/*
* This is a worthless, nonrunnable example of a named.conf file that has
* every conceivable syntax element in use. We use it to test the parser.
* It could also be used as a conceptual template for users of new features.
*/
/*
* C-style comments are OK
*/
// So are C++-style comments
# So are shell-style comments
// watch out for ";" -- it's important!
options {
directory "."; // use current directory
named-xfer "/usr/libexec/named-xfer"; // _PATH_XFER
dump-file "named_dump.db"; // _PATH_DUMPFILE
pid-file "/var/run/named.pid"; // _PATH_PIDFILE
statistics-file "named.stats"; // _PATH_STATS
memstatistics-file "named.memstats"; // _PATH_MEMSTATS
check-names master fail;
check-names slave warn;
check-names response ignore;
host-statistics no;
deallocate-on-exit no; // Painstakingly deallocate all
// objects when exiting instead of
// letting the OS clean up for us.
// Useful a memory leak is suspected.
// Final statistics are written to the
// memstatistics-file.
datasize default;
stacksize default;
coresize default;
files unlimited;
recursion yes;
fetch-glue yes;
fake-iquery no;
notify yes; // send NOTIFY messages. You can set
// notify on a zone-by-zone
// basis in the "zone" statement
// see (below)
max-serial-queries 4; // number of parallel SOA queries
// we can have outstanding for master
// zone change testing purposes
auth-nxdomain yes; // always set AA on NXDOMAIN.
// don't set this to 'no' unless
// you know what you're doing -- older
// servers won't like it.
multiple-cnames no; // if yes, then a name my have more
// than one CNAME RR. This use
// is non-standard and is not
// recommended, but it is available
// because previous releases supported
// it and it was used by large sites
// for load balancing.
allow-query { any; };
allow-transfer { any; };
transfers-in 10; // DEFAULT_XFERS_RUNNING, cannot be
// set > than MAX_XFERS_RUNNING (20)
transfers-per-ns 2; // DEFAULT_XFERS_PER_NS
transfers-out 0; // not implemented
max-transfer-time-in 120; // MAX_XFER_TIME; the default number
// of minutes an inbound zone transfer
// may run. May be set on a per-zone
// basis.
/*
* The "transfer-format" option specifies the way outbound zone
* transfers (i.e. from us to them) are formatted. Two values are
* allowed:
*
* one-answer Each RR gets its own DNS message.
* This format is not very efficient,
* but is widely understood. All
* versions of BIND prior to 8.1 generate
* this format for outbound zone
* and require it on inbound transfers.
*
* many-answers As many RRs as will fit are put into
* each DNS message. This format is
* the most efficient, but is only known
* to work with BIND 8. Patches to
* BIND 4.9.5 named-xfer that enable it
* to understand 'many-answers' will be
* available.
*
* If you are going to be doing zone transfers to older servers, you
* shouldn't use 'many-answers'. 'transfer-format' may also be set
* on a host-by-host basis using the 'server' statement (see below).
*/
transfer-format one-answer;
query-source address * port *;
/*
* The "forward" option is only meaningful if you've defined
* forwarders. "first" gives the normal BIND
* forwarding behavior, i.e. ask the forwarders first, and if that
* doesn't work then do the full lookup. You can also say
* "forward only;" which is what used to be specified with
* "slave" or "options forward-only". "only" will never attempt
* a full lookup; only the forwarders will be used.
*/
forward first;
forwarders { }; // default is no forwarders
/*
* Here's a forwarders example that isn't trivial
*/
/*
forwarders {
1.2.3.4;
5.6.7.8;
};
*/
topology { localhost; localnets; }; // prefer local nameservers
/*
* Here's a more complicated topology example; it's commented out
* because only one topology block is allowed.
*
topology {
10/8; // prefer network 10.0.0.0
// netmask 255.0.0.0 most
!1.2.3/24; // don't like 1.2.3.0 netmask
// 255.255.255.0 at all
{ 1.2/16; 3/8; }; // like 1.2.0.0 netmask 255.255.0.0
// and 3.0.0.0 netmask 255.0.0.0
// equally well, but less than 10/8
};
*/
listen-on port 53 { any; }; // listen for queries on port 53 on
// any interface on the system
// (i.e. all interfaces). The
// "port 53" is optional; if you
// don't specify a port, port 53
// is assumed.
/*
* Multiple listen-on statements are allowed. Here's a more
* complicated example:
*/
/*
*/
listen-on { 5.6.7.8; }; // listen on port 53 on interface
// 5.6.7.8
listen-on port 1234 { // listen on port 1234 on any
!1.2.3.4; // interface on network 1.2.3
1.2.3/24; // netmask 255.255.255.0, except for
}; // interface 1.2.3.4.
/*
* Interval Timers
*/
cleaning-interval 60; // clean the cache of expired RRs
// every 'cleaning-interval' minutes
interface-interval 60; // scan for new or deleted interfaces
// every 'interface-interval' minutes
statistics-interval 60; // log statistics every
// 'statistics-interval' minutes
/*
* IXFR options
*/
maintain-ixfr-base no; // If yes, keep transaction log file for IXFR
max-ixfr-log-size 20; // Not implemented, maximum size the
// IXFR transaction log file to grow
};
/*
* Control listeners, for "ndc". Every nameserver needs at least one.
*/
controls {
inet * port 52 allow { any; }; // a bad idea
unix "/var/run/ndc" perm 0600 owner 0 group 0; // the default
};
zone "master.demo.zone" {
type master; // what used to be called "primary"
file "master.demo.zone";
check-names fail;
allow-update { none; };
allow-transfer { any; };
allow-query { any; };
// notify yes; // send NOTIFY messages for this
// zone? The global option is used
// if "notify" is not specified
// here.
also-notify { }; // don't notify any nameservers other
// than those on the NS list for this
// zone
};
zone "slave.demo.zone" {
type slave; // what used to be called "secondary"
file "slave.demo.zone";
ixfr-base "slave.demo.zone.ixfr"; // File name for IXFR transaction log file
masters {
1.2.3.4; // where to zone transfer from
5.6.7.8;
};
transfer-source 10.0.0.53; // fixes multihoming problems
check-names warn;
allow-update { none; };
allow-transfer { any; };
allow-query { any; };
max-transfer-time-in 120; // if not set, global option is used.
also-notify { }; // don't notify any nameservers other
// than those on the NS list for this
// zone
};
zone "stub.demo.zone" {
type stub; // stub zones are like slave zones,
// except that only the NS records
// are transferred.
file "stub.demo.zone";
masters {
1.2.3.4; // where to zone transfer from
5.6.7.8;
};
check-names warn;
allow-update { none; };
allow-transfer { any; };
allow-query { any; };
max-transfer-time-in 120; // if not set, global option is used.
};
zone "." {
type hint; // used to be specified w/ "cache"
file "cache.db";
pubkey 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
};
trusted-keys {
. 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
};
acl can_query { !1.2.3/24; any; }; // network 1.2.3.0 mask 255.255.255.0
// is disallowed; rest are OK
acl can_axfr { 1.2.3.4; can_query; }; // host 1.2.3.4 and any host allowed
// by can_query are OK
zone "non-default-acl.demo.zone" {
type master;
file "foo";
allow-query { can_query; };
allow-transfer { can_axfr; };
allow-update {
1.2.3.4;
5.6.7.8;
};
};
key sample_key { // for TSIG
algorithm hmac-md5; // hmac-md5 is the supported algorithm
secret "abcdefgh"; // base 64 encoded secret
};
key key2 {
algorithm hmac-md5;
secret "87654321";
};
acl key_acl { key sample_key; }; // a request signed with sample_key
server 1.2.3.4 {
bogus no; // if yes, we won't query or listen
// to this server
transfer-format one-answer; // set transfer format for this
// server (see the description of
// 'transfer-format' above)
// if not specified, the global option
// will be used
transfers 0; // not implemented
keys { sample_key; key2; }; // for TSIG; sign requests to this
// server with this key
support-ixfr yes; // for IXFR supported by server
// if yes, the listed server talks IXFR
};
logging {
/*
* All log output goes to one or more "channels"; you can make as
* many of them as you want.
*/
channel syslog_errors { // this channel will send errors or
syslog user; // or worse to syslog (user facility)
severity error;
};
/*
* Channels have a severity level. Messages at severity levels
* greater than or equal to the channel's level will be logged on
* the channel. In order of decreasing severity, the levels are:
*
* critical a fatal error
* error
* warning
* notice a normal, but significant event
* info an informational message
* debug 1 the least detailed debugging info
* ...
* debug 99 the most detailed debugging info
*/
/*
* Here are the built-in channels:
*
* channel default_syslog {
* syslog daemon;
* severity info;
* };
*
* channel default_debug {
* file "named.run"; // note: stderr is used instead
* // of "named.run" if the server
* // is started with the "-f"
* // option.
* severity dynamic; // this means log debugging
* // at whatever debugging level
* // the server is at, and don't
* // log anything if not
* // debugging.
* };
*
* channel null { // this is the bit bucket;
* file "/dev/null"; // any logging to this channel
* // is discarded.
* };
*
* channel default_stderr { // writes to stderr
* file "<stderr>"; // this is illustrative only;
* // there's currently no way
* // of saying "stderr" in the
* // configuration language.
* // i.e. don't try this at home.
* severity info;
* };
*
* default_stderr only works before the server daemonizes (i.e.
* during initial startup) or when it is running in foreground
* mode (-f command line option).
*/
/*
* There are many categories, so you can send the logs
* you want to see wherever you want, without seeing logs you
* don't want. Right now the categories are
*
* default the catch-all. many things still
* aren't classified into categories, and
* they all end up here. also, if you
* don't specify any channels for a
* category, the default category is used
* instead.
* config high-level configuration file
* processing
* parser low-level configuration file processing
* queries what used to be called "query logging"
* lame-servers messages like "Lame server on ..."
* statistics
* panic if the server has to shut itself
* down due to an internal problem, it
* logs the problem here (as well as
* in the problem's native category)
* update dynamic update
* ncache negative caching
* xfer-in zone transfers we're receiving
* xfer-out zone transfers we're sending
* db all database operations
* eventlib debugging info from the event system
* (see below)
* packet dumps of packets received and sent
* (see below)
* notify the NOTIFY protocol
* cname messages like "XX points to a CNAME"
* security approved/unapproved requests
* os operating system problems
* insist consistency check failures
* maintenance periodic maintenance
* load zone loading
* response-checks messages like
* "Malformed response ..."
* "wrong ans. name ..."
* "unrelated additional info ..."
* "invalid RR type ..."
* "bad referral ..."
*/
category parser {
syslog_errors; // you can log to as many channels
default_syslog; // as you want
};
category lame-servers { null; }; // don't log these at all
channel moderate_debug {
severity debug 3; // level 3 debugging to file
file "foo"; // foo
print-time yes; // timestamp log entries
print-category yes; // print category name
print-severity yes; // print severity level
/*
* Note that debugging must have been turned on either
* on the command line or with a signal to get debugging
* output (non-debugging output will still be written to
* this channel).
*/
};
/*
* If you don't want to see "zone XXXX loaded" messages but do
* want to see any problems, you could do the following.
*/
channel no_info_messages {
syslog;
severity notice;
};
category load { no_info_messages; };
/*
* You can also define category "default"; it gets used when no
* "category" statement has been given for a category.
*/
category default {
default_syslog;
moderate_debug;
};
/*
* If you don't define category default yourself, the default
* default category will be used. It is
*
* category default { default_syslog; default_debug; };
*/
/*
* If you don't define category panic yourself, the default
* panic category will be used. It is
*
* category panic { default_syslog; default_stderr; };
*/
/*
* Two categories, 'packet' and 'eventlib', are special. Only one
* channel may be assigned to each of them, and it must be a
* file channel. If you don't define them yourself, they default to
*
* category eventlib { default_debug; };
*
* category packet { default_debug; };
*/
};
include "t/include.conf"; // can't do within a statement