named.conf File - usually located in /etc
Purpose
Defines the configuration and behavior of the named daemon.
Description
The /etc/named.conf file is the default configuration file for
the named
server. If the named daemon is started without specifying an
alternate file, the named daemon reads this file for information on
how to set up the local name server.
Note: The named daemon reads the configuration file
only when the named daemon starts or when the named daemon
receives an SRC refresh command or a SIGHUP
signal.
The data in the named.conf file specifies general configuration
characteristics for the name server, defines each zone for which the name
server is responsible (its zones of authority), and provides further
config information per zone, possibly including the source DOMAIN database
file for the zone.
Any database files referenced in the
named.conf file must be in Standard Resource Record Format. These
data files can have any name and any directory path. However, for
convenience in maintaining the named database, they are generally
given names in the following form: /etc/named.extension. The
general format of named data files is described in DOMAIN
Data File, DOMAIN
Reverse Data File, DOMAIN
Cache File, and DOMAIN
Local File.
Format
General
Comments in the named.conf file can
begin with a # (pound sign) or // (two forward slashes), or can be
enclosed in the C-style comment characters, e.g., /* comment text */.
Configuration options are lines of text beginning
with a keyword, possibly including some option text or a list, and ending
in a ; (semicolon).
The named.conf file is organized
into stanzas. Each stanza is an enclosed set of configuration
options that define either general characteristics of the daemon or a zone
configuration. Certain stanza definitions are allowed only at the
top level; therefore these stanzas cannot be nested. The current
top-level configuration stanza keywords are: acl, key, logging,
options, server, and zone.
Further configuration information can be
incorporated into the conf file via the include keyword. This
keyword directs the daemon to insert the contents of the indicated file
into the current position of the include directive.
Access Control List (ACL) Definition
    acl acl-name {
        access-element;
        [ access-element; ... ]
    };
Defines an access control list to be referenced throughout the
configuration file by acl-name. Multiple acl definitions can exist
within one configuration file provided that each acl-name is
unique. Additionally, four default access control lists are defined:
- any Any host is allowed.
- none No host is allowed.
- localhost Only the localhost is allowed.
- localnets Only hosts on a network matching a name server
interface is allowed.
access-element
    Values: IP-address | IP-prefix | acl-reference
    Defines a source as allowed or disallowed. Multiple
    access-elements are allowed inside the acl stanza. Each element
    can be an IP address in dot notation (e.g., 9.3.149.66), an IP
    prefix in CIDR or slash notation (e.g., 9.3.149/24), or a
    reference to another access control list (e.g., localhost).
    Additionally, each element indicates whether the element is
    allowed or disallowed access via an ! (exclamation point) modifier
    prepended to the element.
    For example:
        acl hostlist1 {
            !9.53.150.239;
            9.3.149/24;
        };
    When the access control list "hostlist1" is referenced in the
    configuration, it allows access from any host whose IP address
    begins with 9.3.149 and disallows access from the Internet host
    9.53.150.239.
Key Definition
    key key-name {
        algorithm alg-id;
        secret secret-string;
    };
Defines an algorithm and shared secret key to be referenced in a server
stanza and used for authentication by that name server. This feature is
included for future use and is currently unused in the name server.

algorithm
    Values: alg-id (string)
    A quoted string that defines the type of security algorithm that
    will be used when interpreting the secret string. None are defined
    at this time.

secret
    Values: secret-string (string)
    A quoted string that is used by the algorithm to authenticate the
    host.
Logging Configuration
    logging {
        [ channel channel-name {
            ( file file-name
                [ versions ( num-vers | unlimited ) ]
                [ size size-value ]
            | syslog ( kern | user | mail | daemon |
                       syslog | lpr | news | uucp )
            | null );
            [ severity ( critical | error | warning | notice |
                         info | debug [ level ] | dynamic ); ]
            [ print-category ( yes | no ); ]
            [ print-severity ( yes | no ); ]
            [ print-time ( yes | no ); ]
        }; ... ]
        [ category category-name {
            channel-reference;
            [ channel-reference; ... ]
        }; ... ]
    };
In this newest version of the name server, the logging facility has
been greatly improved to allow extensive reconfiguration of the default
logging mechanism. The logging stanza is used to define logging
output channels and to associate the predefined logging categories with
either the predefined or user-defined logging output channels.
When no logging stanza is included in the conf file, the name server
still logs messages and errors just as it did in previous releases.
Informational and some critical messages are logged through the syslog
daemon facility, and debug and other esoteric information is logged
to the named.run file when the global debug level (set with the
-d command-line option) is non-zero.
channel
    Defines an output channel to be referenced later by the
    channel-name identifier. An output channel specifies a destination
    for output messages as well as some formatting information to be
    used when writing the output message. More than one output channel
    can be defined provided that each channel-name is unique. Also,
    each output channel can be referenced from multiple logging
    categories.
    There are four predefined output channels:
    - default_syslog sends "info" and higher severity messages to
      syslog's "daemon" facility
    - default_debug writes debug messages to the named.run file as
      specified by the global debug level
    - default_stderr writes "info" and higher severity messages to
      stderr
    - null discards all messages

file
    Values: file-name (string)
    Defines an output channel as one that logs messages to an output
    file. The file used for output is specified with the file-name
    string. Additionally, the file option allows for controlling how
    many versions of the output file should be kept, and what size
    limit the output file should never exceed.
    The file, syslog, and null output paths are mutually exclusive.

versions
    Values: num-versions | unlimited
    Specifies the number of old output files that should be kept. When
    an output file is reopened, rather than replacing a possibly
    existing output file, the existing output file is saved as an old
    output file with a .value extension. Using the num-versions value,
    one can limit the number of old output files to be kept. Specifying
    the unlimited keyword indicates that old output file versions are
    to accumulate indefinitely. By default, no old versions of any log
    file are kept.

size
    Values: size-value
    Specifies the maximum size of the log file used by this channel. By
    default, the size is unlimited. However, when a size is configured,
    once size-value bytes are written to the file, nothing more is
    written until the file is reopened. Accepted values for size-value
    include the word "unlimited" and numbers with k, m, or g modifiers
    specifying kilobytes, megabytes, and gigabytes respectively. For
    example, 1000k and 1m indicate one thousand kilobytes and one
    megabyte respectively.

syslog
    Values: kern | user | mail | daemon | auth | syslog | lpr | news | uucp
    Defines an output channel as one that redirects its messages to the
    syslog service. The supported value keywords correspond to
    facilities logged by the syslog service. Ultimately, the syslog
    service defines which received messages are logged through the
    service; therefore, defining a channel to redirect its messages to
    the syslog service's user facility will not result in any visibly
    logged messages if the syslog service is not configured to output
    messages from this facility.
    For more information concerning the syslog service, see the syslogd
    daemon.
    The file, syslog, and null output paths are mutually exclusive.

null
    Defines an output channel through which all messages are discarded.
    All other output channel options are invalid for an output channel
    whose output path is null.

severity
    Values: critical | error | warning | notice | info | debug [ level ] | dynamic
    Sets a threshold of message severities to be logged through the
    output channel. While these severity definitions are similar to
    those used by the syslog service, for the name server they also
    control output through file path channels. Messages must meet or
    exceed the severity level to be logged through the output channel.
    The dynamic severity specifies that the name server's global debug
    level (specified when the daemon is invoked with the -d flag)
    controls which messages pass through the output channel.
    Also, the debug severity can specify a level modifier, which is an
    upper threshold for debug messages whenever the name server has
    debugging enabled at any level. A lower debug level indicates that
    less information is to be logged through the channel. It is not
    necessary for the global debug level to meet or exceed the debug
    level value.
    If used with the syslog output path, the syslog facility ultimately
    controls which severities are logged through the syslog service.
    For example, if the syslog service is configured to log only
    daemon.info messages, and the name server is configured to channel
    all debug messages to the syslog service, the syslog service will
    filter the messages from its output path.

print-category, print-severity, print-time
    Values: yes | no
    Control the format of the output message when it is sent through
    the output path. Regardless of which, how many, or in which order
    these options are listed inside the channel stanza, the message is
    prepended with the text in a time, category, severity order.
    The following is an example of a message with all three print-
    options enabled:
    - 28-Apr-1997 15:05:32.863 default: notice: Ready to answer queries.
    By default, no extra text is prepended to an output message.
    Note that when the syslog service logs messages, it also prepends
    the date and time information to the text of the message. Thus,
    enabling print-time on a channel that uses the syslog output path
    results in the syslog service logging a message with two dates
    prepended to it.

category
    The category keyword defines a stanza which associates a logging or
    messaging category with predefined or user-defined output channels.
    By default, the following categories are defined:
    - category default { default_syslog; default_debug; };
    - category panic { default_syslog; default_debug; };

category-name
    Values: default | config | parser | queries | lame-servers |
            statistics | panic | update | ncache | xfer-in | xfer-out |
            db | event-lib | packet | notify | cname | security | os |
            insist | maintenance | load | response-checks
    The category-name specifies which logging category is to be
    associated with the listed channel-references. This results in any
    output text generated by the name server daemon for that logging
    category being redirected through each of the channel-references
    listed.
    The default category defines all messages that are not listed in
    one of the specific categories. Also, the insist and panic
    categories are associated with messages that define a fatal
    inconsistency in the name server's state. The remaining categories
    define messages that are generated when handling specific functions
    of the name server. For example, the update category is used when
    logging errors or messages specific to the handling of a dynamic
    zone update, and the parser category is used when logging errors or
    messages during the parsing of the conf file.

channel-reference
    References a channel-name identifier defined previously in the
    logging configuration stanza. Every message associated with the
    defined category-name is logged through each of the defined
    channel-references.
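The following Python models the channel rules just described: the severity threshold, the debug level modifier, dynamic, the fixed time, category, severity prepend order, and the syslog double-timestamp caveat. It is an added example, not code from the named.conf documentation or from the named daemon; the timestamp layout follows the sample message above, and using level 1 for a bare "severity debug" is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime

# Severity keywords from least to most severe, as accepted by the severity option.
SEVERITIES = ("debug", "info", "notice", "warning", "error", "critical")
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


@dataclass
class Channel:
    """One channel stanza: an output path plus its filter and format options."""
    name: str
    path: str                    # "file", "syslog" or "null" (mutually exclusive)
    severity: str = "info"       # a SEVERITIES keyword or "dynamic"
    debug_level: int = 1         # level modifier of 'severity debug [level]';
                                 # level 1 for a bare 'debug' is an assumption
    print_category: bool = False
    print_severity: bool = False
    print_time: bool = False


@dataclass
class Message:
    """A message the daemon generates for one logging category."""
    category: str                # e.g. "default", "queries", "xfer-in"
    severity: str                # a SEVERITIES keyword
    text: str
    when: datetime
    debug_level: int = 1         # only meaningful when severity == "debug"


def passes(channel, msg, global_debug_level):
    """True if msg gets through channel; global_debug_level is the -d value."""
    if channel.path == "null":
        return False                        # null discards every message
    if msg.severity != "debug":
        if channel.severity in ("debug", "dynamic"):
            return True                     # any named severity exceeds debug
        return SEVERITIES.index(msg.severity) >= SEVERITIES.index(channel.severity)
    if global_debug_level <= 0:
        return False                        # debug output needs -d at some level
    if channel.severity == "dynamic":
        return msg.debug_level <= global_debug_level     # the -d level decides
    if channel.severity == "debug":
        return msg.debug_level <= channel.debug_level    # upper bound, independent of -d
    return False                            # threshold is info or higher


def format_message(channel, msg):
    """Prepend the enabled print- fields in the fixed time, category, severity order."""
    parts = []
    if channel.print_time:
        t = msg.when
        parts.append("%02d-%s-%04d %02d:%02d:%02d.%03d" % (
            t.day, MONTHS[t.month - 1], t.year,
            t.hour, t.minute, t.second, t.microsecond // 1000))
    if channel.print_category:
        parts.append(msg.category + ":")
    if channel.print_severity:
        parts.append(msg.severity + ":")
    parts.append(msg.text)
    return " ".join(parts)


def double_timestamp(channel):
    """True when syslog will add its own date in front of the one print-time adds."""
    return channel.path == "syslog" and channel.print_time


def deliver(channels, categories, msg, global_debug_level):
    """Route msg via the channels its category references; return {name: line}.

    categories maps category-name -> list of channel names, as in the
    category stanza; a category with no stanza falls back to 'default'.
    """
    refs = categories.get(msg.category, categories.get("default", []))
    return {c.name: format_message(c, msg)
            for c in channels if c.name in refs and passes(c, msg, global_debug_level)}


# Constructed configuration, equivalent to:
#   channel audit { file "audit.log"; severity notice;
#                   print-time yes; print-category yes; print-severity yes; };
#   channel trace { file "trace.log"; severity debug 2; };
#   category default { audit; };  category xfer-in { audit; trace; };
CHANNELS = [
    Channel("audit", "file", "notice", print_time=True,
            print_category=True, print_severity=True),
    Channel("trace", "file", "debug", debug_level=2),
]
CATEGORIES = {"default": ["audit"], "xfer-in": ["audit", "trace"]}
# The sample message from the page, at the time shown there.
READY = Message("default", "notice", "Ready to answer queries.",
                datetime(1997, 4, 28, 15, 5, 32, 863000))

if __name__ == "__main__":
    print(deliver(CHANNELS, CATEGORIES, READY, global_debug_level=0))
    step = Message("xfer-in", "debug", "zone transfer step", READY.when, debug_level=3)
    print(deliver(CHANNELS, CATEGORIES, step, global_debug_level=1))  # level 3 > 2: dropped
```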
Global Options
    options {
        [ directory path-string; ]
        [ named-xfer path-string; ]
        [ dump-file path-string; ]
        [ pid-file path-string; ]
        [ statistics-file path-string; ]
        [ auth-nxdomain ( yes | no ); ]
        [ fake-iquery ( yes | no ); ]
        [ fetch-glue ( yes | no ); ]
        [ multiple-cnames ( yes | no ); ]
        [ notify ( yes | no ); ]
        [ recursion ( yes | no ); ]
        [ forward ( only | first ); ]
        [ forwarders { ipaddr; [...] }; ]
        [ check-names
            ( master | slave | response )
            ( warn | fail | ignore ); ]
        [ allow-query { access-element; [...] }; ]
        [ allow-transfer { access-element; [...] }; ]
        [ listen-on [ port port-num ] { access-element; [...] }; ... ]
        [ query-source [ address ( ipaddr | * ) ] [ port ( port | * ) ]; ]
        [ max-transfer-time-in seconds; ]
        [ transfer-format ( one-answer | many-answers ); ]
        [ transfers-in value; ]
        [ transfers-out value; ]
        [ transfers-per-ns value; ]
        [ coresize size-value; ]
        [ datasize size-value; ]
        [ files size-value; ]
        [ stacksize size-value; ]
        [ clean-interval value; ]
        [ interface-interval value; ]
        [ statistics-interval value; ]
        [ topology { access-element; [...] }; ]
    };
Defines many globally available options to modify basic
characteristics of the name server.
Because some of the options in this configuration stanza may modify
how the named daemon reads and interprets later sections of the
named.conf file, it is highly recommended that the options stanza
be the first stanza listed in the configuration file.
directory
    Values: path-string
    Default: "."
    Indicates the directory from which all relative paths are anchored.
    The path-string parameter must be a quoted string. For example, to
    indicate that all zone files exist in "/usr/local/named/data"
    without listing the directory in each zone definition, specify the
    global option directory as:
        options {
            directory "/usr/local/named/data";
        };

named-xfer
    Values: path-string
    Default: "/usr/sbin/named-xfer"
    Specifies the path and executable name of the named-xfer command
    used for inbound zone transfers. The path-string parameter must be
    a quoted string.

dump-file
    Values: path-string
    Default: "/usr/tmp/named_dump.db"
    Specifies a filename to which the database in memory is dumped
    whenever the named daemon receives a SIGINT signal.

pid-file
    Values: path-string
    Default: "/etc/named.pid"
    Specifies the file in which the named daemon writes its PID value.

statistics-file
    Values: path-string
    Default: "/usr/tmp/named.stats"
    Specifies the file to which the name server appends operating
    statistics when it receives the SIGILL signal.

auth-nxdomain
    Values: yes | no
    Default: yes
    Controls whether the server should respond authoritatively when
    returning an NXDOMAIN response.

fake-iquery
    Values: yes | no
    Default: no
    Controls whether the server should respond to the obsolete IQUERY
    requests.

fetch-glue
    Values: yes | no
    Default: yes
    Controls whether the server should search for "glue" records to
    include in the additional section of a query response.

multiple-cnames
    Values: yes | no
    Default: no
    Controls whether the server will allow multiple CNAME records for
    one domain name in any of its zone databases. This practice is
    discouraged, but the option remains for backwards compatibility.

notify
    Values: yes | no
    Default: yes
    Controls whether the name server sends NOTIFY messages to its slave
    servers when it detects zone changes. Because the slave servers
    almost immediately respond to the NOTIFY message with a request for
    zone transfer, this limits the amount of time that the databases
    are out of synchronization in the master and slave relationship.

recursion
    Values: yes | no
    Default: yes
    Controls whether the server will attempt to resolve names outside
    of its domains on behalf of the client. If set to no, the name
    server returns a referral to the client so that the client can
    continue searching for the name. Used with the fetch-glue option,
    one can contain the amount of data that accumulates in the name
    server's memory cache.

forward
    Values: only | first
    Default: first
    Controls how forwarding is used when forwarding is enabled. When set
    to first, the name server attempts to search for a name itself
    whenever the forwarded host does not provide an answer. When set to
    only, the name server does not attempt this extra work.

forwarders
    Values: ipaddr
    Default: (empty list)
    Enables the use of query forwarding when defining a Forwarding Name
    Server. The ipaddr parameter list specifies the hosts to which the
    query should be forwarded when it cannot be resolved from the local
    database. Each ipaddr is an Internet address in standard dot
    notation.

check-names
    Values: ( master | slave | response ) ( ignore | warn | fail )
    Default: master fail; slave warn; response ignore
    Controls how the name server handles non-RFC-compliant host names
    and domain names in each of its operation domains.
    The master keyword specifies how to handle malformed names in a
    master zone file. The slave keyword specifies how to handle
    malformed names received from a master server. The response keyword
    specifies how to handle malformed names received in response to a
    query.
    ignore directs the server to ignore any malformed names and continue
    normal processing. warn directs the server to warn the
    administrator through logging, but to continue normal processing.
    fail directs the server to reject the name entirely. For the
    responses to queries, this implies that the server returns a
    REFUSED message to the original query host.

allow-query
    Values: access-element
    Default: any
    Limits the hosts allowed to query the server. Each access-element
    is specified in the same manner as in the acl stanza defined
    earlier.

allow-transfer
    Values: access-element
    Default: any
    Limits the hosts allowed to request zone transfers. Each
    access-element is specified in the same manner as in the acl stanza
    defined earlier.

listen-on
    Values: [ port port-num ] { access-element; ... }
    Default: port 53 { localhost; }
    Limits the interfaces available to the name server daemon and
    controls which port to use to listen for queries. By default, the
    name server uses all interfaces on the system and listens on port
    53. Multiple listen-on definitions are allowed within the options
    stanza. Each access-element is specified in the same manner as in
    the acl stanza defined earlier. The following example limits the
    name server to using only the interface with address 9.53.150.239:
        listen-on port 53 { 9.53.150.239; };

query-source
    Values: [ address ( ipaddr | * ) ] [ port ( port | * ) ]
    Default: address * port *
    Modifies the default address and port from which queries originate.

max-transfer-time-in
    Values: seconds
    Default: 120
    Specifies the maximum amount of time an inbound zone transfer is
    allowed to run before it is aborted. This is used to control an
    event in which a child process of the name server does not execute
    or terminate properly.

transfer-format
    Values: one-answer | many-answers
    Default: one-answer
    Controls the method in which full zone transfers are sent to
    requestors. The one-answer method uses one packet per zone resource
    record, while many-answers inserts as many resource records into
    one packet as possible. While the many-answers method is more
    efficient, it is only understood by the newest revisions of the
    name server. This option can be overridden in the server stanza to
    specify the method on a per-name-server basis.

transfers-in
    Values: value
    Default: 10
    Specifies the maximum number of concurrent inbound zone transfers.
    While this limits the amount of time each slave zone is out of
    synchronization with the master's database, because each inbound
    transfer runs in a separate child process, increasing the value may
    also increase the load on the slave server.

transfers-out
    Values: value
    Default: N/A
    Specifies the maximum number of concurrent outbound zone transfers
    for the name server. This option is currently unused in the server,
    but will be available at a later time.

transfers-per-ns
    Values: value
    Default: 2
    Specifies the maximum number of concurrent zone transfers from a
    specific remote name server. While this limits the amount of time
    each slave zone is out of synchronization with the master's
    database, increasing this value may increase the load on the remote
    master server.

coresize, datasize, files, stacksize
    Values: size-value (files: value)
    Default: coresize default; datasize default; files unlimited;
             stacksize default
    Configure process-specific resource limits for the daemon. The
    default values are those inherited from the system and its
    resources.
    Each size-value can be specified as a number or as a number
    followed by the k, m, or g modifier indicating kilobytes,
    megabytes, and gigabytes respectively.

clean-interval, interface-interval, statistics-interval
    Values: minutes
    Default: 60 (each)
    Control the intervals for the periodic maintenance tasks of the
    name server.
    The clean-interval specifies how frequently the server removes
    expired resource records from the cache. The interface-interval
    specifies how frequently the server rescans for interfaces in the
    system. The statistics-interval specifies how frequently the name
    server outputs statistics data.
    A minutes value of zero indicates that the service task should only
    run when the configuration file is reread.

cleandb-time
    Values: time
    Default: N/A
    Specifies a time of day at which the database is scanned and any
    dynamic records whose set of SIG resource records are all expired
    are removed. For a dynamic zone which has update-security set to
    presecured, only the expired SIG KEY remains.
    The default is to never perform this scan. Instead, the expired
    records remain until the name is queried.
    time is specified as HH:MM in a 24-hour format.

topology
    Values: access-element
    Default: localhost; localnets;
    Specifies a search order to use to find a preference in a list of
    addresses corresponding to a name server. Whenever a query is
    forwarded or a query must be made to another name server, it may be
    necessary to choose an address from a list of available addresses.
    Each access-element, while seemingly similar to those specified in
    an acl stanza, is interpreted by its position in the list. The
    first elements in the list are preferred over those following them.
    Negated elements (those specified with the ! (exclamation point)
    modifier) are considered least desirable.
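The following Python evaluates access lists as described in the acl section and as applied by the allow-query and allow-transfer options above, including the documented default of any when either option is omitted. It is an added example, not code from the named.conf documentation or from the named daemon; it assumes that the first matching element decides, that a host matching no element is denied, and that a reference to another acl matches when that acl would allow the host.

```python
import ipaddress
import re

# Tokens: braces and semicolons, quoted strings, or bare words.
TOKEN_RE = re.compile(r'[{};]|"[^"]*"|[^\s{};"]+')
# Documented defaults from the options table above.
DEFAULTS = {"allow-query": ["any"], "allow-transfer": ["any"]}


def tokenize(text):
    """Drop #, // and /* */ comments, then split into words, strings and punctuation."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(#|//)[^\n]*", " ", text)
    return TOKEN_RE.findall(text)


def parse(tokens, i=0):
    """Return (statements, index); each statement is (words, block-or-None)."""
    stmts = []
    while i < len(tokens) and tokens[i] != "}":
        words, block = [], None
        while i < len(tokens) and tokens[i] not in (";", "{"):
            words.append(tokens[i])
            i += 1
        if i < len(tokens) and tokens[i] == "{":
            block, i = parse(tokens, i + 1)
            i += 1                          # consume the closing brace
        if i < len(tokens) and tokens[i] == ";":
            i += 1                          # every option ends in ';'
        if words:
            stmts.append((words, block))
    return stmts, i


def _network(element):
    """9.3.149/24 or 9.3.149.66 -> ip_network; short slash prefixes are zero-padded."""
    addr, _, plen = element.partition("/")
    octets = (addr.split(".") + ["0"] * 4)[:4]
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)


def allowed(elements, host, acls, local):
    """Apply an access list to host; local = {'addresses': [...], 'networks': [...]}."""
    ip = ipaddress.ip_address(host)
    for element in elements:
        negated = element.startswith("!")   # '!' modifier: disallow on match
        name = element.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":
            hit = ip in {ipaddress.ip_address(a) for a in local["addresses"]}
        elif name == "localnets":
            hit = any(ip in ipaddress.ip_network(n) for n in local["networks"])
        elif name in acls:
            hit = allowed(acls[name], host, acls, local)   # assumption: nested acl
        else:
            hit = ip in _network(name)
        if hit:
            return not negated              # assumption: first match wins
    return False                            # assumption: no match means denied


def load(conf_text):
    """Return (acls, options); list-valued options map to their element lists."""
    acls, options = {}, {}
    for words, block in parse(tokenize(conf_text))[0]:
        if words[0] == "acl" and block is not None:
            acls[words[1]] = [" ".join(w) for w, _ in block]
        elif words[0] == "options" and block is not None:
            for w, b in block:
                options[w[0]] = [" ".join(e) for e, _ in b] if b is not None else w[1:]
    return acls, options


def may(conf_text, option, host, local):
    """Would host pass the global allow-query / allow-transfer list of conf_text?"""
    acls, options = load(conf_text)
    return allowed(options.get(option, DEFAULTS[option]), host, acls, local)


# Constructed configuration built around the page's hostlist1 example.
SAMPLE_CONF = """
acl hostlist1 {
    !9.53.150.239;    // one host excluded
    9.3.149/24;       # the rest of the 9.3.149 network
};
options {
    directory "/usr/local/named/data";
    allow-query { any; };
    allow-transfer { hostlist1; localhost; };
};
"""
# Constructed configuration with no allow-transfer: the documented default is any.
OPEN_CONF = 'options { directory "/usr/local/named/data"; };'
# Constructed interface addresses for the localhost / localnets built-ins.
LOCAL = {"addresses": ["127.0.0.1", "9.3.149.1"], "networks": ["9.3.149.0/24"]}

if __name__ == "__main__":
    for host in ("9.3.149.66", "9.53.150.239", "127.0.0.1", "10.0.0.5"):
        print(host, "may transfer:", may(SAMPLE_CONF, "allow-transfer", host, LOCAL))
    print("no allow-transfer given, 10.0.0.5:",
          may(OPEN_CONF, "allow-transfer", "10.0.0.5", LOCAL))
```

Running it shows why an explicit allow-transfer list matters: with the option omitted, every host passes.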
Server Specific Options
    server ipaddr {
        [ bogus ( yes | no ); ]
        [ transfers value; ]
        [ transfer-format ( one-answer | many-answers ); ]
    };
Modifies how the remote name server matching the specified ipaddr IP
address is treated.
bogus
    Values: yes | no
    Indicates that the name server identified by the stanza should not
    be used again. The default value is no.

transfers
    Values: value
    Overrides the globally available option transfers-per-ns. Specifies
    a maximum value for the number of concurrent inbound zone transfers
    from the foreign name server identified by the stanza.

transfer-format
    Values: one-answer | many-answers
    Overrides the globally available option transfer-format to a
    specific value for the specified server. The transfer-format option
    indicates to the name server how to form its outbound full zone
    transfers. By default, the value is inherited from the options
    stanza (where it defaults to one-answer). one-answer specifies that
    only one resource record can be sent per packet during the zone
    transfer, whereas many-answers indicates to entirely fill the
    outbound packet with resource records. The many-answers format is
    only available in the newest revisions of the name server.
Zone Definition
    zone domain-string [ class ] {
        type ( hint | stub | slave | master );
        [ file path-string; ]
        [ masters { ipaddr; [...] }; ]
        [ check-names ( warn | fail | ignore ); ]
        [ allow-update { access-element; [...] }; ]
        [ update-security ( unsecured | presecured | controlled ); ]
        [ allow-query { access-element; [...] }; ]
        [ allow-transfer { access-element; [...] }; ]
        [ max-transfer-time-in seconds; ]
        [ notify ( yes | no ); ]
        [ also-notify { ipaddr; [...] }; ]
        [ dont-notify { ipaddr; [...] }; ]
        [ notify-delaytime seconds; ]
        [ notify-retrytime seconds; ]
        [ notify-retrycount value; ]
        [ dump-interval seconds; ]
        [ incr-interval seconds; ]
        [ deferupdcnt value; ]
        [ key-xfer ( yes | no ); ]
        [ timesync ( yes | no ); ]
        [ timesync-xfer ( yes | no ); ]
        [ save-backups ( yes | no ); ]
        [ ixfr-directory path-string; ]
        [ separate-dynamic ( yes | no ); ]
    };
The zone stanza is used to define a zone, its type, the possible
location of its data, and its operating parameters. The domain-string
is a quoted string specifying the zone, where "." is used to specify
the root zone. The class parameter specifies the class of the zone as
either in, hs, hesiod, or chaos. By default, the class is assumed to
be IN.
type
    Values: hint | stub | slave | master
    Default: N/A
    Defines the type of the zone. hint zones, previously regarded as
    cache zones, only describe a source for information not contained
    in the other defined zones. A stub zone is similar to a slave zone.
    While the slave zone replicates the entire database of its master,
    the stub zone only replicates the NS resource records. The master
    zone maintains a database on disk.
    Based upon the selection of zone type, some of the other options
    are required while others may be irrelevant. Zones of type hint and
    master require the file option, while zones of type slave and stub
    require the masters option. Additionally, the only other option
    available to a hint zone is the check-names option.

file
    Values: path-string
    Default: N/A
    Specifies the location for the source of data specific to the zone.
    This parameter is only optional for stub and slave zones, where its
    inclusion indicates that a locally saved copy of the remote zone
    can be kept. The path-string parameter is a quoted string which can
    specify the file name either as an absolute path or relative to the
    options stanza's directory. If the path is intended to be specified
    relative to the server root, the options stanza must be specified
    before the zone stanza.

masters
    Values: ipaddr
    Default: N/A
    Specifies a list of sources that are referenced for a slave or stub
    zone to retrieve its data. This option is not valid for any other
    type of zone, and must be included for either of these two types.

check-names
    Values: warn | fail | ignore
    Default: inherited from the options stanza
    Overrides the check-names option in the global options stanza. The
    default value is inherited from the options stanza, where its
    default is fail for master zones and warn for slave zones.

allow-update
    Values: access-element
    Default: none
    Indicates from what source addresses a zone will accept dynamic
    updates. access-elements are specified in the same manner as they
    are for the acl stanza. Because of the inherent insecurity of a
    dynamic update, this value defaults to none. If no update-security
    is specified, dynamic updates should be limited to a specific set
    of secured machines.

update-security
    Values: unsecured | presecured | controlled
    Default: unsecured
    Valid only when the allow-update option specifies at least one
    source address, update-security defines what type of secured update
    mechanism the zone will use. The current zone update security
    method is a non-standard two-key method, but is compatible with
    previous releases of the name server. presecured indicates that a
    zone will only accept updates for which names and resource records
    already exist, unless the update is signed by the zone's
    authorizing key. Normally, this means that the zone must be
    prepopulated with the names and records it is to maintain.
    controlled specifies a zone in which names can be added to the
    database without the signature of the zone's authorizing key, but
    existing records cannot be modified without being signed by the KEY
    resource record's corresponding private key.
    Note that a proper presecured or controlled zone must contain a
    zone KEY resource record.
    See TCP/IP Name Resolution for more information regarding zone
    update security.

allow-query
    Values: access-element
    Default: inherited from the options stanza
    Overrides the globally available option allow-query. This option's
    default is inherited from the global options stanza, where its
    default is any.

allow-transfer
    Values: access-element
    Default: inherited from the options stanza
    Overrides the globally available option allow-transfer. This
    option's default is inherited from the global options stanza, where
    its default is any.

max-transfer-time-in
    Values: seconds
    Default: inherited from the options stanza
    Overrides the globally available option max-transfer-time-in. This
    option's default is inherited from the global options stanza, where
    its default is 120.

notify
    Values: yes | no
    Default: inherited from the options stanza
    Overrides the globally available option notify. This option's
    default is inherited from the global options stanza, where its
    default is yes.

also-notify
    Values: ipaddr
    Default: N/A
    The default NOTIFY mechanism notifies slave servers of a change in
    the DOMAIN database in order to limit the amount of time that the
    slave server retains a zone out of synchronization with the master
    server. The also-notify option allows additional addresses to be
    sent the notifications.

dont-notify
    Values: ipaddr
    Default: N/A
    Specifies a list of IP addresses to be removed from the default
    list of NOTIFY recipients. This option is useful if a name server
    is known to be problematic when receiving NOTIFY requests.

notify-delaytime
    Values: seconds
    Default: 30
    Specifies an estimated time of delay between notifications to
    multiple name servers. Because the receipt of a NOTIFY message
    usually triggers a prompt request for a zone transfer, this option
    tunes the latency with which each server responds with the request
    for the modified zone.
    The real value used is randomized between the specified number of
    seconds and twice this value.

notify-retrytime
    Values: seconds
    Default: 60
    Specifies the number of seconds the name server waits before
    retransmitting a NOTIFY message that has gone unanswered.

notify-retrycount
    Values: value
    Default: 3
    Specifies the maximum number of times the name server will attempt
    to send unanswered NOTIFY messages to other name servers.

dump-interval
    Values: seconds
    Default: 3600
    Specifies an interval at which the name server rewrites a dynamic
    zone to the zone file. In the interim, all updates and other
    transactions are logged in the transaction log file for performance
    reasons. Aside from this periodic zone dump, the transaction log
    file is only discarded and the zone is only dumped when the name
    server is properly shut down.
    This option is only valid for zones in which the allow-update
    option specifies at least one valid accessor.
    Note: The transaction log file name is the zone file name with an
    appended ".log" extension.

incr-interval
    Values: seconds
    Default: 300
    Specifies an interval during which the name server accepts dynamic
    updates without increasing the zone's SOA record serial number.
    Because a change in the zone SOA record triggers a NOTIFY message,
    limiting this occurrence limits the number of zone transfer
    requests at the expense of minimal zone differences between a
    dynamic master server and its slave.
    This option is only valid for zones in which the allow-update
    option specifies at least one valid accessor.

deferupdcnt
    Values: value
    Default: 100
    Specifies a threshold value for the number of properly applied
    updates received during one incr-interval interval. If more than
    value updates are received during the interval, the name server
    modifies the zone SOA serial number and subsequently sends NOTIFY
    to each of the slave servers. Use this value to limit the database
    replication inconsistencies in an environment where dynamic zone
    updates occur infrequently but in large batches.
    This option is only valid for zones in which the allow-update
    option specifies at least one valid accessor.

key-xfer
    Values: yes | no
    Default: yes
    Specifies whether the server should transmit KEY resource records
    during a zone transfer. In a very controlled environment where KEY
    queries are only made to the master name server, setting this
    option to no saves zone transfer time and improves performance.

timesync
    Values: yes | no
    Default: yes
    Specifies that a name server should calculate the true expiration
    time of a SIG resource record using its own clock rather than
    relying on the expiration time set by a possible update source.
    This removes the inconsistencies involved when dynamic zone
    updaters have their system clocks misaligned from the name server
    host. Because enabling this option modifies the output and
    interpretation of a SIG resource record in a DOMAIN database file,
    disabling this option may be required when manually transferring a
    DOMAIN database file to another name server.

timesync-xfer
    Values: yes | no
    Default: yes
    Specifies which SIG resource record expiration time is transferred
    during a zone transfer. Enabling this option is only valid when the
    timesync option is enabled.

ixfr-directory
    Values: path-string
    Default: derived from the zone's file name or domain name
    Specifies a directory in which temporary data files for this zone
    are kept. The data files contain incremental zone changes and are
    essential to the proper use of the Incremental Zone Transfer (IXFR)
    method. Because these files are created and destroyed dynamically
    by the name server, one should not specify a globally writable
    directory. Additionally, the directory specified must be distinct
    from the ixfr-directory options specified in other zones.
    The default value for this directory is derived from the zone's
    file name or domain name. By default, a directory is created in an
    "ixfrdata" directory within the name server's default directory.
    Contained in this directory is a subdirectory matching the base
    name of the zone's file name or domain name.
    It is not necessary to specify this option for the proper behavior
    of the IXFR feature.

save-backups
    Values: yes | no
    Default: no
    To properly calculate an incremental zone difference between server
    invocations, it is necessary to determine the zone database
    differences prior to the shutdown of the server and after the
    loading of the server. By enabling this option, a backup of the
    zone file will be written and read upon loading of the name server
to determine any zone differences.
While enabling this option is necessary to use the IXFR transfer
method after a stop and restart transition of the name server, it is
not necessary to realize incremental zone differences when a zone
file is modified and signalled to reload via the SRC refresh
command or SIGHUP signal. |
separate-dynamic |
yes no |
no |
Instructs the name server to retain
$INCLUDE references in a dynamic zone when the
DOMAIN database file is written to disk. The behavior
of this feature implies that resource records that can be modified
through the dynamic update mechanism exist in the
DOMAIN database file referenced by the
file option, while other resource records that should
not be modified through the dynamic update mechanism be contained in
files included (through the $INCLUDE directive) by the
DOMAIN database file. |
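As an added illustration of the constraints in the table above (example code, not part of the AIX documentation), the following Python script parses zone stanzas from a named.conf and flags settings the table describes as invalid or unsafe: dynamic-zone options used without allow-update, timesync-xfer without timesync, and an ixfr-directory shared by two zones. It also flags an allow-update list that admits any host, which is a practitioner's check rather than a rule the page states. The function names and the sample configuration are constructed for this example.

```python
"""Lint named.conf zone stanzas against the rules the option table states.
Added example, not from the AIX documentation; it parses only the
'zone "name" [class] { key value; key { a; b; }; };' syntax used on this page."""
import re
DYNAMIC_ONLY = ("dump-interval", "incr-interval", "deferupdcnt")  # need allow-update

# Constructed sample config, loosely modelled on the gobi.abc example below.
SAMPLE = r'''
zone "abc" in { type master; file "named.abcdata"; allow-update { localhost; };
    dump-interval 3600; ixfr-directory "/etc/ixfrdata/abc"; };
zone "xyz" in { type master; file "named.xyzdata";
    allow-update { any; };                /* any host may update */
    ixfr-directory "/etc/ixfrdata/abc"; };  # same directory as zone abc
zone "201.9.192.in-addr.arpa" in { type master; file "named.abcrev";
    incr-interval 300;                    // dynamic option, no allow-update
    timesync no; timesync-xfer yes; };
'''

def parse_zones(text):  # -> {zone_name: {option: value or [list items]}}
    # strip the three comment styles named.conf accepts: /* */, // and #
    text = re.sub(r"(//|#).*", "", re.sub(r"/\*.*?\*/", "", text, flags=re.S))
    zones = {}
    for m in re.finditer(r'zone\s+"([^"]+)"[^{;]*\{', text):
        depth, i = 1, m.end()
        while depth:                      # walk to the brace closing this zone
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        opts = {}
        for o in re.finditer(r'([\w-]+)\s*(\{[^}]*\}|[^;{]+)\s*;', text[m.end():i - 1]):
            key, val = o.group(1), o.group(2).strip()
            opts[key] = ([v.strip() for v in val[1:-1].split(";") if v.strip()]
                         if val.startswith("{") else val.strip('"'))
        zones[m.group(1)] = opts
    return zones

def lint(text):  # -> [(zone_name, problem), ...]
    findings, ixfr_dirs = [], {}
    for name, o in parse_zones(text).items():
        updaters = o.get("allow-update", [])
        if "any" in updaters:
            findings.append((name, "allow-update permits any host"))
        findings += [(name, f"{k} requires allow-update")
                     for k in DYNAMIC_ONLY if k in o and not updaters]
        if o.get("timesync-xfer") == "yes" and o.get("timesync") == "no":
            findings.append((name, "timesync-xfer requires timesync"))
        d = o.get("ixfr-directory")   # must be unique across zones
        if d in ixfr_dirs:
            findings.append((name, f"ixfr-directory shared with zone {ixfr_dirs[d]}"))
        elif d:
            ixfr_dirs[d] = name
    return findings
```

Running lint(SAMPLE) reports two problems for zone xyz and two for the reverse zone, and nothing for zone abc.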
Examples
The following examples show some of the ways to configure a simple
named.conf file. In these examples, two networks are represented: abc
and xyz.
Network abc consists of:
- gobi.abc, the master name server for the abc network, 192.9.201.2
- mojave.abc, a host machine, 192.9.201.6
- sandy.abc, a slave name server for the abc network and the gateway
between abc and xyz, 192.9.201.3
Network xyz consists of:
- kalahari.xyz, master name server for the xyz network, 160.9.201.4
- lopnor.xyz, a host machine, 160.9.201.5
- sahara.xyz, a host machine and hint name server for the xyz network,
160.9.201.13
- sandy.xyz, a slave name server for the xyz network and gateway between
abc and xyz, 160.9.201.3
Note: sandy, a gateway host, is on both networks and also serves as a
slave name server for both domains.
- The /etc/named.conf file for
gobi.abc, the master name server for network
abc, contains these entries:
#
# conf file for abc master server - gobi.abc
#
server 192.9.201.3 {
    transfer-format many-answers;
};
zone "abc" in {
    type master;
    file "/etc/named.abcdata";
    allow-update { localhost; };
};
zone "201.9.192.in-addr.arpa" in {
    type master;
    file "/etc/named.abcrev";
    allow-update { localhost; };
};
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "/etc/named.abclocal";
};
- The /etc/named.conf file for
kalahari.xyz, the master name server for network
xyz, contains these entries:
#
# conf file for xyz master server - kalahari.xyz
#
acl xyz-slaves { 160.9.201.3; };
options {
    directory "/etc";
    allow-transfer { xyz-slaves; localhost; };
};
zone "xyz" in {
    type master;
    file "named.xyzdata";
};
zone "9.160.in-addr.arpa" in {
    type master;
    file "named.xyxrev";
};
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "named.xyzlocal";
};
- The /etc/named.conf file for
sandy, the slave name server for networks abc
and xyz, contains the following entries:
#
# conf file for slave server for abc and xyz - sandy
#
options { directory "/etc"; };
zone "abc" in {
    type slave;
    masters { 192.9.201.2; };   # gobi.abc
    file "named.abcdata.bak";
};
zone "xyz" in {
    type slave;
    masters { 160.9.201.4; };   # kalahari.xyz
    file "named.xyzdata.bak";
};
zone "201.9.192.in-addr.arpa" in {
    type slave;
    masters { 192.9.201.2; };   # gobi.abc
};
zone "9.160.in-addr.arpa" in {
    type slave;
    masters { 160.9.201.4; };   # kalahari.xyz, the xyz master
};
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "named.local";
};
- The /etc/named.conf file for
sahara, a hint name server for the network
xyz, contains the following entries:
#
# conf file for hint server for xyz - sahara
#
zone "." in {
    type hint;
    file "/etc/named.ca";
};
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "/etc/named.local";
};
Files
/usr/samples/tcpip/named.conf | Contains the sample named.conf file. |
Related Information
The named daemon.
The syslogd daemon.
The DOMAIN cache file format, DOMAIN local file format, DOMAIN data
file format, DOMAIN Reverse data file format, rc.tcpip file format.
Configuring a Primary Name Server and Naming for TCP/IP in System
Management Guide: Communications and Networks.