max\-zone\-ttl ( unlimited | \fIttlval\fR );
min\-refresh\-time \fIinteger\fR;
min\-retry\-time \fIinteger\fR;
- mirror \fIboolean\fR;
multi\-master \fIboolean\fR;
notify ( explicit | master\-only | \fIboolean\fR );
notify\-delay \fIinteger\fR;
transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port (
\fIinteger\fR | * ) ] [ dscp \fIinteger\fR ];
try\-tcp\-refresh \fIboolean\fR;
- type ( primary | master | secondary | slave |
+ type ( primary | master | secondary | slave | mirror |
delegation\-only | forward | hint | redirect |
static\-stub | stub );
update\-check\-ksk \fIboolean\fR;
max\-zone\-ttl ( unlimited | \fIttlval\fR );
min\-refresh\-time \fIinteger\fR;
min\-retry\-time \fIinteger\fR;
- mirror \fIboolean\fR;
multi\-master \fIboolean\fR;
notify ( explicit | master\-only | \fIboolean\fR );
notify\-delay \fIinteger\fR;
transfer\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * )
] [ dscp \fIinteger\fR ];
try\-tcp\-refresh \fIboolean\fR;
- type ( primary | master | secondary | slave | delegation\-only |
- forward | hint | redirect | static\-stub | stub );
+ type ( primary | master | secondary | slave | mirror |
+ delegation\-only | forward | hint | redirect | static\-stub |
+ stub );
update\-check\-ksk \fIboolean\fR;
update\-policy ( local | { ( deny | grant ) \fIstring\fR ( 6to4\-self |
external | krb5\-self | krb5\-subdomain | ms\-self | ms\-subdomain
min-retry-time <replaceable>integer</replaceable>;
minimal-any <replaceable>boolean</replaceable>;
minimal-responses ( no-auth | no-auth-recursive | <replaceable>boolean</replaceable> );
- mirror <replaceable>boolean</replaceable>;
multi-master <replaceable>boolean</replaceable>;
new-zones-directory <replaceable>quoted_string</replaceable>;
no-case-compress { <replaceable>address_match_element</replaceable>; ... };
min-retry-time <replaceable>integer</replaceable>;
minimal-any <replaceable>boolean</replaceable>;
minimal-responses ( no-auth | no-auth-recursive | <replaceable>boolean</replaceable> );
- mirror <replaceable>boolean</replaceable>;
multi-master <replaceable>boolean</replaceable>;
new-zones-directory <replaceable>quoted_string</replaceable>;
no-case-compress { <replaceable>address_match_element</replaceable>; ... };
max-zone-ttl ( unlimited | <replaceable>ttlval</replaceable> );
min-refresh-time <replaceable>integer</replaceable>;
min-retry-time <replaceable>integer</replaceable>;
- mirror <replaceable>boolean</replaceable>;
multi-master <replaceable>boolean</replaceable>;
notify ( explicit | master-only | <replaceable>boolean</replaceable> );
notify-delay <replaceable>integer</replaceable>;
transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port (
<replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
try-tcp-refresh <replaceable>boolean</replaceable>;
- type ( primary | master | secondary | slave |
+ type ( primary | master | secondary | slave | mirror |
delegation-only | forward | hint | redirect |
static-stub | stub );
update-check-ksk <replaceable>boolean</replaceable>;
max-zone-ttl ( unlimited | <replaceable>ttlval</replaceable> );
min-refresh-time <replaceable>integer</replaceable>;
min-retry-time <replaceable>integer</replaceable>;
- mirror <replaceable>boolean</replaceable>;
multi-master <replaceable>boolean</replaceable>;
notify ( explicit | master-only | <replaceable>boolean</replaceable> );
notify-delay <replaceable>integer</replaceable>;
transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * )
] [ dscp <replaceable>integer</replaceable> ];
try-tcp-refresh <replaceable>boolean</replaceable>;
- type ( primary | master | secondary | slave | delegation-only |
- forward | hint | redirect | static-stub | stub );
+ type ( primary | master | secondary | slave | mirror |
+ delegation-only | forward | hint | redirect | static-stub |
+ stub );
update-check-ksk <replaceable>boolean</replaceable>;
update-policy ( local | { ( deny | grant ) <replaceable>string</replaceable> ( 6to4-self |
external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self
max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- mirror <em class="replaceable"><code>boolean</code></em>;<br>
multi-master <em class="replaceable"><code>boolean</code></em>;<br>
notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
notify-delay <em class="replaceable"><code>integer</code></em>;<br>
transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (<br>
<em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
- type ( primary | master | secondary | slave |<br>
+ type ( primary | master | secondary | slave | mirror |<br>
delegation-only | forward | hint | redirect |<br>
static-stub | stub );<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- mirror <em class="replaceable"><code>boolean</code></em>;<br>
multi-master <em class="replaceable"><code>boolean</code></em>;<br>
notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
notify-delay <em class="replaceable"><code>integer</code></em>;<br>
transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
- type ( primary | master | secondary | slave | delegation-only |<br>
- forward | hint | redirect | static-stub | stub );<br>
+ type ( primary | master | secondary | slave | mirror |<br>
+ delegation-only | forward | hint | redirect | static-stub |<br>
+ stub );<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
update-policy ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> ( 6to4-self |<br>
external | krb5-self | krb5-subdomain | ms-self | ms-subdomain<br>
strcmp(argv[1], "seconary") == 0)
{
zonetype = CFG_ZONE_SLAVE;
+ } else if (strcmp(argv[1], "mirror") == 0) {
+ zonetype = CFG_ZONE_MIRROR;
} else if (strcmp(argv[1], "stub") == 0) {
zonetype = CFG_ZONE_STUB;
} else if (strcmp(argv[1], "static-stub") == 0) {
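Review bot: The context line `strcmp(argv[1], "seconary") == 0)` directly above the new `mirror` branch appears to misspell `secondary`, so `-t secondary` would presumably fall through to whatever error path follows this chain while the new `-t mirror` branch is accepted; since the commit extends this exact chain, correcting that line to `strcmp(argv[1], "secondary") == 0)` in the same change would be reasonable, though it is pre-existing history rather than part of the change. The added `mirror` → `CFG_ZONE_MIRROR` branch itself follows the same shape as the neighbouring `stub` and `static-stub` cases. The enclosing function starts and ends outside the hunk, so I cannot see how an unmatched type name is reported.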
</listitem>
</varlistentry>
- <varlistentry>
- <term><command>allow-transfer</command></term>
+ <varlistentry xml:id="allow_transfer">
+ <term xml:id="allow_transfer_term"><command>allow-transfer</command></term>
<listitem>
<para>
Specifies which hosts are allowed to
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="master.zoneopt.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="slave.zoneopt.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="mirror.zoneopt.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="hint.zoneopt.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="stub.zoneopt.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="static-stub.zoneopt.xml"/>
acceptable values include:
<varname>master</varname> (or <varname>primary</varname>),
<varname>slave</varname> (or <varname>secondary</varname>),
+ <varname>mirror</varname>,
<varname>delegation-only</varname>,
<varname>forward</varname>,
<varname>hint</varname>,
</para>
</entry>
</row>
+ <row rowsep="0">
+ <entry colname="1">
+ <para>
+ <varname>mirror</varname>
+ </para>
+ </entry>
+ <entry colname="2">
+ <para>
+ </para>
+ <para>
+ A mirror zone acts like a zone of type
+ <userinput>secondary</userinput> whose data is
+ subject to DNSSEC validation before being used
+ in answers. Validation is performed during the
+ zone transfer process, and again when the zone
+ file is loaded from disk when
+ <command>named</command> is restarted. If
+ validation fails, a retransfer of the zone is
+ scheduled; if the mirror zone had not previously
+ been loaded or if the previous version has
+ expired, traditional DNS recursion will be used
+ to look up the answers instead.
+ </para>
+ <para>
+ For validation to succeed, a key-signing key
+ (KSK) for the zone must be configured as a trust
+ anchor in <filename>named.conf</filename>: that
+ is, a key for the zone must either be specified
+ in <command>managed-keys</command> or
+ <command>trusted-keys</command>, or in the case
+ of the root zone,
+ <command>dnssec-validation</command> must be set
+ to <userinput>auto</userinput>. Answers coming
+ from a mirror zone look almost exactly like
+ answers from a zone of type
+ <userinput>secondary</userinput>, with the
+ notable exceptions that the AA bit
+ ("authoritative answer") is not set, and the AD
+ bit ("authenticated data") is.
+ </para>
+ <para>
+ Since mirror zones are intended to be used by
+ recursive resolvers, adding one to a view with
+ recursion disabled is considered to be a
+ configuration error.
+ </para>
+ <para>
+ When configuring NOTIFY for a mirror zone, only
+ <userinput>notify no;</userinput> and
+ <userinput>notify explicit;</userinput> can be
+ used. Using any other
+ <userinput>notify</userinput> setting at the
+ zone level is a configuration error. Using any
+ other <userinput>notify</userinput> setting at
+ the <userinput>options</userinput> or
+ <userinput>view</userinput> level will cause
+ that setting to be overridden with
+ <userinput>notify explicit;</userinput> for the
+ mirror zone in question.
+ </para>
+ <para>
+ Outgoing transfers of mirror zones are disabled
+ by default but may be enabled using
+ <xref endterm="allow_transfer_term" linkend="allow_transfer"/>.
+ </para>
+ <para>
+ While any zone may be configured with this type,
+ it is intended to be used to set up a fast local
+ copy of the root zone, similar to the one
+ described in RFC 7706. Note, however, that
+ mirror zones are not supposed to augment the
+ example configuration provided by RFC 7706 but
+ rather to replace it altogether.
+ </para>
+ <para>
+ A default list of primary servers for the root
+ zone is built into <command>named</command> and
+ thus IANA root zone mirroring can be enabled
+ using the following configuration:
+ </para>
+<programlisting>zone "." {
+ type mirror;
+};</programlisting>
+ <para>
+ To make mirror zone contents persist between
+ <command>named</command> restarts, use the
+ <xref endterm="file_option_term" linkend="file_option"/>
+ option.
+ </para>
+ </entry>
+ </row>
<row rowsep="0">
<entry colname="1">
<para>
</listitem>
</varlistentry>
- <varlistentry>
- <term><command>file</command></term>
+ <varlistentry xml:id="file_option">
+ <term xml:id="file_option_term"><command>file</command></term>
<listitem>
<para>
Set the zone's filename. In <command>master</command>,
<command>hint</command>, and <command>redirect</command>
zones which do not have <command>masters</command>
defined, zone data is loaded from this file. In
- <command>slave</command>, <command>stub</command>, and
- <command>redirect</command> zones which do have
- <command>masters</command> defined, zone data is
- retrieved from another server and saved in this file.
- This option is not applicable to other zone types.
+ <command>slave</command>, <command>mirror</command>,
+ <command>stub</command>, and <command>redirect</command>
+ zones which do have <command>masters</command>
+ defined, zone data is retrieved from another server
+ and saved in this file. This option is not
+ applicable to other zone types.
</para>
</listitem>
</varlistentry>
</listitem>
</varlistentry>
- <varlistentry>
- <term><command>mirror</command></term>
- <listitem>
- <para>
- If set to <userinput>yes</userinput>, this causes the
- zone to become a mirror zone. A mirror zone is a
- <userinput>secondary</userinput> zone whose data
- is subject to DNSSEC validation before being
- used in answers. The default is
- <userinput>no</userinput>.
- </para>
- <para>
- A mirror zone's contents are validated during the transfer
- process, and again when the zone file is loaded from disk
- when <command>named</command> is restarted. If validation
- fails, a retransfer of the zone is scheduled; if the mirror
- zone had not previously been loaded or if the previous
- version has expired, traditional DNS recursion will be used
- to look up the answers instead.
- </para>
- <para>
- For validation to succeed, a key-signing key (KSK) for
- the zone must be configured as a trust anchor in
- <filename>named.conf</filename>:
- that is, a key for the zone must either be specified in
- <command>managed-keys</command> or
- <command>trusted-keys</command>, or in the case of
- the root zone, <command>dnssec-validation</command>
- must be set to <userinput>auto</userinput>.
- Answers coming from a mirror zone look almost exactly like
- answers from a normal slave zone, with the notable
- exceptions that the AA bit ("authoritative answer") is
- not set, and the AD bit ("authenticated data") is.
- </para>
- <para>
- Though this option can be used for other zones, it
- is intended to be used to set up a fast local copy of
- the root zone, as described in RFC 7706.
- This can be done by using the following configuration:
- </para>
-<programlisting>zone "." {
- type slave;
- mirror yes;
- file "root.mirror";
- masters {
- 192.228.79.201; # b.root-servers.net
- 192.33.4.12; # c.root-servers.net
- 192.5.5.241; # f.root-servers.net
- 192.112.36.4; # g.root-servers.net
- 193.0.14.129; # k.root-servers.net
- 192.0.47.132; # xfr.cjr.dns.icann.org
- 192.0.32.132; # xfr.lax.dns.icann.org
- 2001:500:84::b; # b.root-servers.net
- 2001:500:2f::f; # f.root-servers.net
- 2001:7fd::1; # k.root-servers.net
- 2620:0:2830:202::132; # xfr.cjr.dns.icann.org
- 2620:0:2d0:202::132; # xfr.lax.dns.icann.org
- };
-};</programlisting>
- </listitem>
- </varlistentry>
-
<varlistentry>
<term><command>multi-master</command></term>
<listitem>
<span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>minimal-any</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>minimal-responses</strong></span> ( no-auth | no-auth-recursive | <em class="replaceable"><code>boolean</code></em> );
- <span class="command"><strong>mirror</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>new-zones-directory</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
<span class="command"><strong>no-case-compress</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
It is now ignored with some warning messages.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>allow-transfer</strong></span></span></dt>
+<dt>
+<a name="allow_transfer"></a><span class="term"><a name="allow_transfer_term"></a><span class="command"><strong>allow-transfer</strong></span></span>
+</dt>
<dd>
<p>
Specifies which hosts are allowed to
<span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
<span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
- <span class="command"><strong>mirror</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>boolean</code></em>;
<span class="command"><strong>notify</strong></span> ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );
<span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>integer</code></em>;
};
</pre>
<pre class="programlisting">
+<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
+ <span class="command"><strong>type</strong></span> mirror;
+ <span class="command"><strong>allow-notify</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+ <span class="command"><strong>allow-query</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+ <span class="command"><strong>allow-query-on</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+ <span class="command"><strong>allow-transfer</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+ <span class="command"><strong>allow-update-forwarding</strong></span> { <em class="replaceable"><code>address_match_element</code></em>; ... };
+ <span class="command"><strong>also-notify</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
+ <span class="command"><strong>alt-transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+ <span class="command"><strong>alt-transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+ <span class="command"><strong>check-names</strong></span> ( fail | warn | ignore );
+ <span class="command"><strong>database</strong></span> <em class="replaceable"><code>string</code></em>;
+ <span class="command"><strong>file</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+ <span class="command"><strong>ixfr-from-differences</strong></span> <em class="replaceable"><code>boolean</code></em>;
+ <span class="command"><strong>journal</strong></span> <em class="replaceable"><code>quoted_string</code></em>;
+ <span class="command"><strong>masterfile-format</strong></span> ( map | raw | text );
+ <span class="command"><strong>masterfile-style</strong></span> ( full | relative );
+ <span class="command"><strong>masters</strong></span> [ port <em class="replaceable"><code>integer</code></em> ] [ dscp <em class="replaceable"><code>integer</code></em> ] { ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] | <em class="replaceable"><code>ipv6_address</code></em> [ port <em class="replaceable"><code>integer</code></em> ] ) [ key <em class="replaceable"><code>string</code></em> ]; ... };
+ <span class="command"><strong>max-journal-size</strong></span> ( default | unlimited | <em class="replaceable"><code>sizeval</code></em> );
+ <span class="command"><strong>max-records</strong></span> <em class="replaceable"><code>integer</code></em>;
+ <span class="command"><strong>max-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+ <span class="command"><strong>max-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+ <span class="command"><strong>max-transfer-idle-in</strong></span> <em class="replaceable"><code>integer</code></em>;
+ <span class="command"><strong>max-transfer-idle-out</strong></span> <em class="replaceable"><code>integer</code></em>;
+ <span class="command"><strong>max-transfer-time-in</strong></span> <em class="replaceable"><code>integer</code></em>;
+ <span class="command"><strong>max-transfer-time-out</strong></span> <em class="replaceable"><code>integer</code></em>;
+ <span class="command"><strong>min-refresh-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+ <span class="command"><strong>min-retry-time</strong></span> <em class="replaceable"><code>integer</code></em>;
+ <span class="command"><strong>multi-master</strong></span> <em class="replaceable"><code>boolean</code></em>;
+ <span class="command"><strong>notify</strong></span> ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );
+ <span class="command"><strong>notify-delay</strong></span> <em class="replaceable"><code>integer</code></em>;
+ <span class="command"><strong>notify-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+ <span class="command"><strong>notify-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+ <span class="command"><strong>request-expire</strong></span> <em class="replaceable"><code>boolean</code></em>;
+ <span class="command"><strong>request-ixfr</strong></span> <em class="replaceable"><code>boolean</code></em>;
+ <span class="command"><strong>transfer-source</strong></span> ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+ <span class="command"><strong>transfer-source-v6</strong></span> ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];
+ <span class="command"><strong>try-tcp-refresh</strong></span> <em class="replaceable"><code>boolean</code></em>;
+ <span class="command"><strong>use-alt-transfer-source</strong></span> <em class="replaceable"><code>boolean</code></em>;
+ <span class="command"><strong>zero-no-soa-ttl</strong></span> <em class="replaceable"><code>boolean</code></em>;
+ <span class="command"><strong>zone-statistics</strong></span> ( full | terse | none | <em class="replaceable"><code>boolean</code></em> );
+};
+</pre>
+<pre class="programlisting">
<span class="command"><strong>zone</strong></span> <em class="replaceable"><code>string</code></em> [ <em class="replaceable"><code>class</code></em> ] {
<span class="command"><strong>type</strong></span> hint;
<span class="command"><strong>check-names</strong></span> ( fail | warn | ignore );
acceptable values include:
<code class="varname">master</code> (or <code class="varname">primary</code>),
<code class="varname">slave</code> (or <code class="varname">secondary</code>),
+ <code class="varname">mirror</code>,
<code class="varname">delegation-only</code>,
<code class="varname">forward</code>,
<code class="varname">hint</code>,
</td>
</tr>
<tr>
+<td>
+ <p>
+ <code class="varname">mirror</code>
+ </p>
+ </td>
+<td>
+ <p>
+ </p>
+ <p>
+ A mirror zone acts like a zone of type
+ <strong class="userinput"><code>secondary</code></strong> whose data is
+ subject to DNSSEC validation before being used
+ in answers. Validation is performed during the
+ zone transfer process, and again when the zone
+ file is loaded from disk when
+ <span class="command"><strong>named</strong></span> is restarted. If
+ validation fails, a retransfer of the zone is
+ scheduled; if the mirror zone had not previously
+ been loaded or if the previous version has
+ expired, traditional DNS recursion will be used
+ to look up the answers instead.
+ </p>
+ <p>
+ For validation to succeed, a key-signing key
+ (KSK) for the zone must be configured as a trust
+ anchor in <code class="filename">named.conf</code>: that
+ is, a key for the zone must either be specified
+ in <span class="command"><strong>managed-keys</strong></span> or
+ <span class="command"><strong>trusted-keys</strong></span>, or in the case
+ of the root zone,
+ <span class="command"><strong>dnssec-validation</strong></span> must be set
+ to <strong class="userinput"><code>auto</code></strong>. Answers coming
+ from a mirror zone look almost exactly like
+ answers from a zone of type
+ <strong class="userinput"><code>secondary</code></strong>, with the
+ notable exceptions that the AA bit
+ ("authoritative answer") is not set, and the AD
+ bit ("authenticated data") is.
+ </p>
+ <p>
+ Since mirror zones are intended to be used by
+ recursive resolvers, adding one to a view with
+ recursion disabled is considered to be a
+ configuration error.
+ </p>
+ <p>
+ When configuring NOTIFY for a mirror zone, only
+ <strong class="userinput"><code>notify no;</code></strong> and
+ <strong class="userinput"><code>notify explicit;</code></strong> can be
+ used. Using any other
+ <strong class="userinput"><code>notify</code></strong> setting at the
+ zone level is a configuration error. Using any
+ other <strong class="userinput"><code>notify</code></strong> setting at
+ the <strong class="userinput"><code>options</code></strong> or
+ <strong class="userinput"><code>view</code></strong> level will cause
+ that setting to be overridden with
+ <strong class="userinput"><code>notify explicit;</code></strong> for the
+ mirror zone in question.
+ </p>
+ <p>
+ Outgoing transfers of mirror zones are disabled
+ by default but may be enabled using
+ <a class="xref" href="Bv9ARM.ch05.html#allow_transfer"><span class="command"><strong>allow-transfer</strong></span></a>.
+ </p>
+ <p>
+ While any zone may be configured with this type,
+ it is intended to be used to set up a fast local
+ copy of the root zone, similar to the one
+ described in RFC 7706. Note, however, that
+ mirror zones are not supposed to augment the
+ example configuration provided by RFC 7706 but
+ rather to replace it altogether.
+ </p>
+ <p>
+ A default list of primary servers for the root
+ zone is built into <span class="command"><strong>named</strong></span> and
+ thus IANA root zone mirroring can be enabled
+ using the following configuration:
+ </p>
+<pre class="programlisting">zone "." {
+ type mirror;
+};</pre>
+ <p>
+ To make mirror zone contents persist between
+ <span class="command"><strong>named</strong></span> restarts, use the
+ <a class="xref" href="Bv9ARM.ch05.html#file_option"><span class="command"><strong>file</strong></span></a>
+ option.
+ </p>
+ </td>
+</tr>
+<tr>
<td>
<p>
<code class="varname">static-stub</code>
See caveats in <a class="xref" href="Bv9ARM.ch05.html#root_delegation_only"><span class="command"><strong>root-delegation-only</strong></span></a>.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>file</strong></span></span></dt>
+<dt>
+<a name="file_option"></a><span class="term"><a name="file_option_term"></a><span class="command"><strong>file</strong></span></span>
+</dt>
<dd>
<p>
Set the zone's filename. In <span class="command"><strong>master</strong></span>,
<span class="command"><strong>hint</strong></span>, and <span class="command"><strong>redirect</strong></span>
zones which do not have <span class="command"><strong>masters</strong></span>
defined, zone data is loaded from this file. In
- <span class="command"><strong>slave</strong></span>, <span class="command"><strong>stub</strong></span>, and
- <span class="command"><strong>redirect</strong></span> zones which do have
- <span class="command"><strong>masters</strong></span> defined, zone data is
- retrieved from another server and saved in this file.
- This option is not applicable to other zone types.
+ <span class="command"><strong>slave</strong></span>, <span class="command"><strong>mirror</strong></span>,
+ <span class="command"><strong>stub</strong></span>, and <span class="command"><strong>redirect</strong></span>
+ zones which do have <span class="command"><strong>masters</strong></span>
+ defined, zone data is retrieved from another server
+ and saved in this file. This option is not
+ applicable to other zone types.
</p>
</dd>
<dt><span class="term"><span class="command"><strong>forward</strong></span></span></dt>
behavior is disabled by default.
</p>
</dd>
-<dt><span class="term"><span class="command"><strong>mirror</strong></span></span></dt>
-<dd>
- <p>
- If set to <strong class="userinput"><code>yes</code></strong>, this causes the
- zone to become a mirror zone. A mirror zone is a
- <strong class="userinput"><code>secondary</code></strong> zone whose data
- is subject to DNSSEC validation before being
- used in answers. The default is
- <strong class="userinput"><code>no</code></strong>.
- </p>
- <p>
- A mirror zone's contents are validated during the transfer
- process, and again when the zone file is loaded from disk
- when <span class="command"><strong>named</strong></span> is restarted. If validation
- fails, a retransfer of the zone is scheduled; if the mirror
- zone had not previously been loaded or if the previous
- version has expired, traditional DNS recursion will be used
- to look up the answers instead.
- </p>
- <p>
- For validation to succeed, a key-signing key (KSK) for
- the zone must be configured as a trust anchor in
- <code class="filename">named.conf</code>:
- that is, a key for the zone must either be specified in
- <span class="command"><strong>managed-keys</strong></span> or
- <span class="command"><strong>trusted-keys</strong></span>, or in the case of
- the root zone, <span class="command"><strong>dnssec-validation</strong></span>
- must be set to <strong class="userinput"><code>auto</code></strong>.
- Answers coming from a mirror zone look almost exactly like
- answers from a normal slave zone, with the notable
- exceptions that the AA bit ("authoritative answer") is
- not set, and the AD bit ("authenticated data") is.
- </p>
- <p>
- Though this option can be used for other zones, it
- is intended to be used to set up a fast local copy of
- the root zone, as described in RFC 7706.
- This can be done by using the following configuration:
- </p>
-<pre class="programlisting">zone "." {
- type slave;
- mirror yes;
- file "root.mirror";
- masters {
- 192.228.79.201; # b.root-servers.net
- 192.33.4.12; # c.root-servers.net
- 192.5.5.241; # f.root-servers.net
- 192.112.36.4; # g.root-servers.net
- 193.0.14.129; # k.root-servers.net
- 192.0.47.132; # xfr.cjr.dns.icann.org
- 192.0.32.132; # xfr.lax.dns.icann.org
- 2001:500:84::b; # b.root-servers.net
- 2001:500:2f::f; # f.root-servers.net
- 2001:7fd::1; # k.root-servers.net
- 2620:0:2830:202::132; # xfr.cjr.dns.icann.org
- 2620:0:2d0:202::132; # xfr.lax.dns.icann.org
- };
-};</pre>
- </dd>
<dt><span class="term"><span class="command"><strong>multi-master</strong></span></span></dt>
<dd>
<p>
max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- mirror <em class="replaceable"><code>boolean</code></em>;<br>
multi-master <em class="replaceable"><code>boolean</code></em>;<br>
notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
notify-delay <em class="replaceable"><code>integer</code></em>;<br>
transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port (<br>
<em class="replaceable"><code>integer</code></em> | * ) ] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
- type ( primary | master | secondary | slave |<br>
+ type ( primary | master | secondary | slave | mirror |<br>
delegation-only | forward | hint | redirect |<br>
static-stub | stub );<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
max-zone-ttl ( unlimited | <em class="replaceable"><code>ttlval</code></em> );<br>
min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- mirror <em class="replaceable"><code>boolean</code></em>;<br>
multi-master <em class="replaceable"><code>boolean</code></em>;<br>
notify ( explicit | master-only | <em class="replaceable"><code>boolean</code></em> );<br>
notify-delay <em class="replaceable"><code>integer</code></em>;<br>
transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [ port ( <em class="replaceable"><code>integer</code></em> | * )<br>
] [ dscp <em class="replaceable"><code>integer</code></em> ];<br>
try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
- type ( primary | master | secondary | slave | delegation-only |<br>
- forward | hint | redirect | static-stub | stub );<br>
+ type ( primary | master | secondary | slave | mirror |<br>
+ delegation-only | forward | hint | redirect | static-stub |<br>
+ stub );<br>
update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
update-policy ( local | { ( deny | grant ) <em class="replaceable"><code>string</code></em> ( 6to4-self |<br>
external | krb5-self | krb5-subdomain | ms-self | ms-subdomain<br>
--- /dev/null
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Generated by doc/misc/docbook-zoneopt.pl -->
+<programlisting>
+<command>zone</command> <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
+ <command>type</command> mirror;
+ <command>allow-notify</command> { <replaceable>address_match_element</replaceable>; ... };
+ <command>allow-query</command> { <replaceable>address_match_element</replaceable>; ... };
+ <command>allow-query-on</command> { <replaceable>address_match_element</replaceable>; ... };
+ <command>allow-transfer</command> { <replaceable>address_match_element</replaceable>; ... };
+ <command>allow-update-forwarding</command> { <replaceable>address_match_element</replaceable>; ... };
+ <command>also-notify</command> [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [ port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port <replaceable>integer</replaceable> ] ) [ key <replaceable>string</replaceable> ]; ... };
+ <command>alt-transfer-source</command> ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
+ <command>alt-transfer-source-v6</command> ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
+ <command>check-names</command> ( fail | warn | ignore );
+ <command>database</command> <replaceable>string</replaceable>;
+ <command>file</command> <replaceable>quoted_string</replaceable>;
+ <command>ixfr-from-differences</command> <replaceable>boolean</replaceable>;
+ <command>journal</command> <replaceable>quoted_string</replaceable>;
+ <command>masterfile-format</command> ( map | raw | text );
+ <command>masterfile-style</command> ( full | relative );
+ <command>masters</command> [ port <replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [ port <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port <replaceable>integer</replaceable> ] ) [ key <replaceable>string</replaceable> ]; ... };
+ <command>max-journal-size</command> ( default | unlimited | <replaceable>sizeval</replaceable> );
+ <command>max-records</command> <replaceable>integer</replaceable>;
+ <command>max-refresh-time</command> <replaceable>integer</replaceable>;
+ <command>max-retry-time</command> <replaceable>integer</replaceable>;
+ <command>max-transfer-idle-in</command> <replaceable>integer</replaceable>;
+ <command>max-transfer-idle-out</command> <replaceable>integer</replaceable>;
+ <command>max-transfer-time-in</command> <replaceable>integer</replaceable>;
+ <command>max-transfer-time-out</command> <replaceable>integer</replaceable>;
+ <command>min-refresh-time</command> <replaceable>integer</replaceable>;
+ <command>min-retry-time</command> <replaceable>integer</replaceable>;
+ <command>multi-master</command> <replaceable>boolean</replaceable>;
+ <command>notify</command> ( explicit | master-only | <replaceable>boolean</replaceable> );
+ <command>notify-delay</command> <replaceable>integer</replaceable>;
+ <command>notify-source</command> ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
+ <command>notify-source-v6</command> ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
+ <command>request-expire</command> <replaceable>boolean</replaceable>;
+ <command>request-ixfr</command> <replaceable>boolean</replaceable>;
+ <command>transfer-source</command> ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
+ <command>transfer-source-v6</command> ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
+ <command>try-tcp-refresh</command> <replaceable>boolean</replaceable>;
+ <command>use-alt-transfer-source</command> <replaceable>boolean</replaceable>;
+ <command>zero-no-soa-ttl</command> <replaceable>boolean</replaceable>;
+ <command>zone-statistics</command> ( full | terse | none | <replaceable>boolean</replaceable> );
+};
+</programlisting>
<command>min-retry-time</command> <replaceable>integer</replaceable>;
<command>minimal-any</command> <replaceable>boolean</replaceable>;
<command>minimal-responses</command> ( no-auth | no-auth-recursive | <replaceable>boolean</replaceable> );
- <command>mirror</command> <replaceable>boolean</replaceable>;
<command>multi-master</command> <replaceable>boolean</replaceable>;
<command>new-zones-directory</command> <replaceable>quoted_string</replaceable>;
<command>no-case-compress</command> { <replaceable>address_match_element</replaceable>; ... };
<command>max-transfer-time-out</command> <replaceable>integer</replaceable>;
<command>min-refresh-time</command> <replaceable>integer</replaceable>;
<command>min-retry-time</command> <replaceable>integer</replaceable>;
- <command>mirror</command> <replaceable>boolean</replaceable>;
<command>multi-master</command> <replaceable>boolean</replaceable>;
<command>notify</command> ( explicit | master-only | <replaceable>boolean</replaceable> );
<command>notify-delay</command> <replaceable>integer</replaceable>;
${CFG_TEST} --named --grammar > $@.raw ; \
${CFG_TEST} --zonegrammar master > master.zoneopt ; \
${CFG_TEST} --zonegrammar slave > slave.zoneopt ; \
+ ${CFG_TEST} --zonegrammar mirror > mirror.zoneopt ; \
${CFG_TEST} --zonegrammar forward > forward.zoneopt ; \
${CFG_TEST} --zonegrammar hint > hint.zoneopt ; \
${CFG_TEST} --zonegrammar stub > stub.zoneopt ; \
${PERL} docbook-options.pl options > ${top_srcdir}/bin/named/named.conf.docbook
${PERL} docbook-zoneopt.pl master.zoneopt > ${top_srcdir}/doc/arm/master.zoneopt.xml
${PERL} docbook-zoneopt.pl slave.zoneopt > ${top_srcdir}/doc/arm/slave.zoneopt.xml
+ ${PERL} docbook-zoneopt.pl mirror.zoneopt > ${top_srcdir}/doc/arm/mirror.zoneopt.xml
${PERL} docbook-zoneopt.pl forward.zoneopt > ${top_srcdir}/doc/arm/forward.zoneopt.xml
${PERL} docbook-zoneopt.pl hint.zoneopt > ${top_srcdir}/doc/arm/hint.zoneopt.xml
${PERL} docbook-zoneopt.pl stub.zoneopt > ${top_srcdir}/doc/arm/stub.zoneopt.xml
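Review bot: The added `${CFG_TEST} --zonegrammar mirror > mirror.zoneopt ; \` is chained with `;` like its neighbours, so if the cfg_test binary does not recognise the `mirror` zone type the redirect still creates an empty mirror.zoneopt and the recipe carries on, and the added `docbook-zoneopt.pl mirror.zoneopt` line then writes an empty mirror.zoneopt.xml without any error. That failure mode predates this commit, but the new zone type is the one most likely to be missing from a stale build, so it is worth guarding here: chaining the grammar steps with `&& \` instead of `; \` (or prefixing the recipe with `set -e;`) would make the build stop at the first failed invocation. The enclosing recipe begins outside the hunk, so the target line and any shell options set there are not visible.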
--- /dev/null
+zone <string> [ <class> ] {
+ type mirror;
+ allow-notify { <address_match_element>; ... };
+ allow-query { <address_match_element>; ... };
+ allow-query-on { <address_match_element>; ... };
+ allow-transfer { <address_match_element>; ... };
+ allow-update-forwarding { <address_match_element>; ... };
+ also-notify [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+ alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ check-names ( fail | warn | ignore );
+ database <string>;
+ file <quoted_string>;
+ ixfr-from-differences <boolean>;
+ journal <quoted_string>;
+ masterfile-format ( map | raw | text );
+ masterfile-style ( full | relative );
+ masters [ port <integer> ] [ dscp <integer> ] { ( <masters> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
+ max-journal-size ( default | unlimited | <sizeval> );
+ max-records <integer>;
+ max-refresh-time <integer>;
+ max-retry-time <integer>;
+ max-transfer-idle-in <integer>;
+ max-transfer-idle-out <integer>;
+ max-transfer-time-in <integer>;
+ max-transfer-time-out <integer>;
+ min-refresh-time <integer>;
+ min-retry-time <integer>;
+ multi-master <boolean>;
+ notify ( explicit | master-only | <boolean> );
+ notify-delay <integer>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ request-expire <boolean>;
+ request-ixfr <boolean>;
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
+ try-tcp-refresh <boolean>;
+ use-alt-transfer-source <boolean>;
+ zero-no-soa-ttl <boolean>;
+ zone-statistics ( full | terse | none | <boolean> );
+};
min-roots <integer>; // not implemented
minimal-any <boolean>;
minimal-responses ( no-auth | no-auth-recursive | <boolean> );
- mirror <boolean>;
multi-master <boolean>;
multiple-cnames <boolean>; // obsolete
named-xfer <quoted_string>; // obsolete
min-roots <integer>; // not implemented
minimal-any <boolean>;
minimal-responses ( no-auth | no-auth-recursive | <boolean> );
- mirror <boolean>;
multi-master <boolean>;
new-zones-directory <quoted_string>;
no-case-compress { <address_match_element>; ... };
max-zone-ttl ( unlimited | <ttlval> );
min-refresh-time <integer>;
min-retry-time <integer>;
- mirror <boolean>;
multi-master <boolean>;
notify ( explicit | master-only | <boolean> );
notify-delay <integer>;
transfer-source-v6 ( <ipv6_address> | * ) [ port (
<integer> | * ) ] [ dscp <integer> ];
try-tcp-refresh <boolean>;
- type ( primary | master | secondary | slave |
+ type ( primary | master | secondary | slave | mirror |
delegation-only | forward | hint | redirect |
static-stub | stub );
update-check-ksk <boolean>;
max-zone-ttl ( unlimited | <ttlval> );
min-refresh-time <integer>;
min-retry-time <integer>;
- mirror <boolean>;
multi-master <boolean>;
notify ( explicit | master-only | <boolean> );
notify-delay <integer>;
transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
] [ dscp <integer> ];
try-tcp-refresh <boolean>;
- type ( primary | master | secondary | slave | delegation-only |
- forward | hint | redirect | static-stub | stub );
+ type ( primary | master | secondary | slave | mirror |
+ delegation-only | forward | hint | redirect | static-stub |
+ stub );
update-check-ksk <boolean>;
update-policy ( local | { ( deny | grant ) <string> ( 6to4-self |
external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self
max-transfer-time-out <integer>;
min-refresh-time <integer>;
min-retry-time <integer>;
- mirror <boolean>;
multi-master <boolean>;
notify ( explicit | master-only | <boolean> );
notify-delay <integer>;
./doc/arm/managed-keys.xml SGML 2010,2014,2015,2016,2017,2018
./doc/arm/master.zoneopt.xml SGML 2018
./doc/arm/masters.grammar.xml SGML 2018
+./doc/arm/mirror.zoneopt.xml SGML 2018
./doc/arm/notes-wrapper.xml SGML 2014,2015,2016,2018
./doc/arm/notes.conf X 2015,2018
./doc/arm/notes.html X 2014,2015,2016,2017,2018
./doc/misc/master.zoneopt X 2018
./doc/misc/migration TXT.BRIEF 2000,2001,2003,2004,2007,2008,2016,2018
./doc/misc/migration-4to9 TXT.BRIEF 2001,2004,2016,2018
+./doc/misc/mirror.zoneopt X 2018
./doc/misc/options X 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
./doc/misc/redirect.zoneopt X 2018
./doc/misc/rfc-compliance TXT.BRIEF 2001,2004,2015,2016,2018