max-zone-ttl ( unlimited | <replaceable>ttlval</replaceable> );
min-refresh-time <replaceable>integer</replaceable>;
min-retry-time <replaceable>integer</replaceable>;
+ mirror <replaceable>boolean</replaceable>;
multi-master <replaceable>boolean</replaceable>;
notify ( explicit | master-only | <replaceable>boolean</replaceable> );
notify-delay <replaceable>integer</replaceable>;
max-zone-ttl ( unlimited | <replaceable>ttlval</replaceable> );
min-refresh-time <replaceable>integer</replaceable>;
min-retry-time <replaceable>integer</replaceable>;
+ mirror <replaceable>boolean</replaceable>;
multi-master <replaceable>boolean</replaceable>;
notify ( explicit | master-only | <replaceable>boolean</replaceable> );
notify-delay <replaceable>integer</replaceable>;
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><command>mirror</command></term>
+ <listitem>
+ <para>
+ If set to <userinput>yes</userinput>, causes the
+ zone to become a mirror zone. A mirror zone is a
+ <userinput>slave</userinput> zone whose every
+ version is subject to DNSSEC validation before being
+ used. In order for zone validation to succeed, its
+ KSK must be configured as a trust anchor. Answers
+ coming from a mirror zone look almost exactly like
+ answers from a regular <userinput>slave</userinput>
+ zone, with the notable exception of the AA bit not
+ being set. The default is <userinput>no</userinput>.
+ This option is meant to be used for deploying an RFC
+ 7706-style local copy of the root zone, e.g. using a
+ configuration like this:
+ </para>
+<programlisting>zone "." {
+ type slave;
+ mirror yes;
+ file "root.mirror";
+ masters {
+ 192.228.79.201; # b.root-servers.net
+ 192.33.4.12; # c.root-servers.net
+ 192.5.5.241; # f.root-servers.net
+ 192.112.36.4; # g.root-servers.net
+ 193.0.14.129; # k.root-servers.net
+ 192.0.47.132; # xfr.cjr.dns.icann.org
+ 192.0.32.132; # xfr.lax.dns.icann.org
+ 2001:500:84::b; # b.root-servers.net
+ 2001:500:2f::f; # f.root-servers.net
+ 2001:7fd::1; # k.root-servers.net
+ 2620:0:2830:202::132; # xfr.cjr.dns.icann.org
+ 2620:0:2d0:202::132; # xfr.lax.dns.icann.org
+ };
+};</programlisting>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><command>multi-master</command></term>
<listitem>
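Review bot: The added `mirror` paragraph says every version is validated "before being used", but it never states what happens when validation fails or when no trust anchor for the zone's KSK is configured, which is the case an operator most needs documented. I would add a sentence after "configured as a trust anchor" along the lines of `If validation of a transferred version fails, that version is not used; <state what is served instead and what is logged>.` The actual behaviour is not visible in this hunk, so the placeholder has to be filled in from the implementation. It would also help to name the statement meant for the trust anchor (presumably `managed-keys` or `trusted-keys`). The `masters` list in the example configures no transfer authentication, so a short remark that integrity rests on the validation step, and that the hard-coded addresses should be checked for currency before being copied, would be worth adding.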
<command>min-retry-time</command> <replaceable>integer</replaceable>;
<command>minimal-any</command> <replaceable>boolean</replaceable>;
<command>minimal-responses</command> ( no-auth | no-auth-recursive | <replaceable>boolean</replaceable> );
+ <command>mirror</command> <replaceable>boolean</replaceable>;
<command>multi-master</command> <replaceable>boolean</replaceable>;
<command>new-zones-directory</command> <replaceable>quoted_string</replaceable>;
<command>no-case-compress</command> { <replaceable>address_match_element</replaceable>; ... };
<command>max-transfer-time-out</command> <replaceable>integer</replaceable>;
<command>min-refresh-time</command> <replaceable>integer</replaceable>;
<command>min-retry-time</command> <replaceable>integer</replaceable>;
+ <command>mirror</command> <replaceable>boolean</replaceable>;
<command>multi-master</command> <replaceable>boolean</replaceable>;
<command>notify</command> ( explicit | master-only | <replaceable>boolean</replaceable> );
<command>notify-delay</command> <replaceable>integer</replaceable>;
max-zone-ttl ( unlimited | <ttlval> );
min-refresh-time <integer>;
min-retry-time <integer>;
+ mirror <boolean>;
multi-master <boolean>;
notify ( explicit | master-only | <boolean> );
notify-delay <integer>;
max-zone-ttl ( unlimited | <ttlval> );
min-refresh-time <integer>;
min-retry-time <integer>;
+ mirror <boolean>;
multi-master <boolean>;
notify ( explicit | master-only | <boolean> );
notify-delay <integer>;
max-transfer-time-out <integer>;
min-refresh-time <integer>;
min-retry-time <integer>;
+ mirror <boolean>;
multi-master <boolean>;
notify ( explicit | master-only | <boolean> );
notify-delay <integer>;