<para>
ISC <acronym>BIND</acronym> 9 compiles and runs on a large
number
- of Unix-like operating systems and on
+ of Unix-like operating systems and on
Microsoft Windows Server 2003 and 2008, and Windows XP and Vista.
For an up-to-date
list of supported systems, see the README file in the top level
<command>allow-update</command> or an <command>update-policy</command>
clause in the <command>zone</command> statement.
</para>
-
+
<para>
If the zone's <command>update-policy</command> is set to
<userinput>local</userinput>, updates to the zone
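Review bot: every `-`/`+` pair in this hunk (the "of Unix-like operating systems and on" line and the blank line) is visually identical, so the change appears to be trailing-whitespace removal only; confirm with `git diff -w` (or `--ignore-all-space`) that the diff is empty once whitespace is ignored, so the whole patch can be reviewed as a pure cleanup with no accidental wording or markup changes.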
To enable <command>named</command> to validate answers from
other servers, the <command>dnssec-enable</command> option
must be set to <userinput>yes</userinput>, and the
- <command>dnssec-validation</command> options must be set to
+ <command>dnssec-validation</command> options must be set to
<userinput>yes</userinput> or <userinput>auto</userinput>.
</para>
-
+
<para>
If <command>dnssec-validation</command> is set to
<userinput>auto</userinput>, then a default
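Review bot: the changed line "<command>dnssec-validation</command> options must be set to" should read "option must be set to" (singular), matching "the <command>dnssec-enable</command> option" in the preceding sentence; since this hunk already touches that line, fix the grammar in the same change rather than leaving a whitespace-only edit on a line with a known typo.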
will not occur. The default setting is
<userinput>yes</userinput>.
</para>
-
+
<para>
<command>trusted-keys</command> are copies of DNSKEY RRs
for zones that are used to form the first link in the
including missing, expired, or invalid signatures, a key which
does not match the DS RRset in the parent zone, or an insecure
response from a zone which, according to its parent, should have
- been secure.
+ been secure.
</para>
<note>
the traditional "nibble" format used in the
<emphasis>ip6.arpa</emphasis> domain, as well as the older, deprecated
<emphasis>ip6.int</emphasis> domain.
- Older versions of <acronym>BIND</acronym> 9
+ Older versions of <acronym>BIND</acronym> 9
supported the "binary label" (also known as "bitstring") format,
but support of binary labels has been completely removed per
RFC 3363.
"as big as possible", depending on the context.
See the explanations of particular parameters
that use <varname>size_spec</varname>
- for details on how they interpret its use.
+ for details on how they interpret its use.
</para>
<para>
Numeric values can optionally be followed by a
(including <option>max-cache-size</option>), it may
mean the largest possible 32-bit unsigned integer
(0xffffffff); this distinction can be important when
- dealing with larger quantities.
+ dealing with larger quantities.
<varname>unlimited</varname> is usually the best way
to safely set a very large number.
</para>
<para>
- <varname>default</varname>
+ <varname>default</varname>
uses the limit that was in force when the server was started.
</para>
</entry>
<para>
defines a named masters list for
inclusion in stub and slave zones'
- <command>masters</command> or
+ <command>masters</command> or
<command>also-notify</command> lists.
</para>
</entry>
<title><command>masters</command> Statement Grammar</title>
<programlisting>
-<command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> |
+<command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> |
<replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> };
</programlisting>
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> {
( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> |
- <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ;
+ <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ;
... }; </optional>
<optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable>response</replaceable> )
( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
<optional> address ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
<optional> query-source-v6 ( ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> )
- <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
- <optional> address ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
+ <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
+ <optional> address ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
<optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
<optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
The pathname of a file to override the built-in trusted
keys provided by <command>named</command>.
See the discussion of <command>dnssec-lookaside</command>
- and <command>dnssec-validation</command> for details.
+ and <command>dnssec-validation</command> for details.
If not specified, the default is
<filename>/etc/bind.keys</filename>.
</para>
<para>
Each <command>dns64</command> supports an optional
<command>mapped</command> ACL that selects which
- IPv4 addresses are to be mapped in the corresponding
+ IPv4 addresses are to be mapped in the corresponding
A RRset. If not defined it defaults to
<userinput>any;</userinput>.
</para>
<listitem>
<para>
If <userinput>yes</userinput>, then an empty EDNS(0)
- NSID (Name Server Identifier) option is sent with all
+ NSID (Name Server Identifier) option is sent with all
queries to authoritative name servers during iterative
resolution. If the authoritative server returns an NSID
option in its response, then its contents are logged in
<para>
If <userinput>yes</userinput>,
the DNS client is at an IPv4 address, in <command>filter-aaaa</command>,
- and if the response does not include DNSSEC signatures,
+ and if the response does not include DNSSEC signatures,
then all AAAA records are deleted from the response.
This filtering applies to all responses and not only
authoritative responses.
because the DNSSEC protocol is designed detect deletions.
</para>
<para>
- This mechanism can erroneously cause other servers to
- not give AAAA records to their clients.
+ This mechanism can erroneously cause other servers to
+ not give AAAA records to their clients.
A recursing server with both IPv6 and IPv4 network connections
that queries an authoritative server using this mechanism
via IPv4 will be denied AAAA records even if its client is
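Review bot: the leading context line "because the DNSSEC protocol is designed detect deletions." is missing a word and should read "designed to detect deletions."; the hunk is already touching this filter-aaaa paragraph for whitespace, so the wording fix belongs in the same change. The following changed lines ("This mechanism can erroneously cause other servers to / not give AAAA records to their clients.") are otherwise identical to their `-` counterparts.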
<para>
Note: BIND 9.5.0 introduced
- the <command>use-queryport-pool</command>
+ the <command>use-queryport-pool</command>
option to support a pool of such random ports, but this
option is now obsolete because reusing the same ports in
the pool may not be sufficiently secure.
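Review bot: this paragraph states that <command>use-queryport-pool</command> is obsolete, yet the options grammar earlier in this patch still lists `<optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>` and `<optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>` with no indication that they are obsolete; consider marking those grammar lines as obsolete (or removing them) in the same change so the grammar and the prose agree.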
</para>
</listitem>
</varlistentry>
-
+
</variablelist>
<note>
<para>
<para>
A "soft quota" is also set. When this lower
quota is exceeded, incoming requests are accepted, but
- for each one, a pending request will be dropped.
+ for each one, a pending request will be dropped.
If <option>recursive-clients</option> is greater than
1000, the soft quota is set to
<option>recursive-clients</option> minus 100;
waiting for
some data before being passed to accept. Nonzero values
less than 10 will be silently raised. A value of 0 may also
- be used; on most platforms this sets the listen queue
+ be used; on most platforms this sets the listen queue
length to a system-defined default value.
</para>
</listitem>
</para>
</listitem>
</varlistentry>
-
+
<varlistentry>
<term><command>empty-contact</command></term>
<listitem>
</para>
</listitem>
</varlistentry>
-
+
<varlistentry>
<term><command>empty-zones-enable</command></term>
<listitem>
</para>
</listitem>
</varlistentry>
-
+
<varlistentry>
<term><command>disable-empty-zone</command></term>
<listitem>
whether the local server will add a NSID EDNS option
to requests sent to the server. This overrides
<command>request-nsid</command> set at the view or
- option level.
+ option level.
</para>
</sect2>
>http://127.0.0.1:8888/</ulink> or
<ulink url="http://127.0.0.1:8888/xml"
>http://127.0.0.1:8888/xml</ulink>. A CSS file is
- included which can format the XML statistics into tables
+ included which can format the XML statistics into tables
when viewed with a stylesheet-capable browser. When
- <acronym>BIND</acronym> 9 is configured with --enable-newstats,
+ <acronym>BIND</acronym> 9 is configured with --enable-newstats,
a new XML schema is used (version 3) which adds additional
zone statistics and uses a flatter tree for more efficient
parsing. The stylesheet included uses the Google Charts API
<para>
Applications that depend on a particular XML schema
- can request
+ can request
<ulink url="http://127.0.0.1:8888/xml/v2"
>http://127.0.0.1:8888/xml/v2</ulink> for version 2
- of the statistics XML schema or
+ of the statistics XML schema or
<ulink url="http://127.0.0.1:8888/xml/v3"
>http://127.0.0.1:8888/xml/v3</ulink> for version 3.
If the requested schema is supported by the server, then
<title><command>managed-keys</command> Statement Definition
and Usage</title>
<para>
- The <command>managed-keys</command> statement, like
+ The <command>managed-keys</command> statement, like
<command>trusted-keys</command>, defines DNSSEC
security roots. The difference is that
<command>managed-keys</command> can be kept up to date
<literal>initial-key</literal>. The difference is, whereas the
keys listed in a <command>trusted-keys</command> continue to be
trusted until they are removed from
- <filename>named.conf</filename>, an initializing key listed
+ <filename>named.conf</filename>, an initializing key listed
in a <command>managed-keys</command> statement is only trusted
<emphasis>once</emphasis>: for as long as it takes to load the
managed key database and start the RFC 5011 key maintenance
type static-stub;
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
<optional> server-addresses { <optional> <replaceable>ip_addr</replaceable> ; ... </optional> }; </optional>
- <optional> server-names { <optional> <replaceable>namelist</replaceable> </optional> }; </optional>
+ <optional> server-names { <optional> <replaceable>namelist</replaceable> </optional> }; </optional>
<optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
};
<para>
Each static-stub zone is configured with
internally generated NS and (if necessary)
- glue A or AAAA RRs
+ glue A or AAAA RRs
</para>
</entry>
</row>
2001:ffff:ffff::100.100.100.2, one would
configure a type redirect zone named ".",
with the zone file containing wildcard records
- that point to the desired addresses:
+ that point to the desired addresses:
<literal>"*. IN A 100.100.100.2"</literal>
and
<literal>"*. IN AAAA 2001:ffff:ffff::100.100.100.2"</literal>.
<para>
To redirect all Spanish names (under .ES) one
would use similar entries but with the names
- "*.ES." instead of "*.". To redirect all
+ "*.ES." instead of "*.". To redirect all
commercial Spanish names (under COM.ES) one
would use wildcard entries called "*.COM.ES.".
</para>
<replaceable>zonename</replaceable></command> causes
<command>named</command> to load keys from the key
repository and sign the zone with all keys that are
- active.
+ active.
<command>rndc loadkeys
<replaceable>zonename</replaceable></command> causes
<command>named</command> to load keys from the key
the zone is updated.
</para>
<para>
- When set to
+ When set to
<command>serial-update-method unixtime;</command>, the
SOA serial number will be set to the number of seconds
since the UNIX epoch, unless the serial number is
</para>
</listitem>
</varlistentry>
-
+
<varlistentry>
<term><command>masterfile-format</command></term>
<listitem>
<para>
This rule takes a Windows machine principal
(machine$@REALM) for machine in REALM and
- and converts it machine.realm allowing the machine
+ and converts it machine.realm allowing the machine
to update machine.realm. The REALM to be matched
is specified in the <replaceable>identity</replaceable>
field.
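Review bot: the changed line "and converts it machine.realm allowing the machine" duplicates the "and" from the preceding context line and is missing "to"; it should read "converts it to machine.realm allowing the machine", matching the parallel wording "converts it to machine.realm" in the subdomain entry that follows. Since the hunk already touches this line, fix the wording here rather than committing a whitespace-only edit.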
</para>
</entry> <entry colname="2">
<para>
- This rule takes a Windows machine principal
+ This rule takes a Windows machine principal
(machine$@REALM) for machine in REALM and
converts it to machine.realm allowing the machine
to update subdomains of machine.realm. The REALM
<para>
This rule takes a Kerberos machine principal
(host/machine@REALM) for machine in REALM and
- and converts it machine.realm allowing the machine
+ and converts it machine.realm allowing the machine
to update machine.realm. The REALM to be matched
is specified in the <replaceable>identity</replaceable>
field.
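Review bot: same defect as in the Windows-principal entry: the changed line "and converts it machine.realm allowing the machine" repeats "and" and is missing "to" (expected "converts it to machine.realm allowing the machine", as in the subdomain entry below); correct it in this hunk while the line is being touched.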
</para>
</entry> <entry colname="2">
<para>
- This rule takes a Kerberos machine principal
+ This rule takes a Kerberos machine principal
(host/machine@REALM) for machine in REALM and
converts it to machine.realm allowing the machine
to update subdomains of machine.realm. The REALM
<para>
When used in the label (or name) field, the asperand or
at-sign (@) symbol represents the current origin.
- At the start of the zone file, it is the
+ At the start of the zone file, it is the
<<varname>zone_name</varname>> (followed by
trailing dot).
</para>