NAMED.CONF File Format Reference

A note from CyberMike:   I live in constant fear that excellent sources of information such as this will be removed from availability to the general public by way of some corporate management decision.   My paranoia in this respect motivates me to preserve these precious morsels of knowledge, and in so doing, help to perpetuate their availability on the Internet.

That said, please understand that this information was taken from IBM's web site as it exists as part of a comprehensive SysAdmin manual for their AIX operating system.   As such, many of the hypertext links point to related material on IBM's web site which may or may not continue to be available at the whim of IBM.   I chose not to include these additional references as my intent is only to detail the insides of the named.conf file that must be edited when configuring BIND on a LINUX machine.

- CyberMike


named.conf     - usually located in /etc


Defines the configuration and behavior of the named daemon.


The /etc/named.conf file is the default configuration file for the named server. If the named daemon is started without specifying an alternate file, the named daemon reads this file for information on how to set up the local name server.

Note: The named daemon reads the configuration file only when the named daemon starts or when the named daemon receives an SRC refresh command or a SIGHUP signal.

The data in the named.conf file specifies general configuration characteristics for the name server, defines each zone for which the name server is responsible (its zones of authority), and provides further config information per zone, possibly including the source DOMAIN database file for the zone.

Any database files referenced in the named.conf file must be in Standard Resource Record Format. These data files can have any name and any directory path. However, for convenience in maintaining the named database, they are generally given names in the following form: /etc/named.extension. The general format of named data files is described in DOMAIN Data File, DOMAIN Reverse Data File, DOMAIN Cache File, and DOMAIN Local File. 



Comments in the named.conf file can begin with a # (pound sign) or // (two forward slashes), or can be enclosed in the C-style comment characters, e.g., /* comment text */.

Configuration options are lines of text beginning with a keyword, possibly including some option text or a list, and ending in a ; (semicolon).

The named.conf file is organized into stanzas.  Each stanza is an enclosed set of configuration options that define either general characteristics of the daemon or a zone configuration.  Certain stanza definitions are allowed only at the top-level, therefore nesting these stanzas is not allowed.  The current top-level configuration stanza keywords are: acl, key, logging, options, server, and zone.

Further configuration information can be incorporated into the conf file via the include keyword.  This keyword directs the daemon to insert the contents of the indicated file into the current position of the include directive.

Access Control List (ACL) Definition

acl acl-name {
    [ access-element; ... ]

Defines an access control list to be referenced thoughout the configuration file byacl-name. Multiple acl definitions can exist within one configuration file provided that each acl-name is unique. Additionally, four default access control lists are defined:

  • any Any host is allowed.
  • none No host is allowed.
  • localhost Only the localhost is allowed.
  • localnets Only hosts on a network matching a name server interface is allowed.
Option Values Explanation
access-element IP-address
Defines a source as allowed or disallowed.  Multiple access-elements are allowed inside the acl stanza.

Each element can be an IP address in dot notation (e.g., an IP prefix in CIDR or slash notation (e.g., 9.3.149/24) or a reference to another access control list (e.g.,  localhost).

Additionally, each element indicates whether the element is allowed or disallowed access via an ! (exclamation point) modifier prepended to the element.

For example:

acl hostlist1 {

When the access control list " hostlist1" is referenced in the configuration, it implies to allow access from any host whose IP address begins with 9.3.149 and to disallow access from the internet host

Key Definition

key key-name {
    algorithm alg-id;
    secret secret-string;

Defines an algorithm and shared secret key to be referenced in a server stanza and used for authentication by that name server. This feature is included for future use and is currently unused in the name server.

Option Values Explanation
algorithm alg-id string A quoted-string that defines the type of security algorithm that will be used when interpreting the secret string. None are defined at this time.
secret secret-string string A quoted-string that is used by the algorithm to authenticate the host.

Logging Configuration

logging {

    [ channel channel-name {
       ( file file-name
             [ versions ( num-vers | unlimited ) ]
             [ size size-value ]
       | syslog ( kern | user | mail | daemon |
                  syslog | lpr | news | uucp )
       | null );
       [ print-category ( yes | no ); ]
       [ print-severity ( yes | no ); ]
       [ print-time ( yes | no ); ]
      }; ... ]
    [ category category-name {
          [ channel-reference; ... ]
      }; ... ]

In this newest version of the name server, the logging facility has been greatly improved to allow for much reconfiguration of the default logging mechanism. The logging stanza is used to define logging output channels and to associate the predefined logging categories with either the predefined or user-defined logging output channels.

When no logging stanza is included in the conf file, the name server still logs messages and errors just as it has in previous releases. Informational and some critical messages will be logged through the syslog daemon facility, and debug and other esoteric information will be logged to the file when the global debug level (set with the -d command-line option) is non-zero.

Option Values Explanation
channel   Defines an output channel to be referenced later by the channel-name identifier. An output channel specifies a destination for output messages to be sent as well as some formatting information to be used when writing the output message. More than one output channel can be defined provided that each channel-identifier is unique. Also, each output channel can be referenced from multiple logging categories.

There are four predefined output channels:

  • default_syslog sends "info" and higher severity messages to syslog's "daemon" facility
  • default_debug writes debug messages to the file as specified by the global debug level
  • default_stderr writes "info" and higher severity messages to stderr
  • null discards all messages
file file-name string Defines an output channel as one that logs messages to an output file. The file used for output is specified with the file-name string. Additionally, the file option allows for controlling how many versions of the output file should be kept, and what size limit the output file should never exceed.

The file, syslog, and null output paths are mutually exclusive.

versions num-versions
Specifies the number of old output files that should be kept. When an output file is reopened, rather than replacing a possible existing output file, the existing output file will be saved as an old output file with a .value extension. Using the num-versions value, one can limit the number of old output files to be kept. However, specifying the unlimited keyword indicates to continually accumulate old output file versions. By default, no old versions of any log file are kept.
size size-value Specifies the maximum size of the log file used by this channel. By default, the size is unlimited. However, when a size is configured, once size-value bytes are written to the file, nothing more will be written until the file is reopened.

Accepted values for size-value include the word "unlimited" and numbers with k, m, or g modifiers specifying kilobytes, megabytes, and gigabytes respectively. For example, 1000k and 1m indicate one thousand kilobytes and one megabyte respectively.

syslog kern
Defines an output channel as one that redirects its messages to the syslog service. The supported value keywords correspond to facilities logged by the syslog service.

Ultimately, the syslog service will define which received messages will be logged through the service, therefore, if definining a channel to redirect its messages to the syslog service's user facility would not result in any visibly logged messages if the syslog service is not configured to output messages from this facility.

For more information concerning the syslog service, see the syslogd daemon.

The file, syslog, and null output paths are mutually exclusive.

null   Defines an output channel through which all messages will be discarded. All other output channel options are invalid for an output channel whose output path is null.
severity critical
debug [ level ]
Sets a threshold of message severities to be logged through the output channel. While these severity definitions are similar to those used by the syslog service, for the name server they also control output through file path channels. Messages must meet or exceed the severity level to be logged through the output channel. The dynamic severity specifies that the name server's global debug level (specified when the daemon is invoked with the -d flag) controls which messages pass through the output channel.

Also, the debug severity can specify a level modifier which is an upper threshold for debug messages whenever the name server has debugging enabled at any level. A lower debug level indicates less information is to be logged through the channel. It is not necessary for the global debug level to meet or exceed the debug level value.

If used with the syslog output path, the syslog facility will ultimately control what severities are logged through the syslog service. For example, if the syslog service is configured to only log messages, and the name server is configured to channel all debug messages to the syslog service, the syslog service will filter the messages from its output path.

print-category yes
Controls the format of the output message when it is sent through the output path. Regardless of which, how many, or in which order these options are listed inside the channel stanza, the message will be prepended with the the text in a time, category, severity order.

The following is an example of a message with all three print- options enabled:

28-Apr-1997 15:05:32.863 default: notice: Ready to answer queries.

By default, no extra text will be prepended to an output message.

Note that when the syslog service logs messages, it also prepends the date and time information to the text of the message. Thus, enabling print-time on a channel that uses the syslog output path would result in the syslog service logging a message with two dates prepended to it.

print-severity yes
print-time yes
category   The category keyword defines a stanza which associates a logging or messaging category with predefined or user-defined output channels.

By default, the following categories are defined:

category default { default_syslog; default_debug; };
category panic { default_syslog; default_debug; };
category-name default
The category-name specifies which logging category is to be associated with the listed channel-references. This results in any output text generated by the name server daemon for that logging category to be redirected through each of the channel-references listed.

The default category defines all messages that are not listed in one of the specific categories listed. Also, the insist and panic categories are associated with messages that define a fatal inconsistency in the name server's state. The remaining categories define messages that are generated when handling specific functions of the name server. For example, the update category is used when logging errors or messages specific to the handling of a dynamic zone update, and the parser category is used when logging errors or messages during the parsing of the conf file.

channel-reference   References a channel-name identifier defined previously in the logging configuration stanza. Therefore, every message associated with the defined category-name will be logged through each of the defined channel-references.

Global Options

options {
    [ directory path-string; ]
    [ named-xfer path-string; ]
    [ dump-file path-string; ]
    [ pid-file path-string; ]
    [ statistics-file path-string; ]
    [ auth-nxdomain ( yes | no ); ]
    [ fake-iquery ( yes | no ); ]
    [ fetch-glue ( yes | no ); ]
    [ multiple-cnames ( yes | no ); ]
    [ notify ( yes | no ); ]
    [ recursion ( yes | no ); ]
    [ forward ( only | first ); ]
    [ forwarders { ipaddr; [...] }; ]
    [ check-names
       ( master|slave|response )
       ( warn|fail|ignore ); ]
    [ allow-query { access-element; [...] }; ]
    [ allow-transfer { access-element; [...] ); ]
    [ listen-on [ port port-num ] { access-element; [...] }; ... ]
    [ query-source [ address ( ipaddr|* ) ] [ port ( port|* ) ]; ]
    [ max-transfer-time-in seconds; ]
    [ transfer-format ( one-answer | many-answers ); ]
    [ transfers-in value; ]
    [ transfers-out value; ]
    [ transfers-per-ns value; ]
    [ coresize size-value; ]
    [ datasize size-value; ]
    [ files size-value; ]
    [ stacksize size-value; ]
    [ clean-interval value; ]
    [ interface-interval value; ]
    [ statistics-interval value; ]
    [ topology { access-element; [...] }; ]

Defines many globally available options to to modify basic characteristics of the name server.

Because some of the options in this configuration stanza may modify the behavior in how the named daemon will read and interpret later sections of the named file, it is highly recommended that the options stanza be the first stanza listed in the configuration file.

Option Values Default Explanation
directory path-string "." Indicates the directory from which all relative paths will be anchored. The path-string parameter must be a quoted string. For example, to indicate that all zone files will exist in the "/usr/local/named/data" without listing each file in the zone definitions, specify the global option directory as:
options {
    directory "/usr/local/named/data";
named-xfer path-string "/usr/sbin/named-xfer" Specifies the path and executable name of the named-xfer command used for inbound zone transfers. The path-string parameter must be a quoted string.
dump-file path-string "/usr/tmp/named_dump.db" Specifies a filename to which the database in memory will be dumped whenever the named daemon receives a SIGINT signal.
pid-file path-string "/etc/" Specifies the file in which the named daemon will write its PID value.
statistics-file path-string "/usr/tmp/named.stats" Specifies the file to which the name server will append operating statistics when it receives the SIGILL signal.
auth-nxdomain yes
yes Controls whether the server should respond authoritatively when returning an NXDOMAIN response.
fake-iquery yes
no Controls whether the server should respond to the obsolete IQUERY requests.
fetch-glue yes
yes Controls whether the server should search for "glue" records to include in the additional section of a query response.
multiple-cnames yes
no Controls whether the server will allow multiple CNAME records for one domain name in any of its zone databases. This practice is discouraged but an option remains for backwards compatibility.
notify yes
yes Controls whether the name server will send NOTIFY messages to its slave servers upon realization of zone changes. Because the slave servers will almost immediately respond to the NOTIFY message with a request for zone transfer, this limits the amount of time that the databases are out of synchronization in the master and slave relationship.
recursion yes
yes Controls whether the server will attempt to resolve names outside of its domains on behalf of the client. If set to no, the name server will return a referral to the client in order for the client to continue searching for the name. Used with the fetch-glue option, one can contain the amount of data that grows in the name server's memory cache.
forward only
first Controls how forwarding is used when forwarding is enabled. When set to first, the name server will attempt to search for a name whenever the forwarded host does not provide an answer. However, when set to only, the name server will not attempt this extra work.
forwarders ipaddr (empty list) Enables the use of query forwarding when defining a Forwarding Name Server. The ipaddr parameter list specifies the hosts to which the query should be forwarded when it cannot be resolved from the local database. Each ipaddr is an internet address in standard dot notation.
check-names master ignore
master warn
master fail
slave ignore
slave warn
slave fail
response ignore
response warn
response fail
master fail
slave warn
response ignore
Controls how the name server will handle non-RFC compliant host names and domain names through each of its operation domains.

The master keyword specifies how to handle malformed names in a master zone file.
The slave keyword specifies how to handle malformed names received from a master server.
The response keyword specifies how to handle malformed names received in response to a query.

ignore directs the server to ignore any malformed names and continue normal processing.
warn directs the server to warn the administrator through logging, but to continue normal processing.
fail directs the server to reject the name entirely. For the responses to queries, this implies that the server will return a REFUSED message to the original query host.

allow-query access-element any Limits the range of querying hosts allowed to access the system. Each access-element is specified in the same manner as in the acl stanza defined earlier.
allow-transfer access-element any Limits the range of querying hosts that are requesting zone transfers. Each access-element is specified in the same manner as in the acl stanza defined earlier.
listen-on port port-num
port 53 { localhost; } Limits the interfaces available to the name server daemon and controls which port to use to listen for queries. By default, the name server uses all interfaces on the system and listens on port 53. Additionally, multiple listen-on definitions are allowed within the options stanza.

Each access element is specified in the same manner as in the acl stanza defined earlier. The following example limits the name server to using only the interface with address

listen-on port 53 {; };
query-source address ipaddr
address *
port port
port *
address * port * Modifies the default address and port from which queries will originate.
max-transfer-time-in seconds 120 Specifies the maximum amount of time an inbound zone transfer will be allowed to run before it is aborted. This is used to control an event in which a child process of the name server does not execute or terminate properly.
transfer-format one-answer
one-answer Controls the method in which full zone transfers will be sent to requestors. The one-answer method uses one packet per zone resource record while many-answers will insert as many resource records into one packet as possible. While the many-answers method is more efficient, it is only understood by the newest revisions of the name server. This option can be overridden in the server stanza to specify the method on a per name server basis.
transfers-in value 10 Specifies the maximum number of concurrent inbound zone transfers. While this will limit the amount of time each slave zone is out of synchronization with the master's database, because each inbound transfer runs in a separate child process, increasing the value may also increase the load on the slave server.
transfers-out value N/A Specifies the maximum number of concurrent outbound zone transfers for the name server. This option is currently unused in the server, but will be available at a later time.
transfers-per-ns value 2 Specifies the maximum amount of concurrent zone transfers from a specific remote name server. While this will limit the amount of time each slave zone is out of synchronization with the master's database, increasing this value may increase the load on the remote master server.
coresize size-value default Configures some process specific values for the daemon.

The default values or those inherited by the system and by the system's resources.

Each size-value can be specified as a number or as a number followed by the k, m, and g modifiers indicating kilobytes, megabytes, and gigabytes respectively.

datasize size-value default
files value unlimited
stacksize size-value default
clean-interval minutes 60 Controls the intervals for the periodic maintenance tasks of the name server.

The clean-interval specifies how frequently the server will remove expired resource records from the cache. The interface-interval specifies how frequently the server will rescan for interfaces in the system. The statistics-interval specifies how frequently the name server will output statistics data.

A minutes value of zero indicates that the service task should only run when the configuration file is reread.

interface-interval minutes 60
statistics-interval minutes 60
cleandb-time time N/A Specifies a time of day in which the database will be scanned and any dynamic records whose set of SIG resource records are all expired will be removed. For a dynamic zone which has update-security set to presecured, only the expired SIG KEY will remain.

The default is to never perform this scan. Instead, the expired records will remain until the name is queried.

time is specified as HH:MM in a 24-hour format.

topology access-element localhost; localnets; Specifies a search order to use to find a preference in a list of addresses corresponding to a name server. Whenever a query is forwarded or a query must be made to another name server, it may be necessary to choose an address from a list of available addresses.

Each access-element, while seemingly similar to those specified in an acl stanza, is interpretted by its position in the list. The first elements in the list are preferred more than those following them. Negated elements (those specified with the ! (exclamation point) modifier) are considered least desirable.

Server Specific Options

server ipaddr
    [ bogus ( yes | no ); ]
    [ transfers value;
    [ transfer-format ( one-answer |
many-answers ); ]

Modifies the behavior in which the remote name server matching the specified ipaddr IP address should be treated.

Option Values Explanation
bogus yes
Indicates that the name server identified by the stanza should not be used again. The default value is no.
transfers value Overrides the globally available option transfers-per-ns. Specifies a maximum value for the number of concurrent inbound zone transfers from the foreign name server identified by the stanza.
transfer-format one-answer
Overrides the globally available option transfer-format to a specific value for the specified server. The transfer-format option indicates to the name server how to form its outbound full zone transfers. By default, the value is inherited from the options stanza (where it defaults to one-answer). one-answer specifies that only one resource record can be sent per packet during the zone transfer, whereas many-answers indicates to entirely fill the outbound packet with resource records. The many-answers format is only available in the newest revisions of the name server.

Zone Definition

zone domain-string [ class ] {
    type ( hint | stub | slave | master );
    [ file path-string; ]
    [ masters { ipaddr; [...] }; ]
    [ check-names ( warn | fail | ignore ); ]
    [ allow-update { access-element; [...] }; ]
    [ update-security ( unsecured | presecured | controlled ); ]
    [ allow-query { access-element; [...] }; ]
    [ allow-transfer { access-element; [...] }; ]
    [ max-transfer-time-in seconds; ]
    [ notify ( yes | no ); ]
    [ also-notify { ipaddr; [...] }; ]
    [ dont-notify { ipaddr; [...] }; ]
    [ notify-delaytime seconds; ]
    [ notify-retrytime seconds; ]
    [ notify-retrycount value; ]
    [ dump-interval seconds; ]
    [ incr-interval seconds; ]
    [ deferupdcnt value; ]
    [ key-xfer ( yes | no ); ]
    [ timesync ( yes | no ); ]
    [ timesync-xfer ( yes | no ); ]
    [ save-backups ( yes | no ); ]
    [ ixfr-directory path-string; ]
    [ separate-dynamic ( yes | no ); ]

The zone stanza is used to define a zone, its type, possible location of data, and operating parameters. The domain-string is a quoted string specifying the zone, where "." is used to specify the root zone. The class paramter specifies the class of the zone as either in, hs, hesiod, or chaos. By default, the class is assumed to be IN.

Option Values Default Explanation
type hint
N/A Defines the type of the zone. hint zones, previously regarded as cache zones, only describe a source for information not contained in the other defined zones. A stub zone is one similar to a slave zone. While the slave zone replicates the entire database of its master, the stub zone only replicates the NS resource records. The master zone maintains a database on disk.

Based upon the selection of zone type, some of the other options are required while others may be impertinent. Zones of type hint and master require the file option, while zones of type slave and stub require the masters option. Additionally, the only other option available to a hint zone is the check-names option.

file path-string N/A Specifies the location for the source of data specific to the zone. This parameter is only optional for stub and slave zones, where its inclusion indicates that a locally saved copy of the remote zone can be kept. The path-string parameter is a quoted string which can specify the file name either non-relative or relative to the options stanza's directory. If the path is intended to be specified relative to the server root, the options stanza must be specified before the zone stanza.
masters ipaddr N/A Specifies a list of sources that will be referenced for a slave or stub zone to retrieve its data. This option is not valid for any other type of zone, and must be included for either of these two types.
check-names warn
  Overrides the check-names option in the global options stanza. The default value is inherited from the options stanza, where its default is fail for master zones and warn for slave zones.
allow-update access-element none Indicates from what source addresses a zone will accept dynamic updates. access-elements are specified in the same manner as they are for the acl stanza. Because of the inherint insecurity of a dynamic update, this value defaults to none. If no update-security is specified, dynamic updates should be limited to a specific set of secured machines.
update-security unsecured
unsecured Valid only when the allow-update option specifies at least one source address, update-security defines what type of secured update mechanism the zone will use. The current zone update security method is a non-standard two-key method, but is compatible with previous releases of the name server.

presecured indicates that a zone will only accept updates for which names and resource records already exist, unless the update is signed by the zone's authorizing key. Normally, this means that the zone must be prepopulated with the names and records it is to maintain. controlled specifies a zone in which names can be added to the database without the signature of the zone's authorizing key, but existing records cannot be modified without being signed by the KEY resource record's corresponding private key.

Note that a proper presecured or controlled zone must contain a zone KEY resource record.

See the TCP/IP Name Resolution for more information regarding zone update security.

allow-query access-element   Overrides the globally available option allow-query. This option's default is inherited from the global options stanza, where its default is any.
allow-transfer access-element   Overrides the globally available option allow-transfer. This option's default is inherited from the global options stanza, where its default is any.
max-transfer-time-in seconds   Overrides the globally available option max-transfer-time-in. This option's default is inherited from the global options stanza, where its default is 120.
notify yes
  Overrides the globally available option notify. This option's default is inherited from the global options stanza, where its default is yes.
also-notify ipaddr N/A The default NOTIFY mechanism will notify slave servers of a change in the DOMAIN database in order to limit the amount of time that the slave server retains a zone out of synchronization with the master server. The also-notify option allows for the addition of addresses to submit the notifications.
dont-notify ipaddr N/A Specifies a list of IP addresses to be removed from the default list of NOTIFY recipients. This option is useful if a name server is known to be problematic when receiving NOTIFY requests.
notify-delaytime seconds 30 Specifies an estimated time of delay between notifications to multiple name servers. Because the receipt of a NOTIFY message usually triggers the prompt request for a zone transfer, this option can tune to latency in which each server will respond with the request for the modified zone.

The real value used will be randomized between the specified number of seconds and twice this value.

notify-retrytime seconds 60 Specifies the number of seconds in which the name server will wait to retransmit a NOTIFY message which has gone unresponded.
notify-retrycount value 3 Specifies the maximum number of tries that the name server will attempt to send unanswered NOTIFY messages to other name servers.
dump-interval seconds 3600 Specifies an interval in which the name server will rewrite a dynamic zone to the zone file. In the interim, all updates and other transactions will be logged in the transaction log file for performance reasons. Aside from this periodic zone dump, the transaction log file is only discarded and the zone is only dumped when the name server is properly shut down.

This option is only valid for zones in which the allow-update option specifies at least one valid accessor.

Note: The transaction log file name is the zone file name with an appended ".log" extension.

incr-interval seconds 300 Specifies an interval in which the name server will accept dynamic updates while not increasing the zone's SOA record's serial level. Because a change in the zone SOA record will instantiate a NOTIFY message, limiting this occurrence will limit the amount of zone transfer requests at the expense of minimal zone differences between a dynamic master server and its slave.

This option is only valid for zones in which the allow-update option specifies at least one valid accessor.

deferupdcnt value 100 Specifies a threshold value for the number of properly applied updates received during one incr-interval interval. If more than value updates are realized during the interval, the name server will modify the zone SOA serial level and subsequently NOTIFY each of the slave servers. Use this value to limit the database replication inconsistencies in an environment where dynamic zone updates occur infrequently but in large magnitude.

This option is only valid for zones in which the allow-update option specifies at least one valid accessor.

key-xfer yes
yes Specifies whether the server should transmit KEY resource records during a zone transfer. In a very controlled environment where KEY queries will only be made to the master name server, setting this option to no will save zone transfer time and improve performance.
timesync yes
yes Specifies that a name server should calculate the true expiration time of a SIG resource record using its own clock rather than relying on the expiration time set by a possible update source. This removes the inconsistencies involved when dynamic zone updaters have their system clocks misaligned from the name server host. Because enabling this option modifies the output and interpretation of a SIG resource record in a DOMAIN database file, disabling this option may be required when manually transfering a DOMAIN database file to another name server.
timesync-xfer yes
yes Specifies which SIG resource record expiration time will be transfered during a zone transfer. Enabling this option is only valid when the timesync option is enabled.
ixfr-directory path-string   Specifies a directory in which temporary data files will be contained for use with this zone. The datafiles contain incremental zone changes and are essential to the proper use of the Incremental Zone Transfer (IXFR) method. Because these files are created and destroyed dynamically by the name server, one should not specify a globally-writable directory. Additionally, the directory specified must be unique from other ixfr-directory options specified in other zones.

The default value for this directory is derived from the zone's file name or domain name. By default, a directory is created in an "ixfrdata" directory within the name server's default directory. Contained in this directory will be subdirectory matching the base name of the zone's file name or domain name.

It is not necessary to specify this option for the proper behavior of the IXFR feature.

save-backups yes
no To properly calculate an incremental zone difference between server invocations, it is necessary to determine the zone database differences prior to the shutdown of the server and after the loading of the server. By enabling this option, a backup of the zone file will be written and read upon loading of the name server to determine any zone differences.

While enabling this option is necessary to use the IXFR transfer method after a stop and restart transition of the name server, it is not necessary to realize incremental zone differences when a zone file is modified and signalled to reload via the SRC refresh command or SIGHUP signal.

separate-dynamic yes
no Instructs the name server to retain $INCLUDE references in a dynamic zone when the DOMAIN database file is written to disk. The behavior of this feature implies that resource records that can be modified through the dynamic update mechanism exist in the DOMAIN database file referenced by the file option, while other resource records that should not be modified through the dynamic update mechanism be contained in files included (through the $INCLUDE directive) by the DOMAIN database file.


The following examples show the some of the various ways to use configure a simple named.conf file. In these examples, two networks are represented: abc and xyz.

Network abc consists of:

  •, the master name server for the abc network,
  •, a host machine,
  •, a slave name server for the abc network and the gateway between abc and xyz,

Network xyz consists of:

  •, master name server for the xyz network,
  •, a host machine,
  •, a host machine and hint name server for the xyz network,
  •, a slave name server for the xyz network and gateway between abc and xyz,

    Note: Note that sandy, a gateway host, is on both networks and also serves as a slave name server for both domains.


  1. The /etc/named.conf file for, the master name server for network abc, contains these entries:

    # conf file for abc master server  -
    server {
        transfer-format many-answers;

    zone "abc" in {
        type master;
        file "/etc/named.abcdata";
        allow-update { localhost; };

    zone "" in {
        type master;
        file "/etc/named.abcrev";
        allow-update { localhost; };

    zone "" in {
        type master;
        file "/etc/named.abclocal";
  2. The /etc/named.conf file for, the master name server for network xyz, contains these entries:

    # conf file for abc master server  -
    acl xyz-slaves {;

    options {
        directory "/etc";
        allow-transfer { xyz-slaves; localhost; };

    zone "xyz" in {
        type master;
        file "named.xyzdata";

    zone "" in {
        type master;
        file "named.xyxrev";

    zone "" in {
        type master;
        file "named.xyzlocal";
  3. The /etc/named.conf file for sandy, the slave name server for networks abc and xyz, contains the following entries:

    # conf file for slave server for abc and xyz - sandy
    options {
        directory "/etc";

    zone "abc" in {
        type slave;
        masters {; };
        file "named.abcdata.bak";

    zone "xyz" in {
        type slave;
        masters {; };
        file "named.xyzdata.bak";

    zone "" in {
        type slave;
        masters {; };

    zone "" in {
        type slave;
        masters {; };

    zone "" in {
        type master;
        file "named.local";
  4. The /etc/named.conf file for sahara, a hint name server for the network xyz, contains the following entries:

    # conf file for hint server for xyz - sahara
    zone "." in {
        type hint;
        file "/etc/";

    zone "" in {
        type master;
        file "/etc/named.local";


/usr/samples/tcpip/named.conf  Contains the sample named.conf file.

Related Information

The named daemon.

The syslogd daemon.

The DOMAIN cache file format, DOMAIN local file format, DOMAIN data file format, DOMAIN Reverse data file format, rc.tcpip file format.

Configuring a Primary Name Server and Naming for TCP/IP in System Management Guide: Communications and Networks.