xref: /src/external/mpl/bind/dist/doc/misc/options

acl <string> { <address_match_element>; ... }; // may occur multiple times

controls {
	inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
	unix <quoted_string> perm <integer> owner <integer> group <integer> [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
}; // may occur multiple times

dlz <string> {
	database <string>;
	search <boolean>;
}; // may occur multiple times

dnssec-policy <string> {
	cdnskey <boolean>;
	cds-digest-types { <string>; ... };
	dnskey-ttl <duration>;
	inline-signing <boolean>;
	keys { ( csk | ksk | zsk ) [ key-directory | key-store <string> ] lifetime <duration_or_unlimited> algorithm <string> [ tag-range <integer> <integer> ] [ <integer> ]; ... };
	manual-mode <boolean>;
	max-zone-ttl <duration>;
	nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ];
	offline-ksk <boolean>;
	parent-ds-ttl <duration>;
	parent-propagation-delay <duration>;
	publish-safety <duration>;
	purge-keys <duration>;
	retire-safety <duration>;
	signatures-jitter <duration>;
	signatures-refresh <duration>;
	signatures-validity <duration>;
	signatures-validity-dnskey <duration>;
	zone-propagation-delay <duration>;
}; // may occur multiple times

dyndb <string> <quoted_string> { <unspecified-text> }; // may occur multiple times

http <string> {
	endpoints { <quoted_string>; ... };
	listener-clients <integer>;
	streams-per-connection <integer>;
}; // may occur multiple times

key <string> {
	algorithm <string>;
	secret <string>;
}; // may occur multiple times

key-store <string> {
	directory <string>;
	pkcs11-uri <quoted_string>;
}; // may occur multiple times

logging {
	category <string> { <string>; ... }; // may occur multiple times
	channel <string> {
		buffered <boolean>;
		file <quoted_string> [ versions ( unlimited | <integer> ) ] [ size <size> ] [ suffix ( increment | timestamp ) ];
		null;
		print-category <boolean>;
		print-severity <boolean>;
		print-time ( iso8601 | iso8601-utc | local | <boolean> );
		severity <log_severity>;
		stderr;
		syslog [ <syslog_facility> ];
	}; // may occur multiple times
};

managed-keys { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated

options {
	allow-new-zones <boolean>;
	allow-notify { <address_match_element>; ... };
	allow-proxy { <address_match_element>; ... }; // experimental
	allow-proxy-on { <address_match_element>; ... }; // experimental
	allow-query { <address_match_element>; ... };
	allow-query-cache { <address_match_element>; ... };
	allow-query-cache-on { <address_match_element>; ... };
	allow-query-on { <address_match_element>; ... };
	allow-recursion { <address_match_element>; ... };
	allow-recursion-on { <address_match_element>; ... };
	allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
	allow-update { <address_match_element>; ... };
	allow-update-forwarding { <address_match_element>; ... };
	also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
	answer-cookie <boolean>;
	attach-cache <string>;
	auth-nxdomain <boolean>;
	automatic-interface-scan <boolean>;
	avoid-v4-udp-ports { <portrange>; ... }; // deprecated
	avoid-v6-udp-ports { <portrange>; ... }; // deprecated
	bindkeys-file <quoted_string>; // test only
	blackhole { <address_match_element>; ... };
	catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
	check-dup-records ( fail | warn | ignore );
	check-integrity <boolean>;
	check-mx ( fail | warn | ignore );
	check-mx-cname ( fail | warn | ignore );
	check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
	check-sibling <boolean>;
	check-spf ( warn | ignore );
	check-srv-cname ( fail | warn | ignore );
	check-svcb <boolean>;
	check-wildcard <boolean>;
	clients-per-query <integer>;
	cookie-algorithm ( siphash24 );
	cookie-secret <string>; // may occur multiple times
	deny-answer-addresses { <address_match_element>; ... } [ except-from { <string>; ... } ];
	deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ];
	dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
	directory <quoted_string>;
	disable-algorithms <string> { <string>; ... }; // may occur multiple times
	disable-ds-digests <string> { <string>; ... }; // may occur multiple times
	disable-empty-zone <string>; // may occur multiple times
	dns64 <netprefix> {
		break-dnssec <boolean>;
		clients { <address_match_element>; ... };
		exclude { <address_match_element>; ... };
		mapped { <address_match_element>; ... };
		recursive-only <boolean>;
		suffix <ipv6_address>;
	}; // may occur multiple times
	dns64-contact <string>;
	dns64-server <string>;
	dnskey-sig-validity <integer>; // obsolete
	dnsrps-enable <boolean>; // not configured
	dnsrps-library <quoted_string>; // not configured
	dnsrps-options { <unspecified-text> }; // not configured
	dnssec-accept-expired <boolean>;
	dnssec-dnskey-kskonly <boolean>; // obsolete
	dnssec-loadkeys-interval <integer>;
	dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
	dnssec-policy <string>;
	dnssec-secure-to-insecure <boolean>; // obsolete
	dnssec-update-mode ( maintain | no-resign ); // obsolete
	dnssec-validation ( yes | no | auto );
	dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
	dnstap-identity ( <quoted_string> | none | hostname ); // not configured
	dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited | <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( increment | timestamp ) ]; // not configured
	dnstap-version ( <quoted_string> | none ); // not configured
	dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
	dump-file <quoted_string>;
	edns-udp-size <integer>;
	empty-contact <string>;
	empty-server <string>;
	empty-zones-enable <boolean>;
	fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
	fetches-per-server <integer> [ ( drop | fail ) ];
	fetches-per-zone <integer> [ ( drop | fail ) ];
	flush-zones-on-shutdown <boolean>;
	forward ( first | only );
	forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
	fstrm-set-buffer-hint <integer>; // not configured
	fstrm-set-flush-timeout <integer>; // not configured
	fstrm-set-input-queue-size <integer>; // not configured
	fstrm-set-output-notify-threshold <integer>; // not configured
	fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
	fstrm-set-output-queue-size <integer>; // not configured
	fstrm-set-reopen-interval <duration>; // not configured
	geoip-directory ( <quoted_string> | none );
	heartbeat-interval <integer>; // deprecated
	hostname ( <quoted_string> | none );
	http-listener-clients <integer>;
	http-port <integer>;
	http-streams-per-connection <integer>;
	https-port <integer>;
	interface-interval <duration>;
	ipv4only-contact <string>;
	ipv4only-enable <boolean>;
	ipv4only-server <string>;
	ixfr-from-differences ( primary | master | secondary | slave | <boolean> );
	keep-response-order { <address_match_element>; ... }; // obsolete
	key-directory <quoted_string>;
	lame-ttl <duration>;
	listen-on [ port <integer> ] [ proxy <string> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
	listen-on-v6 [ port <integer> ] [ proxy <string> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
	lmdb-mapsize <sizeval>;
	managed-keys-directory <quoted_string>;
	masterfile-format ( raw | text );
	masterfile-style ( full | relative );
	match-mapped-addresses <boolean>;
	max-cache-size ( default | unlimited | <sizeval> | <percentage> );
	max-cache-ttl <duration>;
	max-clients-per-query <integer>;
	max-ixfr-ratio ( unlimited | <percentage> );
	max-journal-size ( default | unlimited | <sizeval> );
	max-ncache-ttl <duration>;
	max-query-count <integer>;
	max-query-restarts <integer>;
	max-records <integer>;
	max-records-per-type <integer>;
	max-recursion-depth <integer>;
	max-recursion-queries <integer>;
	max-refresh-time <integer>;
	max-retry-time <integer>;
	max-rsa-exponent-size <integer>;
	max-stale-ttl <duration>;
	max-transfer-idle-in <integer>;
	max-transfer-idle-out <integer>;
	max-transfer-time-in <integer>;
	max-transfer-time-out <integer>;
	max-types-per-name <integer>;
	max-udp-size <integer>;
	max-validation-failures-per-fetch <integer>; // experimental
	max-validations-per-fetch <integer>; // experimental
	max-zone-ttl ( unlimited | <duration> ); // deprecated
	memstatistics <boolean>;
	memstatistics-file <quoted_string>;
	message-compression <boolean>;
	min-cache-ttl <duration>;
	min-ncache-ttl <duration>;
	min-refresh-time <integer>;
	min-retry-time <integer>;
	min-transfer-rate-in <integer> <integer>;
	minimal-any <boolean>;
	minimal-responses ( no-auth | no-auth-recursive | <boolean> );
	multi-master <boolean>;
	new-zones-directory <quoted_string>;
	no-case-compress { <address_match_element>; ... };
	nocookie-udp-size <integer>;
	notify ( explicit | master-only | primary-only | <boolean> );
	notify-defer <integer>;
	notify-delay <integer>;
	notify-rate <integer>;
	notify-source ( <ipv4_address> | * );
	notify-source-v6 ( <ipv6_address> | * );
	notify-to-soa <boolean>;
	nsec3-test-zone <boolean>; // test only
	nta-lifetime <duration>;
	nta-recheck <duration>;
	nxdomain-redirect <string>;
	parental-source ( <ipv4_address> | * );
	parental-source-v6 ( <ipv6_address> | * );
	pid-file ( <quoted_string> | none );
	port <integer>;
	preferred-glue <string>;
	prefetch <integer> [ <integer> ];
	provide-ixfr <boolean>;
	qname-minimization ( strict | relaxed | disabled | off );
	query-source [ address ] ( <ipv4_address> | * | none );
	query-source-v6 [ address ] ( <ipv6_address> | * | none );
	querylog <boolean>;
	rate-limit {
		all-per-second <integer>;
		errors-per-second <integer>;
		exempt-clients { <address_match_element>; ... };
		ipv4-prefix-length <integer>;
		ipv6-prefix-length <integer>;
		log-only <boolean>;
		max-table-size <integer>;
		min-table-size <integer>;
		nodata-per-second <integer>;
		nxdomains-per-second <integer>;
		qps-scale <integer>;
		referrals-per-second <integer>;
		responses-per-second <integer>;
		slip <integer>;
		window <integer>;
	};
	recursing-file <quoted_string>;
	recursion <boolean>;
	recursive-clients <integer>;
	request-expire <boolean>;
	request-ixfr <boolean>;
	request-nsid <boolean>;
	require-server-cookie <boolean>;
	resolver-query-timeout <integer>;
	resolver-use-dns64 <boolean>;
	response-padding { <address_match_element>; ... } block-size <integer>;
	response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ servfail-until-ready <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
	responselog <boolean>;
	reuseport <boolean>;
	root-key-sentinel <boolean>;
	rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
	secroots-file <quoted_string>;
	send-cookie <boolean>;
	serial-query-rate <integer>;
	serial-update-method ( date | increment | unixtime );
	server-id ( <quoted_string> | none | hostname );
	servfail-ttl <duration>;
	session-keyalg <string>;
	session-keyfile ( <quoted_string> | none );
	session-keyname <string>;
	sig-signing-nodes <integer>;
	sig-signing-signatures <integer>;
	sig-signing-type <integer>;
	sig-validity-interval <integer> [ <integer> ]; // obsolete
	sig0checks-quota <integer>; // experimental
	sig0checks-quota-exempt { <address_match_element>; ... }; // experimental
	sig0key-checks-limit <integer>;
	sig0message-checks-limit <integer>;
	sortlist { <address_match_element>; ... }; // deprecated
	stale-answer-client-timeout ( disabled | off | <integer> );
	stale-answer-enable <boolean>;
	stale-answer-ttl <duration>;
	stale-cache-enable <boolean>;
	stale-refresh-time <duration>;
	startup-notify-rate <integer>;
	statistics-file <quoted_string>;
	synth-from-dnssec <boolean>;
	tcp-advertised-timeout <integer>;
	tcp-clients <integer>;
	tcp-idle-timeout <integer>;
	tcp-initial-timeout <integer>;
	tcp-keepalive-timeout <integer>;
	tcp-listen-queue <integer>;
	tcp-receive-buffer <integer>;
	tcp-send-buffer <integer>;
	tkey-domain <quoted_string>; // obsolete
	tkey-gssapi-credential <quoted_string>; // deprecated
	tkey-gssapi-keytab <quoted_string>;
	tls-port <integer>;
	transfer-format ( many-answers | one-answer );
	transfer-message-size <integer>;
	transfer-source ( <ipv4_address> | * );
	transfer-source-v6 ( <ipv6_address> | * );
	transfers-in <integer>;
	transfers-out <integer>;
	transfers-per-ns <integer>;
	trust-anchor-telemetry <boolean>;
	try-tcp-refresh <boolean>;
	udp-receive-buffer <integer>;
	udp-send-buffer <integer>;
	update-check-ksk <boolean>; // obsolete
	update-quota <integer>;
	use-v4-udp-ports { <portrange>; ... }; // deprecated
	use-v6-udp-ports { <portrange>; ... }; // deprecated
	v6-bias <integer>;
	validate-except { <string>; ... };
	version ( <quoted_string> | none );
	zero-no-soa-ttl <boolean>;
	zero-no-soa-ttl-cache <boolean>;
	zone-statistics ( full | terse | none | <boolean> );
};

plugin ( query ) <string> [ { <unspecified-text> } ]; // may occur multiple times

remote-servers <string> [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times

server <netprefix> {
	bogus <boolean>;
	edns <boolean>;
	edns-udp-size <integer>;
	edns-version <integer>;
	keys <server_key>;
	max-udp-size <integer>;
	notify-source ( <ipv4_address> | * );
	notify-source-v6 ( <ipv6_address> | * );
	padding <integer>;
	provide-ixfr <boolean>;
	query-source [ address ] ( <ipv4_address> | * );
	query-source-v6 [ address ] ( <ipv6_address> | * );
	request-expire <boolean>;
	request-ixfr <boolean>;
	request-nsid <boolean>;
	require-cookie <boolean>;
	send-cookie <boolean>;
	tcp-keepalive <boolean>;
	tcp-only <boolean>;
	transfer-format ( many-answers | one-answer );
	transfer-source ( <ipv4_address> | * );
	transfer-source-v6 ( <ipv6_address> | * );
	transfers <integer>;
}; // may occur multiple times

statistics-channels {
	inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] [ allow { <address_match_element>; ... } ]; // may occur multiple times
}; // may occur multiple times

tls <string> {
	ca-file <quoted_string>;
	cert-file <quoted_string>;
	cipher-suites <string>;
	ciphers <string>;
	dhparam-file <quoted_string>;
	key-file <quoted_string>;
	prefer-server-ciphers <boolean>;
	protocols { <string>; ... };
	remote-hostname <quoted_string>;
	session-tickets <boolean>;
}; // may occur multiple times

trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times

trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated

view <string> [ <class> ] {
	allow-new-zones <boolean>;
	allow-notify { <address_match_element>; ... };
	allow-proxy { <address_match_element>; ... }; // experimental
	allow-proxy-on { <address_match_element>; ... }; // experimental
	allow-query { <address_match_element>; ... };
	allow-query-cache { <address_match_element>; ... };
	allow-query-cache-on { <address_match_element>; ... };
	allow-query-on { <address_match_element>; ... };
	allow-recursion { <address_match_element>; ... };
	allow-recursion-on { <address_match_element>; ... };
	allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
	allow-update { <address_match_element>; ... };
	allow-update-forwarding { <address_match_element>; ... };
	also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
	attach-cache <string>;
	auth-nxdomain <boolean>;
	catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
	check-dup-records ( fail | warn | ignore );
	check-integrity <boolean>;
	check-mx ( fail | warn | ignore );
	check-mx-cname ( fail | warn | ignore );
	check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
	check-sibling <boolean>;
	check-spf ( warn | ignore );
	check-srv-cname ( fail | warn | ignore );
	check-svcb <boolean>;
	check-wildcard <boolean>;
	clients-per-query <integer>;
	deny-answer-addresses { <address_match_element>; ... } [ except-from { <string>; ... } ];
	deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ];
	dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
	disable-algorithms <string> { <string>; ... }; // may occur multiple times
	disable-ds-digests <string> { <string>; ... }; // may occur multiple times
	disable-empty-zone <string>; // may occur multiple times
	dlz <string> {
		database <string>;
		search <boolean>;
	}; // may occur multiple times
	dns64 <netprefix> {
		break-dnssec <boolean>;
		clients { <address_match_element>; ... };
		exclude { <address_match_element>; ... };
		mapped { <address_match_element>; ... };
		recursive-only <boolean>;
		suffix <ipv6_address>;
	}; // may occur multiple times
	dns64-contact <string>;
	dns64-server <string>;
	dnskey-sig-validity <integer>; // obsolete
	dnsrps-enable <boolean>; // not configured
	dnsrps-options { <unspecified-text> }; // not configured
	dnssec-accept-expired <boolean>;
	dnssec-dnskey-kskonly <boolean>; // obsolete
	dnssec-loadkeys-interval <integer>;
	dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
	dnssec-policy <string>;
	dnssec-secure-to-insecure <boolean>; // obsolete
	dnssec-update-mode ( maintain | no-resign ); // obsolete
	dnssec-validation ( yes | no | auto );
	dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
	dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
	dyndb <string> <quoted_string> { <unspecified-text> }; // may occur multiple times
	edns-udp-size <integer>;
	empty-contact <string>;
	empty-server <string>;
	empty-zones-enable <boolean>;
	fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
	fetches-per-server <integer> [ ( drop | fail ) ];
	fetches-per-zone <integer> [ ( drop | fail ) ];
	forward ( first | only );
	forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
	ipv4only-contact <string>;
	ipv4only-enable <boolean>;
	ipv4only-server <string>;
	ixfr-from-differences ( primary | master | secondary | slave | <boolean> );
	key <string> {
		algorithm <string>;
		secret <string>;
	}; // may occur multiple times
	key-directory <quoted_string>;
	lame-ttl <duration>;
	lmdb-mapsize <sizeval>;
	managed-keys { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
	masterfile-format ( raw | text );
	masterfile-style ( full | relative );
	match-clients { <address_match_element>; ... };
	match-destinations { <address_match_element>; ... };
	match-recursive-only <boolean>;
	max-cache-size ( default | unlimited | <sizeval> | <percentage> );
	max-cache-ttl <duration>;
	max-clients-per-query <integer>;
	max-ixfr-ratio ( unlimited | <percentage> );
	max-journal-size ( default | unlimited | <sizeval> );
	max-ncache-ttl <duration>;
	max-query-count <integer>;
	max-query-restarts <integer>;
	max-records <integer>;
	max-records-per-type <integer>;
	max-recursion-depth <integer>;
	max-recursion-queries <integer>;
	max-refresh-time <integer>;
	max-retry-time <integer>;
	max-stale-ttl <duration>;
	max-transfer-idle-in <integer>;
	max-transfer-idle-out <integer>;
	max-transfer-time-in <integer>;
	max-transfer-time-out <integer>;
	max-types-per-name <integer>;
	max-udp-size <integer>;
	max-validation-failures-per-fetch <integer>; // experimental
	max-validations-per-fetch <integer>; // experimental
	max-zone-ttl ( unlimited | <duration> ); // deprecated
	message-compression <boolean>;
	min-cache-ttl <duration>;
	min-ncache-ttl <duration>;
	min-refresh-time <integer>;
	min-retry-time <integer>;
	min-transfer-rate-in <integer> <integer>;
	minimal-any <boolean>;
	minimal-responses ( no-auth | no-auth-recursive | <boolean> );
	multi-master <boolean>;
	new-zones-directory <quoted_string>;
	no-case-compress { <address_match_element>; ... };
	nocookie-udp-size <integer>;
	notify ( explicit | master-only | primary-only | <boolean> );
	notify-defer <integer>;
	notify-delay <integer>;
	notify-source ( <ipv4_address> | * );
	notify-source-v6 ( <ipv6_address> | * );
	notify-to-soa <boolean>;
	nsec3-test-zone <boolean>; // test only
	nta-lifetime <duration>;
	nta-recheck <duration>;
	nxdomain-redirect <string>;
	parental-source ( <ipv4_address> | * );
	parental-source-v6 ( <ipv6_address> | * );
	plugin ( query ) <string> [ { <unspecified-text> } ]; // may occur multiple times
	preferred-glue <string>;
	prefetch <integer> [ <integer> ];
	provide-ixfr <boolean>;
	qname-minimization ( strict | relaxed | disabled | off );
	query-source [ address ] ( <ipv4_address> | * | none );
	query-source-v6 [ address ] ( <ipv6_address> | * | none );
	rate-limit {
		all-per-second <integer>;
		errors-per-second <integer>;
		exempt-clients { <address_match_element>; ... };
		ipv4-prefix-length <integer>;
		ipv6-prefix-length <integer>;
		log-only <boolean>;
		max-table-size <integer>;
		min-table-size <integer>;
		nodata-per-second <integer>;
		nxdomains-per-second <integer>;
		qps-scale <integer>;
		referrals-per-second <integer>;
		responses-per-second <integer>;
		slip <integer>;
		window <integer>;
	};
	recursion <boolean>;
	request-expire <boolean>;
	request-ixfr <boolean>;
	request-nsid <boolean>;
	require-server-cookie <boolean>;
	resolver-query-timeout <integer>;
	resolver-use-dns64 <boolean>;
	response-padding { <address_match_element>; ... } block-size <integer>;
	response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ servfail-until-ready <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
	root-key-sentinel <boolean>;
	rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
	send-cookie <boolean>;
	serial-update-method ( date | increment | unixtime );
	server <netprefix> {
		bogus <boolean>;
		edns <boolean>;
		edns-udp-size <integer>;
		edns-version <integer>;
		keys <server_key>;
		max-udp-size <integer>;
		notify-source ( <ipv4_address> | * );
		notify-source-v6 ( <ipv6_address> | * );
		padding <integer>;
		provide-ixfr <boolean>;
		query-source [ address ] ( <ipv4_address> | * );
		query-source-v6 [ address ] ( <ipv6_address> | * );
		request-expire <boolean>;
		request-ixfr <boolean>;
		request-nsid <boolean>;
		require-cookie <boolean>;
		send-cookie <boolean>;
		tcp-keepalive <boolean>;
		tcp-only <boolean>;
		transfer-format ( many-answers | one-answer );
		transfer-source ( <ipv4_address> | * );
		transfer-source-v6 ( <ipv6_address> | * );
		transfers <integer>;
	}; // may occur multiple times
	servfail-ttl <duration>;
	sig-signing-nodes <integer>;
	sig-signing-signatures <integer>;
	sig-signing-type <integer>;
	sig-validity-interval <integer> [ <integer> ]; // obsolete
	sig0key-checks-limit <integer>;
	sig0message-checks-limit <integer>;
	sortlist { <address_match_element>; ... }; // deprecated
	stale-answer-client-timeout ( disabled | off | <integer> );
	stale-answer-enable <boolean>;
	stale-answer-ttl <duration>;
	stale-cache-enable <boolean>;
	stale-refresh-time <duration>;
	synth-from-dnssec <boolean>;
	transfer-format ( many-answers | one-answer );
	transfer-source ( <ipv4_address> | * );
	transfer-source-v6 ( <ipv6_address> | * );
	trust-anchor-telemetry <boolean>;
	trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
	trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
	try-tcp-refresh <boolean>;
	update-check-ksk <boolean>; // obsolete
	v6-bias <integer>;
	validate-except { <string>; ... };
	zero-no-soa-ttl <boolean>;
	zero-no-soa-ttl-cache <boolean>;
	zone-statistics ( full | terse | none | <boolean> );
}; // may occur multiple times