From 86c1ac00da33c2ecc14f5ca69fba40186460ce57 Mon Sep 17 00:00:00 2001 From: Andreas Gustafsson Date: Fri, 2 Feb 2001 19:51:58 +0000 Subject: [PATCH] represent the lists containing descriptions of named.conf options as DocBook elements instead of elements. This is more correct, and will eliminate some multi-page tables that have been giving JadeTeX grief. --- doc/arm/Bv9ARM-book.xml | 1291 ++++++++++++----------- doc/arm/Bv9ARM.ch06.html | 2114 ++++++++++---------------------------- doc/arm/Bv9ARM.ch07.html | 8 +- doc/arm/Bv9ARM.ch08.html | 14 +- doc/arm/Bv9ARM.ch09.html | 116 +-- doc/arm/Bv9ARM.html | 61 +- 6 files changed, 1283 insertions(+), 2321 deletions(-) diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index afb0fd4723..c0ad751f24 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -2,7 +2,7 @@ - + @@ -2206,9 +2206,11 @@ Usage ... }; - - <command>logging</command> Statement Definition and -Usage + + + +<command>logging</command> Statement Definition and Usage + The logging statement configures a wide variety of logging options for the nameserver. Its channel phrase associates output methods, format options and severity levels with @@ -2217,7 +2219,8 @@ to select how various classes of messages are logged. Only one logging statement is used to define as many channels and categories as are wanted. If there is no logging statement, the logging configuration will be: -logging { + +logging { category "default" { "default_syslog"; "default_debug"; }; }; 
@@ -2229,8 +2232,11 @@ was parsed. When the server is starting up, all logging messages regarding syntax errors in the configuration file go to the default channels, or to standard error if the "" option was specified. - The <command>channel</command> Phrase - All log output goes to one or more channels; + + +The <command>channel</command> Phrase + +All log output goes to one or more channels; you can make as many of them as you want. Every channel definition must include a destination clause that @@ -2267,7 +2273,8 @@ renamed to lamers.log.0. No rolled versions are kept by default; any existing log file is simply appended. The unlimited keyword is synonymous with 99 in current BIND releases. Example usage of the size and versions options: - channel "an_example_channel" { + +channel "an_example_channel" { file "example.log" versions 3 size 20m; print-time yes; print-category yes; @@ -2469,13 +2476,15 @@ lookups performed on behalf of clients by a caching name server. - - - - <command>lwres</command> Statement Grammar + + + + +<command>lwres</command> Statement Grammar + + This is the grammar of the lwres +statement in the named.conf file: - This is the grammar of the lwres - statement in the named.conf file: lwres { listen-on { ip_addr port ip_port ; ip_addr port ip_port ; ... }; view view_name; 
@@ -2483,45 +2492,47 @@ lookups performed on behalf of clients by a caching name server. ndots number; }; - - - <command>lwres</command> Statement Definition and Usage - The lwres statement configures the name - server to also act as a lightweight resolver server, see - . There may be be multiple - lwres statements configuring - lightweight resolver servers with different properties. + + +<command>lwres</command> Statement Definition and Usage - The listen-on statement specifies a list of - addresses (and ports) that this instance of a lightweight resolver daemon - should accept requests on. If no port is specified, port 921 is used. - If this statement is omitted, requests will be accepted on 127.0.0.1, - port 921. +The lwres statement configures the name +server to also act as a lightweight resolver server, see +. There may be be multiple +lwres statements configuring +lightweight resolver servers with different properties. - The view statement binds this instance of a - lightweight resolver daemon to a view in the DNS namespace, so that the - response will be constructed in the same manner as a normal DNS query - matching this view. If this statement is omitted, the default view is - used, and if there is no default view, an error is triggered. +The listen-on statement specifies a list of +addresses (and ports) that this instance of a lightweight resolver daemon +should accept requests on. If no port is specified, port 921 is used. +If this statement is omitted, requests will be accepted on 127.0.0.1, +port 921. - The search statement is equivalent to the - search statement in - /etc/resolv.conf. It provides a list of domains - which are appended to relative names in queries. +The view statement binds this instance of a +lightweight resolver daemon to a view in the DNS namespace, so that the +response will be constructed in the same manner as a normal DNS query +matching this view. 
If this statement is omitted, the default view is +used, and if there is no default view, an error is triggered. - The ndots statement is equivalent to the - ndots statement in - /etc/resolv.conf. It indicates the minimum - number of dots in a relative domain name that should result in an - exact match lookup before search path elements are appended. - - - <command>options</command> Statement Grammar +The search statement is equivalent to the +search statement in +/etc/resolv.conf. It provides a list of domains +which are appended to relative names in queries. - This is the grammar of the options - statement in the named.conf file: -options { +The ndots statement is equivalent to the +ndots statement in +/etc/resolv.conf. It indicates the minimum +number of dots in a relative domain name that should result in an +exact match lookup before search path elements are appended. + + +<command>options</command> Statement Grammar + +This is the grammar of the options +statement in the named.conf file: + +options { version version_string; directory path_name; named-xfer path_name; 
@@ -2603,107 +2614,101 @@ lookups performed on behalf of clients by a caching name server. }; - <command>options</command> Statement Definition and -Usage - The options statement sets up global options -to be used by BIND. This statement may appear only once in a configuration -file. If more than one occurrence is found, the first occurrence -determines the actual options used, and a warning will be generated. -If there is no options statement, an options -block with each option set to its default will be used. - - - - -version -The version the server should report -via a query of name version.bind in class chaos. -The default is the real version number of this server. - +<command>options</command> Statement Definition andUsage - -directory -The working directory of the server. +The options statement sets up global options +to be used by BIND. This statement may appear only +once in a configuration file. If more than one occurrence is found, +the first occurrence determines the actual options used, and a warning +will be generated. If there is no options +statement, an options block with each option set to its default will +be used. + + + + +version +The version the server should report +via a query of name version.bind in +class CHAOS. +The default is the real version number of this server. + + +directory +The working directory of the server. Any non-absolute pathnames in the configuration file will be taken as relative to this directory. The default location for most server output files (e.g. named.run) is this directory. If a directory is not specified, the working directory defaults to `.', the directory from which the server -was started. The directory specified should be an absolute path. - +was started. The directory specified should be an absolute path. + - -named-xfer - -This option is obsolete. -It was used in BIND 8 to specify the pathname to the named-xfer program. - In BIND 9, no separate named-xfer program is +named-xfer +This option is obsolete. 
+It was used in BIND 8 to +specify the pathname to the named-xfer program. +In BIND 9, no separate named-xfer program is needed; its functionality is built into the name server. - - - -tkey-domain -The domain appended to the names of all + + +tkey-domain +The domain appended to the names of all shared keys generated with TKEY. When a client requests a TKEY exchange, it may or may not specify the desired name for the key. If present, the name of the shared -key will be "client specified part" + "tkey-domain". +key will be "client specified part" + +"tkey-domain". Otherwise, the name of the shared key will be "random hex digits" + "tkey-domain". In most cases, the domainname should be the server's domain -name. - +name. + - -tkey-dhkey -The Diffie-Hellman key used by the server +tkey-dhkey +The Diffie-Hellman key used by the server to generate shared keys with clients using the Diffie-Hellman mode of TKEY. The server must be able to load the public and private keys from files in the working directory. In -most cases, the keyname should be the server's host name. - +most cases, the keyname should be the server's host name. + - -dump-file -The pathname of the file the server dumps +dump-file +The pathname of the file the server dumps the database to when instructed to do so with rndc dumpdb. If not specified, the default is named_dump.db. - - -memstatistics-file -The pathname of the file the server writes memory -usage statistics to on exit. If not specified, the default is named.memstats. -Not yet implemented in BIND 9. - + +memstatistics-file +The pathname of the file the server writes memory +usage statistics to on exit. If not specified, +the default is named.memstats. +Not yet implemented in BIND 9. + - -pid-file -The pathname of the file the server writes +pid-file +The pathname of the file the server writes its process ID in. If not specified, the default is operating system dependent, but is usually /var/run/named.pid or /etc/named.pid. 
The pid-file is used by programs that want to send signals to the running -nameserver. - +nameserver. + - -statistics-file -The pathname of the file the server appends statistics +statistics-file +The pathname of the file the server appends statistics to when instructed to do so using rndc stats. If not specified, the default is named.stats in the server's current directory. The format of the file is described -in - +in + - -port - -The UDP/TCP port number the server uses for receiving and sending DNS protocol traffic. +port + +The UDP/TCP port number the server uses for +receiving and sending DNS protocol traffic. The default is 53. This option is mainly intended for server testing; a server using a port other than 53 will not be able to communicate with the global DNS. @@ -2712,12 +2717,10 @@ the beginning of the options block, before any other options that take port numbers or IP addresses, to ensure that the port value takes effect for all addresses used by the server. - - + - -random-device - +random-device + The source of entropy to be used by the server. Entropy is primarily needed for DNSSEC operations, such as TKEY transactions and dynamic update of signed zones. This options specifies the device (or file) from which to read 
@@ -2728,35 +2731,29 @@ file has been exhausted. If not specified, the default value is random-device option takes effect during the initial configuration load at server startup time and is ignored on subsequent reloads. - - + + + + - - Boolean Options - - - - - -auth-nxdomain -If yes, then the AA bit + + + +auth-nxdomain +If yes, then the AA bit is always set on NXDOMAIN responses, even if the server is not actually authoritative. The default is no; this is a change from BIND 8. If you are using very old DNS software, you -may need to set it to yes. - - -deallocate-on-exit -This option was used in BIND 8 to enable checking +may need to set it to yes. + +deallocate-on-exit +This option was used in BIND 8 to enable checking for memory leaks on exit. BIND 9 ignores the option and always performs -the checks. - - -dialup -If yes, then the +the checks. + +dialup +If yes, then the server treats all zones as if they are doing zone transfers across a dial on demand dialup link, which can be brought up by traffic originating from this server. This has different effects according 
@@ -2783,57 +2780,55 @@ suppresses the normal refresh queries, refresh which suppresses normal refresh processing and send refresh queries when the heartbeat-interval expires and passive which just disables normal refresh -processing. - - - -fake-iquery -In BIND 8, this option was used to enable simulating -the obsolete DNS query type IQUERY. BIND 9 never does IQUERY simulation. - - -fetch-glue -This option is obsolete. +processing. + +fake-iquery +In BIND 8, this option was used to +enable simulating the obsolete DNS query type +IQUERY. BIND 9 never does IQUERY simulation. + + +fetch-glue +This option is obsolete. In BIND 8, fetch-glue yes caused the server to attempt to fetch glue resource records it didn't have when constructing the additional data section of a response. This is now considered a bad idea -and BIND 9 never does it. - - - -has-old-clients -This option was incorrectly implemented +and BIND 9 never does it. + +has-old-clients +This option was incorrectly implemented in BIND 8, and is ignored by BIND 9. To achieve the intended effect of has-old-clients yes, specify -the two separate options auth-nxdomain yes and rfc2308-type1 no instead. - - -host-statistics -In BIND 8, this enables keeping of +the two separate options auth-nxdomain yes +and rfc2308-type1 no instead. + + +host-statistics +In BIND 8, this enables keeping of statistics for every host that the nameserver interacts with. -Not implemented in BIND 9. - - -maintain-ixfr-base -This option is obsolete. +Not implemented in BIND 9. + + +maintain-ixfr-base +This option is obsolete. It was used in BIND 8 to determine whether a transaction log was kept for Incremental Zone Transfer. BIND 9 maintains a transaction log whenever possible. If you need to disable outgoing incremental zone -transfers, use provide-ixfr no. - - -multiple-cnames -This option was used in BIND 8 to allow +transfers, use provide-ixfr no. 
+ + +multiple-cnames +This option was used in BIND 8 to allow a domain name to allow multiple CNAME records in violation of the DNS standards. BIND 9.1 always strictly -enforces the CNAME rules both in master files and dynamic updates. - - -notify -If yes (the default), +enforces the CNAME rules both in master files and dynamic updates. + + +notify +If yes (the default), DNS NOTIFY messages are sent when a zone the server is authoritative for changes, see . The messages are sent to the servers listed in the zone's NS records (except the master server identified @@ -2844,14 +2839,14 @@ If explicit, notifies are sent only to servers explicitly listed using also-notify. If no, no notifies are sent. -The notify option may also be specified in the zone statement, +The notify option may also be +specified in the zone statement, in which case it overrides the options notify statement. It would only be necessary to turn off this option if it caused slaves -to crash. - - -recursion -If yes, and a +to crash. + +recursion +If yes, and a DNS query requests recursion, then the server will attempt to do all the work required to answer the query. If recursion is off and the server does not already know the answer, it will return a 
@@ -2861,54 +2856,51 @@ clients from getting data from the server's cache; it only prevents new data from being cached as an effect of client queries. Caching may still occur as an effect the server's internal operation, such as NOTIFY address lookups. -See also fetch-glue above. - - -rfc2308-type1 -Setting this to yes will +See also fetch-glue above. + + +rfc2308-type1 +Setting this to yes will cause the server to send NS records along with the SOA record for negative answers. The default is no. - - Not yet implemented in BIND 9. - - -use-id-pool -This option is obsolete. - BIND 9 always allocates query IDs from a pool. - - -zone-statistics -If yes, the server will, by default, collect +Not yet implemented in BIND 9. + + +use-id-pool +This option is obsolete. +BIND 9 always allocates query IDs from a pool. + + +zone-statistics +If yes, the server will, by default, collect statistical data on all zones in the server. These statistics may be accessed using rndc stats, which will dump them to the file listed -in the statistics-file. See also . - - -use-ixfr -This option is obsolete. +in the statistics-file. See also . + + +use-ixfr +This option is obsolete. If you need to disable IXFR to a particular server or servers see the information on the provide-ixfr option in . See also -. - - -treat-cr-as-space -This option was used in BIND 8 to make +. + + +treat-cr-as-space +This option was used in BIND 8 to make the server treat carriage return ("\r") characters the same way as a space or tab character, to facilitate loading of zone files on a UNIX system that were generated on an NT or DOS machine. In BIND 9, both UNIX "\n" and NT/DOS "\r\n" newlines are always accepted, -and the option is ignored. - - - -min-refresh-time -max-refresh-time -min-retry-time -max-retry-time - - +and the option is ignored. 
+ + +min-refresh-time +max-refresh-time +min-retry-time +max-retry-time + These options control the server's behavior on refreshing a zone (querying for SOA changes) or retrying failed transfers. Usually the SOA values for the zone are used, but these values @@ -2919,16 +2911,12 @@ These options allow the administrator to set a minimum and maximum refresh and retry time either per-zone, per-view, or per-server. These options are valid for master, slave and stub zones, and clamp the SOA refresh and retry times to the specified values. - - - + - - -additional-from-auth -additional-from-cache - - + +additional-from-auth +additional-from-cache + These options control the server's behavior when answering queries which have additional data, or when following CNAME and DNAME chains to provide additional data. @@ -2950,12 +2938,13 @@ For example, if a query asks for an MX record for host foo.example.com< and the record found is "MX 10 mail.example.net", normally the address records (A, A6, and AAAA) for mail.example.net will be provided as well, if known. These options disable this behavior. - - - + + + + + + - - Forwarding The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external 
@@ -2964,94 +2953,92 @@ do not have direct access to the Internet, but wish to look up exterior names anyway. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache. - - - - - -forward -This option is only meaningful if the + + +forward +This option is only meaningful if the forwarders list is not empty. A value of first, the default, causes the server to query the forwarders first, and if that doesn't answer the question the server will then look for the answer itself. If only is specified, the -server will only query the forwarders. - - -forwarders -Specifies the IP addresses to be used -for forwarding. The default is the empty list (no forwarding). - - - +server will only query the forwarders. + + +forwarders +Specifies the IP addresses to be used +for forwarding. The default is the empty list (no forwarding). + + + + Forwarding can also be configured on a per-domain basis, allowing for the global forwarding options to be overridden in a variety of ways. You can set particular domains to use different forwarders, or have a different forward only/first behavior, -or not forward at all, see . +or not forward at all, see . + + Access Control + Access to the server can be restricted based on the IP address of the requesting system. See for details on how to specify IP address lists. - - - - - -allow-notify -Specifies which hosts are allowed to + + + +allow-notify +Specifies which hosts are allowed to notify slaves of a zone change in addition to the zone masters. allow-notify may also be specified in the zone statement, in which case it overrides the options allow-notify statement. It is only meaningful for a slave zone. If not specified, the default is to process notify messages -only from a zone's master. - - -allow-query -Specifies which hosts are allowed to +only from a zone's master. + + +allow-query +Specifies which hosts are allowed to ask ordinary questions. 
allow-query may also be specified in the zone statement, in which case it overrides the options allow-query statement. If -not specified, the default is to allow queries from all hosts. - +not specified, the default is to allow queries from all hosts. + - -allow-recursion -Specifies which hosts are allowed to + +allow-recursion +Specifies which hosts are allowed to make recursive queries through this server. If not specified, the default is to allow recursive queries from all hosts. Note that disallowing recursive queries for a host does not prevent the host from retrieving data that is already in the server's cache. - - + + - -allow-v6-synthesis -Specifies which hosts are to receive +allow-v6-synthesis +Specifies which hosts are to receive synthetic responses to IPv6 queries as described in . - - + + - -allow-transfer -Specifies which hosts are allowed to +allow-transfer +Specifies which hosts are allowed to receive zone transfers from the server. allow-transfer may also be specified in the zone statement, in which case it overrides the options allow-transfer statement. -If not specified, the default is to allow transfers from all hosts. - - -blackhole -Specifies a list of addresses that the +If not specified, the default is to allow transfers from all hosts. + + +blackhole +Specifies a list of addresses that the server will not accept queries from or use to resolve a query. Queries -from these addresses will not be responded to. The default is none. - - - +from these addresses will not be responded to. The default is none. + + + + + + Interfaces The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes 
@@ -3060,31 +3047,32 @@ The server will listen on all interfaces allowed by the address match list. If a port is not specified, port 53 will be used. Multiple listen-on statements are allowed. For example, + listen-on { 5.6.7.8; }; listen-on port 1234 { !1.2.3.4; 1.2/16; }; - will enable the nameserver on port 53 for the IP address - 5.6.7.8, and on port 1234 of an address on the machine in net - 1.2 that is not 1.2.3.4. +will enable the nameserver on port 53 for the IP address +5.6.7.8, and on port 1234 of an address on the machine in net +1.2 that is not 1.2.3.4. - If no listen-on is specified, the - server will listen on port 53 on all interfaces. +If no listen-on is specified, the +server will listen on port 53 on all interfaces. - The listen-on-v6 option is used to - specify the ports on which the server will listen for incoming - queries sent using IPv6. +The listen-on-v6 option is used to +specify the ports on which the server will listen for incoming +queries sent using IPv6. - The server does not bind a separate socket to each IPv6 - interface address as it does for IPv4. Instead, it always - listens on the IPv6 wildcard address. Therefore, the only - values allowed for the address_match_list - argument to the listen-on-v6 statement are - { any; } and - { none;} +The server does not bind a separate socket to each IPv6 +interface address as it does for IPv4. Instead, it always +listens on the IPv6 wildcard address. Therefore, the only +values allowed for the address_match_list +argument to the listen-on-v6 statement are +{ any; } and +{ none;} - Multiple listen-on-v6 options can be - used to listen on multiple ports: +Multiple listen-on-v6 options can be +used to listen on multiple ports: listen-on-v6 port 53 { any; }; listen-on-v6 port 1234 { any; }; 
@@ -3110,19 +3098,16 @@ query-source-v6 address * port * query-source currently applies only to UDP queries; TCP queries always use a wildcard IP address and a random unprivileged port. + Zone Transfers BIND has mechanisms in place to facilitate zone transfers and set limits on the amount of load that transfers place on the system. The following options apply to zone transfers. - - - - - -also-notify -Defines a global list of IP addresses of name servers + + +also-notify +Defines a global list of IP addresses of name servers that are also sent NOTIFY messages whenever a fresh copy of the zone is loaded, in addition to the servers listed in the zone's NS records. This helps to ensure that copies of the zones will 
@@ -3131,35 +3116,35 @@ is given in a zone statement, it will override the options also-notify statement. When a zone notify statement is set to no, the IP addresses in the global also-notify list will not be sent NOTIFY messages for that zone. The default is the empty -list (no global notification list). - - -max-transfer-time-in -Inbound zone transfers running longer than +list (no global notification list). + + +max-transfer-time-in +Inbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes -(2 hours). - - -max-transfer-idle-in -Inbound zone transfers making no progress +(2 hours). + + +max-transfer-idle-in +Inbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes -(1 hour). - - -max-transfer-time-out -Outbound zone transfers running longer than +(1 hour). + + +max-transfer-time-out +Outbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes -(2 hours). - - -max-transfer-idle-out -Outbound zone transfers making no progress +(2 hours). + + +max-transfer-idle-out +Outbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes (1 -hour). - - -serial-queries -Slave servers will periodically query master +hour). + + +serial-queries +Slave servers will periodically query master servers to find out if zone serial numbers have changed. Each such query uses a minute amount of the slave server's network bandwidth, but more importantly each query uses a small amount of memory in 
@@ -3172,43 +3157,43 @@ instead, it limits the rate at which the queries are sent. The maximum rate is currently fixed at 20 queries per second but may become configurable in a future release. - - - -transfer-format -The server supports two zone transfer methods. one-answer uses + + + +transfer-format +The server supports two zone transfer methods. one-answer uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is more efficient, but is only known to be understood by BIND 9, BIND 8.x and patched versions of BIND 4.9.5. The default is many-answers. transfer-format may -be overridden on a per-server basis by using the server statement. - - -transfers-in -The maximum number of inbound zone transfers +be overridden on a per-server basis by using the server statement. + + +transfers-in +The maximum number of inbound zone transfers that can be running concurrently. The default value is 10. Increasing transfers-in may speed up the convergence -of slave zones, but it also may increase the load on the local system. - - -transfers-out -The maximum number of outbound zone transfers +of slave zones, but it also may increase the load on the local system. + + +transfers-out +The maximum number of outbound zone transfers that can be running concurrently. Zone transfer requests in excess -of the limit will be refused. The default value is 10. - - -transfers-per-ns -The maximum number of inbound zone transfers +of the limit will be refused. The default value is 10. + + +transfers-per-ns +The maximum number of inbound zone transfers that can be concurrently transferring from a given remote nameserver. The default value is 2. Increasing transfers-per-ns may speed up the convergence of slave zones, but it also may increase the load on the remote nameserver. transfers-per-ns may be overridden on a per-server basis by using the transfers phrase -of the server statement. 
- - -transfer-source -transfer-source determines +of the server statement. + + +transfer-source +transfer-source determines which local address will be bound to IPv4 TCP connections used to fetch zones transferred inbound by the server. It also determines the source IPv4 address, and optionally the UDP port, used for the @@ -3221,16 +3206,16 @@ sets the transfer-source for all zones, but can be overridden on a per-view or per-zone basis by including a transfer-source statement within the view or zone block -in the configuration file. - - -transfer-source-v6 -The same as transfer-source, -except zone transfers are performed using IPv6. - - -notify-source -notify-source determines +in the configuration file. + + +transfer-source-v6 +The same as transfer-source, +except zone transfers are performed using IPv6. + + +notify-source +notify-source determines which local source address, and optionally UDP port, will be used to send NOTIFY messages. This address must appear in the slave server's masters 
@@ -3238,120 +3223,123 @@ zone clause or in an allow-notify clause. This statement sets the notify-source for all zones, but can be overridden on a per-zone / per-view basis by including a notify-source statement within the zone -or view block in the configuration file. - - -notify-source-v6 -Like notify-source, -but applies to notify messages sent to IPv6 addresses. - - - - - - - Resource Limits +or view block in the configuration file. + - The server's usage of many system resources can be - limited. Some operating systems don't support some of the - limits. On such systems, a warning will be issued if the - unsupported limit is used. Some operating systems don't - support limiting resources. Scaled values are - allowed when specifying resource limits. For example, - 1G can be used instead of - 1073741824 to specify a limit of one - gigabyte. unlimited requests unlimited use, - or the maximum available amount. default - uses the limit that was in force when the server was - started. See the description of size_spec - in . +notify-source-v6 +Like notify-source, +but applies to notify messages sent to IPv6 addresses. + - - - - - -coresize -The maximum size of a core dump. The default -is default. - - -datasize -The maximum amount of data memory the server -may use. The default is default. - - -files -The maximum number of files the server + + + + + +Resource Limits + +The server's usage of many system resources can be limited. +Some operating systems don't support some of the limits. On such +systems, a warning will be issued if the unsupported limit is +used. Some operating systems don't support limiting resources. +Scaled values are allowed when specifying resource limits. For +example, 1G can be used instead of +1073741824 to specify a limit of one +gigabyte. unlimited requests unlimited use, or the +maximum available amount. default uses the limit +that was in force when the server was started. See the description of +size_spec in . 
+ + + +coresize +The maximum size of a core dump. The default +is default. + + +datasize +The maximum amount of data memory the server +may use. The default is default. + + +files +The maximum number of files the server may have open concurrently. The default is unlimited. - - - -max-ixfr-log-size -This option is obsolete; it is accepted -and ignored for BIND 8 compatibility. - - -recursive-clients -The maximum number of simultaneous recursive + + + +max-ixfr-log-size +This option is obsolete; it is accepted +and ignored for BIND 8 compatibility. + + +recursive-clients +The maximum number of simultaneous recursive lookups the server will perform on behalf of clients. The default -is 1000. - - -stacksize -The maximum amount of stack memory the server -may use. The default is default. - - -tcp-clients -The maximum number of simultaneous client TCP -connections that the server will accept. The default is 100. - - - - -Resource limits are not yet implemented in BIND 9. +is 1000. + + +stacksize +The maximum amount of stack memory the server +may use. The default is default. + + +tcp-clients +The maximum number of simultaneous client TCP +connections that the server will accept. The default is 100. + + + + + + +Resource limits are not yet implemented in +BIND 9. + + + Periodic Task Intervals - - - - - -cleaning-interval -The server will remove expired resource records + + + +cleaning-interval +The server will remove expired resource records from the cache every cleaning-interval minutes. The default is 60 minutes. -If set to 0, no periodic cleaning will occur. - - -heartbeat-interval -The server will perform zone maintenance tasks +If set to 0, no periodic cleaning will occur. + + +heartbeat-interval +The server will perform zone maintenance tasks for all zones marked as dialup whenever this interval expires. The default is 60 minutes. Reasonable values are up -to 1 day (1440 minutes). If set to 0, no zone maintenance for these zones will occur. 
- - -interface-interval -The server will scan the network interface list +to 1 day (1440 minutes). If set to 0, no zone maintenance for these zones will occur. + + +interface-interval +The server will scan the network interface list every interface-interval minutes. The default is 60 minutes. If set to 0, interface scanning will only occur when the configuration file is loaded. After the scan, listeners will be started on any new interfaces (provided they are allowed by the listen-on configuration). Listeners on interfaces -that have gone away will be cleaned up. - - -statistics-interval -Nameserver statistics will be logged +that have gone away will be cleaned up. + + +statistics-interval +Nameserver statistics will be logged every statistics-interval minutes. The default is 60. If set to 0, no statistics will be logged. -Not yet implemented in BIND9. - - - +Not yet implemented in BIND9. + + + + + + Topology + All other things being equal, when the server chooses a nameserver to query from a list of nameservers, it prefers the one that is topologically closest to itself. The topology statement 
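Review bot: the rewritten Resource Limits section still opens with "The server's usage of many system resources can be limited" and lists concrete defaults (files unlimited, recursive-clients 1000, tcp-clients 100) before the closing note "Resource limits are not yet implemented in BIND 9"; since this hunk reflows the whole section, move that note to the top so an operator does not set recursive-clients or tcp-clients expecting them to bound load on the server. Minor style point in the same hunk: the statistics-interval entry says "Not yet implemented in BIND9" while the resource-limit note says "BIND 9"; use one spelling.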
@@ -3551,60 +3539,57 @@ containing synthetic RRs will not have the AD flag set. Tuning - - - - - -lame-ttl -Sets the number of seconds to cache a + + + +lame-ttl +Sets the number of seconds to cache a lame server indication. 0 disables caching. (This is NOT recommended.) Default is 600 (10 minutes). Maximum value is 1800 (30 minutes). - - - -max-ncache-ttl -To reduce network traffic and increase performance + + + +max-ncache-ttl +To reduce network traffic and increase performance the server stores negative answers. max-ncache-ttl is used to set a maximum retention time for these answers in the server in seconds. The default max-ncache-ttl is 10800 seconds (3 hours). max-ncache-ttl cannot exceed 7 days and will -be silently truncated to 7 days if set to a greater value. - - -max-cache-ttl -max-cache-ttl sets +be silently truncated to 7 days if set to a greater value. + + +max-cache-ttl +max-cache-ttl sets the maximum time for which the server will cache ordinary (positive) -answers. The default is one week (7 days). - - -min-roots -The minimum number of root servers that +answers. The default is one week (7 days). + + +min-roots +The minimum number of root servers that is required for a request for the root servers to be accepted. Default is 2. - Not yet implemented in BIND -9. - - - -sig-validity-interval -Specifies the number of days into the +Not yet implemented in BIND9. + + +sig-validity-interval +Specifies the number of days into the future when DNSSEC signatures automatically generated as a result of dynamic updates () will expire. The default is 30 days. The signature inception time is unconditionally set to one hour before the current time -to allow for a limited amount of clock skew. - - - +to allow for a limited amount of clock skew. + + + + + - The Statistics File +The Statistics File The statistics file generated by BIND 9 is similar, but not identical, to that 
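Review bot: the min-roots note is changed from "Not yet implemented in BIND 9" to "Not yet implemented in BIND9", which is inconsistent with "BIND 9" elsewhere in this file; keep the space. Documentation point in the lame-ttl entry: it says setting the value to 0 "is NOT recommended" but gives no reason; one clause explaining what disabling the lame-server cache costs would make the warning actionable.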
@@ -3661,13 +3646,14 @@ failure response other than those above. + - - <command>server</command> -Statement Grammar - server ip_addr { + +<command>server</command>Statement Grammar + +server ip_addr { bogus yes_or_no ; provide-ixfr yes_or_no ; request-ixfr yes_or_no ; @@ -3676,11 +3662,14 @@ Statement Grammar keys { string ; string ; ... } ; }; + <command>server</command> Statement Definition and Usage + The server statement defines the characteristics to be associated with a remote nameserver. + If you discover that a remote server is giving out bad data, marking it as bogus will prevent further queries to it. The default value of bogus is no. @@ -3692,15 +3681,19 @@ whenever possible. If set to no, all transfers to the remote server will be nonincremental. If not set, the value of the provide-ixfr option in the global options block is used as a default. + The request-ixfr clause determines whether the local server, acting as a slave, will request incremental zone transfers from the given remote server, a master. If not set, the value of the request-ixfr option in the global options block is used as a default. + IXFR requests to servers that do not support IXFR will automatically fall back to AXFR. Therefore, there is no need to manually list which servers support IXFR and which ones do not; the global default -of yes should always work. The purpose of the provide-ixfr and request-ixfr clauses is +of yes should always work. +The purpose of the provide-ixfr and +request-ixfr clauses is to make it possible to disable the use of IXFR even when both master and slave claim to support it, for example if one of the servers is buggy and crashes or corrupts data when IXFR is used. @@ -3946,6 +3939,7 @@ Classes other than IN have no built-in defaults hints. + Class The zone's name may optionally be followed by a class. If a class is not specified, class IN (for Internet), 
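Review bot: the new title "<command>server</command>Statement Grammar" is missing the space between </command> and "Statement" (compare "<command>server</command> Statement Definition and Usage" in the next hunk), so it will render as "serverStatement Grammar". Documentation point in the Definition and Usage text: the bogus description only says marking a server bogus "will prevent further queries to it"; state whether transfers and notifies involving that server are affected as well, since the reader cannot tell from the sentence as written.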
@@ -3958,61 +3952,57 @@ as users, groups, printers and so on. The keyword a synonym for hesiod. Another MIT development is CHAOSnet, a LAN protocol created in the mid-1970s. Zone data for it can be specified with the CHAOS class. - - Zone Options - - - - - - - allow-notify - See the description of -allow-notify in - - - allow-query - See the description of -allow-query in - - - allow-transfer - See the description of allow-transfer in . - - - allow-update - Specifies which hosts are allowed to -submit Dynamic DNS updates for master zones. The default is to deny -updates from all hosts. - - - update-policy - Specifies a "Simple Secure Update" policy. See -. - - - allow-update-forwarding + -Specifies which hosts are allowed to +Zone Options + + + +allow-notify +See the description of +allow-notify in + + +allow-query +See the description of +allow-query in + + +allow-transfer +See the description of allow-transfer +in . + + +allow-update +Specifies which hosts are allowed to +submit Dynamic DNS updates for master zones. The default is to deny +updates from all hosts. + + +update-policy +Specifies a "Simple Secure Update" policy. See +. + + +allow-update-forwarding +Specifies which hosts are allowed to submit Dynamic DNS updates to slave zones to be forwarded to the master. The default is { none; }, which means that no update forwarding will be performed. To enable -update forwarding, specify allow-update-forwarding { any; };. +update forwarding, specify +allow-update-forwarding { any; };. Specifying values other than { none; } or { any; } is usually counterproductive, since the responsibility for update access control should rest with the master server, not the slaves. - Note that enabling the update forwarding feature on a slave server may expose master servers relying on insecure IP address based access control to attacks; see for more details. - - - - also-notify - Only meaningful if notify is + + +also-notify +Only meaningful if notify is active for this zone. 
The set of machines that will receive a DNS NOTIFY message for this zone is made up of all the listed nameservers (other than @@ -4021,21 +4011,20 @@ with also-notify. A port may be specified with each also-notify address to send the notify messages to a port other than the default of 53. also-notify is not meaningful for stub zones. -The default is the empty list. - - -check-names - +The default is the empty list. + + +check-names + This option was used in BIND 8 to restrict the character set of domain names in master files and/or DNS responses received from the netowrk. BIND 9 does not restrict the character set of domain names and does not implement the check-names option. - - - -database -Specify the type of database to be used for storing the + + +database +Specify the type of database to be used for storing the zone data. The string following the database keyword is interpreted as a list of whitespace-delimited words. The first word identifies the database type, and any subsequent words are passed 
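Review bot: the allow-notify and allow-query entries now read "See the description of allow-notify in" / "allow-query in" with nothing after the cross-reference, while allow-transfer ends "in ."; terminate all three the same way. Typo in the unchanged check-names context: "received from the netowrk" should read "network"; since this hunk rewrites the surrounding listitem it is worth fixing here. The allow-update-forwarding paragraph warning that forwarding "may expose master servers relying on insecure IP address based access control to attacks" is the one security-relevant caveat in this list; the removed lines on either side of the corresponding paragraph in the Bv9ARM.ch06.html hunk suggest its note wrapper was dropped in the conversion, so confirm it still renders as a distinct note rather than as running text.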
@@ -4046,109 +4035,109 @@ red-black-tree database. This database does not take arguments. Other values are possible if additional database drivers have been linked into the server. Some sample drivers are included with the distribution but none are linked in by default. - - - -dialup - See the description of -dialup in . - - -forward -Only meaningful if the zone has a forwarders + + +dialup +See the description of +dialup in . + + +forward +Only meaningful if the zone has a forwarders list. The only value causes the lookup to fail after trying the forwarders and getting no answer, while first would allow a normal lookup to be tried. - - - -forwarders -Used to override the list of global forwarders. + + +forwarders +Used to override the list of global forwarders. If it is not specified in a zone of type forward, no forwarding is done for the zone; the global options are not used. - - - -ixfr-base -Was used in BIND 8 to specify the name + + +ixfr-base +Was used in BIND 8 to specify the name of the transaction log (journal) file for dynamic update and IXFR. BIND 9 ignores the option and constructs the name of the journal file by appending ".jnl" to the name of the -zone file. - - -max-transfer-time-in -See the description of -max-transfer-time-in in . - - -max-transfer-idle-in -See the description of -max-transfer-idle-in in . - - -max-transfer-time-out -See the description of -max-transfer-time-out in . - - -max-transfer-idle-out -See the description of -max-transfer-idle-out in . - - -notify - See the description of -notify in . - - -pubkey -In BIND 8, this option was intended for specifying +zone file. + + +max-transfer-time-in +See the description of +max-transfer-time-in in . + + +max-transfer-idle-in +See the description of +max-transfer-idle-in in . + + +max-transfer-time-out +See the description of +max-transfer-time-out in . + + +max-transfer-idle-out +See the description of +max-transfer-idle-out in . + + +notify +See the description of +notify in . 
+ + +pubkey +In BIND 8, this option was intended for specifying a public zone key for verification of signatures in DNSSEC signed zones when they are loaded from disk. BIND 9 does not verify signatures -on loading and ignores the option. - - -zone-statistics -If yes, the server will keep statistical +on loading and ignores the option. + + +zone-statistics +If yes, the server will keep statistical information for this zone, which can be dumped to the -statistics-file defined in the server options. - - -sig-validity-interval - See the description of -sig-validity-interval in . - - -transfer-source -See the description of +statistics-file defined in the server options. + + +sig-validity-interval +See the description of +sig-validity-interval in . + + +transfer-source +See the description of transfer-source in - - - -transfer-source-v6 -See the description of + + + +transfer-source-v6 +See the description of transfer-source-v6 in - - - -notify-source -See the description of + + + +notify-source +See the description of notify-source in - - - -notify-source-v6 -See the description of + + + +notify-source-v6 +See the description of notify-source-v6 in . - - - - + + + + + + Dynamic Update Policies BIND 9 supports two alternative methods of granting clients -the right to perform dynamic updates to a zone, configured by the allow-update and update-policy option, -respectively. +the right to perform dynamic updates to a zone, +configured by the allow-update and +update-policy option, respectively. The allow-update clause works the same way as in previous versions of BIND. It grants given clients the permission to update any record of any name in the zone. diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html index 095ea3013a..4bf4cf7f8b 100644 --- a/doc/arm/Bv9ARM.ch06.html +++ b/doc/arm/Bv9ARM.ch06.html @@ -88,7 +88,7 @@ HREF="Bv9ARM.ch06.html#Configuration_File_Grammar" >
6.3. Zone File
6.2.10. logging Statement Definition and -Usage Statement Definition and Usage

The

logging {
+>logging {
      category "default" { "default_syslog"; "default_debug"; };
 };
 

6.2.10.1. The channel

6.2.11. lwreslwres - statement in the named.conf file:

6.2.12. lwreslwres statement configures the name - server to also act as a lightweight resolver server, see - Section 5.2. There may be be multiple - lwres statements configuring - lightweight resolver servers with different properties.

The listen-on statement specifies a list of - addresses (and ports) that this instance of a lightweight resolver daemon - should accept requests on. If no port is specified, port 921 is used. - If this statement is omitted, requests will be accepted on 127.0.0.1, - port 921.

The view statement binds this instance of a - lightweight resolver daemon to a view in the DNS namespace, so that the - response will be constructed in the same manner as a normal DNS query - matching this view. If this statement is omitted, the default view is - used, and if there is no default view, an error is triggered.

The search statement is equivalent to the - search statement in - /etc/resolv.conf. It provides a list of domains - which are appended to relative names in queries.

The ndots statement is equivalent to the - ndots statement in - /etc/resolv.conf. It indicates the minimum - number of dots in a relative domain name that should result in an - exact match lookup before search path elements are appended.

6.2.13. optionsoptions - statement in the named.conf file:

options {
+>options {
     [ version 

6.2.14. options Statement Definition and -Usage Statement Definition andUsage

The BIND. This statement may appear only once in a configuration -file. If more than one occurrence is found, the first occurrence -determines the actual options used, and a warning will be generated. -If there is no . This statement may appear only +once in a configuration file. If more than one occurrence is found, +the first occurrence determines the actual options used, and a warning +will be generated. If there is no options statement, an options -block with each option set to its default will be used.

+statement, an options block with each option set to its default will +be used.

version

The version the server should report via a query of name version.bind in class in +class chaosCHAOS. The default is the real version number of this server.

directory

The working directory of the server. Any non-absolute pathnames in the configuration file will be taken @@ -3765,36 +3736,27 @@ CLASS="filename" >.', the directory from which the server was started. The directory specified should be an absolute path.

named-xfer

This option is obsolete. It was used in BIND 8 to specify the pathname to the 8 to +specify the pathname to the named-xfer program. - In BIND 9, no separate named-xfer program is needed; its functionality is built into the name server.

-

tkey-domain

The domain appended to the names of all shared keys generated with client specified part" + "" + +"tkey-domain". @@ -3851,23 +3803,13 @@ CLASS="command" >domainname should be the server's domain name.

tkey-dhkey

The Diffie-Hellman key used by the server to generate shared keys with clients using the Diffie-Hellman mode @@ -3877,23 +3819,13 @@ CLASS="command" >. The server must be able to load the public and private keys from files in the working directory. In most cases, the keyname should be the server's host name.

dump-file

The pathname of the file the server dumps the database to when instructed to do so with @@ -3905,32 +3837,21 @@ If not specified, the default is named_dump.db.

-

memstatistics-file

The pathname of the file the server writes memory -usage statistics to on exit. If not specified, the default is named.memstats.

-
9.

pid-file

The pathname of the file the server writes its process ID in. If not specified, the default is operating system @@ -3973,23 +3884,13 @@ CLASS="filename" >. The pid-file is used by programs that want to send signals to the running nameserver.

statistics-file

The pathname of the file the server appends statistics to when instructed to do so using Section 6.2.14.14

port

The UDP/TCP port number the server uses for receiving and sending DNS protocol traffic. +> The UDP/TCP port number the server uses for +receiving and sending DNS protocol traffic. The default is 53. This option is mainly intended for server testing; a server using a port other than 53 will not be able to communicate with the global DNS. @@ -4035,24 +3927,13 @@ the beginning of the options block, before any other options that take port numbers or IP addresses, to ensure that the port value takes effect for all addresses used by the server.

-

random-device

The source of entropy to be used by the server. Entropy is primarily needed for DNSSEC operations, such as TKEY transactions and dynamic update of signed @@ -4070,14 +3951,8 @@ CLASS="command" > option takes effect during the initial configuration load at server startup time and is ignored on subsequent reloads.

-

6.2.14.1. Boolean Options

auth-nxdomain

If yes.

deallocate-on-exit

This option was used in BIND 9 ignores the option and always performs the checks.

dialup

If no.

-

The dialup which just disables normal refresh processing.

-

fake-iquery

In BIND 8, this option was used to enable simulating -the obsolete DNS query type IQUERY. 8, this option was used to +enable simulating the obsolete DNS query type +IQUERY. BIND 9 never does IQUERY simulation.

9 never does IQUERY simulation. +

fetch-glue

This option is obsolete. In BIND 8, -

has-old-clients

This option was incorrectly implemented in yes and +and rfc2308-type1 no instead.

instead. +

host-statistics

In BIND 8, this enables keeping of statistics for every host that the nameserver interacts with. -Not implemented in BIND 9.

maintain-ixfr-base

no.

. +

multiple-cnames

This option was used in BIND 9.1 always strictly -enforces the CNAME rules both in master files and dynamic updates.

notify

If The notify option may also be specified in the option may also be +specified in the zone statement, @@ -4535,27 +4311,14 @@ CLASS="command" >options notify statement. It would only be necessary to turn off this option if it caused slaves -to crash.

recursion

If fetch-glue above.

above. +

rfc2308-type1

Setting this to no.

-
9.

use-id-pool

This option is obsolete. - BIND 9 always allocates query IDs from a pool.

9 always allocates query IDs from a pool. +

zone-statistics

If . See also Section 6.2.14.14.

. +

use-ixfr

This option is obsoleteSection 4.2.

. +

treat-cr-as-space

This option was used in \r\n" newlines are always accepted, and the option is ignored.

min-refresh-time

-

, max-refresh-time

-

, min-retry-time

-

, max-retry-time

-

These options control the server's behavior on refreshing a zone (querying for SOA changes) or retrying failed transfers. @@ -4815,31 +4511,16 @@ refresh and retry time either per-zone, per-view, or per-server. These options are valid for master, slave and stub zones, and clamp the SOA refresh and retry times to the specified values.

-

additional-from-auth

-

, additional-from-cache

-

These options control the server's behavior when answering queries which have additional data, or when following CNAME and DNAME @@ -4879,20 +4560,15 @@ CLASS="literal" > will be provided as well, if known. These options disable this behavior.

-

6.2.14.2. Forwarding

forward

This option is only meaningful if the forwarders list is not empty. A value of only is specified, the -server will only query the forwarders.

forwarders

Specifies the IP addresses to be used -for forwarding. The default is the empty list (no forwarding).

Forwarding can also be configured on a per-domain basis, allowing for the global forwarding options to be overridden in a variety @@ -4996,29 +4644,14 @@ HREF="Bv9ARM.ch06.html#address_match_lists" > for details on how to specify IP address lists.

allow-notify

Specifies which hosts are allowed to notify slaves of a zone change in addition to the zone masters. @@ -5036,23 +4669,13 @@ CLASS="command" > statement. It is only meaningful for a slave zone. If not specified, the default is to process notify messages only from a zone's master.

allow-query

Specifies which hosts are allowed to ask ordinary questions. options allow-query statement. If not specified, the default is to allow queries from all hosts.

allow-recursion

Specifies which hosts are allowed to make recursive queries through this server. If not specified, the @@ -5092,23 +4705,13 @@ default is to allow recursive queries from all hosts. Note that disallowing recursive queries for a host does not prevent the host from retrieving data that is already in the server's cache.

allow-v6-synthesis

Specifies which hosts are to receive synthetic responses to IPv6 queries as described in @@ -5117,23 +4720,13 @@ HREF="Bv9ARM.ch06.html#synthesis" >Section 6.2.14.12.

allow-transfer

Specifies which hosts are allowed to receive zone transfers from the server. options allow-transfer statement. If not specified, the default is to allow transfers from all hosts.

blackhole

Specifies a list of addresses that the server will not accept queries from or use to resolve a query. Queries @@ -5175,20 +4758,15 @@ CLASS="userinput" >none.

6.2.14.4. Interfaces

will enable the nameserver on port 53 for the IP address - 5.6.7.8, and on port 1234 of an address on the machine in net - 1.2 that is not 1.2.3.4.

If no listen-on is specified, the - server will listen on port 53 on all interfaces.

The listen-on-v6 option is used to - specify the ports on which the server will listen for incoming - queries sent using IPv6.

The server does not bind a separate socket to each IPv6 - interface address as it does for IPv4. Instead, it always - listens on the IPv6 wildcard address. Therefore, the only - values allowed for the address_match_list - argument to the listen-on-v6 statement are -

{ any; }
and -
{ none;}

listen-on-v6
options can be - used to listen on multiple ports:

listen-on-v6 port 53 { any; };
@@ -5283,7 +4861,7 @@ CLASS="sect3"
 >

6.2.14.5. Query Address

has mechanisms in place to facilitate zone transfers and set limits on the amount of load that transfers place on the system. The following options apply to zone transfers.

also-notify

Defines a global list of IP addresses of name servers that are also sent NOTIFY messages whenever a fresh copy of the @@ -5404,107 +4968,57 @@ CLASS="command" > list will not be sent NOTIFY messages for that zone. The default is the empty list (no global notification list).

max-transfer-time-in

Inbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes (2 hours).

max-transfer-idle-in

Inbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes (1 hour).

max-transfer-time-out

Outbound zone transfers running longer than this many minutes will be terminated. The default is 120 minutes (2 hours).

max-transfer-idle-out

Outbound zone transfers making no progress in this many minutes will be terminated. The default is 60 minutes (1 hour).

serial-queries

Slave servers will periodically query master servers to find out if zone serial numbers have changed. Each such @@ -5525,24 +5039,13 @@ instead, it limits the rate at which the queries are sent. The maximum rate is currently fixed at 20 queries per second but may become configurable in a future release.

-

transfer-format

The server supports two zone transfer methods. server statement.

transfers-in

The maximum number of inbound zone transfers that can be running concurrently. The default value is transfers-in may speed up the convergence of slave zones, but it also may increase the load on the local system.

transfers-out

The maximum number of outbound zone transfers that can be running concurrently. Zone transfer requests in excess @@ -5629,23 +5112,13 @@ of the limit will be refused. The default value is 10.

transfers-per-ns

The maximum number of inbound zone transfers that can be concurrently transferring from a given remote nameserver. @@ -5669,23 +5142,13 @@ of the server statement.

transfer-source

zone block in the configuration file.

transfer-source-v6

The same as transfer-source, except zone transfers are performed using IPv6.

notify-source

view block in the configuration file.

notify-source-v6

Like notify-source, but applies to notify messages sent to IPv6 addresses.

6.2.14.7. Resource Limits

The server's usage of many system resources can be - limited. Some operating systems don't support some of the - limits. On such systems, a warning will be issued if the - unsupported limit is used. Some operating systems don't - support limiting resources.

The server's usage of many system resources can be limited. +Some operating systems don't support some of the limits. On such +systems, a warning will be issued if the unsupported limit is +used. Some operating systems don't support limiting resources.

Scaled values are - allowed when specifying resource limits. For example, - Scaled values are allowed when specifying resource limits. For +example, 1G can be used instead of - 1073741824 to specify a limit of one - gigabyte. unlimited requests unlimited use, - or the maximum available amount. requests unlimited use, or the +maximum available amount. default - uses the limit that was in force when the server was - started. See the description of uses the limit +that was in force when the server was started. See the description of +size_spec - in in Section 6.1.

coresize

The maximum size of a core dump. The default is default.

datasize

The maximum amount of data memory the server may use. The default is default.

files

The maximum number of files the server may have open concurrently. The default is unlimited.

max-ixfr-log-size

This option is obsolete; it is accepted and ignored for BIND 8 compatibility.

recursive-clients

The maximum number of simultaneous recursive lookups the server will perform on behalf of clients. The default @@ -5982,58 +5354,34 @@ is 1000.

stacksize

The maximum amount of stack memory the server may use. The default is default.

tcp-clients

The maximum number of simultaneous client TCP connections that the server will accept. The default is 100.

Note: Resource limits are not yet implemented in Resource limits are not yet implemented in +BIND 9.

6.2.14.8. Periodic Task Intervals

cleaning-interval

The server will remove expired resource records from the cache every minutes. The default is 60 minutes. If set to 0, no periodic cleaning will occur.

heartbeat-interval

The server will perform zone maintenance tasks for all zones marked as whenever this interval expires. The default is 60 minutes. Reasonable values are up to 1 day (1440 minutes). If set to 0, no zone maintenance for these zones will occur.

interface-interval

The server will scan the network interface list every listen-on configuration). Listeners on interfaces that have gone away will be cleaned up.

statistics-interval

Nameserver statistics will be logged every 9.

6.2.14.13. Tuning

lame-ttl

Sets the number of seconds to cache a lame server indication. 0 disables caching. (This is @@ -6708,24 +5995,13 @@ CLASS="literal" CLASS="literal" >1800 (30 minutes).

-

max-ncache-ttl

To reduce network traffic and increase performance the server stores negative answers. max-ncache-ttl cannot exceed 7 days and will be silently truncated to 7 days if set to a greater value.

max-cache-ttl

sets the maximum time for which the server will cache ordinary (positive) answers. The default is one week (7 days).

min-roots

The minimum number of root servers that is required for a request for the root servers to be accepted. Default @@ -6796,8 +6052,7 @@ CLASS="userinput" >2.

-
Not yet implemented in BIND -9.

9.

-

sig-validity-interval

Specifies the number of days into the future when DNSSEC signatures automatically generated as a result @@ -6842,12 +6085,8 @@ CLASS="literal" > days. The signature inception time is unconditionally set to one hour before the current time to allow for a limited amount of clock skew.

6.2.15. server -Statement GrammarStatement Grammar

yes should always work. The purpose of the  should always work.
+The purpose of the provide-ixfr and  and
+request-ixfr clauses is
@@ -7274,7 +6514,7 @@ CLASS="sect2"
 >

6.2.17. trusted-keys

6.2.18. trusted-keys

6.2.19. view

6.2.20. view

6.2.22. zone

6.2.22.1. Zone Types

6.2.22.2. Class

6.2.22.3. Zone Options

allow-notify

See the description of Section 6.2.14.3

allow-query

See the description of Section 6.2.14.3

allow-transfer

See the description of allow-transfer in +in Section 6.2.14.3.

allow-update

Specifies which hosts are allowed to submit Dynamic DNS updates for master zones. The default is to deny updates from all hosts.

update-policy

Specifies a "Simple Secure Update" policy. See Section 6.2.22.4.

allow-update-forwarding

Specifies which hosts are allowed to submit Dynamic DNS updates to slave zones to be forwarded to the @@ -8475,7 +7652,8 @@ CLASS="userinput" >, which means that no update forwarding will be performed. To enable -update forwarding, specify allow-update-forwarding { any; }; is usually counterproductive, since the responsibility for update access control should rest with the master server, not the slaves.

- -

Note that enabling the update forwarding feature on a slave server may expose master servers relying on insecure IP address based access control to attacks; see Section 7.3 for more details.

-

also-notify

Only meaningful if also-notify is not meaningful for stub zones. The default is the empty list.

check-names

This option was used in BIND 8 to restrict the character set of domain names in master files and/or DNS responses received from the @@ -8575,24 +7730,13 @@ CLASS="command" >check-names option.

-

database

Specify the type of database to be used for storing the zone data. The string following the -

The default is , BIND 9's native in-memory red-black-tree database. This database does not take arguments.

-

Other values are possible if additional database drivers have been linked into the server. Some sample drivers are included with the distribution but none are linked in by default.

-

dialup

See the description of Section 6.2.14.1.

forward

Only meaningful if the zone has a forwarders list. The first would allow a normal lookup to be tried.

-

forwarders

Used to override the list of global forwarders. If it is not specified in a zone of type forward, no forwarding is done for the zone; the global options are not used.

-

ixfr-base

Was used in jnl" to the name of the zone file.

max-transfer-time-in

See the description of Section 6.2.14.6.

max-transfer-idle-in

See the description of Section 6.2.14.6.

max-transfer-time-out

See the description of Section 6.2.14.6.

max-transfer-idle-out

See the description of Section 6.2.14.6.

notify

See the description of Section 6.2.14.1.

pubkey

In BIND 9 does not verify signatures on loading and ignores the option.

zone-statistics

If statistics-file defined in the server options.

sig-validity-interval

See the description of Section 6.2.14.13.

transfer-source

See the description of Section 6.2.14.6

transfer-source-v6

See the description of Section 6.2.14.6

notify-source

See the description of Section 6.2.14.6

notify-source-v6

See the description of Section 6.2.14.6.

BIND 9 supports two alternative methods of granting clients -the right to perform dynamic updates to a zone, configured by the allow-update and and +update-policy option, -respectively.

option, respectively.

The


