diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8
index 53e47c66d1..6d4875a953 100644
--- a/bin/check/named-checkzone.8
+++ b/bin/check/named-checkzone.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkzone.8,v 1.31 2005/10/13 03:13:56 marka Exp $
+.\" $Id: named-checkzone.8,v 1.32 2006/01/06 01:55:38 marka Exp $
 .\"
 .hy 0
 .ad l
@@ -30,9 +30,9 @@
 named\-checkzone, named\-compilezone \- zone file validity checking or converting tool
 .SH "SYNOPSIS"
 .HP 16
-\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
+\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
 .HP 18
-\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
+\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
 .SH "DESCRIPTION"
 .PP
 \fBnamed\-checkzone\fR
@@ -141,6 +141,13 @@ Specify whether MX records should be checked to see if they are addresses. Possi
 (default) and
 \fB"ignore"\fR.
 .TP
+\-M \fImode\fR
+Check if a MX record refers to a CNAME. Possible modes are
+\fB"fail"\fR,
+\fB"warn"\fR
+(default) and
+\fB"ignore"\fR.
+.TP
 \-n \fImode\fR
 Specify whether NS records should be checked to see if they are addresses. Possible modes are
 \fB"fail"\fR
@@ -164,6 +171,13 @@ Specify the style of the dumped zone file. Possible styles are
 \fBnamed\-checkzone\fR
 this does not cause any effects unless it dumps the zone contents. It also does not have any meaning if the output format is not text.
 .TP
+\-S \fImode\fR
+Check if a SRV record refers to a CNAME. Possible modes are
+\fB"fail"\fR,
+\fB"warn"\fR
+(default) and
+\fB"ignore"\fR.
+.TP
 \-t \fIdirectory\fR
 chroot to
 \fIdirectory\fR
diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html
index 575a87c8a9..cb8b2b2d8f 100644
--- a/bin/check/named-checkzone.html
+++ b/bin/check/named-checkzone.html
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -29,11 +29,11 @@named-checkzone [-d] [-j] [-q] [-v] [-c ] [class-f ] [format-F ] [format-i ] [mode-k ] [mode-m ] [mode-n ] [mode-o ] [filename-s ] [style-t ] [directory-w ] [directory-D] [-W ] {zonename} {filename}mode
named-compilezone [-d] [-j] [-q] [-v] [-c ] [class-f ] [format-F ] [format-i ] [mode-k ] [mode-m ] [mode-n ] [mode-o ] [filename-s ] [style-t ] [directory-w ] [directory-D] [-W ] {zonename} {filename}mode
named-checkzone [-d] [-j] [-q] [-v] [-c ] [class-f ] [format-F ] [format-i ] [mode-k ] [mode-m ] [mode-M ] [mode-n ] [mode-o ] [filename-s ] [style-S ] [mode-t ] [directory-w ] [directory-D] [-W ] {zonename} {filename}mode
named-compilezone [-d] [-j] [-q] [-v] [-c ] [class-C ] [mode-f ] [format-F ] [format-i ] [mode-k ] [mode-m ] [mode-n ] [mode-o ] [filename-s ] [style-t ] [directory-w ] [directory-D] [-W ] {zonename} {filename}mode
named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a @@ -53,7 +53,7 @@
@@ -149,6 +149,13 @@ "warn" (default) and "ignore".
mode+ Check if a MX record refers to a CNAME. + Possible modes are "fail", + "warn" (default) and + "ignore". +
modeSpecify whether NS records should be checked to see if they @@ -179,6 +186,13 @@ It also does not have any meaning if the output format is not text.
mode+ Check if a SRV record refers to a CNAME. + Possible modes are "fail", + "warn" (default) and + "ignore". +
directory
chroot to directory so that
@@ -219,21 +233,21 @@
named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.
nslookup [-option] [name | -] [server]
Nslookup is a program to query Internet domain name servers. Nslookup has two modes: interactive and non-interactive. Interactive mode allows @@ -43,7 +43,7 @@
Interactive mode is entered in the following cases:
@@ -76,7 +76,7 @@ nslookup -query=hinfo -timeout=10type=value- Change the top of the information query. + Change the type of the information query.
(Default = A; abbreviations = q, ty) @@ -288,19 +288,19 @@ nslookup -query=hinfo -timeout=10
Andrew Cherenson
diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index 1cac7ba30c..b0f0ee737a 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.conf.5,v 1.15 2005/10/13 03:13:58 marka Exp $
+.\" $Id: named.conf.5,v 1.16 2006/01/06 01:55:38 marka Exp $
 .\"
 .hy 0
 .ad l
@@ -69,6 +69,7 @@ server ( \fIipv4_address\fR\fI[/prefixlen]\fR | \fIipv6_address\fR\fI[/prefixlen
 bogus \fIboolean\fR;
 edns \fIboolean\fR;
 edns\-udp\-size \fIinteger\fR;
+ max\-udp\-size \fIinteger\fR;
 provide\-ixfr \fIboolean\fR;
 request\-ixfr \fIboolean\fR;
 keys \fIserver_key\fR;
@@ -200,7 +201,9 @@ options {
 check\-names ( master | slave | response )
 ( fail | warn | ignore );
 check\-mx ( fail | warn | ignore );
- integrity\-check \fIboolean\fR;
+ check\-integrity \fIboolean\fR;
+ check\-mx\-cname ( fail | warn | ignore );
+ check\-srv\-cname ( fail | warn | ignore );
 cache\-file \fIquoted_string\fR;
 suppress\-initial\-notify \fIboolean\fR; // not yet implemented
 preferred\-glue \fIstring\fR;
@@ -208,13 +211,15 @@ options {
 ( \fIquoted_string\fR [port \fIinteger\fR] |
 \fIipv4_address\fR [port \fIinteger\fR] |
 \fIipv6_address\fR [port \fIinteger\fR] ); ...
- }
+ };
 edns\-udp\-size \fIinteger\fR;
+ max\-udp\-size \fIinteger\fR;
 root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ];
 disable\-algorithms \fIstring\fR { \fIstring\fR; ... };
 dnssec\-enable \fIboolean\fR;
 dnssec\-lookaside \fIstring\fR trust\-anchor \fIstring\fR;
 dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
+ dnssec\-accept\-expired \fIboolean\fR;
 empty\-server \fIstring\fR;
 empty\-contact \fIstring\fR;
 empty\-zones\-enable \fIboolean\fR;
@@ -259,6 +264,8 @@ options {
 use\-alt\-transfer\-source \fIboolean\fR;
 zone\-statistics \fIboolean\fR;
 key\-directory \fIquoted_string\fR;
+ zero\-no\-soa\-ttl \fIboolean\fR;
+ zero\-no\-soa\-ttl\-cache \fIboolean\fR;
 allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
 deallocate\-on\-exit \fIboolean\fR; // obsolete
 fake\-iquery \fIboolean\fR; // obsolete
@@ -323,7 +330,9 @@ view \fIstring\fR \fIoptional_class\fR {
 check\-names ( master | slave | response )
 ( fail | warn | ignore );
 check\-mx ( fail | warn | ignore );
- integrity\-check \fIboolean\fR;
+ check\-integrity \fIboolean\fR;
+ check\-mx\-cname ( fail | warn | ignore );
+ check\-srv\-cname ( fail | warn | ignore );
 cache\-file \fIquoted_string\fR;
 suppress\-initial\-notify \fIboolean\fR; // not yet implemented
 preferred\-glue \fIstring\fR;
@@ -333,11 +342,13 @@ view \fIstring\fR \fIoptional_class\fR {
 \fIipv6_address\fR [port \fIinteger\fR] ); ...
 };
 edns\-udp\-size \fIinteger\fR;
+ max\-udp\-size \fIinteger\fR;
 root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ];
 disable\-algorithms \fIstring\fR { \fIstring\fR; ... };
 dnssec\-enable \fIboolean\fR;
 dnssec\-lookaside \fIstring\fR trust\-anchor \fIstring\fR;
 dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
+ dnssec\-accept\-expired \fIboolean\fR;
 empty\-server \fIstring\fR;
 empty\-contact \fIstring\fR;
 empty\-zones\-enable \fIboolean\fR;
@@ -382,6 +393,8 @@ view \fIstring\fR \fIoptional_class\fR {
 use\-alt\-transfer\-source \fIboolean\fR;
 zone\-statistics \fIboolean\fR;
 key\-directory \fIquoted_string\fR;
+ zero\-no\-soa\-ttl \fIboolean\fR;
+ zero\-no\-soa\-ttl\-cache \fIboolean\fR;
 allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
 fetch\-glue \fIboolean\fR; // obsolete
 maintain\-ixfr\-base \fIboolean\fR; // obsolete
@@ -404,10 +417,13 @@ zone \fIstring\fR \fIoptional_class\fR {
 delegation\-only \fIboolean\fR;
 check\-names ( fail | warn | ignore );
 check\-mx ( fail | warn | ignore );
- integrity\-check \fIboolean\fR;
+ check\-integrity \fIboolean\fR;
+ check\-mx\-cname ( fail | warn | ignore );
+ check\-srv\-cname ( fail | warn | ignore );
 dialup \fIdialuptype\fR;
 ixfr\-from\-differences \fIboolean\fR;
 journal \fIquoted_string\fR;
+ zero\-no\-soa\-ttl \fIboolean\fR;
 allow\-query { \fIaddress_match_element\fR; ... };
 allow\-transfer { \fIaddress_match_element\fR; ... };
 allow\-update { \fIaddress_match_element\fR; ... };
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index 4f4feadae0..bfef54eeb7 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -1,5 +1,5 @@ - +
@@ -31,7 +31,7 @@named.conf
named.conf is the configuration file
for
named. Statements are enclosed
@@ -50,14 +50,14 @@
masters string [ port integer ] {
( masters | ipv4_address [port integer] |
@@ -75,12 +75,13 @@ masters
server ( ipv4_address[/prefixlen] | ipv6_address[/prefixlen] ) {
bogus boolean;
edns boolean;
edns-udp-size integer;
+ max-udp-size integer;
provide-ixfr boolean;
request-ixfr boolean;
keys server_key;
@@ -96,7 +97,7 @@ server
trusted-keys {
domain_name flags protocol algorithm key; ...
@@ -104,7 +105,7 @@ trusted-keys
controls {
inet ( ipv4_address | ipv6_address | * )
@@ -116,7 +117,7 @@ controls
options {
avoid-v4-udp-ports { port; ... };
@@ -218,7 +219,9 @@ options
check-names ( master | slave | response )
( fail | warn | ignore );
check-mx ( fail | warn | ignore );
- integrity-check boolean;
+ check-integrity boolean;
+ check-mx-cname ( fail | warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
cache-file quoted_string;
suppress-initial-notify boolean; // not yet implemented
preferred-glue string;
@@ -226,13 +229,15 @@ options
( quoted_string [port integer] |
ipv4_address [port integer] |
ipv6_address [port integer] ); ...
- }
+ };
edns-udp-size integer;
+ max-udp-size integer;
root-delegation-only [ exclude { quoted_string; ... } ];
disable-algorithms string { string; ... };
dnssec-enable boolean;
dnssec-lookaside string trust-anchor string;
dnssec-must-be-secure string boolean;
+ dnssec-accept-expired boolean;
empty-server string;
empty-contact string;
@@ -286,6 +291,8 @@ options
zone-statistics boolean;
key-directory quoted_string;
+ zero-no-soa-ttl boolean;
+ zero-no-soa-ttl-cache boolean;
allow-v6-synthesis { address_match_element; ... }; // obsolete
deallocate-on-exit boolean; // obsolete
@@ -303,7 +310,7 @@ options
view string optional_class {
match-clients { address_match_element; ... };
@@ -357,7 +364,9 @@ view
check-names ( master | slave | response )
( fail | warn | ignore );
check-mx ( fail | warn | ignore );
- integrity-check boolean;
+ check-integrity boolean;
+ check-mx-cname ( fail | warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
cache-file quoted_string;
suppress-initial-notify boolean; // not yet implemented
preferred-glue string;
@@ -367,12 +376,13 @@ view
ipv6_address [port integer] ); ...
};
edns-udp-size integer;
+ max-udp-size integer;
root-delegation-only [ exclude { quoted_string; ... } ];
disable-algorithms string { string; ... };
dnssec-enable boolean;
dnssec-lookaside string trust-anchor string;
-
dnssec-must-be-secure string boolean;
+ dnssec-accept-expired boolean;
empty-server string;
empty-contact string;
@@ -426,6 +436,8 @@ view
zone-statistics boolean;
key-directory quoted_string;
+ zero-no-soa-ttl boolean;
+ zero-no-soa-ttl-cache boolean;
allow-v6-synthesis { address_match_element; ... }; // obsolete
fetch-glue boolean; // obsolete
@@ -435,7 +447,7 @@ view
zone string optional_class {
type ( master | slave | stub | hint |
@@ -452,10 +464,13 @@ zone
delegation-only boolean;
check-names ( fail | warn | ignore );
check-mx ( fail | warn | ignore );
- integrity-check boolean;
+ check-integrity boolean;
+ check-mx-cname ( fail | warn | ignore );
+ check-srv-cname ( fail | warn | ignore );
dialup dialuptype;
ixfr-from-differences boolean;
journal quoted_string;
+ zero-no-soa-ttl boolean;
allow-query { address_match_element; ... };
allow-transfer { address_match_element; ... };
@@ -515,12 +530,12 @@ zone
named(8), rndc(8), BIND 9 Administrator Reference Manual. diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html index a057b1eb7d..a9b6409408 100644 --- a/doc/arm/Bv9ARM.ch01.html +++ b/doc/arm/Bv9ARM.ch01.html @@ -1,5 +1,5 @@ - +
@@ -45,17 +45,17 @@ @@ -71,7 +71,7 @@The Berkeley Internet Name Domain (BIND) implements an @@ -87,7 +87,7 @@
In this document, Section 1 introduces the basic DNS and BIND concepts. Section 2 @@ -116,7 +116,7 @@
In this document, we use the following general typographic conventions: @@ -243,7 +243,7 @@
The purpose of this document is to explain the installation and upkeep of the BIND software @@ -253,7 +253,7 @@
The Domain Name System (DNS) is a hierarchical, distributed database. It stores information for mapping Internet host names to @@ -273,7 +273,7 @@
The data stored in the DNS is identified by domain names that are organized as a tree according to organizational or administrative boundaries. Each node of the tree, @@ -319,7 +319,7 @@
To properly operate a name server, it is important to understand the difference between a zone @@ -372,7 +372,7 @@
Each zone is served by at least one authoritative name server, @@ -389,7 +389,7 @@
The authoritative server where the master copy of the zone data is maintained is called the @@ -409,7 +409,7 @@
The other authoritative servers, the slave servers (also known as secondary servers) @@ -425,7 +425,7 @@
Usually all of the zone's authoritative servers are listed in NS records in the parent zone. These NS records constitute @@ -460,7 +460,7 @@
The resolver libraries provided by most operating systems are stub resolvers, meaning that they are not @@ -487,7 +487,7 @@
Even a caching name server does not necessarily perform the complete recursive lookup itself. Instead, it can @@ -514,7 +514,7 @@
The BIND name server can simultaneously act as diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html index 6b2d1108ed..157fd450f3 100644 --- a/doc/arm/Bv9ARM.ch02.html +++ b/doc/arm/Bv9ARM.ch02.html @@ -1,5 +1,5 @@ - +
@@ -45,16 +45,16 @@Table of Contents
DNS hardware requirements have traditionally been quite modest. @@ -73,7 +73,7 @@
CPU requirements for BIND 9 range from i486-class machines @@ -84,7 +84,7 @@
The memory of the server has to be large enough to fit the cache and zones loaded off disk. The max-cache-size @@ -107,7 +107,7 @@
For name server intensive environments, there are two alternative configurations that may be used. The first is where clients and @@ -124,7 +124,7 @@
ISC BIND 9 compiles and runs on a large number diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html index 5a488e7035..f3b7eaa3bd 100644 --- a/doc/arm/Bv9ARM.ch03.html +++ b/doc/arm/Bv9ARM.ch03.html @@ -1,5 +1,5 @@ - +
@@ -47,14 +47,14 @@The following sample configuration is appropriate for a caching-only name server for use by clients internal to a corporation. All @@ -95,7 +95,7 @@ zone "0.0.127.in-addr.arpa" {
This sample configuration is for an authoritative-only server
that is the master server for "example.com"
@@ -137,7 +137,7 @@ zone "eng.example.com" {
A primitive form of load balancing can be achieved in the DNS by using multiple A records for @@ -280,10 +280,10 @@ zone "eng.example.com" {
This section describes several indispensable diagnostic, administrative and monitoring tools available to the system @@ -741,7 +741,7 @@ controls {
Certain UNIX signals cause the name server to take specific actions, as described in the following table. These signals can diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html index 0352504084..7667c8a032 100644 --- a/doc/arm/Bv9ARM.ch04.html +++ b/doc/arm/Bv9ARM.ch04.html @@ -1,5 +1,5 @@ - +
@@ -49,28 +49,28 @@Setting up different views, or visibility, of the DNS space to internal and external resolvers is usually referred to as a @@ -479,7 +479,7 @@ nameserver 172.16.72.4
A shared secret is generated to be shared between host1 and host2. An arbitrary key name is chosen: "host1-host2.". The key name must @@ -487,7 +487,7 @@ nameserver 172.16.72.4
The following command will generate a 128 bit (16 byte) HMAC-MD5 key as described above. Longer keys are better, but shorter keys @@ -512,7 +512,7 @@ nameserver 172.16.72.4
The shared secret is simply a random sequence of bits, encoded in base-64. Most ASCII strings are valid base-64 strings (assuming @@ -527,7 +527,7 @@ nameserver 172.16.72.4
This is beyond the scope of DNS. A secure transport mechanism should be used. This could be secure FTP, ssh, telephone, etc. @@ -535,7 +535,7 @@ nameserver 172.16.72.4
Imagine host1 and host 2 are @@ -564,7 +564,7 @@ key host1-host2. {
Since keys are shared between two hosts only, the server must
be told when keys are to be used. The following is added to the named.conf file
@@ -596,7 +596,7 @@ server 10.1.2.3 {
BIND allows IP addresses and ranges to be specified in ACL @@ -624,7 +624,7 @@ allow-update { key host1-host2. ;};
The processing of TSIG signed messages can result in several errors. If a signed message is sent to a non-TSIG aware @@ -650,7 +650,7 @@ allow-update { key host1-host2. ;};
TKEY is a mechanism for automatically generating a shared secret between two hosts. There are several "modes" of @@ -686,7 +686,7 @@ allow-update { key host1-host2. ;};
BIND 9 partially supports DNSSEC SIG(0) transaction signatures as specified in RFC 2535 and RFC2931. @@ -747,7 +747,7 @@ allow-update { key host1-host2. ;};
The dnssec-keygen program is used to generate keys. @@ -798,7 +798,7 @@ allow-update { key host1-host2. ;};
The dnssec-signzone program is used to @@ -842,7 +842,7 @@ allow-update { key host1-host2. ;};
To enable named to respond appropriately to DNS requests from DNSSEC aware clients @@ -930,7 +930,7 @@ options {
BIND 9 fully supports all currently defined forms of IPv6 @@ -969,7 +969,7 @@ options {
The IPv6 AAAA record is a parallel to the IPv4 A record, and, unlike the deprecated A6 record, specifies the entire @@ -988,7 +988,7 @@ host 3600 IN AAAA 2001:db8::1
When looking up an address in nibble format, the address components are simply reversed, just as in IPv4, and diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html index 7db22f0a0e..76a144fa62 100644 --- a/doc/arm/Bv9ARM.ch05.html +++ b/doc/arm/Bv9ARM.ch05.html @@ -1,5 +1,5 @@ - +
@@ -45,13 +45,13 @@Table of Contents
Traditionally applications have been linked with a stub resolver library that sends recursive DNS queries to a local caching name diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 91d9cc52b9..a3ac86af63 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -1,5 +1,5 @@ - +
@@ -48,52 +48,52 @@address_match_list= address_match_list_element ; [ address_match_list_element; ... ]address_match_list_element= [ ! ] (ip_address [/length] | @@ -437,7 +437,7 @@Address match lists are primarily used to determine access control for various server operations. They are also used in @@ -514,7 +514,7 @@
The BIND 9 comment syntax allows for comments to appear @@ -524,7 +524,7 @@
/* This is a BIND comment as in C */@@ -539,7 +539,7 @@Comments may appear anywhere that whitespace may appear in a BIND configuration file. @@ -773,7 +773,7 @@
acl acl-name { address_match_list }; @@ -856,7 +856,7 @@controls { [ inet ( ip_addr | * ) [ port ip_port ] allow {address_match_list} keys {key_list}; ] @@ -978,12 +978,12 @@includefilename;The include statement inserts the @@ -998,7 +998,7 @@
keykey_id{ algorithmstring; secretstring; @@ -1007,7 +1007,7 @@The key statement defines a shared secret key for use with TSIG (see the section called “TSIG”) @@ -1050,7 +1050,7 @@
logging { [ channel@@ -2631,6 +2637,11 @@ options { named behaves as if it does not support DNSSEC. The default ischannel_name{ ( filepath name@@ -1074,7 +1074,7 @@The logging statement configures a @@ -1108,7 +1108,7 @@
All log output goes to one or more channels; you can make as many of them as you want. @@ -1627,7 +1627,7 @@ category notify { null; };
This is the grammar of the lwres statement in the
named.conffile: @@ -1642,7 +1642,7 @@ category notify { null; };The lwres statement configures the name @@ -1693,14 +1693,14 @@ category notify { null; };
mastersname[portip_port] { (masters_list|ip_addr[portip_port] [keykey] ) ; [...] };masters lists allow for a common set of masters to be easily used by @@ -1709,7 +1709,7 @@ category notify { null; };
This is the grammar of the options statement in the
named.conffile: @@ -1747,6 +1747,7 @@ category notify { null; }; [ dnssec-enableyes_or_no; ] [ dnssec-lookasidedomaintrust-anchordomain; ] [ dnssec-must-be-securedomain yes_or_no; ] + [ dnssec-accept-expiredyes_or_no; ] [ forward (only|first); ] [ forwarders { [ip_addr[portip_port] ; ... ] }; ] [ dual-stack-servers [portip_port] { @@ -1758,6 +1759,8 @@ category notify { null; }; [ check-mx (warn|fail|ignore); ] [ check-wildcardyes_or_no; ] [ check-integrityyes_or_no; ] + [ check-mx-cname (warn|fail|ignore); ] + [ check-srv-cname (warn|fail|ignore); ] [ check-siblingyes_or_no; ] [ allow-notify {address_match_list}; ] [ allow-query {address_match_list}; ] @@ -1835,6 +1838,7 @@ category notify { null; }; [ match-mapped-addressesyes_or_no; ] [ preferred-glue (A|AAAA|NONE); ] [ edns-udp-sizenumber; ] + [ max-udp-sizenumber; ] [ root-delegation-only [ exclude {namelist} ] ; ] [ querylogyes_or_no; ] [ disable-algorithmsdomain{algorithm; [algorithm; ] }; ] @@ -1848,6 +1852,8 @@ category notify { null; }; [ empty-contactname; ] [ empty-zones-enableyes_or_no; ] [ disable-empty-zonezone_name; ] + [ zero-no-soa-ttlyes_or_no; ] + [ zero-no-soa-ttl-cacheyes_or_no; ] };no. +
+ When verifying DNSSEC signatures accept expired signatures.
+ The default is no.
+
Specify whether query logging should be started when named @@ -2697,16 +2708,39 @@ options { checks use named-checkzone). The default is yes.
+ If check-integrity is set then + fail, warn or ignore MX records that refer + to CNAMES. The default is to warn. +
+ If check-integrity is set then + fail, warn or ignore SRV records that refer + to CNAMES. The default is to warn. +
When performing integrity checks also check that sibling glue exists. The default is yes.
+ When returning authoritative negative responses to + SOA queries set the TTL of the SOA recored returned in + the authority section to zero. Default yes. +
+ When caching a negative response to a SOA query + set the TTL to zero. Default no. +
The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external @@ -2750,7 +2784,7 @@ options {
Dual-stack servers are used as servers of last resort to work around @@ -2915,7 +2949,7 @@ options {
The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes @@ -2995,7 +3029,7 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
If the server doesn't know the answer to a question, it will query other name servers. query-source specifies @@ -3025,6 +3059,13 @@ query-source-v6 address * port *;
+ Solaris 2.5.1 and earlier does not support setting the source + address for TCP sockets. +
+See also transfer-source and notify-source. @@ -3167,7 +3208,8 @@ query-source-v6 address * port *; of the server statement.
transfer-source +
transfer-source determines which local address will be bound to IPv4 TCP connections used to fetch zones transferred inbound by the server. It also determines the @@ -3187,7 +3229,15 @@ query-source-v6 address * port *; the view or zone block in the configuration file. -
+ Solaris 2.5.1 and earlier does not support setting the + source address for TCP sockets. +
+The same as transfer-source, @@ -3227,7 +3277,8 @@ query-source-v6 address * port *; compatibility).
notify-source +
notify-source determines which local source address, and optionally UDP port, will be used to send NOTIFY messages. This address must appear in the slave @@ -3240,7 +3291,15 @@ query-source-v6 address * port *; the zone or view block in the configuration file. -
+ Solaris 2.5.1 and earlier does not support setting the + source address for TCP sockets. +
+Like notify-source, @@ -3250,7 +3309,7 @@ query-source-v6 address * port *;
avoid-v4-udp-ports and avoid-v6-udp-ports specify a list of IPv4 and IPv6 UDP ports that will not be used as system @@ -3264,7 +3323,7 @@ query-source-v6 address * port *;
The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For @@ -3324,7 +3383,7 @@ query-source-v6 address * port *;
The following options set limits on the server's resource consumption that are enforced internally by the @@ -3402,7 +3461,7 @@ query-source-v6 address * port *;
@@ -3795,6 +3854,17 @@ query-source-v6 address * port *; packets and/or block UDP packets that are greater than 512 bytes.
+ Sets the maximum EDNS UDP message size named will + send. Valid values are 512 to 4096 (values outside + this range will be silently adjusted). The default + value is 4096. The usual reason for setting + max-udp-size to a non default value it to get UDP + answers to pass through broken firewalls that + block fragmented packets and/or block UDP packets + that are greater than 512 bytes. +
masterfile-format specifies
the file format of zone files (see
@@ -4242,6 +4312,7 @@ query-source-v6 address * port *;
[ request-ixfr yes_or_no ; ]
[ edns yes_or_no ; ]
[ edns-udp-size number ; ]
+ [ max-udp-size number ; ]
[ transfers number ; ]
[ transfer-format ( one-answer | many-answers ) ; ]]
[ keys { string ; [ string ; [...]] } ; ]
@@ -4337,6 +4408,14 @@ query-source-v6 address * port *;
advertise globally, for example, when there is a firewall at the
remote site that is blocking large replies.
+ The max-udp-size option sets the + maximum EDNS UDP message size named will send. Valid + values are 512 to 4096 (values outside this range will + be silently adjusted). This option is useful when you + know that there is a firewall that is blocking large + replies from named. +
The server supports two zone transfer methods. The first, one-answer, uses one DNS message per resource record transferred. many-answers packs @@ -4395,7 +4474,7 @@ query-source-v6 address * port *;
trusted-keys {
string number number number string ;
[ string number number number string ; [...]]
@@ -4404,7 +4483,7 @@ query-source-v6 address * port *;
The trusted-keys statement defines
@@ -4447,7 +4526,7 @@ query-source-v6 address * port *;
The view statement is a powerful
feature
@@ -4614,16 +4693,17 @@ view "external" {
[ max-retry-time number ; ]
[ multi-master yes_or_no ; ]
[ key-directory path_name; ]
+ [ zero-no-soa-ttl yes_or_no ; ]
}];