File
named.conf - usually located in /etc
Purpose
Defines the configuration and behavior of the named daemon.
Description
The /etc/named.conf file is the default configuration file for the named
server. If the named daemon is started without specifying an alternate
file, the named daemon reads this file for information on how to set up
the local name server.
Note: The named daemon reads the configuration file only when
the named daemon starts or when the named daemon receives an SRC
refresh command or a SIGHUP signal.
The data in the named.conf file specifies general configuration
characteristics for the name server, defines each zone for which the name server
is responsible (its zones of authority), and provides further config information
per zone, possibly including the source DOMAIN database file for the zone.
Any database files referenced in the
named.conf file must be in Standard Resource Record Format. These data
files can have any name and any directory path. However, for convenience in
maintaining the named database, they are generally given names in the
following form: /etc/named.extension. The general format of
named data files is described in DOMAIN
Data File, DOMAIN
Reverse Data File, DOMAIN
Cache File, and DOMAIN
Local File.
Format
General
Comments in the named.conf file can begin
with a # (pound sign) or // (two forward slashes), or can be enclosed in the
C-style comment characters, e.g., /* comment text */.
Configuration options are lines of text beginning with a
keyword, possibly including some option text or a list, and ending in a ;
(semicolon).
The named.conf file is organized into
stanzas. Each stanza is an enclosed set of configuration options that
define either general characteristics of the daemon or a zone
configuration. Certain stanza definitions are allowed only at the
top-level, therefore nesting these stanzas is not allowed. The current
top-level configuration stanza keywords are: acl,
key,
logging,
options,
server,
and zone.
Further configuration information can be incorporated
into the conf file via the include keyword. This keyword directs
the daemon to insert the contents of the indicated file into the current
position of the include directive.
Access Control List (ACL) Definitionacl acl-name {
access-element;
[ access-element; ... ]
};
Defines an access control list to be referenced thoughout the configuration
file byacl-name. Multiple acl definitions can exist within one
configuration file provided that each acl-name is unique. Additionally,
four default access control lists are defined:
- any Any host is allowed.
- none No host is allowed.
- localhost Only the localhost is allowed.
- localnets Only hosts on a network matching a name server interface
is allowed.
| Option |
Values |
Explanation |
| access-element |
IP-address
IP-prefix
acl-reference
|
Defines a source as allowed or disallowed. Multiple
access-elements are allowed inside the acl stanza.
Each element can be an IP address in dot notation (e.g., 9.3.149.66) an
IP prefix in CIDR or slash notation (e.g., 9.3.149/24) or a reference to
another access control list (e.g., localhost).
Additionally, each element indicates whether the element is allowed or
disallowed access via an ! (exclamation point) modifier prepended to the
element.
For example: acl hostlist1 {
!9.53.150.239;
9.3.149/24;
};
When the access control list " hostlist1" is referenced in
the configuration, it implies to allow access from any host whose IP
address begins with 9.3.149 and to disallow access from the internet host
9.53.150.239. |
Key Definitionkey key-name {
algorithm alg-id;
secret secret-string;
};
Defines an algorithm and shared secret key to be referenced in a server
stanza and used for authentication by that name server. This feature is included
for future use and is currently unused in the name server.
| Option |
Values |
Explanation |
| algorithm |
alg-id string |
A quoted-string that defines the type of security algorithm
that will be used when interpreting the secret string. None are defined at
this time. |
| secret |
secret-string string |
A quoted-string that is used by the algorithm to
authenticate the host. |
Logging Configurationlogging {
[ channel channel-name {
( file file-name
[ versions ( num-vers | unlimited ) ]
[ size size-value ]
| syslog ( kern | user | mail | daemon |
syslog | lpr | news | uucp )
| null );
[ print-category ( yes | no ); ]
[ print-severity ( yes | no ); ]
[ print-time ( yes | no ); ]
}; ... ]
[ category category-name {
channel-reference;
[ channel-reference; ... ]
}; ... ]
};
In this newest version of the name server, the logging facility has been
greatly improved to allow for much reconfiguration of the default logging
mechanism. The logging stanza is used to define logging output channels
and to associate the predefined logging categories with either the predefined or
user-defined logging output channels.
When no logging stanza is included in the conf file, the name server still
logs messages and errors just as it has in previous releases. Informational and
some critical messages will be logged through the syslog daemon facility, and
debug and other esoteric information will be logged to the named.run file
when the global debug level (set with the -d command-line option)
is non-zero.
| Option |
Values |
Explanation |
| channel |
|
Defines an output channel to be referenced later by the
channel-name identifier. An output channel specifies a destination
for output messages to be sent as well as some formatting information to
be used when writing the output message. More than one output channel can
be defined provided that each channel-identifier is unique. Also,
each output channel can be referenced from multiple logging categories.
There are four predefined output channels:
- default_syslog sends "info" and higher severity messages to
syslog's "daemon" facility
- default_debug writes debug messages to the named.run
file as specified by the global debug level
- default_stderr writes "info" and higher severity messages to
stderr
- null discards all messages
|
| file |
file-name string |
Defines an output channel as one that logs messages to an
output file. The file used for output is specified with the
file-name string. Additionally, the file option allows for
controlling how many versions of the output file should be kept, and what
size limit the output file should never exceed.
The file, syslog, and null output paths are
mutually exclusive. |
| versions |
num-versions
unlimited |
Specifies the number of old output files that should be
kept. When an output file is reopened, rather than replacing a possible
existing output file, the existing output file will be saved as an old
output file with a .value extension. Using the
num-versions value, one can limit the number of old output files to
be kept. However, specifying the unlimited keyword indicates
to continually accumulate old output file versions. By default, no old
versions of any log file are kept. |
| size |
size-value |
Specifies the maximum size of the log file used by this
channel. By default, the size is unlimited. However, when a size is
configured, once size-value bytes are written to the file, nothing
more will be written until the file is reopened.
Accepted values for size-value include the word "unlimited" and
numbers with k, m, or g modifiers
specifying kilobytes, megabytes, and gigabytes respectively. For example,
1000k and 1m indicate one thousand kilobytes and
one megabyte respectively. |
| syslog |
kern
user
mail
daemon
auth
syslog
lpr
news
uucp |
Defines an output channel as one that redirects its
messages to the syslog service. The supported value keywords correspond to
facilities logged by the syslog service.
Ultimately, the syslog service will define which received messages will
be logged through the service, therefore, if definining a channel to
redirect its messages to the syslog service's user facility
would not result in any visibly logged messages if the syslog service is
not configured to output messages from this facility.
For more information concerning the syslog service, see the syslogd
daemon.
The file, syslog, and null output paths are
mutually exclusive. |
| null |
|
Defines an output channel through which all messages will
be discarded. All other output channel options are invalid for an output
channel whose output path is null. |
| severity |
critical
error
warning
notice
info
debug [
level ]
dynamic |
Sets a threshold of message severities to be logged through
the output channel. While these severity definitions are similar to those
used by the syslog service, for the name server they also control output
through file path channels. Messages must meet or exceed the severity
level to be logged through the output channel. The dynamic
severity specifies that the name server's global debug level (specified
when the daemon is invoked with the -d flag) controls which
messages pass through the output channel.
Also, the debug severity can specify a level
modifier which is an upper threshold for debug messages whenever the name
server has debugging enabled at any level. A lower debug level indicates
less information is to be logged through the channel. It is not necessary
for the global debug level to meet or exceed the debug level
value.
If used with the syslog output path, the syslog facility
will ultimately control what severities are logged through the syslog
service. For example, if the syslog service is configured to only log
daemon.info messages, and the name server is configured to
channel all debug messages to the syslog service, the syslog service will
filter the messages from its output path. |
| print-category |
yes
no |
Controls the format of the output message when it
is sent through the output path. Regardless of which, how many, or in
which order these options are listed inside the channel stanza, the
message will be prepended with the the text in a time, category, severity
order.
The following is an example of a message with all three
print- options enabled:
- 28-Apr-1997 15:05:32.863 default: notice: Ready to answer
queries.
By default, no extra text will be prepended to an output message.
Note that when the syslog service logs messages, it also prepends the
date and time information to the text of the message. Thus, enabling
print-time on a channel that uses the syslog output path
would result in the syslog service logging a message with two dates
prepended to it. |
| print-severity |
yes
no |
| print-time |
yes
no |
| category |
|
The category keyword defines a stanza which associates a
logging or messaging category with predefined or user-defined output
channels.
By default, the following categories are defined:
- category default { default_syslog; default_debug; };
- category panic { default_syslog; default_debug;
};
|
| category-name |
default
config
parser
queries
lame-servers
statistics
panic
update
ncache
xfer-in
xfer-out
db
event-lib
packet
notify
cname
security
os
insist
maintenance
load
response-checks |
The category-name specifies which logging category
is to be associated with the listed channel-references. This
results in any output text generated by the name server daemon for that
logging category to be redirected through each of the
channel-references listed.
The default category defines all messages that are not
listed in one of the specific categories listed. Also, the
insist and panic categories are associated with
messages that define a fatal inconsistency in the name server's state. The
remaining categories define messages that are generated when handling
specific functions of the name server. For example, the
update category is used when logging errors or messages
specific to the handling of a dynamic zone update, and the
parser category is used when logging errors or messages
during the parsing of the conf file. |
| channel-reference |
|
References a channel-name identifier defined previously in the
logging configuration stanza. Therefore, every message associated
with the defined category-name will be logged through each of the
defined channel-references. |
Global Optionsoptions {
[ directory path-string; ]
[ named-xfer path-string; ]
[ dump-file path-string; ]
[ pid-file path-string; ]
[ statistics-file path-string; ]
[ auth-nxdomain ( yes | no ); ]
[ fake-iquery ( yes | no ); ]
[ fetch-glue ( yes | no ); ]
[ multiple-cnames ( yes | no ); ]
[ notify ( yes | no ); ]
[ recursion ( yes | no ); ]
[ forward ( only | first ); ]
[ forwarders { ipaddr; [...] }; ]
[ check-names
( master|slave|response )
( warn|fail|ignore ); ]
[ allow-query { access-element; [...] }; ]
[ allow-transfer { access-element; [...] ); ]
[ listen-on [ port port-num ] { access-element; [...] }; ... ]
[ query-source [ address ( ipaddr|* ) ] [ port ( port|* ) ]; ]
[ max-transfer-time-in seconds; ]
[ transfer-format ( one-answer | many-answers ); ]
[ transfers-in value; ]
[ transfers-out value; ]
[ transfers-per-ns value; ]
[ coresize size-value; ]
[ datasize size-value; ]
[ files size-value; ]
[ stacksize size-value; ]
[ clean-interval value; ]
[ interface-interval value; ]
[ statistics-interval value; ]
[ topology { access-element; [...] }; ]
};
Defines many globally available options to to modify basic characteristics of
the name server.
Because some of the options in this configuration stanza may modify the
behavior in how the named daemon will read and interpret later sections
of the named file, it is highly recommended that the options stanza be
the first stanza listed in the configuration file.
| Option |
Values |
Default |
Explanation |
| directory |
path-string |
"." |
Indicates the directory from which all relative paths will
be anchored. The path-string parameter must be a quoted string. For
example, to indicate that all zone files will exist in the
"/usr/local/named/data" without listing each file in the zone
definitions, specify the global option directory as:
- options {
- directory
"/usr/local/named/data";
- };
|
| named-xfer |
path-string |
"/usr/sbin/named-xfer" |
Specifies the path and executable name of the
named-xfer command used for inbound zone transfers. The
path-string parameter must be a quoted string. |
| dump-file |
path-string |
"/usr/tmp/named_dump.db" |
Specifies a filename to which the database in memory will
be dumped whenever the named daemon receives a SIGINT signal. |
| pid-file |
path-string |
"/etc/named.pid" |
Specifies the file in which the named daemon will
write its PID value. |
| statistics-file |
path-string |
"/usr/tmp/named.stats" |
Specifies the file to which the name server will append
operating statistics when it receives the SIGILL signal. |
| auth-nxdomain |
yes
no |
yes |
Controls whether the server should respond authoritatively
when returning an NXDOMAIN response. |
| fake-iquery |
yes
no |
no |
Controls whether the server should respond to the obsolete
IQUERY requests. |
| fetch-glue |
yes
no |
yes |
Controls whether the server should search for "glue"
records to include in the additional section of a query response. |
| multiple-cnames |
yes
no |
no |
Controls whether the server will allow multiple
CNAME records for one domain name in any of its zone
databases. This practice is discouraged but an option remains for
backwards compatibility. |
| notify |
yes
no |
yes |
Controls whether the name server will send
NOTIFY messages to its slave servers upon realization of zone
changes. Because the slave servers will almost immediately respond to the
NOTIFY message with a request for zone transfer, this limits
the amount of time that the databases are out of synchronization in the
master and slave relationship. |
| recursion |
yes
no |
yes |
Controls whether the server will attempt to resolve names
outside of its domains on behalf of the client. If set to no,
the name server will return a referral to the client in order for the
client to continue searching for the name. Used with the
fetch-glue option, one can contain the amount of data that
grows in the name server's memory cache. |
| forward |
only
first |
first |
Controls how forwarding is used when forwarding is enabled.
When set to first, the name server will attempt to search for
a name whenever the forwarded host does not provide an answer. However,
when set to only, the name server will not attempt this extra
work. |
| forwarders |
ipaddr |
(empty list) |
Enables the use of query forwarding when defining a
Forwarding Name Server. The ipaddr parameter list specifies the
hosts to which the query should be forwarded when it cannot be resolved
from the local database. Each ipaddr is an internet address in
standard dot notation. |
| check-names |
master ignore
master warn
master fail
slave
ignore
slave warn
slave fail
response ignore
response
warn
response fail |
master fail
slave warn
response
ignore |
Controls how the name server will handle non-RFC compliant
host names and domain names through each of its operation domains.
The master keyword specifies how to handle malformed names
in a master zone file.
The slave keyword specifies how to
handle malformed names received from a master server.
The
response keyword specifies how to handle malformed names
received in response to a query.
ignore directs the server to ignore any malformed names
and continue normal processing.
warn directs the server to
warn the administrator through logging, but to continue normal
processing.
fail directs the server to reject the name
entirely. For the responses to queries, this implies that the server will
return a REFUSED message to the original query
host. |
| allow-query |
access-element |
any |
Limits the range of querying hosts allowed to access the
system. Each access-element is specified in the same manner as in
the acl
stanza defined earlier. |
| allow-transfer |
access-element |
any |
Limits the range of querying hosts that are requesting zone
transfers. Each access-element is specified in the same manner as
in the acl
stanza defined earlier. |
| listen-on |
port port-num
access-element |
port 53 { localhost; } |
Limits the interfaces available to the name server daemon
and controls which port to use to listen for queries. By default, the name
server uses all interfaces on the system and listens on port 53.
Additionally, multiple listen-on definitions are allowed
within the options stanza.
Each access element is specified in the same manner as in the acl
stanza defined earlier. The following example limits the name server to
using only the interface with address 9.53.150.239:
- listen-on port 53 { 9.53.150.239; };
|
| query-source |
address ipaddr
address *
port
port
port * |
address * port * |
Modifies the default address and port from which queries
will originate. |
| max-transfer-time-in |
seconds |
120 |
Specifies the maximum amount of time an inbound zone
transfer will be allowed to run before it is aborted. This is used to
control an event in which a child process of the name server does not
execute or terminate properly. |
| transfer-format |
one-answer
many-answers |
one-answer |
Controls the method in which full zone transfers will be
sent to requestors. The one-answer method uses one packet per
zone resource record while many-answers will insert as many
resource records into one packet as possible. While the
many-answers method is more efficient, it is only understood
by the newest revisions of the name server. This option can be overridden
in the server
stanza to specify the method on a per name server basis. |
| transfers-in |
value |
10 |
Specifies the maximum number of concurrent inbound zone
transfers. While this will limit the amount of time each slave zone is out
of synchronization with the master's database, because each inbound
transfer runs in a separate child process, increasing the value may
also increase the load on the slave server. |
| transfers-out |
value |
N/A |
Specifies the maximum number of concurrent outbound zone
transfers for the name server. This option is currently unused in the
server, but will be available at a later time. |
| transfers-per-ns |
value |
2 |
Specifies the maximum amount of concurrent zone transfers
from a specific remote name server. While this will limit the amount of
time each slave zone is out of synchronization with the master's database,
increasing this value may increase the load on the remote master
server. |
| coresize |
size-value |
default |
Configures some process specific values for the
daemon.
The default values or those inherited by the system and by the system's
resources.
Each size-value can be specified as a number or as a number
followed by the k, m, and g
modifiers indicating kilobytes, megabytes, and gigabytes
respectively. |
| datasize |
size-value |
default |
| files |
value |
unlimited |
| stacksize |
size-value |
default |
| clean-interval |
minutes |
60 |
Controls the intervals for the periodic
maintenance tasks of the name server.
The clean-interval specifies how frequently the server
will remove expired resource records from the cache. The
interface-interval specifies how frequently the server will
rescan for interfaces in the system. The statistics-interval
specifies how frequently the name server will output statistics data.
A minutes value of zero indicates that the service task should
only run when the configuration file is reread. |
| interface-interval |
minutes |
60 |
| statistics-interval |
minutes |
60 |
| cleandb-time |
time |
N/A |
Specifies a time of day in which the database will be
scanned and any dynamic records whose set of SIG resource
records are all expired will be removed. For a dynamic zone which has
update-security set to presecured, only the
expired SIG KEY will remain.
The default is to never perform this scan. Instead, the expired records
will remain until the name is queried.
time is specified as HH:MM in a 24-hour
format. |
| topology |
access-element |
localhost; localnets; |
Specifies a search order to use to find a preference in a
list of addresses corresponding to a name server. Whenever a query is
forwarded or a query must be made to another name server, it may be
necessary to choose an address from a list of available addresses.
Each access-element, while seemingly similar to those specified
in an acl
stanza, is interpretted by its position in the list. The first elements in
the list are preferred more than those following them. Negated elements
(those specified with the ! (exclamation point) modifier) are considered
least desirable. |
Server Specific Optionsserver ipaddr
{
[ bogus ( yes | no ); ]
[ transfers value;
]
[ transfer-format ( one-answer |
many-answers ); ]
}
Modifies the behavior in which the remote name server matching the specified
ipaddr IP address should be treated.
| Option |
Values |
Explanation |
| bogus |
yes
no |
Indicates that the name server identified by the stanza
should not be used again. The default value is no. |
| transfers |
value |
Overrides the globally available option transfers-per-ns.
Specifies a maximum value for the number of concurrent inbound zone
transfers from the foreign name server identified by the stanza. |
| transfer-format |
one-answer
many-answers |
Overrides the globally available option
transfer-format to a specific value for the specified server.
The transfer-format option indicates to the name server how
to form its outbound full zone transfers. By default, the value is
inherited from the options
stanza (where it defaults to one-answer).
one-answer specifies that only one resource record can be
sent per packet during the zone transfer, whereas
many-answers indicates to entirely fill the outbound packet
with resource records. The many-answers format is only
available in the newest revisions of the name server. |
Zone Definitionzone domain-string [ class ] {
type ( hint | stub | slave | master );
[ file path-string; ]
[ masters { ipaddr; [...] }; ]
[ check-names ( warn | fail | ignore ); ]
[ allow-update { access-element; [...] }; ]
[ update-security ( unsecured | presecured | controlled ); ]
[ allow-query { access-element; [...] }; ]
[ allow-transfer { access-element; [...] }; ]
[ max-transfer-time-in seconds; ]
[ notify ( yes | no ); ]
[ also-notify { ipaddr; [...] }; ]
[ dont-notify { ipaddr; [...] }; ]
[ notify-delaytime seconds; ]
[ notify-retrytime seconds; ]
[ notify-retrycount value; ]
[ dump-interval seconds; ]
[ incr-interval seconds; ]
[ deferupdcnt value; ]
[ key-xfer ( yes | no ); ]
[ timesync ( yes | no ); ]
[ timesync-xfer ( yes | no ); ]
[ save-backups ( yes | no ); ]
[ ixfr-directory path-string; ]
[ separate-dynamic ( yes | no ); ]
};
The zone stanza is used to define a zone, its type, possible location of
data, and operating parameters. The domain-string is a quoted string
specifying the zone, where "." is used to specify the root zone. The
class paramter specifies the class of the zone as either
in, hs, hesiod, or chaos. By
default, the class is assumed to be IN.
| Option |
Values |
Default |
Explanation |
| type |
hint
stub
slave
master |
N/A |
Defines the type of the zone. hint zones,
previously regarded as cache zones, only describe a source for information
not contained in the other defined zones. A stub zone is one
similar to a slave zone. While the slave zone
replicates the entire database of its master, the stub zone
only replicates the NS resource records. The
master zone maintains a database on disk.
Based upon the selection of zone type, some of the other options are
required while others may be impertinent. Zones of type hint
and master require the file option, while zones
of type slave and stub require the
masters option. Additionally, the only other option available
to a hint zone is the check-names option. |
| file |
path-string |
N/A |
Specifies the location for the source of data specific to
the zone. This parameter is only optional for stub and
slave zones, where its inclusion indicates that a locally
saved copy of the remote zone can be kept. The path-string
parameter is a quoted string which can specify the file name either
non-relative or relative to the options
stanza's directory. If the path is intended to be specified
relative to the server root, the options stanza must be
specified before the zone stanza. |
| masters |
ipaddr |
N/A |
Specifies a list of sources that will be referenced for a
slave or stub zone to retrieve its data. This
option is not valid for any other type of zone, and must be included for
either of these two types. |
| check-names |
warn
fail
ignore |
|
Overrides the check-names option in the global
options
stanza. The default value is inherited from the options
stanza, where its default is fail for master
zones and warn for slave zones. |
| allow-update |
access-element |
none |
Indicates from what source addresses a zone will accept
dynamic updates. access-elements are specified in the same manner
as they are for the acl
stanza. Because of the inherint insecurity of a dynamic update, this value
defaults to none. If no update-security is
specified, dynamic updates should be limited to a specific set of secured
machines. |
| update-security |
unsecured
presecured
controlled |
unsecured |
Valid only when the allow-update option
specifies at least one source address, update-security
defines what type of secured update mechanism the zone will use. The
current zone update security method is a non-standard two-key method, but
is compatible with previous releases of the name server.
presecured indicates that a zone will only accept updates
for which names and resource records already exist, unless the update is
signed by the zone's authorizing key. Normally, this means that the zone
must be prepopulated with the names and records it is to maintain.
controlled specifies a zone in which names can be added to
the database without the signature of the zone's authorizing key, but
existing records cannot be modified without being signed by the
KEY resource record's corresponding private key.
Note that a proper presecured or controlled
zone must contain a zone KEY resource record.
See the TCP/IP
Name Resolution for more information regarding zone update
security. |
| allow-query |
access-element |
|
Overrides the globally available option
allow-query. This option's default is inherited from the
global options
stanza, where its default is any. |
| allow-transfer |
access-element |
|
Overrides the globally available option
allow-transfer. This option's default is inherited from the
global options
stanza, where its default is any. |
| max-transfer-time-in |
seconds |
|
Overrides the globally available option
max-transfer-time-in. This option's default is inherited from
the global options
stanza, where its default is 120. |
| notify |
yes
no |
|
Overrides the globally available option
notify. This option's default is inherited from the global options
stanza, where its default is yes. |
| also-notify |
ipaddr |
N/A |
The default NOTIFY mechanism will notify slave
servers of a change in the DOMAIN database in order to limit the amount of
time that the slave server retains a zone out of synchronization with the
master server. The also-notify option allows for the addition
of addresses to submit the notifications. |
| dont-notify |
ipaddr |
N/A |
Specifies a list of IP addresses to be removed from the
default list of NOTIFY recipients. This option is useful if a
name server is known to be problematic when receiving NOTIFY
requests. |
| notify-delaytime |
seconds |
30 |
Specifies an estimated time of delay between notifications
to multiple name servers. Because the receipt of a NOTIFY
message usually triggers the prompt request for a zone transfer, this
option can tune to latency in which each server will respond with the
request for the modified zone.
The real value used will be randomized between the specified number of
seconds and twice this value. |
| notify-retrytime |
seconds |
60 |
Specifies the number of seconds in which the name
server will wait to retransmit a NOTIFY message which has
gone unresponded. |
| notify-retrycount |
value |
3 |
Specifies the maximum number of tries that the name server
will attempt to send unanswered NOTIFY messages to other name
servers. |
| dump-interval |
seconds |
3600 |
Specifies an interval in which the name server will rewrite
a dynamic zone to the zone file. In the interim, all updates
and other transactions will be logged in the transaction log file for
performance reasons. Aside from this periodic zone dump, the transaction
log file is only discarded and the zone is only dumped when the name
server is properly shut down.
This option is only valid for zones in which the
allow-update option specifies at least one valid
accessor.
Note: The transaction log file name is the zone file name with an
appended ".log" extension. |
| incr-interval |
seconds |
300 |
Specifies an interval in which the name server will accept
dynamic updates while not increasing the zone's SOA record's
serial level. Because a change in the zone SOA record will
instantiate a NOTIFY message, limiting this occurrence will
limit the amount of zone transfer requests at the expense of minimal zone
differences between a dynamic master server and its slave.
This option is only valid for zones in which the
allow-update option specifies at least one valid
accessor. |
| deferupdcnt |
value |
100 |
Specifies a threshold value for the number of properly
applied updates received during one incr-interval interval.
If more than value updates are realized during the interval, the
name server will modify the zone SOA serial level and subsequently NOTIFY
each of the slave servers. Use this value to limit the database
replication inconsistencies in an environment where dynamic zone updates
occur infrequently but in large magnitude.
This option is only valid for zones in which the
allow-update option specifies at least one valid
accessor. |
| key-xfer |
yes
no |
yes |
Specifies whether the server should transmit
KEY resource records during a zone transfer. In a very
controlled environment where KEY queries will only be made to
the master name server, setting this option to no will save
zone transfer time and improve performance. |
| timesync |
yes
no |
yes |
Specifies that a name server should calculate the true
expiration time of a SIG resource record using its own clock
rather than relying on the expiration time set by a possible update
source. This removes the inconsistencies involved when dynamic zone
updaters have their system clocks misaligned from the name server host.
Because enabling this option modifies the output and interpretation of a
SIG resource record in a DOMAIN database file,
disabling this option may be required when manually transfering a
DOMAIN database file to another name server. |
| timesync-xfer |
yes
no |
yes |
Specifies which SIG resource record expiration
time will be transfered during a zone transfer. Enabling this option is
only valid when the timesync option is enabled. |
| ixfr-directory |
path-string |
|
Specifies a directory in which temporary data files will be
contained for use with this zone. The datafiles contain incremental zone
changes and are essential to the proper use of the Incremental Zone
Transfer (IXFR) method. Because these files are created and
destroyed dynamically by the name server, one should not specify a
globally-writable directory. Additionally, the directory specified must be
unique from other ixfr-directory options specified in other
zones.
The default value for this directory is derived from the zone's
file name or domain name. By default, a directory is created
in an "ixfrdata" directory within the name server's default
directory. Contained in this directory will be subdirectory matching the
base name of the zone's file name or domain name.
It is not necessary to specify this option for the proper behavior of
the IXFR feature. |
| save-backups |
yes
no |
no |
To properly calculate an incremental zone difference
between server invocations, it is necessary to determine the zone database
differences prior to the shutdown of the server and after the loading of
the server. By enabling this option, a backup of the zone file will be
written and read upon loading of the name server to determine any zone
differences.
While enabling this option is necessary to use the IXFR transfer method
after a stop and restart transition of the name server, it is not
necessary to realize incremental zone differences when a zone file is
modified and signalled to reload via the SRC refresh command or
SIGHUP signal. |
| separate-dynamic |
yes
no |
no |
Instructs the name server to retain $INCLUDE
references in a dynamic zone when the DOMAIN database file is
written to disk. The behavior of this feature implies that resource
records that can be modified through the dynamic update mechanism exist in
the DOMAIN database file referenced by the file
option, while other resource records that should not be modified through
the dynamic update mechanism be contained in files included (through the
$INCLUDE directive) by the DOMAIN database
file. |
Examples
The following examples show the some of the various ways to use configure a
simple named.conf file. In these examples, two networks are represented:
abc and xyz.
Network abc consists of:
- gobi.abc, the master name server for
the abc network, 192.9.201.2
- mojave.abc, a host machine,
192.9.201.6
- sandy.abc, a slave name server for the
abc network and the gateway between abc and
xyz, 192.9.201.3
Network xyz consists of:
- kalahari.xyz, master name server for
the xyz network, 160.9.201.4
- lopnor.xyz, a host machine,
160.9.201.5
- sahara.xyz, a host machine and hint
name server for the xyz network, 160.9.201.13
- sandy.xyz, a slave name server for the
xyz network and gateway between abc and
xyz, 160.9.201.3
Note: Note that sandy, a gateway host, is on both
networks and also serves as a slave name server for both domains.
- The /etc/named.conf file for
gobi.abc, the master name server for network abc,
contains these entries:
#
# conf file for abc master server -
gobi.abc
#
server 192.9.201.3
{
transfer-format many-answers;
};
zone
"abc" in {
type
master;
file
"/etc/named.abcdata";
allow-update { localhost;
};
};
zone "201.9.192.in-addr.arpa" in
{
type master;
file
"/etc/named.abcrev";
allow-update { localhost;
};
};
zone "0.0.127.in-addr.arpa" in
{
type master;
file
"/etc/named.abclocal";
};
- The /etc/named.conf file for
kalahari.xyz, the master name server for network
xyz, contains these entries:
#
# conf file for abc
master server - kalahari.xyz
#
acl xyz-slaves
{
160.9.201.3;
};
options
{
directory
"/etc";
allow-transfer { xyz-slaves; localhost;
};
};
zone "xyz" in {
type
master;
file "named.xyzdata";
};
zone
"9.160.in-addr.arpa" in {
type
master;
file "named.xyxrev";
};
zone
"0.0.127.in-addr.arpa" in {
type
master;
file "named.xyzlocal";
};
- The /etc/named.conf file for
sandy, the slave name server for networks abc and
xyz, contains the following entries:
#
# conf file for
slave server for abc and xyz - sandy
#
options
{
directory "/etc";
};
zone "abc" in
{
type slave;
masters {
192.9.201.2; };
file
"named.abcdata.bak";
};
zone "xyz" in
{
type slave;
masters {
160.9.201.4; };
file
"named.xyzdata.bak";
};
zone "201.9.192.in-addr.arpa" in
{
type slave;
masters {
192.9.201.2; };
};
zone "9.160.in-addr.arpa" in
{
type slave;
masters {
192.9.201.4; };
};
zone "0.0.127.in-addr.arpa" in
{
type master;
file
"named.local";
};
- The /etc/named.conf file for
sahara, a hint name server for the network xyz,
contains the following entries:
#
# conf file for hint server for
xyz - sahara
#
zone "." in {
type
hint;
file "/etc/named.ca";
};
zone
"0.0.127.in-addr.arpa" in {
type
master;
file "/etc/named.local";
};
Files
| /usr/samples/tcpip/named.conf |
Contains the sample named.conf
file. |
Related Information
The named
daemon.
The syslogd
daemon.
The DOMAIN
cache file format, DOMAIN
local file format, DOMAIN
data file format, DOMAIN
Reverse data file format, rc.tcpip
file format.
Configuring
a Primary Name Server and Naming
for TCP/IP in System Management Guide: Communications and Networks.
|
