/* * This is a worthless, nonrunnable example of a named.conf file that has * every conceivable syntax element in use. We use it to test the parser. * It could also be used as a conceptual template for users of new features. */ /* * C-style comments are OK */ // So are C++-style comments # So are shell-style comments // watch out for ";" -- it's important! key sample_key { // for TSIG algorithm hmac-md5; // hmac-md5 is the supported algorithm secret "abcdefgh"; // base 64 encoded secret }; key key2 { algorithm hmac-md5; secret "87654321"; }; options { directory "."; // use current directory named-xfer "/usr/libexec/named-xfer"; // _PATH_XFER dump-file "named_dump.db"; // _PATH_DUMPFILE pid-file "/var/run/named.pid"; // _PATH_PIDFILE statistics-file "named.stats"; // _PATH_STATS memstatistics-file "named.memstats"; // _PATH_MEMSTATS check-names master fail; check-names slave warn; check-names response ignore; host-statistics no; deallocate-on-exit no; // Painstakingly deallocate all // objects when exiting instead of // letting the OS clean up for us. // Useful a memory leak is suspected. // Final statistics are written to the // memstatistics-file. datasize default; stacksize default; coresize default; files unlimited; recursion yes; fetch-glue yes; fake-iquery no; notify yes; // send NOTIFY messages. You can set // notify on a zone-by-zone // basis in the "zone" statement // see (below) // notify explicit; // only sent the notifies to the // also-notify list serial-queries 4; // number of parallel SOA queries // we can have outstanding for master // zone change testing purposes auth-nxdomain yes; // always set AA on NXDOMAIN. // don't set this to 'no' unless // you know what you're doing -- older // servers won't like it. multiple-cnames no; // if yes, then a name my have more // than one CNAME RR. This use // is non-standard and is not // recommended, but it is available // because previous releases supported // it and it was used by large sites // for load balancing. allow-query { any; }; allow-transfer { any; }; transfers-in 10; // DEFAULT_XFERS_RUNNING, cannot be // set > than MAX_XFERS_RUNNING (20) transfers-per-ns 2; // DEFAULT_XFERS_PER_NS transfers-out 0; // not implemented max-transfer-time-in 120; // MAX_XFER_TIME; the default number // of minutes an inbound zone transfer // may run. May be set on a per-zone // basis. /* * The "transfer-format" option specifies the way outbound zone * transfers (i.e. from us to them) are formatted. Two values are * allowed: * * one-answer Each RR gets its own DNS message. * This format is not very efficient, * but is widely understood. All * versions of BIND prior to 8.1 generate * this format for outbound zone * and require it on inbound transfers. * * many-answers As many RRs as will fit are put into * each DNS message. This format is * the most efficient, but is only known * to work with BIND 8. Patches to * BIND 4.9.5 named-xfer that enable it * to understand 'many-answers' will be * available. * * If you are going to be doing zone transfers to older servers, you * shouldn't use 'many-answers'. 'transfer-format' may also be set * on a host-by-host basis using the 'server' statement (see below). */ transfer-format one-answer; query-source address * port *; /* * The "forward" option is only meaningful if you've defined * forwarders. "first" gives the normal BIND * forwarding behavior, i.e. ask the forwarders first, and if that * doesn't work then do the full lookup. You can also say * "forward only;" which is what used to be specified with * "slave" or "options forward-only". "only" will never attempt * a full lookup; only the forwarders will be used. */ forward first; forwarders { }; // default is no forwarders /* * Here's a forwarders example that isn't trivial */ /* forwarders { 1.2.3.4; 5.6.7.8; }; */ topology { localhost; localnets; }; // prefer local nameservers /* * Here's a more complicated topology example; it's commented out * because only one topology block is allowed. * topology { 10/8; // prefer network 10.0.0.0 // netmask 255.0.0.0 most !1.2.3/24; // don't like 1.2.3.0 netmask // 255.255.255.0 at all { 1.2/16; 3/8; }; // like 1.2.0.0 netmask 255.255.0.0 // and 3.0.0.0 netmask 255.0.0.0 // equally well, but less than 10/8 }; */ listen-on port 53 { any; }; // listen for queries on port 53 on // any interface on the system // (i.e. all interfaces). The // "port 53" is optional; if you // don't specify a port, port 53 // is assumed. /* * Multiple listen-on statements are allowed. Here's a more * complicated example: */ /* listen-on { 5.6.7.8; }; // listen on port 53 on interface // 5.6.7.8 listen-on port 1234 { // listen on port 1234 on any !1.2.3.4; // interface on network 1.2.3 1.2.3/24; // netmask 255.255.255.0, except for }; // interface 1.2.3.4. */ /* * Interval Timers */ cleaning-interval 60; // clean the cache of expired RRs // every 'cleaning-interval' minutes interface-interval 60; // scan for new or deleted interfaces // every 'interface-interval' minutes statistics-interval 60; // log statistics every // 'statistics-interval' minutes /* * IXFR options */ maintain-ixfr-base no; // If yes, keep transaction log file for IXFR max-ixfr-log-size 20; // Not implemented, maximum size the // IXFR transaction log file to grow }; /* * Control listeners, for "ndc". Every nameserver needs at least one. */ controls { inet * port 52 allow { any; }; // a bad idea unix "/var/run/ndc" perm 0600 owner 0 group 0; // the default }; zone "master.demo.zone" { type master; // what used to be called "primary" file "master.demo.zone"; check-names fail; allow-update { none; }; allow-transfer { any; }; allow-query { any; }; // notify yes; // send NOTIFY messages for this // zone? The global option is used // if "notify" is not specified // here. // notify explicit; // only sent the notifies to the // also-notify list also-notify { }; // don't notify any nameservers other // than those on the NS list for this // zone }; zone "slave.demo.zone" { type slave; // what used to be called "secondary" file "slave.demo.zone"; ixfr-base "slave.demo.zone.ixfr"; // File name for IXFR transaction log file masters { 1.2.3.4; // where to zone transfer from 5.6.7.8 key key2; }; transfer-source 10.0.0.53; // fixes multihoming problems check-names warn; allow-update { none; }; allow-transfer { any; }; allow-query { any; }; max-transfer-time-in 120; // if not set, global option is used. also-notify { }; // don't notify any nameservers other // than those on the NS list for this // zone }; zone "stub.demo.zone" { type stub; // stub zones are like slave zones, // except that only the NS records // are transferred. file "stub.demo.zone"; masters { 1.2.3.4; // where to zone transfer from 5.6.7.8; }; check-names warn; allow-update { none; }; allow-transfer { any; }; allow-query { any; }; max-transfer-time-in 120; // if not set, global option is used. }; zone "." { type hint; // used to be specified w/ "cache" file "cache.db"; pubkey 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q=="; }; trusted-keys { . 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q=="; }; acl can_query { !1.2.3/24; any; }; // network 1.2.3.0 mask 255.255.255.0 // is disallowed; rest are OK acl can_axfr { 1.2.3.4; can_query; }; // host 1.2.3.4 and any host allowed // by can_query are OK zone "non-default-acl.demo.zone" { type master; file "foo"; allow-query { can_query; }; allow-transfer { can_axfr; }; allow-update { 1.2.3.4; 5.6.7.8; }; }; acl key_acl { key sample_key; }; // a request signed with sample_key server 1.2.3.4 { edns no; // if no, we won't send ends queries // to this server bogus no; // if yes, we won't query or listen // to this server transfer-format one-answer; // set transfer format for this // server (see the description of // 'transfer-format' above) // if not specified, the global option // will be used transfers 0; // not implemented keys { sample_key; key2; }; // for TSIG; sign requests to this // server with this key support-ixfr yes; // for IXFR supported by server // if yes, the listed server talks IXFR }; logging { /* * All log output goes to one or more "channels"; you can make as * many of them as you want. */ channel syslog_errors { // this channel will send errors or syslog user; // or worse to syslog (user facility) severity error; }; /* * Channels have a severity level. Messages at severity levels * greater than or equal to the channel's level will be logged on * the channel. In order of decreasing severity, the levels are: * * critical a fatal error * error * warning * notice a normal, but significant event * info an informational message * debug 1 the least detailed debugging info * ... * debug 99 the most detailed debugging info */ /* * Here are the built-in channels: * * channel default_syslog { * syslog daemon; * severity info; * }; * * channel default_debug { * file "named.run"; // note: stderr is used instead * // of "named.run" if the server * // is started with the "-f" * // option. * severity dynamic; // this means log debugging * // at whatever debugging level * // the server is at, and don't * // log anything if not * // debugging. * }; * * channel null { // this is the bit bucket; * file "/dev/null"; // any logging to this channel * // is discarded. * }; * * channel default_stderr { // writes to stderr * file ""; // this is illustrative only; * // there's currently no way * // of saying "stderr" in the * // configuration language. * // i.e. don't try this at home. * severity info; * }; * * default_stderr only works before the server daemonizes (i.e. * during initial startup) or when it is running in foreground * mode (-f command line option). */ /* * There are many categories, so you can send the logs * you want to see wherever you want, without seeing logs you * don't want. Right now the categories are * * default the catch-all. many things still * aren't classified into categories, and * they all end up here. also, if you * don't specify any channels for a * category, the default category is used * instead. * config high-level configuration file * processing * parser low-level configuration file processing * queries what used to be called "query logging" * lame-servers messages like "Lame server on ..." * statistics * panic if the server has to shut itself * down due to an internal problem, it * logs the problem here (as well as * in the problem's native category) * update dynamic update * ncache negative caching * xfer-in zone transfers we're receiving * xfer-out zone transfers we're sending * db all database operations * eventlib debugging info from the event system * (see below) * packet dumps of packets received and sent * (see below) * notify the NOTIFY protocol * cname messages like "XX points to a CNAME" * security approved/unapproved requests * os operating system problems * insist consistency check failures * maintenance periodic maintenance * load zone loading * response-checks messages like * "Malformed response ..." * "wrong ans. name ..." * "unrelated additional info ..." * "invalid RR type ..." * "bad referral ..." */ category parser { syslog_errors; // you can log to as many channels default_syslog; // as you want }; category lame-servers { null; }; // don't log these at all channel moderate_debug { severity debug 3; // level 3 debugging to file file "foo"; // foo print-time yes; // timestamp log entries print-category yes; // print category name print-severity yes; // print severity level /* * Note that debugging must have been turned on either * on the command line or with a signal to get debugging * output (non-debugging output will still be written to * this channel). */ }; /* * If you don't want to see "zone XXXX loaded" messages but do * want to see any problems, you could do the following. */ channel no_info_messages { syslog; severity notice; }; category load { no_info_messages; }; /* * You can also define category "default"; it gets used when no * "category" statement has been given for a category. */ category default { default_syslog; moderate_debug; }; /* * If you don't define category default yourself, the default * default category will be used. It is * * category default { default_syslog; default_debug; }; */ /* * If you don't define category panic yourself, the default * panic category will be used. It is * * category panic { default_syslog; default_stderr; }; */ /* * Two categories, 'packet' and 'eventlib', are special. Only one * channel may be assigned to each of them, and it must be a * file channel. If you don't define them yourself, they default to * * category eventlib { default_debug; }; * * category packet { default_debug; }; */ }; include "filename"; // can't do within a statement