xref: /src/etc/named.conf

# $NetBSD: named.conf,v 1.14 2025/08/06 02:03:59 kim Exp $

# boot file for secondary name server
# Note that there should be one primary entry for each SOA record.
# If you cannot get DNSSEC to work, and you see the following message:
# DNSKEY: verify failed due to bad signature (keyid=19036): \
# RRSIG validity period has not begun 
# Fix your clock. You can comment out the dnssec entries temporarily to
# get to an ntp server.

options {
	directory "/etc/namedb";
	dnssec-validation auto;
	managed-keys-directory "keys";
	bindkeys-file "bind.keys";
	allow-recursion { localhost; localnets; };

	#
	# An EDNS buffer size of 1232 bytes will avoid fragmentation on
	# nearly all current networks. This is based on an MTU of 1280,
	# which is required by the IPv6 specification, minus 48 bytes for
	# the IPv6 and UDP headers and the aforementioned research.
	#
	# https://www.dnsflagday.net/2020/
	#
	max-udp-size 1232;
	edns-udp-size 1232;

	# RFC 8482
	minimal-any yes;
	minimal-responses yes;

	#
	# This forces all queries to come from port 53; might be
	# needed for firewall traversals but should be avoided if
	# at all possible because of the risk of spoofing attacks.
	#
	#query-source address * port 53;
};

zone "." {
	type hint;
	file "root.cache";
};

zone "localhost" {
	type master;
	file "localhost";
};

zone "127.IN-ADDR.ARPA" {
	type master;
	file "127";
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
	type master;
	file "loopback.v6";
};

# example secondary server config:
#
# zone "Berkeley.EDU" {
# 	type slave;
# 	file "berkeley.edu.cache";
# 	masters {
# 		128.32.130.11;
# 		128.32.133.1;
# 	};
# };

# zone "32.128.IN-ADDR.ARPA" {
# 	type slave;
# 	file "128.32.cache";
# 	masters {
# 		128.32.130.11;
# 		128.32.133.1;
# 	};
# };

# example primary server config:
# 
# zone "Berkeley.EDU" {
# 	type master;
# 	file "berkeley.edu";
# };

# zone "32.128.IN-ADDR.ARPA" {
# 	type master;
# 	file "128.32";
# };