ( <ipv4_address> | * );
               parental-source-v6 ( <ipv6_address> | * );
               pid-file ( <quoted_string> | none );
               port <integer>;
               preferred-glue <string>;
               prefetch <integer> [ <integer> ];
               provide-ixfr <boolean>;
               qname-minimization ( strict | relaxed | disabled | off );
               query-source [ address ] ( <ipv4_address> | * );
               query-source-v6 [ address ] ( <ipv6_address> | * );
               querylog <boolean>;
               rate-limit {
                    all-per-second <integer>;
                    errors-per-second <integer>;
                    exempt-clients { <address_match_element>; ... };
                    ipv4-prefix-length <integer>;
                    ipv6-prefix-length <integer>;
                    log-only <boolean>;
                    max-table-size <integer>;
                    min-table-size <integer>;
                    nodata-per-second <integer>;
                    nxdomains-per-second <integer>;
                    qps-scale <integer>;
                    referrals-per-second <integer>;
                    responses-per-second <integer>;
                    slip <integer>;
                    window <integer>;
               };
               recursing-file <quoted_string>;
               recursion <boolean>;
               recursive-clients <integer>;
               request-expire <boolean>;
               request-ixfr <boolean>;
               request-nsid <boolean>;
               require-server-cookie <boolean>;
               resolver-query-timeout <integer>;
               resolver-use-dns64 <boolean>;
               response-padding { <address_match_element>; ... } block-size <integer>;
               response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
               reuseport <boolean>;
               root-key-sentinel <boolean>;
               rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
               secroots-file <quoted_string>;
               send-cookie <boolean>;
               serial-query-rate <integer>;
               serial-update-method ( date | increment | unixtime );
               server-id ( <quoted_string> | none | hostname );
               servfail-ttl <duration>;
               session-keyalg <string>;
               session-keyfile ( <quoted_string> | none );
               session-keyname <string>;
               sig-signing-nodes <integer>;
               sig-signing-signatures <integer>;
               sig-signing-type <integer>;
               sig-validity-interval <integer> [ <integer> ]; // obsolete
               sig0checks-quota <integer>; // experimental
               sig0checks-quota-exempt { <address_match_element>; ... }; // experimental
               sortlist { <address_match_element>; ... }; // deprecated
               stale-answer-client-timeout ( disabled | off | <integer> );
               stale-answer-enable <boolean>;
               stale-answer-ttl <duration>;
               stale-cache-enable <boolean>;
               stale-refresh-time <duration>;
               startup-notify-rate <integer>;
               statistics-file <quoted_string>;
               synth-from-dnssec <boolean>;
               tcp-advertised-timeout <integer>;
               tcp-clients <integer>;
               tcp-idle-timeout <integer>;
               tcp-initial-timeout <integer>;
               tcp-keepalive-timeout <integer>;
               tcp-listen-queue <integer>;
               tcp-receive-buffer <integer>;
               tcp-send-buffer <integer>;
               tkey-domain <quoted_string>;
               tkey-gssapi-credential <quoted_string>;
               tkey-gssapi-keytab <quoted_string>;
               tls-port <integer>;
               transfer-format ( many-answers | one-answer );
               transfer-message-size <integer>;
               transfer-source ( <ipv4_address> | * );
               transfer-source-v6 ( <ipv6_address> | * );
               transfers-in <integer>;
               transfers-out <integer>;
               transfers-per-ns <integer>;
               trust-anchor-telemetry <boolean>;
               try-tcp-refresh <boolean>;
               udp-receive-buffer <integer>;
               udp-send-buffer <integer>;
               update-check-ksk <boolean>; // obsolete
               update-quota <integer>;
               use-v4-udp-ports { <portrange>; ... }; // deprecated
               use-v6-udp-ports { <portrange>; ... }; // deprecated
               v6-bias <integer>;
               validate-except { <string>; ... };
               version ( <quoted_string> | none );
               zero-no-soa-ttl <boolean>;
               zero-no-soa-ttl-cache <boolean>;
               zone-statistics ( full | terse | none | <boolean> );
          };

          parental-agents <string> [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times

          plugin ( query ) <string> [ { <unspecified-text> } ]; // may occur multiple times

          primaries <string> [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times

          server <netprefix> {
               bogus <boolean>;
               edns <boolean>;
               edns-udp-size <integer>;
               edns-version <integer>;
               keys <server_key>;
               max-udp-size <integer>;
               notify-source ( <ipv4_address> | * );
               notify-source-v6 ( <ipv6_address> | * );
               padding <integer>;
               provide-ixfr <boolean>;
               query-source [ address ] ( <ipv4_address> | * );
               query-source-v6 [ address ] ( <ipv6_address> | * );
               request-expire <boolean>;
               request-ixfr <boolean>;
               request-nsid <boolean>;
               require-cookie <boolean>;
               send-cookie <boolean>;
               tcp-keepalive <boolean>;
               tcp-only <boolean>;
               transfer-format ( many-answers | one-answer );
               transfer-source ( <ipv4_address> | * );
               transfer-source-v6 ( <ipv6_address> | * );
               transfers <integer>;
          }; // may occur multiple times

          statistics-channels {
               inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] [ allow { <address_match_element>; ... } ]; // may occur multiple times
          }; // may occur multiple times

          tls <string> {
               ca-file <quoted_string>;
               cert-file <quoted_string>;
               cipher-suites <string>;
               ciphers <string>;
               dhparam-file <quoted_string>;
               key-file <quoted_string>;
               prefer-server-ciphers <boolean>;
               protocols { <string>; ... };
               remote-hostname <quoted_string>;
               session-tickets <boolean>;
          }; // may occur multiple times

          trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times

          trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated

          view <string> [ <class> ] {
               allow-new-zones <boolean>;
               allow-notify { <address_match_element>; ... };
               allow-proxy { <address_match_element>; ... }; // experimental
               allow-proxy-on { <address_match_element>; ... }; // experimental
               allow-query { <address_match_element>; ... };
               allow-query-cache { <address_match_element>; ... };
               allow-query-cache-on { <address_match_element>; ... };
               allow-query-on { <address_match_element>; ... };
               allow-recursion { <address_match_element>; ... };
               allow-recursion-on { <address_match_element>; ... };
               allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
               allow-update { <address_match_element>; ... };
               allow-update-forwarding { <address_match_element>; ... };
               also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
               attach-cache <string>;
               auth-nxdomain <boolean>;
               catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
               check-dup-records ( fail | warn | ignore );
               check-integrity <boolean>;
               check-mx ( fail | warn | ignore );
               check-mx-cname ( fail | warn | ignore );
               check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
               check-sibling <boolean>;
               check-spf ( warn | ignore );
               check-srv-cname ( fail | warn | ignore );
               check-svcb <boolean>;
               check-wildcard <boolean>;
               clients-per-query <integer>;
               deny-answer-addresses { <address_match_element>; ... } [ except-from { <string>; ... } ];
               deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ];
               dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
               disable-algorithms <string> { <string>; ... }; // may occur multiple times
               disable-ds-digests <string> { <string>; ... }; // may occur multiple times
               disable-empty-zone <string>; // may occur multiple times
               dlz <string> {
                    database <string>;
                    search <boolean>;
               }; // may occur multiple times
               dns64 <netprefix> {
                    break-dnssec <boolean>;
                    clients { <address_match_element>; ... };
                    exclude { <address_match_element>; ... };
                    mapped { <address_match_element>; ... };
                    recursive-only <boolean>;
                    suffix <ipv6_address>;
               }; // may occur multiple times
               dns64-contact <string>;
               dns64-server <string>;
               dnskey-sig-validity <integer>; // obsolete
               dnsrps-enable <boolean>; // not configured
               dnsrps-options { <unspecified-text> }; // not configured
               dnssec-accept-expired <boolean>;
               dnssec-dnskey-kskonly <boolean>; // obsolete
               dnssec-loadkeys-interval <integer>;
               dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
               dnssec-policy <string>;
               dnssec-secure-to-insecure <boolean>; // obsolete
               dnssec-update-mode ( maintain | no-resign ); // obsolete
               dnssec-validation ( yes | no | auto );
               dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
               dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
               dyndb <string> <quoted_string> { <unspecified-text> }; // may occur multiple times
               edns-udp-size <integer>;
               empty-contact <string>;
               empty-server <string>;
               empty-zones-enable <boolean>;
               fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
               fetches-per-server <integer> [ ( drop | fail ) ];
               fetches-per-zone <integer> [ ( drop | fail ) ];
               forward ( first | only );
               forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
               ipv4only-contact <string>;
               ipv4only-enable <boolean>;
               ipv4only-server <string>;
               ixfr-from-differences ( primary | master | secondary | slave | <boolean> );
               key <string> {
                    algorithm <string>;
                    secret <string>;
               }; // may occur multiple times
               key-directory <quoted_string>;
               lame-ttl <duration>;
               lmdb-mapsize <sizeval>;
               managed-keys { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
               masterfile-format ( raw | text );
               masterfile-style ( full | relative );
               match-clients { <address_match_element>; ... };
               match-destinations { <address_match_element>; ... };
               match-recursive-only <boolean>;
               max-cache-size ( default | unlimited | <sizeval> | <percentage> );
               max-cache-ttl <duration>;
               max-clients-per-query <integer>;
               max-ixfr-ratio ( unlimited | <percentage> );
               max-journal-size ( default | unlimited | <sizeval> );
               max-ncache-ttl <duration>;
               max-records <integer>;
               max-records-per-type <integer>;
               max-recursion-depth <integer>;
               max-recursion-queries <integer>;
               max-refresh-time <integer>;
               max-retry-time <integer>;
               max-stale-ttl <duration>;
               max-transfer-idle-in <integer>;
               max-transfer-idle-out <integer>;
               max-transfer-time-in <integer>;
               max-transfer-time-out <integer>;
               max-types-per-name <integer>;
               max-udp-size <integer>;
               max-validation-failures-per-fetch <integer>; // experimental
               max-validations-per-fetch <integer>; // experimental
               max-zone-ttl ( unlimited | <duration> ); // deprecated
               message-compression <boolean>;
               min-cache-ttl <duration>;
               min-ncache-ttl <duration>;
               min-refresh-time <integer>;
               min-retry-time <integer>;
               minimal-any <boolean>;
               minimal-responses ( no-auth | no-auth-recursive | <boolean> );
               multi-master <boolean>;
               new-zones-directory <quoted_string>;
               no-case-compress { <address_match_element>; ... };
               nocookie-udp-size <integer>;
               notify ( explicit | master-only | primary-only | <boolean> );
               notify-delay <integer>;
               notify-source ( <ipv4_address> | * );
               notify-source-v6 ( <ipv6_address> | * );
               notify-to-soa <boolean>;
               nsec3-test-zone <boolean>; // test only
               nta-lifetime <duration>;
               nta-recheck <duration>;
               nxdomain-redirect <string>;
               parental-source ( <ipv4_address> | * );
               parental-source-v6 ( <ipv6_address> | * );
               plugin ( query ) <string> [ { <unspecified-text> } ]; // may occur multiple times
               preferred-glue <string>;
               prefetch <integer> [ <integer> ];
               provide-ixfr <boolean>;
               qname-minimization ( strict | relaxed | disabled | off );
               query-source [ address ] ( <ipv4_address> | * );
               query-source-v6 [ address ] ( <ipv6_address> | * );
               rate-limit {
                    all-per-second <integer>;
                    errors-per-second <integer>;
                    exempt-clients { <address_match_element>; ... };
                    ipv4-prefix-length <integer>;
                    ipv6-prefix-length <integer>;
                    log-only <boolean>;
                    max-table-size <integer>;
                    min-table-size <integer>;
                    nodata-per-second <integer>;
                    nxdomains-per-second <integer>;
                    qps-scale <integer>;
                    referrals-per-second <integer>;
                    responses-per-second <integer>;
                    slip <integer>;
                    window <integer>;
               };
               recursion <boolean>;
               request-expire <boolean>;
               request-ixfr <boolean>;
               request-nsid <boolean>;
               require-server-cookie <boolean>;
               resolver-query-timeout <integer>;
               resolver-use-dns64 <boolean>;
               response-padding { <address_match_element>; ... } block-size <integer>;
               response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
               root-key-sentinel <boolean>;
               rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
               send-cookie <boolean>;
               serial-update-method ( date | increment | unixtime );
               server <netprefix> {
                    bogus <boolean>;
                    edns <boolean>;
                    edns-udp-size <integer>;
                    edns-version <integer>;
                    keys <server_key>;
                    max-udp-size <integer>;
                    notify-source ( <ipv4_address> | * );
                    notify-source-v6 ( <ipv6_address> | * );
                    padding <integer>;
                    provide-ixfr <boolean>;
                    query-source [ address ] ( <ipv4_address> | * );
                    query-source-v6 [ address ] ( <ipv6_address> | * );
                    request-expire <boolean>;
                    request-ixfr <boolean>;
                    request-nsid <boolean>;
                    require-cookie <boolean>;
                    send-cookie <boolean>;
                    tcp-keepalive <boolean>;
                    tcp-only <boolean>;
                    transfer-format ( many-answers | one-answer );
                    transfer-source ( <ipv4_address> | * );
                    transfer-source-v6 ( <ipv6_address> | * );
                    transfers <integer>;
               }; // may occur multiple times
               servfail-ttl <duration>;
               sig-signing-nodes <integer>;
               sig-signing-signatures <integer>;
               sig-signing-type <integer>;
               sig-validity-interval <integer> [ <integer> ]; // obsolete
               sortlist { <address_match_element>; ... }; // deprecated
               stale-answer-client-timeout ( disabled | off | <integer> );
               stale-answer-enable <boolean>;
               stale-answer-ttl <duration>;
               stale-cache-enable <boolean>;
               stale-refresh-time <duration>;
               synth-from-dnssec <boolean>;
               transfer-format ( many-answers | one-answer );
               transfer-source ( <ipv4_address> | * );
               transfer-source-v6 ( <ipv6_address> | * );
               trust-anchor-telemetry <boolean>;
               trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
               trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
               try-tcp-refresh <boolean>;
               update-check-ksk <boolean>; // obsolete
               v6-bias <integer>;
               validate-except { <string>; ... };
               zero-no-soa-ttl <boolean>;
               zero-no-soa-ttl-cache <boolean>;
               zone-statistics ( full | terse | none | <boolean> );
          }; // may occur multiple times

       Any of these zone statements can also be set inside the view statement.

          zone <string> [ <class> ] {
               type primary;
               allow-query { <address_match_element>; ... };
               allow-query-on { <address_match_element>; ... };
               allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
               allow-update { <address_match_element>; ... };
               also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
               check-dup-records ( fail | warn | ignore );
               check-integrity <boolean>;
               check-mx ( fail | warn | ignore );
               check-mx-cname ( fail | warn | ignore );
               check-names ( fail | warn | ignore );
               check-sibling <boolean>;
               check-spf ( warn | ignore );
               check-srv-cname ( fail | warn | ignore );
               check-svcb <boolean>;
               check-wildcard <boolean>;
               checkds ( explicit | <boolean> );
               database <string>;
               dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
               dlz <string>;
               dnskey-sig-validity <integer>; // obsolete
               dnssec-dnskey-kskonly <boolean>; // obsolete
               dnssec-loadkeys-interval <integer>;
               dnssec-policy <string>;
               dnssec-secure-to-insecure <boolean>; // obsolete
               dnssec-update-mode ( maintain | no-resign ); // obsolete
               file <quoted_string>;
               forward ( first | only );
               forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
               inline-signing <boolean>;
               ixfr-from-differences <boolean>;
               journal <quoted_string>;
               key-directory <quoted_string>;
               masterfile-format ( raw | text );
               masterfile-style ( full | relative );
               max-ixfr-ratio ( unlimited | <percentage> );
               max-journal-size ( default | unlimited | <sizeval> );
               max-records <integer>;
               max-records-per-type <integer>;
               max-transfer-idle-out <integer>;
               max-transfer-time-out <integer>;
               max-types-per-name <integer>;
               max-zone-ttl ( unlimited | <duration> ); // deprecated
               notify ( explicit | master-only | primary-only | <boolean> );
               notify-delay <integer>;
               notify-source ( <ipv4_address> | * );
               notify-source-v6 ( <ipv6_address> | * );
               notify-to-soa <boolean>;
               nsec3-test-zone <boolean>; // test only
               parental-agents [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
               parental-source ( <ipv4_address> | * );
               parental-source-v6 ( <ipv6_address> | * );
               serial-update-method ( date | increment | unixtime );
               sig-signing-nodes <integer>;
               sig-signing-signatures <integer>;
               sig-signing-type <integer>;
               sig-validity-interval <integer> [ <integer> ]; // obsolete
               update-check-ksk <boolean>; // obsolete
               update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | krb5-subdomain-self-rhs | ms-self | ms-selfsub | ms-subdomain | ms-subdomain-self-rhs | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... } );
               zero-no-soa-ttl <boolean>;
               zone-statistics ( full | terse | none | <boolean> );
          };

          zone <string> [ <class> ] {
               type secondary;
               allow-notify { <address_match_element>; ... };
               allow-query { <address_match_element>; ... };
               allow-query-on { <address_match_element>; ... };
               allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
               allow-update-forwarding { <address_match_element>; ... };
               also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
               check-names ( fail | warn | ignore );
               checkds ( explicit | <boolean> );
               database <string>;
               dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
               dlz <string>;
               dnskey-sig-validity <integer>; // obsolete
               dnssec-dnskey-kskonly <boolean>; // obsolete
               dnssec-loadkeys-interval <integer>;
               dnssec-policy <string>;
               dnssec-update-mode ( maintain | no-resign ); // obsolete
               file <quoted_string>;
               forward ( first | only );
               forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
               inline-signing <boolean>;
               ixfr-from-differences <boolean>;
               journal <quoted_string>;
               key-directory <quoted_string>;
               masterfile-format ( raw | text );
               masterfile-style ( full | relative );
               max-ixfr-ratio ( unlimited | <percentage> );
               max-journal-size ( default | unlimited | <sizeval> );
               max-records <integer>;
               max-records-per-type <integer>;
               max-refresh-time <integer>;
               max-retry-time <integer>;
               max-transfer-idle-in <integer>;
               max-transfer-idle-out <integer>;
               max-transfer-time-in <integer>;
               max-transfer-time-out <integer>;
               max-types-per-name <integer>;
               min-refresh-time <integer>;
               min-retry-time <integer>;
               multi-master <boolean>;
               notify ( explicit | master-only | primary-only | <boolean> );
               notify-delay <integer>;
               notify-source ( <ipv4_address> | * );
               notify-source-v6 ( <ipv6_address> | * );
               notify-to-soa <boolean>;
               nsec3-test-zone <boolean>; // test only
               parental-agents [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
               parental-source ( <ipv4_address> | * );
               parental-source-v6 ( <ipv6_address> | * );
               primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
               request-expire <boolean>;
               request-ixfr <boolean>;
               sig-signing-nodes <integer>;
               sig-signing-signatures <integer>;
               sig-signing-type <integer>;
               sig-validity-interval <integer> [ <integer> ]; // obsolete
               transfer-source ( <ipv4_address> | * );
               transfer-source-v6 ( <ipv6_address> | * );
               try-tcp-refresh <boolean>;
               update-check-ksk <boolean>; // obsolete
               zero-no-soa-ttl <boolean>;
               zone-statistics ( full | terse | none | <boolean> );
          };

          zone <string> [ <class> ] {
               type mirror;
               allow-notify { <address_match_element>; ... };
               allow-query { <address_match_element>; ... };
               allow-query-on { <address_match_element>; ... };
               allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
               allow-update-forwarding { <address_match_element>; ... };
               also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
               check-names ( fail | warn | ignore );
               database <string>;
               file <quoted_string>;
               ixfr-from-differences <boolean>;
               journal <quoted_string>;
               masterfile-format ( raw | text );
               masterfile-style ( full | relative );
               max-ixfr-ratio ( unlimited | <percentage> );
               max-journal-size ( default | unlimited | <sizeval> );
               max-records <integer>;
               max-records-per-type <integer>;
               max-refresh-time <integer>;
               max-retry-time <integer>;
               max-transfer-idle-in <integer>;
               max-transfer-idle-out <integer>;
               max-transfer-time-in <integer>;
               max-transfer-time-out <integer>;
               max-types-per-name <integer>;
               min-refresh-time <integer>;
               min-retry-time <integer>;
               multi-master <boolean>;
               notify ( explicit | master-only | primary-only | <boolean> );
               notify-delay <integer>;
               notify-source ( <ipv4_address> | * );
               notify-source-v6 ( <ipv6_address> | * );
               primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
               request-expire <boolean>;
               request-ixfr <boolean>;
               transfer-source ( <ipv4_address> | * );
               transfer-source-v6 ( <ipv6_address> | * );
               try-tcp-refresh <boolean>;
               zero-no-soa-ttl <boolean>;
               zone-statistics ( full | terse | none | <boolean> );
          };

          zone <string> [ <class> ] {
               type forward;
               forward ( first | only );
               forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
          };

          zone <string> [ <class> ] {
               type hint;
               check-names ( fail | warn | ignore );
               file <quoted_string>;
          };

          zone <string> [ <class> ] {
               type redirect;
               allow-query { <address_match_element>; ... };
               allow-query-on { <address_match_element>; ... };
               dlz <string>;
               file <quoted_string>;
               masterfile-format ( raw | text );
               masterfile-style ( full | relative );
               max-records <integer>;
               max-records-per-type <integer>;
               max-types-per-name <integer>;
               max-zone-ttl ( unlimited | <duration> ); // deprecated
               primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
               zone-statistics ( full | terse | none | <boolean> );
          };

          zone <string> [ <class> ] {
               type static-stub;
               allow-query { <address_match_element>; ... };
               allow-query-on { <address_match_element>; ... };
               forward ( first | only );
               forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
               max-records <integer>;
               max-records-per-type <integer>;
               max-types-per-name <integer>;
               server-addresses { ( <ipv4_address> | <ipv6_address> ); ... };
               server-names { <string>; ... };
               zone-statistics ( full | terse | none | <boolean> );
          };

          zone <string> [ <class> ] {
               type stub;
               allow-query { <address_match_element>; ... };
               allow-query-on { <address_match_element>; ... };
               check-names ( fail | warn | ignore );
               database <string>;
               dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
               file <quoted_string>;
               forward ( first | only );
               forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
               masterfile-format ( raw | text );
               masterfile-style ( full | relative );
               max-records <integer>;
               max-records-per-type <integer>;
               max-refresh-time <integer>;
               max-retry-time <integer>;
               max-transfer-idle-in <integer>;
               max-transfer-time-in <integer>;
               max-types-per-name <integer>;
               min-refresh-time <integer>;
               min-retry-time <integer>;
               multi-master <boolean>;
               primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
               transfer-source ( <ipv4_address> | * );
               transfer-source-v6 ( <ipv6_address> | * );
               zone-statistics ( full | terse | none | <boolean> );
          };

          zone <string> [ <class> ] {
               in-view <string>;
          };

FILES

       /etc/bind/named.conf

SEE ALSO

       named(8),   named-checkconf(8),   rndc(8),   rndc-confgen(8),   tsig-keygen(8),   BIND   9
       Administrator Reference Manual.

AUTHOR

       Internet Systems Consortium

COPYRIGHT

       2024, Internet Systems Consortium