/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

/*
 * This is a worthless, nonrunnable example of a named.conf file that has
 * every conceivable syntax element in use. We use it to test the parser.
 * It could also be used as a conceptual template for users of new features.
 *
 * The "NOTE(review)" comments below point out the access-control and key
 * settings whose values exist for parser coverage rather than for a
 * deployed server. They are comments only; the parser sees nothing new.
 */

/*
 * C-style comments are OK
 */

// So are C++-style comments

#So are shell - style comments

// watch out for ";" -- it's important!

options {
	additional - from - auth true;
	additional - from - cache false;

	version "my version string";	// also what a CH TXT query for
					// "version.bind" will report
	random - device "/dev/random";
	directory "/tmp";	// NOTE(review): relative file names below
				// (dump-file, statistics-file, ...) resolve
				// here; a shared, world-writable directory
				// is used for parser coverage only.

	port 666;

	sig - validity - interval 33;

	#Obsolete
	named - xfer "/usr/libexec/named-xfer"; // _PATH_XFER

	dump - file "named_dump.db";		// _PATH_DUMPFILE
	pid - file "/var/run/named.pid";	// _PATH_PIDFILE
	statistics - file "named.stats";	// _PATH_STATS
	memstatistics - file "named.memstats";	// _PATH_MEMSTATS

	max - cache - ttl 999;
	min - cache - ttl 66;
	auth - nxdomain yes;	// always set AA on NXDOMAIN.
				// don't set this to 'no' unless
				// you know what you're doing -- older
				// servers won't like it.

	#Obsolete
	deallocate - on - exit no;

	dialup yes;

	#Obsolete
	fake - iquery no;

	fetch - glue yes;
	has - old - clients yes;
	host - statistics no;

	#Obsolete
	multiple - cnames no;	// if yes, then a name may have more
				// than one CNAME RR. This use
				// is non-standard and is not
				// recommended, but it is available
				// because previous releases supported
				// it and it was used by large sites
				// for load balancing.

	notify yes;		// send NOTIFY messages. You can set
				// notify on a zone-by-zone
				// basis in the "zone" statement
				// (see below)
	recursion yes;
	rfc2308 - type1 no;

	#Obsolete
	use - id - pool yes;

	#Obsolete
	treat - cr - as - space yes;

	also - notify { 10.0.2.3; };

	// The "forward" option is only meaningful if you've defined
	// forwarders. "first" gives the normal BIND
	// forwarding behavior, i.e. ask the forwarders first, and if that
	// doesn't work then do the full lookup. You can also say
	// "forward only;" which is what used to be specified with
	// "secondary" or "options forward-only". "only" will never attempt
	// a full lookup; only the forwarders will be used.
	forward first;
	forwarders {
		1.2.3.4;
		5.6.7.8;
	};

	check - names primary fail;
	check - names secondary warn;
	check - names response ignore;

	// Address match lists are evaluated first-match, and a leading "!"
	// negates an entry. The server-wide defaults set here are
	// overridden per zone and per view further down.
	allow - query { any; };
	allow - transfer { any; };	// NOTE(review): zone transfers open to
					// every client; a deployed server lists
					// its secondaries or a TSIG key here.
	allow - recursion { !any; };	// recursion refused to everyone,
					// whatever "recursion yes" above says.
	blackhole { 45 / 24; };		// traffic from this prefix is ignored.
	keep - response - order { 46 / 24; };

	listen - on {
		10 / 24;
		10.0.0.3;
	};

	listen - on port 53 { any; };

	listen - on { 5.6.7.8; };

	listen - on port 1234 {
		!1.2.3.4;	// listed first so the /24 below cannot
		1.2.3 / 24;	// re-admit it.
	};

	listen - on - v6 { 1 : 1 : 1 : 1 : 1 : 1 : 1 : 1; };

	listen - on - v6 port 777 { 2 : 2 : 2 : 2 : 2 : 2 : 2 : 2; };

	// "port *" lets the server pick a random source port for each
	// outgoing query; a fixed port would make forged answers easier
	// to match.
	query - source - v6 address 8 : 7 : 6 : 5 : 4 : 3 : 2 : 1 port *;
	query - source port *address 10.0.0.54;

	lame - ttl 444;

	max - transfer - time - in 300;
	max - transfer - time - out 10;
	max - transfer - idle - in 100;
	max - transfer - idle - out 11;

	max - retry - time 1234;
	min - retry - time 1111;
	max - refresh - time 888;
	min - refresh - time 777;

	max - ncache - ttl 333;
	min - ncache - ttl 22;
	min - roots 15;
	serial - queries 34;

	transfer - format one - answer;

	transfers - in 10;
	transfers - per - ns 2;
	transfers - out 0;

	transfer - source 10.0.0.5;
	transfer - source - v6 4 : 3 : 2 : 1 : 5 : 6 : 7 : 8;

	request - ixfr yes;
	provide - ixfr yes;

	#Now called 'provide-ixfr'
	#maintain - ixfr - base no; // If yes, keep transaction log file for IXFR

	max - ixfr - log - size 20m;
	max - cache - size 1m;
	heartbeat - interval 1001;
	interface - interval 1002;
	statistics - interval 1003;

	topology {
		10 / 8;

		!1.2.3 / 24;

		{
			1.2 / 16;
			3 / 8;
		};
	};

	sortlist {
		10 / 8;
		11 / 8;
	};

	tkey - domain "foo.com";
	tkey - dhkey "xyz" 666;

	rrset - order {
		class IN type A name "foo" order random;
		order cyclic;
	};
};

/*
 * Control listeners, for "ndc". Every nameserver needs at least one.
 */
controls {
	// 'inet' lines without a 'port' default to 'port 953'
	// 'keys' must be used and the list must have at least one entry
	inet *port 52 allow { any; }
	keys { "key2"; };	// NOTE(review): "*" listens on every address
				// and "allow { any; }" admits any source, so
				// the TSIG key is the only thing gating
				// control commands on this listener.
	unix "/var/run/ndc" perm 0600 owner 0 group 0; // ignored by named.
	inet 10.0.0.1 allow {
		any;
		key foo;
	}
	keys { "key4"; };	// NOTE(review): neither "foo" nor "key4" is
				// defined by a key statement in this file;
				// presumably deliberate parser input.
	inet 10.0.0.2 allow { none; }
	keys {
		"key-1";	// likewise not defined in this file
		"key-2";
	};
	inet 10.0.0.2 allow { none; };	// no 'keys' clause, contrary to the
					// comment at the top of this block;
					// kept as a parser case.
};

zone "primary.demo.zone" {
	type primaryr;		// NOTE(review): every other zone in this
				// file spells the type "primary";
				// presumably a deliberate parser case --
				// confirm.
	database "somedb -option1 -option2 arg1 arg2 arg3";
	file "primary.demo.zone";
	check - names fail;
	allow - update { none; };
	allow - update - forwarding {
		10.0.0.5;	// first match wins: only this host may
		!any;		// forward updates, everyone else is denied.
	};
	allow - transfer { any; };
	allow - query { any; };
	sig - validity - interval 990;
	notify explicit;
	also - notify {
		1.0.0.1;
	};			// don't notify any nameservers other
				// than those on the NS list for this
				// zone
	forward first;
	forwarders {
		10.0.0.3;
		1 : 2 : 3 : 4 : 5 : 6 : 7 : 8;
	};
};

zone "secondary.demo.zone" {
	type secondary;
	file "secondary.demo.zone";
	ixfr - base "secondary.demo.zone.ixfr";	// File name for IXFR transaction
						// log file
	primaries {
		1.2.3.4 port 10 key "foo";	// where to zone transfer from
		5.6.7.8;			// NOTE(review): no key, so this
						// transfer is unauthenticated.
		6.7.8.9 key "zippo";		// "foo" and "zippo" are not
						// defined as keys in this file.
	};
	transfer - source 10.0.0.53;	// fixes multihoming problems
	check - names warn;
	allow - update { none; };
	allow - transfer { any; };
	allow - update - forwarding { any; };	// NOTE(review): updates from
						// any client are relayed to
						// the primaries listed above.
	allow - query { any; };
	max - transfer - time - in 120;		// if not set, global option is used.
	max - transfer - time - out 1;		// if not set, global option is used.
	max - transfer - idle - in 2;		// if not set, global option is used.
	max - transfer - idle - out 3;		// if not set, global option is used.
	also - notify { 1.0.0.2; };
	forward only;
	forwarders {
		10.45.45.45;
		10.0.0.3;
		1 : 2 : 3 : 4 : 5 : 6 : 7 : 8;
	};
};

key "non-viewkey" {
	secret "YWFh";		// base64 of "aaa": a three-byte placeholder,
				// far shorter than a real TSIG secret.
	algorithm "zzz";	// not a real TSIG algorithm; parser input only.
};

view "test-view" in {
	key "viewkey" {
		algorithm "xxx";	// placeholder algorithm name
		secret "eXl5";		// base64 of "yyy"; placeholder secret
	};
	also - notify { 10.2.2.3; };
	managed - keys { foo.com.static 4 3 2 "abdefghijklmnopqrstuvwxyz"; };
	sig - validity - interval 45;
	max - cache - size 100000;
	allow - query { 10.0.0.30; };	// narrows the global "any" for this view
	additional - from - cache false;
	additional - from - auth no;
	match - clients { 10.0.0.1; };	// only this client is routed to this view
	check - names primary warn;
	check - names secondary ignore;
	check - names response fail;
	auth - nxdomain false;
	recursion true;
	provide - ixfr false;
	request - ixfr true;
	fetch - glue true;
	notify false;
	rfc2308 - type1 false;
	transfer - source 10.0.0.55;
	transfer - source - v6 4 : 3 : 8 : 1 : 5 : 6 : 7 : 8;
	query - source port *address 10.0.0.54;
	query - source - v6 address 6 : 6 : 6 : 6 : 6 : 6 : 6 : 6 port *;
	max - transfer - time - out 45;
	max - transfer - idle - out 55;
	min - roots 3;
	lame - ttl 477;
	max - ncache - ttl 333;
	max - cache - ttl 777;
	transfer - format many - answers;
	max - retry - time 7;
	min - retry - time 4;
	max - refresh - time 999;
	min - refresh - time 111;

	zone "view-zone.com" {
		type primary;
		allow - update - forwarding { 10.0.0.34; };
		file "view-zone-primary";
	};

	server 5.6.7.8 { keys "viewkey"; };

	server 10.9.8.7 { keys "non-viewkey"; };
	dialup yes;
};

zone "stub.demo.zone" {
	type stub;		// stub zones are like secondary zones,
				// except that only the NS records
				// are transferred.
	dialup yes;
	file "stub.demo.zone";
	primaries {
		1.2.3.4;	// where to zone transfer from
		5.6.7.8 port 999;
	};
	check - names warn;
	allow - update { none; };
	allow - transfer { any; };
	allow - query { any; };

	max - retry - time 10;
	min - retry - time 11;
	max - refresh - time 12;
	min - refresh - time 13;

	max - transfer - time - in 120;	// if not set, global option is used.
	pubkey 257 255 1 "a useless key";	// placeholder key material
	pubkey 257 255 1 "another useless key";
};

zone "." {
	type hint;	// used to be specified w/ "cache"
	file "cache.db";
	// pubkey 257 255 1
	//"AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
};

managed - keys {
	// the same key material as the commented-out pubkey in zone "."
	// above, written here as three string tokens
	"." static 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/"
			     "KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP"
			     "/rick6gvEer5VcDEkLR5Q==";
};

acl can_query {
	!1.2.3 / 24;
	any;
};			// network 1.2.3.0 mask 255.255.255.0
			// is disallowed; the rest are OK
acl can_axfr {
	1.2.3.4;
	can_query;
};			// host 1.2.3.4 and any host allowed
			// by can_query are OK

zone "disabled-zone.com" {
	type primary;
	file "bar";

	max - retry - time 100;
	min - retry - time 110;
	max - refresh - time 120;
	min - refresh - time 130;
};

zone "non-default-acl.demo.zone" {
	type primary;
	file "foo";
	allow - query { can_query; };
	allow - transfer { can_axfr; };
	allow - update {	// NOTE(review): an address-only update ACL;
		1.2.3.4;	// the keyed grants in update-policy below
		5.6.7.8;	// are the stronger form. Both appear in one
	};			// zone here, presumably for parser coverage.
	pubkey 666 665 664 "key of the beast";
	// Errors trapped by parser:
	//	identity or name not absolute
	//	'wildcard' match type and no wildcard character in name
	//
	// issues:
	//	- certain rdatatype values (such as "key") are config file
	//	  keywords and
	//	  must be quoted or a syntax error will occur.
	//

	update - policy {
		grant root.domain.subdomain host.domain.A MX CNAME;
		grant sub.root.domain.wildcard *.host.domain.A;
		grant root.domain.name host.domain.a ns md mf cname soa mb mg mr
			"null" wks ptr hinfo minfo mx txt rp afsdb x25 isdn rt
			nsap sig "key" px gpos aaaa loc nxt srv naptr kx
			cert a6 dname opt unspec uri tkey tsig;
		grant foo.bar.com.self foo.bar.com.a;
	};
};

key sample_key {		// for TSIG; supported by parser
	algorithm hmac - md5;	// but not yet implemented in the
	secret "eW91ciBzZWNyZXQgaGVyZQ==";	// rest of the server
	// NOTE(review): hmac-md5 is the oldest TSIG algorithm; an
	// hmac-sha family algorithm is what a new configuration would use.
};

key key2 {
	algorithm hmac - md5;
	secret "ZXJlaCB0ZXJjZXMgcm91eQ==";	// placeholder secret
};

acl key_acl { key sample_key; };	// a request signed with sample_key

server 1.2.3.4 {
	request - ixfr no;
	provide - ixfr no;
	bogus no;			// if yes, we won't query or listen
					// to this server
	transfer - format one - answer;	// set transfer format for this
					// server (see the description of
					// 'transfer-format' above)
					// if not specified, the global option
					// will be used
	transfers 0;			// not implemented
	keys{ "sample_key" };		// for TSIG; supported by the parser
					// but not yet implemented in the
					// rest of the server
	#Now called 'request-ixfr'
	#support - ixfr yes;		// for IXFR supported by server
					// if yes, the listed server talks IXFR
};

logging {
	/*
	 * All log output goes to one or more "channels"; you can make as
	 * many of them as you want.
	 */

	channel syslog_errors {	// this channel will send errors or
		syslog user;	// worse to syslog (user facility)
		severity error;
	};

	channel stderr_errors { stderr; };

	/*
	 * Channels have a severity level. Messages at severity levels
	 * greater than or equal to the channel's level will be logged on
	 * the channel. In order of decreasing severity, the levels are:
	 *
	 * critical		a fatal error
	 * error
	 * warning
	 * notice		a normal, but significant event
	 * info			an informational message
	 * debug 1		the least detailed debugging info
	 * ...
	 * debug 99		the most detailed debugging info
	 */

	/*
	 * Here are the built-in channels:
	 *
	 * channel default_syslog {
	 *	syslog daemon;
	 *	severity info;
	 * };
	 *
	 * channel default_debug {
	 *	file "named.run";	// note: stderr is used instead
	 *				// of "named.run" if the server
	 *				// is started with the "-f"
	 *				// option.
	 *	severity dynamic;	// this means log debugging
	 *				// at whatever debugging level
	 *				// the server is at, and don't
	 *				// log anything if not
	 *				// debugging.
	 * };
	 *
	 * channel null {		// this is the bit bucket;
	 *	file "/dev/null";	// any logging to this channel
	 *				// is discarded.
	 * };
	 *
	 * channel default_stderr {	// writes to stderr
	 *	file "<stderr>";	// this is illustrative only;
	 *				// there's currently no way
	 *				// of saying "stderr" in the
	 *				// configuration language.
	 *				// i.e. don't try this at home.
	 *	severity info;
	 * };
	 *
	 * default_stderr only works before the server daemonizes (i.e.
	 * during initial startup) or when it is running in foreground
	 * mode (-f command line option).
	 */

	/*
	 * There are many categories, so you can send the logs
	 * you want to see wherever you want, without seeing logs you
	 * don't want. Right now the categories are
	 *
	 * default		the catch-all. many things still
	 *			aren't classified into categories, and
	 *			they all end up here. also, if you
	 *			don't specify any channels for a
	 *			category, the default category is used
	 *			instead.
	 * config		high-level configuration file
	 *			processing
	 * parser		low-level configuration file processing
	 * queries		what used to be called "query logging"
	 * lame-servers		messages like "Lame server on ..."
	 * statistics
	 * panic		if the server has to shut itself
	 *			down due to an internal problem, it
	 *			logs the problem here (as well as
	 *			in the problem's native category)
	 * update		dynamic update
	 * ncache		negative caching
	 * xfer-in		zone transfers we're receiving
	 * xfer-out		zone transfers we're sending
	 * db			all database operations
	 * eventlib		debugging info from the event system
	 *			(see below)
	 * packet		dumps of packets received and sent
	 *			(see below)
	 * notify		the NOTIFY protocol
	 * cname		messages like "XX points to a CNAME"
	 * security		approved/unapproved requests
	 * os			operating system problems
	 * insist		consistency check failures
	 * maintenance		periodic maintenance
	 * load			zone loading
	 * response-checks	messages like
	 *			"Malformed response ..."
	 *			"wrong ans. name ..."
	 *			"unrelated additional info ..."
	 *			"invalid RR type ..."
	 *			"bad referral ..."
	 */

	category parser {
		syslog_errors;	// you can log to as many channels
		default_syslog;	// as you want
	};

	category lame - servers { null; };	// don't log these at all

	channel moderate_debug {
		file "foo";		// foo
		severity debug 3;	// level 3 debugging to file
		print - time yes;	// timestamp log entries
		print - category yes;	// print category name
		print - severity yes;	// print severity level
		/*
		 * Note that debugging must have been turned on either
		 * on the command line or with a signal to get debugging
		 * output (non-debugging output will still be written to
		 * this channel).
		 */
	};

	channel another {
		file "bar" versions 99 size 10M;
		severity info;
	};

	channel third {
		file "bar" size 100000 versions unlimited;
		severity debug;		// use default debug level
	};

	/*
	 * If you don't want to see "zone XXXX loaded" messages but do
	 * want to see any problems, you could do the following.
	 */
	channel no_info_messages {
		syslog;
		severity notice;
	};

	category load { no_info_messages; };

	/*
	 * You can also define category "default"; it gets used when no
	 * "category" statement has been given for a category.
	 */
	category default {
		default_syslog;
		moderate_debug;
	};

	/*
	 * If you don't define category default yourself, the default
	 * default category will be used. It is
	 *
	 *	category default { default_syslog; default_debug; };
	 */

	/*
	 * If you don't define category panic yourself, the default
	 * panic category will be used. It is
	 *
	 *	category panic { default_syslog; default_stderr; };
	 */

	/*
	 * Two categories, 'packet' and 'eventlib', are special. Only one
	 * channel may be assigned to each of them, and it must be a
	 * file channel. If you don't define them yourself, they default to
	 *
	 *	category eventlib { default_debug; };
	 *
	 *	category packet { default_debug; };
	 */
};

// NOTE(review): "#" starts a shell-style comment (see the top of this file),
// so as written the include line below is itself a comment.
#include "filename"; // can't do within a statement