From: Tinderbox User named.conf file:
options { - [ attach-cachecache_name; ] - [ versionversion_string; ] - [ hostnamehostname_string; ] - [ server-idserver_id_string; ] - [ directorypath_name; ] - [ dnstap {message_type; ... } ; ] - [ dnstap-output (file|unix)path_name[ sizesize_spec] [ versions (number|unlimited) ] ; ] - [ dnstap-identity (string|hostname|none) ; ] - [ dnstap-version (string|none) ; ] - [ fstrm-set-buffer-hintnumber; ] - [ fstrm-set-flush-timeoutnumber; ] - [ fstrm-set-input-queue-sizenumber; ] - [ fstrm-set-output-notify-thresholdnumber; ] - [ fstrm-set-output-queue-model (mpsc|spsc) ; ] - [ fstrm-set-output-queue-sizenumber; ] - [ fstrm-set-reopen-intervalnumber; ] - [ geoip-directorypath_name; ] - [ key-directorypath_name; ] - [ managed-keys-directorypath_name; ] - [ named-xferpath_name; ] - [ tkey-gssapi-keytabpath_name; ] - [ tkey-gssapi-credentialprincipal; ] - [ tkey-domaindomain_name; ] - [ tkey-dhkeykey_namekey_tag; ] - [ cache-filepath_name; ] - [ dump-filepath_name; ] - [ bindkeys-filepath_name; ] - [ lock-filepath_name; ] - [ secroots-filepath_name; ] - [ session-keyfilepath_name; ] - [ session-keynamekey_name; ] - [ session-keyalgalgorithm_id; ] - [ memstatisticsyes_or_no; ] - [ memstatistics-filepath_name; ] - [ pid-filepath_name; ] - [ recursing-filepath_name; ] - [ statistics-filepath_name; ] - [ zone-statistics (full|terse|none) ; ] - [ auth-nxdomainyes_or_no; ] - [ nxdomain-redirectstring; ] - [ deallocate-on-exityes_or_no; ] - [ dialupdialup_option; ] - [ fake-iqueryyes_or_no; ] - [ fetch-glueyes_or_no; ] - [ flush-zones-on-shutdownyes_or_no; ] - [ has-old-clientsyes_or_no; ] - [ host-statisticsyes_or_no; ] - [ host-statistics-maxnumber; ] - [ minimal-anyyes_or_no; ] - [ minimal-responses (yes_or_no|no-auth|no-auth-recursive) ; ] - [ multiple-cnamesyes_or_no; ] - [ notify (yes_or_no|explicit|master-only) ; ] - [ recursionyes_or_no; ] - [ send-cookieyes_or_no; ] - [ require-server-cookieyes_or_no; ] - [ cookie-algorithmalgorithm_id; ] - [ 
cookie-secretsecret_string; ] - [ nocookie-udp-sizenumber; ] - [ request-nsidyes_or_no; ] - [ rfc2308-type1yes_or_no; ] - [ use-id-poolyes_or_no; ] - [ maintain-ixfr-baseyes_or_no; ] - [ ixfr-from-differences (yes_or_no|master|slave) ; ] - [ auto-dnssec (allow|maintain|off) ; ] - [ dnssec-enableyes_or_no; ] - [ dnssec-validation (yes_or_no|auto) ; ] - [ dnssec-lookaside (auto|no|domaintrust-anchordomain) ; ] - [ dnssec-must-be-securedomain yes_or_no; ] - [ dnssec-accept-expiredyes_or_no; ] - [ forward (only|first) ; ] - [ forwarders { - (ip_addr[ portip_port] [ dscpip_dscp] ; ) - ... - } ; ] - [ dual-stack-servers [ portip_port] [ dscpip_dscp] { - ( (domain_name|ip_addr) [ portip_port] [ dscpip_dscp] ; ) - ... - } ; ] - [ check-names (master|slave|response) - (warn|fail|ignore) ; ] - [ check-dup-records (warn|fail|ignore) ; ] - [ check-mx (warn|fail|ignore) ; ] - [ check-wildcardyes_or_no; ] - [ check-integrityyes_or_no; ] - [ check-mx-cname (warn|fail|ignore) ; ] - [ check-srv-cname (warn|fail|ignore) ; ] - [ check-siblingyes_or_no; ] - [ check-spf (warn|ignore) ; ] - [ allow-new-zonesyes_or_no; ] - [ allow-notify {address_match_list} ; ] - [ allow-query {address_match_list} ; ] - [ allow-query-on {address_match_list} ; ] - [ allow-query-cache {address_match_list} ; ] - [ allow-query-cache-on {address_match_list} ; ] - [ allow-transfer {address_match_list} ; ] - [ allow-recursion {address_match_list} ; ] - [ allow-recursion-on {address_match_list} ; ] - [ allow-update {address_match_list} ] - [ allow-update-forwarding {address_match_list} ; ] - [ automatic-interface-scanyes_or_no; ] - [ geoip-use-ecsyes_or_no; ] - [ update-check-kskyes_or_no; ] - [ dnssec-update-mode (maintain|no-resign) ; ] - [ dnssec-dnskey-kskonlyyes_or_no; ] - [ dnssec-loadkeys-intervalnumber; ] - [ dnssec-secure-to-insecureyes_or_no; ] - [ try-tcp-refreshyes_or_no; ] - [ allow-v6-synthesis {address_match_list} ; ] - [ blackhole {address_match_list} ; ] - [ keep-response-order 
{address_match_list} ; ] - [ no-case-compress {address_match_list} ; ] - [ message-compressionyes_or_no; ] - [ use-v4-udp-ports {port_list} ; ] - [ avoid-v4-udp-ports {port_list} ; ] - [ use-v6-udp-ports {port_list} ; ] - [ avoid-v6-udp-ports {port_list} ; ] - [ listen-on [ portip_port] [ dscpip_dscp] {address_match_list} ; ] - [ listen-on-v6 [ portip_port] [ dscpip_dscp] {address_match_list} ; ] - [ query-source ( [ address ] (ip4_addr|*) ) - [ port (ip_port|*) ] [ dscpip_dscp] ] ; - [ query-source-v6 ( [ address ] (ip6_addr|*) ) - [ port (ip_port|*) ] [ dscpip_dscp] ] ; - [ use-queryport-poolyes_or_no; ] - [ queryport-pool-portsnumber; ] - [ queryport-pool-updateintervalnumber; ] - [ max-recordsnumber; ] - [ max-transfer-time-innumber; ] - [ max-transfer-time-outnumber; ] - [ max-transfer-idle-innumber; ] - [ max-transfer-idle-outnumber; ] - [ reserved-socketsnumber; ] - [ recursive-clientsnumber; ] - [ tcp-clientsnumber; ] - [ clients-per-querynumber; ] - [ max-clients-per-querynumber; ] - [ fetches-per-servernumber[ (drop|fail) ] ; ] - [ fetches-per-zonenumber[ (drop|fail) ] ; ] - [ fetch-quota-paramsnumber fixedpoint fixedpoint fixedpoint; ] - [ notify-ratenumber; ] - [ startup-notify-ratenumber; ] - [ serial-query-ratenumber; ] - [ serial-queriesnumber; ] - [ tcp-listen-queuenumber; ] - [ tcp-initial-timeoutnumber; ] - [ tcp-idle-timeoutnumber; ] - [ tcp-keepalive-timeoutnumber; ] - [ tcp-advertised-timeoutnumber; ] - [ transfer-format (one-answer|many-answers) ; ] - [ transfer-message-sizenumber; ] - [ transfers-innumber; ] - [ transfers-outnumber; ] - [ transfers-per-nsnumber; ] - [ transfer-source (ip4_addr|*) - [ portip_port] [ dscpip_dscp] ; ] - [ transfer-source-v6 (ip6_addr|*) - [ portip_port] [ dscpip_dscp] ; ] - [ alt-transfer-source (ip4_addr|*) - [ portip_port] [ dscpip_dscp] ; ] - [ alt-transfer-source-v6 (ip6_addr|*) - [ portip_port] [ dscpip_dscp] ; ] - [ use-alt-transfer-sourceyes_or_no; ] - [ notify-delayseconds; ] - [ notify-source 
(ip4_addr|*) - [ portip_port] [ dscpip_dscp] ; ] - [ notify-source-v6 (ip6_addr|*) - [ portip_port] [ dscpip_dscp] ; ] - [ notify-to-soayes_or_no; ] - [ also-notify [ portip_port] [ dscpip_dscp] { - (masters|ip_addr[ portip_port] ) [ keykey_name] ; - ... - } ; ] - [ max-ixfr-log-sizenumber; ] - [ max-journal-sizesize_spec; ] - [ coresizesize_spec; ] - [ datasizesize_spec; ] - [ filessize_spec; ] - [ stacksizesize_spec; ] - [ cleaning-intervalnumber; ] - [ heartbeat-intervalnumber; ] - [ interface-intervalnumber; ] - [ statistics-intervalnumber; ] - [ topology {address_match_list} ; ] - [ sortlist {address_match_list} ; ] - [ rrset-order {order_spec; ... } ; ] - [ lame-ttlnumber; ] - [ max-ncache-ttlnumber; ] - [ max-cache-ttlnumber; ] - [ max-zone-ttl (unlimited|number) ; ] - [ serial-update-method (increment|unixtime|date) ; ] - [ servfail-ttlnumber; ] - [ sig-validity-intervalnumber[number] ; ] - [ sig-signing-nodesnumber; ] - [ sig-signing-signaturesnumber; ] - [ sig-signing-typenumber; ] - [ min-rootsnumber; ] - [ use-ixfryes_or_no; ] - [ provide-ixfryes_or_no; ] - [ request-ixfryes_or_no; ] - [ request-expireyes_or_no; ] - [ treat-cr-as-spaceyes_or_no; ] - [ min-refresh-timenumber; ] - [ max-refresh-timenumber; ] - [ min-retry-timenumber; ] - [ max-retry-timenumber; ] - [ nta-lifetimeduration; ] - [ nta-recheckduration; ] - [ portip_port; ] - [ dscpip_dscp; ] - [ additional-from-authyes_or_no; ] - [ additional-from-cacheyes_or_no; ] - [ random-devicepath_name; ] - [ max-cache-sizesize_or_percent; ] - [ match-mapped-addressesyes_or_no; ] - [ filter-aaaa-on-v4 (yes_or_no|break-dnssec) ; ] - [ filter-aaaa-on-v6 (yes_or_no|break-dnssec) ; ] - [ filter-aaaa {address_match_list} ; ] - [ dns64ipv6-prefix{ - [ clients {address_match_list} ; ] - [ mapped {address_match_list} ; ] - [ exclude {address_match_list} ; ] - [ suffixip6-address; ] - [ recursive-onlyyes_or_no; ] - [ break-dnssecyes_or_no; ] - } ; ] - [ dns64-servername] - [ dns64-contactname] - [ preferred-glue 
(A|AAAA|none); ] - [ edns-udp-sizenumber; ] - [ max-udp-sizenumber; ] - [ response-padding {address_match_list} block-sizenumber; ] - [ max-rsa-exponent-sizenumber; ] - [ root-delegation-only [ exclude {namelist} ] ; ] - [ querylogyes_or_no; ] - [ disable-algorithmsdomain{algorithm; ... } ; ] - [ disable-ds-digestsdomain{digest_type; ... } ; ] - [ acache-enableyes_or_no; ] - [ acache-cleaning-intervalnumber; ] - [ max-acache-sizesize_spec; ] - [ max-recursion-depthnumber; ] - [ max-recursion-queriesnumber; ] - [ masterfile-format (text|raw|map) ; ] - [ masterfile-style (relative|full) ; ] - [ empty-servername; ] - [ empty-contactname; ] - [ empty-zones-enableyes_or_no; ] - [ disable-empty-zonezone_name; ] - [ zero-no-soa-ttlyes_or_no; ] - [ zero-no-soa-ttl-cacheyes_or_no; ] - [ resolver-query-timeoutnumber; ] - [ deny-answer-addresses {address_match_list} - [ except-from {namelist} ] ; ] - [ deny-answer-aliases {namelist} - [ except-from {namelist} ] ; ] - [ prefetchnumber[number] ; ] - [ rate-limit { - [ responses-per-secondnumber; ] - [ referrals-per-secondnumber; ] - [ nodata-per-secondnumber; ] - [ nxdomains-per-secondnumber; ] - [ errors-per-secondnumber; ] - [ all-per-secondnumber; ] - [ windownumber; ] - [ log-onlyyes_or_no; ] - [ qps-scalenumber; ] - [ ipv4-prefix-lengthnumber; ] - [ ipv6-prefix-lengthnumber; ] - [ slipnumber; ] - [ exempt-clients {address_match_list} ; ] - [ max-table-sizenumber; ] - [ min-table-sizenumber; ] - } ; ] - [ response-policy { - zonezone_name- [ policy ( given | disabled | passthru | drop | - tcp-only | nxdomain | nodata | cnamedomain) ] - [ recursive-onlyyes_or_no] - [ logyes_or_no] - [ max-policy-ttlnumber] ; - ... 
- } [ recursive-onlyyes_or_no] - [ max-policy-ttlnumber] - [ break-dnssecyes_or_no] - [ min-ns-dotsnumber] - [ nsip-wait-recurseyes_or_no] - [ qname-wait-recurseyes_or_no] ; ] - [ catalog-zones { - zonequoted_string- [default-masters[ portip_port] [ dscpip_dscp] { - (masters_list|ip_addr[portip_port] [ keykey_name] ) ; - ... - } ] - [ zone-directorypath_name] - [ in-memoryyes_or_no] - [ min-update-intervalinterval] ; - ... - } ; ] - [ v6-biasnumber; ] -} ; ] +options { + [ attach-cache@@ -8192,6 +8193,15 @@ example.com CNAME rpz-tcp-only. turn off rewrite logging for a particular response policy zone. By default, all rewrites are logged. + +cache_name; ] + [ versionversion_string; ] + [ hostnamehostname_string; ] + [ server-idserver_id_string; ] + [ directorypath_name; ] + [ dnstap {message_type; ... }; ] + [ dnstap-output (file|unix)path_name; ] + [ dnstap-identity (string|hostname|none); ] + [ dnstap-version (string|none); ] + [ fstrm-set-buffer-hintnumber; ] + [ fstrm-set-flush-timeoutnumber; ] + [ fstrm-set-input-queue-sizenumber; ] + [ fstrm-set-output-notify-thresholdnumber; ] + [ fstrm-set-output-queue-model (mpsc| +spsc) ; ] + [ fstrm-set-output-queue-sizenumber; ] + [ fstrm-set-reopen-intervalnumber; ] + [ geoip-directorypath_name; ] + [ key-directorypath_name; ] + [ managed-keys-directorypath_name; ] + [ named-xferpath_name; ] + [ tkey-gssapi-keytabpath_name; ] + [ tkey-gssapi-credentialprincipal; ] + [ tkey-domaindomainname; ] + [ tkey-dhkeykey_namekey_tag; ] + [ cache-filepath_name; ] + [ dump-filepath_name; ] + [ bindkeys-filepath_name; ] + [ lock-filepath_name; ] + [ secroots-filepath_name; ] + [ session-keyfilepath_name; ] + [ session-keynamekey_name; ] + [ session-keyalgalgorithm_id; ] + [ memstatisticsyes_or_no; ] + [ memstatistics-filepath_name; ] + [ pid-filepath_name; ] + [ recursing-filepath_name; ] + [ statistics-filepath_name; ] + [ zone-statisticsfull|terse|none; ] + [ auth-nxdomainyes_or_no; ] + [ nxdomain-redirectstring; ] + [ 
deallocate-on-exityes_or_no; ] + [ dialupdialup_option; ] + [ fake-iqueryyes_or_no; ] + [ fetch-glueyes_or_no; ] + [ flush-zones-on-shutdownyes_or_no; ] + [ has-old-clientsyes_or_no; ] + [ host-statisticsyes_or_no; ] + [ host-statistics-maxnumber; ] + [ minimal-anyyes_or_no; ] + [ minimal-responses (yes_or_no|no-auth|no-auth-recursive); ] + [ multiple-cnamesyes_or_no; ] + [ notifyyes_or_no|explicit|master-only; ] + [ recursionyes_or_no; ] + [ send-cookieyes_or_no; ] + [ require-server-cookieyes_or_no; ] + [ cookie-algorithmalgorithm_id; ] + [ cookie-secretsecret_string; ] + [ nocookie-udp-sizenumber; ] + [ request-nsidyes_or_no; ] + [ rfc2308-type1yes_or_no; ] + [ use-id-poolyes_or_no; ] + [ maintain-ixfr-baseyes_or_no; ] + [ ixfr-from-differences (yes_or_no|master|slave); ] + [ auto-dnssecallow|maintain|off; ] + [ dnssec-enableyes_or_no; ] + [ dnssec-validation (yes_or_no|auto); ] + [ dnssec-lookaside (auto| +no| +domaintrust-anchordomain); ] + [ dnssec-must-be-securedomain yes_or_no; ] + [ dnssec-accept-expiredyes_or_no; ] + [ forward (only|first); ] + [ forwarders { [ip_addr[portip_port] [dscpip_dscp] ; ... ] }; ] + [ dual-stack-servers [portip_port] [dscpip_dscp] { + (domain_name[portip_port] [dscpip_dscp] | +ip_addr[portip_port] [dscpip_dscp]) ; + ... 
}; ] + [ check-names (master|slave|response) + (warn|fail|ignore); ] + [ check-dup-records (warn|fail|ignore); ] + [ check-mx (warn|fail|ignore); ] + [ check-wildcardyes_or_no; ] + [ check-integrityyes_or_no; ] + [ check-mx-cname (warn|fail|ignore); ] + [ check-srv-cname (warn|fail|ignore); ] + [ check-siblingyes_or_no; ] + [ check-spf (warn|ignore); ] + [ allow-new-zones {yes_or_no}; ] + [ allow-notify {address_match_list}; ] + [ allow-query {address_match_list}; ] + [ allow-query-on {address_match_list}; ] + [ allow-query-cache {address_match_list}; ] + [ allow-query-cache-on {address_match_list}; ] + [ allow-transfer {address_match_list}; ] + [ allow-recursion {address_match_list}; ] + [ allow-recursion-on {address_match_list}; ] + [ allow-update {address_match_list}; ] + [ allow-update-forwarding {address_match_list}; ] + [ automatic-interface-scan {yes_or_no}; ] + [ geoip-use-ecsyes_or_no;] + [ update-check-kskyes_or_no; ] + [ dnssec-update-mode (maintain|no-resign); ] + [ dnssec-dnskey-kskonlyyes_or_no; ] + [ dnssec-loadkeys-intervalnumber; ] + [ dnssec-secure-to-insecureyes_or_no;] + [ try-tcp-refreshyes_or_no; ] + [ allow-v6-synthesis {address_match_list}; ] + [ blackhole {address_match_list}; ] + [ keep-response-order {address_match_list}; ] + [ no-case-compress {address_match_list}; ] + [ message-compressionyes_or_no; ] + [ use-v4-udp-ports {port_list}; ] + [ avoid-v4-udp-ports {port_list}; ] + [ use-v6-udp-ports {port_list}; ] + [ avoid-v6-udp-ports {port_list}; ] + [ listen-on [ portip_port] [dscpip_dscp] {address_match_list}; ] + [ listen-on-v6 [ portip_port] [dscpip_dscp] +{address_match_list}; ] + [ query-source ( (ip4_addr|*) + [ port (ip_port|*) ] + [ dscpip_dscp] | + [ address (ip4_addr|*) ] + [ port (ip_port|*) ] ) + [ dscpip_dscp] ; ] + [ query-source-v6 ( (ip6_addr|*) + [ port (ip_port|*) ] + [ dscpip_dscp] | + [ address (ip6_addr|*) ] + [ port (ip_port|*) ] ) + [ dscpip_dscp] ; ] + [ use-queryport-poolyes_or_no; ] + [ 
queryport-pool-portsnumber; ] + [ queryport-pool-updateintervalnumber; ] + [ max-transfer-time-innumber; ] + [ max-transfer-time-outnumber; ] + [ max-transfer-idle-innumber; ] + [ max-transfer-idle-outnumber; ] + [ reserved-socketsnumber; ] + [ recursive-clientsnumber; ] + [ tcp-clientsnumber; ] + [ clients-per-querynumber; ] + [ max-clients-per-querynumber; ] + [ fetches-per-servernumber[(drop | fail)]; ] + [ fetch-quota-paramsnumber fixedpoint fixedpoint fixedpoint; ] + [ fetches-per-zonenumber[(drop | fail)]; ] + [ notify-ratenumber; ] + [ startup-notify-ratenumber; ] + [ serial-query-ratenumber; ] + [ serial-queriesnumber; ] + [ tcp-listen-queuenumber; ] + [ transfer-format( one-answer | many-answers ); ] + [ transfer-message-sizenumber; ] + [ transfers-innumber; ] + [ transfers-outnumber; ] + [ transfers-per-nsnumber; ] + [ transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] + [ transfer-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] + [ alt-transfer-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] + [ alt-transfer-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] + [ use-alt-transfer-sourceyes_or_no; ] + [ notify-delayseconds; ] + [ notify-source (ip4_addr|*) [portip_port] [dscpip_dscp] ; ] + [ notify-source-v6 (ip6_addr|*) [portip_port] [dscpip_dscp] ; ] + [ notify-to-soayes_or_no; ] + [ also-notify [portip_port] [dscpip_dscp] { (masters|ip_addr+ [portip_port] ) [keykeyname] ; ... }; ] + [ max-ixfr-log-sizenumber; ] + [ max-journal-sizesize_spec; ] + [ coresizesize_spec; ] + [ datasizesize_spec; ] + [ filessize_spec; ] + [ stacksizesize_spec; ] + [ cleaning-intervalnumber; ] + [ heartbeat-intervalnumber; ] + [ interface-intervalnumber; ] + [ statistics-intervalnumber; ] + [ topology {address_match_list}]; + [ sortlist {address_match_list}]; + [ rrset-order {order_spec; [order_spec; ... 
] ] }; + [ lame-ttlnumber; ] + [ max-ncache-ttlnumber; ] + [ max-cache-ttlnumber; ] + [ max-zone-ttl (unlimited|number; ] + [ serial-update-methodincrement|unixtime|date; ] + [ servfail-ttlnumber; ] + [ sig-validity-intervalnumber[number] ; ] + [ sig-signing-nodesnumber; ] + [ sig-signing-signaturesnumber; ] + [ sig-signing-typenumber; ] + [ min-rootsnumber; ] + [ use-ixfryes_or_no; ] + [ provide-ixfryes_or_no; ] + [ request-ixfryes_or_no; ] + [ request-expireyes_or_no; ] + [ treat-cr-as-spaceyes_or_no; ] + [ min-refresh-timenumber; ] + [ max-refresh-timenumber; ] + [ min-retry-timenumber; ] + [ max-retry-timenumber; ] + [ nta-lifetimeduration; ] + [ nta-recheckduration; ] + [ portip_port; ] + [ dscpip_dscp] ; + [ additional-from-authyes_or_no; ] + [ additional-from-cacheyes_or_no; ] + [ random-devicepath_name; ] + [ max-cache-sizesize_or_percent; ] + [ match-mapped-addressesyes_or_no; ] + [ filter-aaaa-on-v4 (yes_or_no|break-dnssec); ] + [ filter-aaaa-on-v6 (yes_or_no|break-dnssec); ] + [ filter-aaaa {address_match_list}; ] + [ dns64ipv6-prefix{ + [ clients {address_match_list}; ] + [ mapped {address_match_list}; ] + [ exclude {address_match_list}; ] + [ suffixIPv6-address; ] + [ recursive-onlyyes_or_no; ] + [ break-dnssecyes_or_no; ] + }; ]; + [ dns64-servername] + [ dns64-contactname] + [ preferred-glue (A|AAAA|NONE); ] + [ edns-udp-sizenumber; ] + [ max-udp-sizenumber; ] + [ max-rsa-exponent-sizenumber; ] + [ root-delegation-only [ exclude {namelist} ] ; ] + [ querylogyes_or_no; ] + [ disable-algorithmsdomain{algorithm; + [algorithm; ] }; ] + [ disable-ds-digestsdomain{digest_type; + [digest_type; ] }; ] + [ acache-enableyes_or_no; ] + [ acache-cleaning-intervalnumber; ] + [ max-acache-sizesize_spec; ] + [ max-recursion-depthnumber; ] + [ max-recursion-queriesnumber; ] + [ masterfile-format + (text|raw|map) ; ] + [ masterfile-style + (relative|full) ; ] + [ empty-servername; ] + [ empty-contactname; ] + [ empty-zones-enableyes_or_no; ] + [ 
disable-empty-zonezone_name; ] + [ zero-no-soa-ttlyes_or_no; ] + [ zero-no-soa-ttl-cacheyes_or_no; ] + [ resolver-query-timeoutnumber; ] + [ deny-answer-addresses {address_match_list} [ except-from {namelist} ];] + [ deny-answer-aliases {namelist} [ except-from {namelist} ];] + [ prefetchnumber[number] ; ] + + [ rate-limit { + [ responses-per-secondnumber; ] + [ referrals-per-secondnumber; ] + [ nodata-per-secondnumber; ] + [ nxdomains-per-secondnumber; ] + [ errors-per-secondnumber; ] + [ all-per-secondnumber; ] + [ windownumber; ] + [ log-onlyyes_or_no; ] + [ qps-scalenumber; ] + [ ipv4-prefix-lengthnumber; ] + [ ipv6-prefix-lengthnumber; ] + [ slipnumber; ] + [ exempt-clients {address_match_list} ; ] + [ max-table-sizenumber; ] + [ min-table-sizenumber; ] + } ; ] + [ response-policy { + zonezone_name+ [ policy(given | disabled | passthru | drop | + tcp-only | nxdomain | nodata | cname domain) ] + [ recursive-onlyyes_or_no] + [ logyes_or_no] + [ max-policy-ttlnumber] + [ min-update-intervalnumber] + ; [...] + } [ recursive-onlyyes_or_no] + [ max-policy-ttlnumber] + [ min-update-intervalnumber] + [ break-dnssecyes_or_no] + [ min-ns-dotsnumber] + [ nsip-wait-recurseyes_or_no] + [ qname-wait-recurseyes_or_no] + [ automatic-interface-scanyes_or_no] + ; ] + [ catalog-zones { + zonequoted_string+ [ default-masters + [portip_port] + [dscpip_dscp] + { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] }] + [in-memoryyes_or_no] + [min-update-intervalinterval] + ; [...] }; + ; ] + [v6-biasnumber; ] +};+ Updates to RPZ zones are processed asynchronously; if there + is more than one update pending they are bundled together. + If an update to a RPZ zone (for example, via IXFR) happens less + than
min-update-intervalseconds after the most + recent update, then the changes will not be carried out until this + interval has elapsed. The default is5seconds. +
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index be410fe5f83..139a77b15cd 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -278,6 +278,19 @@
- +
+ The Response Policy Zone (RPZ) implementation has been + substantially refactored: updates to the RPZ summary + database are no longer directly performed by the zone + database but by a separate function that is called when + a policy zone is updated. This improves both performance + and reliability when policy zones receive frequent updates. + Summary database updates can be rate-limited by using the + min-update-interval option in a + response-policy statement. [RT #43449] +
+- +
dnstap now stores both the local and remote addresses for all messages, instead of only the remote address. The default output format for dnstap-read has
diff --git a/doc/arm/notes.html b/doc/arm/notes.html
index aa00a1aa631..ee80220de8c 100644
--- a/doc/arm/notes.html
+++ b/doc/arm/notes.html
@@ -241,6 +241,19 @@
- +
+ The Response Policy Zone (RPZ) implementation has been + substantially refactored: updates to the RPZ summary + database are no longer directly performed by the zone + database but by a separate function that is called when + a policy zone is updated. This improves both performance + and reliability when policy zones receive frequent updates. + Summary database updates can be rate-limited by using the + min-update-interval option in a + response-policy statement. [RT #43449] +
+- +
dnstap now stores both the local and remote addresses for all messages, instead of only the remote address. The default output format for dnstap-read has
diff --git a/doc/misc/options b/doc/misc/options
index c697de264fd..68dd47ba0f7 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -303,7 +303,7 @@ options {
; response-policy { zone [ log ] [ max-policy-ttl ] [ min-update-interval ] [ - policy ( cname | disabled | drop | given | no-op | nodata | + policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only ) ] [ recursive-only ]; ... } [ break-dnssec ] [ max-policy-ttl ] [ min-update-interval ] [ @@ -613,7 +613,7 @@ view [ ] { response-policy { zone [ log ] [ max-policy-ttl ] [ min-update-interval ] [ policy ( cname | disabled | drop | given | no-op | nodata | - nxdomain | passthru | tcp-only | ) ] [ + nxdomain | passthru | tcp-only ) ] [ recursive-only ]; ... } [ break-dnssec ] [ max-policy-ttl ] [ min-update-interval ] [ min-ns-dots ] [ nsip-wait-recurse ] [