NAMED.CONF(5)			    BIND 9			 NAMED.CONF(5)

NAME
       named.conf - configuration file for named

SYNOPSIS
       named.conf

DESCRIPTION
       named.conf is the configuration file for	named.

       For complete documentation about the configuration statements, please
       refer to the Configuration Reference section in the BIND 9
       Administrator Reference Manual.

       Statements are enclosed in braces and terminated with a semicolon.
       Clauses in the statements are also terminated with a semicolon. The
       usual comment styles are supported:

       C style:	/* */

       C++ style: // to	end of line

       Unix style: # to	end of line

	  acl <string> { <address_match_element>; ... }; // may	occur multiple times

	  controls {
	       inet ( <ipv4_address> | <ipv6_address> |	* ) [ port ( <integer> | * ) ] allow { <address_match_element>;	... } [	keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple	times
	       unix <quoted_string> perm <integer> owner <integer> group <integer> [ keys { <string>; ... } ] [	read-only <boolean> ]; // may occur multiple times
	  }; //	may occur multiple times

	  dlz <string> {
	       database	<string>;
	       search <boolean>;
	  }; //	may occur multiple times

	  dnssec-policy	<string> {
	       cdnskey <boolean>;
	       cds-digest-types	{ <string>; ...	};
	       dnskey-ttl <duration>;
	       inline-signing <boolean>;
	       keys { (	csk | ksk | zsk	) [ key-directory | key-store <string> ] lifetime <duration_or_unlimited> algorithm <string> [ tag-range <integer> <integer> ] [ <integer> ]; ... };
	       max-zone-ttl <duration>;
	       nsec3param [ iterations <integer> ] [ optout <boolean> ]	[ salt-length <integer>	];
	       offline-ksk <boolean>;
	       parent-ds-ttl <duration>;
	       parent-propagation-delay	<duration>;
	       publish-safety <duration>;
	       purge-keys <duration>;
	       retire-safety <duration>;
	       signatures-jitter <duration>;
	       signatures-refresh <duration>;
	       signatures-validity <duration>;
	       signatures-validity-dnskey <duration>;
	       zone-propagation-delay <duration>;
	  }; //	may occur multiple times

	  dyndb	<string> <quoted_string> { <unspecified-text> }; // may	occur multiple times

	  http <string>	{
	       endpoints { <quoted_string>; ...	};
	       listener-clients	<integer>;
	       streams-per-connection <integer>;
	  }; //	may occur multiple times

	  key <string> {
	       algorithm <string>;
	       secret <string>;
	  }; //	may occur multiple times

	  key-store <string> {
	       directory <string>;
	       pkcs11-uri <quoted_string>;
	  }; //	may occur multiple times

	  logging {
	       category	<string> { <string>; ... }; // may occur multiple times
	       channel <string>	{
		    buffered <boolean>;
		    file <quoted_string> [ versions ( unlimited	| <integer> ) ]	[ size <size> ]	[ suffix ( increment | timestamp ) ];
		    null;
		    print-category <boolean>;
		    print-severity <boolean>;
		    print-time ( iso8601 | iso8601-utc | local | <boolean> );
		    severity <log_severity>;
		    stderr;
		    syslog [ <syslog_facility> ];
	       }; // may occur multiple	times
	  };

	  managed-keys { <string> ( static-key | initial-key | static-ds | initial-ds )	<integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated

	  options {
	       allow-new-zones <boolean>;
	       allow-notify { <address_match_element>; ... };
	       allow-proxy { <address_match_element>; ... }; //	experimental
	       allow-proxy-on {	<address_match_element>; ... };	// experimental
	       allow-query { <address_match_element>; ... };
	       allow-query-cache { <address_match_element>; ...	};
	       allow-query-cache-on { <address_match_element>; ... };
	       allow-query-on {	<address_match_element>; ... };
	       allow-recursion { <address_match_element>; ... };
	       allow-recursion-on { <address_match_element>; ... };
	       allow-transfer [	port <integer> ] [ transport <string> ]	{ <address_match_element>; ... };
	       allow-update { <address_match_element>; ... };
	       allow-update-forwarding { <address_match_element>; ... };
	       also-notify [ port <integer> ] [	source ( <ipv4_address>	| * ) ]	[ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address>	[ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string>	] [ tls	<string> ]; ...	};
	       answer-cookie <boolean>;
	       attach-cache <string>;
	       auth-nxdomain <boolean>;
	       automatic-interface-scan	<boolean>;
	       avoid-v4-udp-ports { <portrange>; ... };	// deprecated
	       avoid-v6-udp-ports { <portrange>; ... };	// deprecated
	       bindkeys-file <quoted_string>; // test only
	       blackhole { <address_match_element>; ...	};
	       catalog-zones { zone <string> [ default-primaries [ port	<integer> ] [ source ( <ipv4_address> |	* ) ] [	source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [	port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]	[ tls <string> ]; ... }	] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
	       check-dup-records ( fail	| warn | ignore	);
	       check-integrity <boolean>;
	       check-mx	( fail | warn |	ignore );
	       check-mx-cname (	fail | warn | ignore );
	       check-names ( primary | master |	secondary | slave | response ) ( fail |	warn | ignore ); // may	occur multiple times
	       check-sibling <boolean>;
	       check-spf ( warn	| ignore );
	       check-srv-cname ( fail |	warn | ignore );
	       check-svcb <boolean>;
	       check-wildcard <boolean>;
	       clients-per-query <integer>;
	       cookie-algorithm	( siphash24 );
	       cookie-secret <string>; // may occur multiple times
	       deny-answer-addresses { <address_match_element>;	... } [	except-from { <string>;	... } ];
	       deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ];
	       dialup (	notify | notify-passive	| passive | refresh | <boolean>	); // deprecated
	       directory <quoted_string>;
	       disable-algorithms <string> { <string>; ... }; // may occur multiple times
	       disable-ds-digests <string> { <string>; ... }; // may occur multiple times
	       disable-empty-zone <string>; // may occur multiple times
	       dns64 <netprefix> {
		    break-dnssec <boolean>;
		    clients { <address_match_element>; ... };
		    exclude { <address_match_element>; ... };
		    mapped { <address_match_element>; ... };
		    recursive-only <boolean>;
		    suffix <ipv6_address>;
	       }; // may occur multiple	times
	       dns64-contact <string>;
	       dns64-server <string>;
	       dnskey-sig-validity <integer>; // obsolete
	       dnsrps-enable <boolean>;
	       dnsrps-library <quoted_string>;
	       dnsrps-options {	<unspecified-text> };
	       dnssec-accept-expired <boolean>;
	       dnssec-dnskey-kskonly <boolean>;	// obsolete
	       dnssec-loadkeys-interval	<integer>;
	       dnssec-must-be-secure <string> <boolean>; // may	occur multiple times, deprecated
	       dnssec-policy <string>;
	       dnssec-secure-to-insecure <boolean>; // obsolete
	       dnssec-update-mode ( maintain | no-resign ); // obsolete
	       dnssec-validation ( yes | no | auto );
	       dnstap {	( all |	auth | client |	forwarder | resolver | update )	[ ( query | response ) ]; ... };
	       dnstap-identity ( <quoted_string> | none	| hostname );
	       dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited	| <size> ) ] [ versions	( unlimited | <integer>	) ] [ suffix ( increment | timestamp ) ];
	       dnstap-version (	<quoted_string>	| none );
	       dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port	<integer> ] | <ipv4_address> [ port <integer> ]	| <ipv6_address> [ port	<integer> ] ); ... };
	       dump-file <quoted_string>;
	       edns-udp-size <integer>;
	       empty-contact <string>;
	       empty-server <string>;
	       empty-zones-enable <boolean>;
	       fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
	       fetches-per-server <integer> [ (	drop | fail ) ];
	       fetches-per-zone	<integer> [ ( drop | fail ) ];
	       flush-zones-on-shutdown <boolean>;
	       forward ( first | only );
	       forwarders [ port <integer> ] [ tls <string> ] {	( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
	       fstrm-set-buffer-hint <integer>;
	       fstrm-set-flush-timeout <integer>;
	       fstrm-set-input-queue-size <integer>;
	       fstrm-set-output-notify-threshold <integer>;
	       fstrm-set-output-queue-model ( mpsc | spsc );
	       fstrm-set-output-queue-size <integer>;
	       fstrm-set-reopen-interval <duration>;
	       geoip-directory ( <quoted_string> | none	); // not configured
	       heartbeat-interval <integer>; //	deprecated
	       hostname	( <quoted_string> | none );
	       http-listener-clients <integer>;
	       http-port <integer>;
	       http-streams-per-connection <integer>;
	       https-port <integer>;
	       interface-interval <duration>;
	       ipv4only-contact	<string>;
	       ipv4only-enable <boolean>;
	       ipv4only-server <string>;
	       ixfr-from-differences ( primary | master	| secondary | slave | <boolean>	);
	       keep-response-order { <address_match_element>; ... }; //	obsolete
	       key-directory <quoted_string>;
	       lame-ttl	<duration>;
	       listen-on [ port	<integer> ] [ proxy <string> ] [ tls <string> ]	[ http <string>	] { <address_match_element>; ... }; // may occur multiple times
	       listen-on-v6 [ port <integer> ] [ proxy <string>	] [ tls	<string> ] [ http <string> ] { <address_match_element>;	... }; // may occur multiple times
	       lmdb-mapsize <sizeval>;
	       managed-keys-directory <quoted_string>;
	       masterfile-format ( raw | text );
	       masterfile-style	( full | relative );
	       match-mapped-addresses <boolean>;
	       max-cache-size (	default	| unlimited | <sizeval>	| <percentage> );
	       max-cache-ttl <duration>;
	       max-clients-per-query <integer>;
	       max-ixfr-ratio (	unlimited | <percentage> );
	       max-journal-size	( default | unlimited |	<sizeval> );
	       max-ncache-ttl <duration>;
	       max-query-count <integer>;
	       max-query-restarts <integer>;
	       max-records <integer>;
	       max-records-per-type <integer>;
	       max-recursion-depth <integer>;
	       max-recursion-queries <integer>;
	       max-refresh-time	<integer>;
	       max-retry-time <integer>;
	       max-rsa-exponent-size <integer>;
	       max-stale-ttl <duration>;
	       max-transfer-idle-in <integer>;
	       max-transfer-idle-out <integer>;
	       max-transfer-time-in <integer>;
	       max-transfer-time-out <integer>;
	       max-types-per-name <integer>;
	       max-udp-size <integer>;
	       max-validation-failures-per-fetch <integer>; // experimental
	       max-validations-per-fetch <integer>; // experimental
	       max-zone-ttl ( unlimited	| <duration> );	// deprecated
	       memstatistics <boolean>;
	       memstatistics-file <quoted_string>;
	       message-compression <boolean>;
	       min-cache-ttl <duration>;
	       min-ncache-ttl <duration>;
	       min-refresh-time	<integer>;
	       min-retry-time <integer>;
	       min-transfer-rate-in <integer> <integer>;
	       minimal-any <boolean>;
	       minimal-responses ( no-auth | no-auth-recursive | <boolean> );
	       multi-master <boolean>;
	       new-zones-directory <quoted_string>;
	       no-case-compress	{ <address_match_element>; ... };
	       nocookie-udp-size <integer>;
	       notify (	explicit | master-only | primary-only |	<boolean> );
	       notify-delay <integer>;
	       notify-rate <integer>;
	       notify-source ( <ipv4_address> |	* );
	       notify-source-v6	( <ipv6_address> | * );
	       notify-to-soa <boolean>;
	       nsec3-test-zone <boolean>; // test only
	       nta-lifetime <duration>;
	       nta-recheck <duration>;
	       nxdomain-redirect <string>;
	       parental-source ( <ipv4_address>	| * );
	       parental-source-v6 ( <ipv6_address> | * );
	       pid-file	( <quoted_string> | none );
	       port <integer>;
	       preferred-glue <string>;
	       prefetch	<integer> [ <integer> ];
	       provide-ixfr <boolean>;
	       qname-minimization ( strict | relaxed | disabled	| off );
	       query-source [ address ]	( <ipv4_address> | * | none );
	       query-source-v6 [ address ] ( <ipv6_address> | *	| none );
	       querylog	<boolean>;
	       rate-limit {
		    all-per-second <integer>;
		    errors-per-second <integer>;
		    exempt-clients { <address_match_element>; ... };
		    ipv4-prefix-length <integer>;
		    ipv6-prefix-length <integer>;
		    log-only <boolean>;
		    max-table-size <integer>;
		    min-table-size <integer>;
		    nodata-per-second <integer>;
		    nxdomains-per-second <integer>;
		    qps-scale <integer>;
		    referrals-per-second <integer>;
		    responses-per-second <integer>;
		    slip <integer>;
		    window <integer>;
	       };
	       recursing-file <quoted_string>;
	       recursion <boolean>;
	       recursive-clients <integer>;
	       request-expire <boolean>;
	       request-ixfr <boolean>;
	       request-nsid <boolean>;
	       require-server-cookie <boolean>;
	       resolver-query-timeout <integer>;
	       resolver-use-dns64 <boolean>;
	       response-padding	{ <address_match_element>; ... } block-size <integer>;
	       response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl	<duration> ] [ min-update-interval <duration> ]	[ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [	nsip-enable <boolean> ]	[ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [	max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse	<boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean>	] [ nsip-enable	<boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options {	<unspecified-text> } ];
	       responselog <boolean>;
	       reuseport <boolean>;
	       root-key-sentinel <boolean>;
	       rrset-order { [ class <string> ]	[ type <string>	] [ name <quoted_string> ] <string> <string>; ... };
	       secroots-file <quoted_string>;
	       send-cookie <boolean>;
	       serial-query-rate <integer>;
	       serial-update-method ( date | increment | unixtime );
	       server-id ( <quoted_string> | none | hostname );
	       servfail-ttl <duration>;
	       session-keyalg <string>;
	       session-keyfile ( <quoted_string> | none	);
	       session-keyname <string>;
	       sig-signing-nodes <integer>;
	       sig-signing-signatures <integer>;
	       sig-signing-type	<integer>;
	       sig-validity-interval <integer> [ <integer> ]; // obsolete
	       sig0checks-quota	<integer>; // experimental
	       sig0checks-quota-exempt { <address_match_element>; ... }; // experimental
	       sig0key-checks-limit <integer>;
	       sig0message-checks-limit	<integer>;
	       sortlist	{ <address_match_element>; ... }; // deprecated
	       stale-answer-client-timeout ( disabled |	off | <integer>	);
	       stale-answer-enable <boolean>;
	       stale-answer-ttl	<duration>;
	       stale-cache-enable <boolean>;
	       stale-refresh-time <duration>;
	       startup-notify-rate <integer>;
	       statistics-file <quoted_string>;
	       synth-from-dnssec <boolean>;
	       tcp-advertised-timeout <integer>;
	       tcp-clients <integer>;
	       tcp-idle-timeout	<integer>;
	       tcp-initial-timeout <integer>;
	       tcp-keepalive-timeout <integer>;
	       tcp-listen-queue	<integer>;
	       tcp-receive-buffer <integer>;
	       tcp-send-buffer <integer>;
	       tkey-domain <quoted_string>;
	       tkey-gssapi-credential <quoted_string>;
	       tkey-gssapi-keytab <quoted_string>;
	       tls-port	<integer>;
	       transfer-format ( many-answers |	one-answer );
	       transfer-message-size <integer>;
	       transfer-source ( <ipv4_address>	| * );
	       transfer-source-v6 ( <ipv6_address> | * );
	       transfers-in <integer>;
	       transfers-out <integer>;
	       transfers-per-ns	<integer>;
	       trust-anchor-telemetry <boolean>;
	       try-tcp-refresh <boolean>;
	       udp-receive-buffer <integer>;
	       udp-send-buffer <integer>;
	       update-check-ksk	<boolean>; // obsolete
	       update-quota <integer>;
	       use-v4-udp-ports	{ <portrange>; ... }; // deprecated
	       use-v6-udp-ports	{ <portrange>; ... }; // deprecated
	       v6-bias <integer>;
	       validate-except { <string>; ... };
	       version ( <quoted_string> | none	);
	       zero-no-soa-ttl <boolean>;
	       zero-no-soa-ttl-cache <boolean>;
	       zone-statistics ( full |	terse |	none | <boolean> );
	  };

	  plugin ( query ) <string> [ {	<unspecified-text> } ];	// may occur multiple times

	  remote-servers <string> [ port <integer> ] [ source (	<ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | *	) ] { (	<server-list> |	<ipv4_address> [ port <integer>	] | <ipv6_address> [ port <integer> ] )	[ key <string> ] [ tls <string>	]; ... }; // may occur multiple	times

	  server <netprefix> {
	       bogus <boolean>;
	       edns <boolean>;
	       edns-udp-size <integer>;
	       edns-version <integer>;
	       keys <server_key>;
	       max-udp-size <integer>;
	       notify-source ( <ipv4_address> |	* );
	       notify-source-v6	( <ipv6_address> | * );
	       padding <integer>;
	       provide-ixfr <boolean>;
	       query-source [ address ]	( <ipv4_address> | * );
	       query-source-v6 [ address ] ( <ipv6_address> | *	);
	       request-expire <boolean>;
	       request-ixfr <boolean>;
	       request-nsid <boolean>;
	       require-cookie <boolean>;
	       send-cookie <boolean>;
	       tcp-keepalive <boolean>;
	       tcp-only	<boolean>;
	       transfer-format ( many-answers |	one-answer );
	       transfer-source ( <ipv4_address>	| * );
	       transfer-source-v6 ( <ipv6_address> | * );
	       transfers <integer>;
	  }; //	may occur multiple times

	  statistics-channels {
	       inet ( <ipv4_address> | <ipv6_address> |	* ) [ port ( <integer> | * ) ] [ allow { <address_match_element>; ... }	]; // may occur	multiple times
	  }; //	may occur multiple times

	  tls <string> {
	       ca-file <quoted_string>;
	       cert-file <quoted_string>;
	       cipher-suites <string>;
	       ciphers <string>;
	       dhparam-file <quoted_string>;
	       key-file	<quoted_string>;
	       prefer-server-ciphers <boolean>;
	       protocols { <string>; ... };
	       remote-hostname <quoted_string>;
	       session-tickets <boolean>;
	  }; //	may occur multiple times

	  trust-anchors	{ <string> ( static-key	| initial-key |	static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>;	... }; // may occur multiple times

	  trusted-keys { <string> <integer> <integer> <integer>	<quoted_string>; ... };	// may occur multiple times, deprecated

	  view <string>	[ <class> ] {
	       allow-new-zones <boolean>;
	       allow-notify { <address_match_element>; ... };
	       allow-proxy { <address_match_element>; ... }; //	experimental
	       allow-proxy-on {	<address_match_element>; ... };	// experimental
	       allow-query { <address_match_element>; ... };
	       allow-query-cache { <address_match_element>; ...	};
	       allow-query-cache-on { <address_match_element>; ... };
	       allow-query-on {	<address_match_element>; ... };
	       allow-recursion { <address_match_element>; ... };
	       allow-recursion-on { <address_match_element>; ... };
	       allow-transfer [	port <integer> ] [ transport <string> ]	{ <address_match_element>; ... };
	       allow-update { <address_match_element>; ... };
	       allow-update-forwarding { <address_match_element>; ... };
	       also-notify [ port <integer> ] [	source ( <ipv4_address>	| * ) ]	[ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address>	[ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string>	] [ tls	<string> ]; ...	};
	       attach-cache <string>;
	       auth-nxdomain <boolean>;
	       catalog-zones { zone <string> [ default-primaries [ port	<integer> ] [ source ( <ipv4_address> |	* ) ] [	source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [	port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]	[ tls <string> ]; ... }	] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
	       check-dup-records ( fail	| warn | ignore	);
	       check-integrity <boolean>;
	       check-mx	( fail | warn |	ignore );
	       check-mx-cname (	fail | warn | ignore );
	       check-names ( primary | master |	secondary | slave | response ) ( fail |	warn | ignore ); // may	occur multiple times
	       check-sibling <boolean>;
	       check-spf ( warn	| ignore );
	       check-srv-cname ( fail |	warn | ignore );
	       check-svcb <boolean>;
	       check-wildcard <boolean>;
	       clients-per-query <integer>;
	       deny-answer-addresses { <address_match_element>;	... } [	except-from { <string>;	... } ];
	       deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ];
	       dialup (	notify | notify-passive	| passive | refresh | <boolean>	); // deprecated
	       disable-algorithms <string> { <string>; ... }; // may occur multiple times
	       disable-ds-digests <string> { <string>; ... }; // may occur multiple times
	       disable-empty-zone <string>; // may occur multiple times
	       dlz <string> {
		    database <string>;
		    search <boolean>;
	       }; // may occur multiple	times
	       dns64 <netprefix> {
		    break-dnssec <boolean>;
		    clients { <address_match_element>; ... };
		    exclude { <address_match_element>; ... };
		    mapped { <address_match_element>; ... };
		    recursive-only <boolean>;
		    suffix <ipv6_address>;
	       }; // may occur multiple	times
	       dns64-contact <string>;
	       dns64-server <string>;
	       dnskey-sig-validity <integer>; // obsolete
	       dnsrps-enable <boolean>;
	       dnsrps-options {	<unspecified-text> };
	       dnssec-accept-expired <boolean>;
	       dnssec-dnskey-kskonly <boolean>;	// obsolete
	       dnssec-loadkeys-interval	<integer>;
	       dnssec-must-be-secure <string> <boolean>; // may	occur multiple times, deprecated
	       dnssec-policy <string>;
	       dnssec-secure-to-insecure <boolean>; // obsolete
	       dnssec-update-mode ( maintain | no-resign ); // obsolete
	       dnssec-validation ( yes | no | auto );
	       dnstap {	( all |	auth | client |	forwarder | resolver | update )	[ ( query | response ) ]; ... };
	       dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port	<integer> ] | <ipv4_address> [ port <integer> ]	| <ipv6_address> [ port	<integer> ] ); ... };
	       dyndb <string> <quoted_string> {	<unspecified-text> }; // may occur multiple times
	       edns-udp-size <integer>;
	       empty-contact <string>;
	       empty-server <string>;
	       empty-zones-enable <boolean>;
	       fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
	       fetches-per-server <integer> [ (	drop | fail ) ];
	       fetches-per-zone	<integer> [ ( drop | fail ) ];
	       forward ( first | only );
	       forwarders [ port <integer> ] [ tls <string> ] {	( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
	       ipv4only-contact	<string>;
	       ipv4only-enable <boolean>;
	       ipv4only-server <string>;
	       ixfr-from-differences ( primary | master	| secondary | slave | <boolean>	);
	       key <string> {
		    algorithm <string>;
		    secret <string>;
	       }; // may occur multiple	times
	       key-directory <quoted_string>;
	       lame-ttl	<duration>;
	       lmdb-mapsize <sizeval>;
	       managed-keys { <string> ( static-key | initial-key | static-ds |	initial-ds ) <integer> <integer> <integer> <quoted_string>; ...	}; // may occur	multiple times,	deprecated
	       masterfile-format ( raw | text );
	       masterfile-style	( full | relative );
	       match-clients { <address_match_element>;	... };
	       match-destinations { <address_match_element>; ... };
	       match-recursive-only <boolean>;
	       max-cache-size (	default	| unlimited | <sizeval>	| <percentage> );
	       max-cache-ttl <duration>;
	       max-clients-per-query <integer>;
	       max-ixfr-ratio (	unlimited | <percentage> );
	       max-journal-size	( default | unlimited |	<sizeval> );
	       max-ncache-ttl <duration>;
	       max-query-count <integer>;
	       max-query-restarts <integer>;
	       max-records <integer>;
	       max-records-per-type <integer>;
	       max-recursion-depth <integer>;
	       max-recursion-queries <integer>;
	       max-refresh-time	<integer>;
	       max-retry-time <integer>;
	       max-stale-ttl <duration>;
	       max-transfer-idle-in <integer>;
	       max-transfer-idle-out <integer>;
	       max-transfer-time-in <integer>;
	       max-transfer-time-out <integer>;
	       max-types-per-name <integer>;
	       max-udp-size <integer>;
	       max-validation-failures-per-fetch <integer>; // experimental
	       max-validations-per-fetch <integer>; // experimental
	       max-zone-ttl ( unlimited	| <duration> );	// deprecated
	       message-compression <boolean>;
	       min-cache-ttl <duration>;
	       min-ncache-ttl <duration>;
	       min-refresh-time	<integer>;
	       min-retry-time <integer>;
	       min-transfer-rate-in <integer> <integer>;
	       minimal-any <boolean>;
	       minimal-responses ( no-auth | no-auth-recursive | <boolean> );
	       multi-master <boolean>;
	       new-zones-directory <quoted_string>;
	       no-case-compress	{ <address_match_element>; ... };
	       nocookie-udp-size <integer>;
	       notify (	explicit | master-only | primary-only |	<boolean> );
	       notify-delay <integer>;
	       notify-source ( <ipv4_address> |	* );
	       notify-source-v6	( <ipv6_address> | * );
	       notify-to-soa <boolean>;
	       nsec3-test-zone <boolean>; // test only
	       nta-lifetime <duration>;
	       nta-recheck <duration>;
	       nxdomain-redirect <string>;
	       parental-source ( <ipv4_address>	| * );
	       parental-source-v6 ( <ipv6_address> | * );
	       plugin (	query )	<string> [ { <unspecified-text>	} ]; //	may occur multiple times
	       preferred-glue <string>;
	       prefetch	<integer> [ <integer> ];
	       provide-ixfr <boolean>;
	       qname-minimization ( strict | relaxed | disabled	| off );
	       query-source [ address ]	( <ipv4_address> | * | none );
	       query-source-v6 [ address ] ( <ipv6_address> | *	| none );
	       rate-limit {
		    all-per-second <integer>;
		    errors-per-second <integer>;
		    exempt-clients { <address_match_element>; ... };
		    ipv4-prefix-length <integer>;
		    ipv6-prefix-length <integer>;
		    log-only <boolean>;
		    max-table-size <integer>;
		    min-table-size <integer>;
		    nodata-per-second <integer>;
		    nxdomains-per-second <integer>;
		    qps-scale <integer>;
		    referrals-per-second <integer>;
		    responses-per-second <integer>;
		    slip <integer>;
		    window <integer>;
	       };
	       recursion <boolean>;
	       request-expire <boolean>;
	       request-ixfr <boolean>;
	       request-nsid <boolean>;
	       require-server-cookie <boolean>;
	       resolver-query-timeout <integer>;
	       resolver-use-dns64 <boolean>;
	       response-padding	{ <address_match_element>; ... } block-size <integer>;
	       response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl	<duration> ] [ min-update-interval <duration> ]	[ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [	nsip-enable <boolean> ]	[ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [	max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse	<boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean>	] [ nsip-enable	<boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options {	<unspecified-text> } ];
	       root-key-sentinel <boolean>;
	       rrset-order { [ class <string> ]	[ type <string>	] [ name <quoted_string> ] <string> <string>; ... };
	       send-cookie <boolean>;
	       serial-update-method ( date | increment | unixtime );
	       server <netprefix> {
		    bogus <boolean>;
		    edns <boolean>;
		    edns-udp-size <integer>;
		    edns-version <integer>;
		    keys <server_key>;
		    max-udp-size <integer>;
		    notify-source ( <ipv4_address> | * );
		    notify-source-v6 ( <ipv6_address> |	* );
		    padding <integer>;
		    provide-ixfr <boolean>;
		    query-source [ address ] ( <ipv4_address> |	* );
		    query-source-v6 [ address ]	( <ipv6_address> | * );
		    request-expire <boolean>;
		    request-ixfr <boolean>;
		    request-nsid <boolean>;
		    require-cookie <boolean>;
		    send-cookie	<boolean>;
		    tcp-keepalive <boolean>;
		    tcp-only <boolean>;
		    transfer-format ( many-answers | one-answer	);
		    transfer-source ( <ipv4_address> | * );
		    transfer-source-v6 ( <ipv6_address>	| * );
		    transfers <integer>;
	       }; // may occur multiple	times
	       servfail-ttl <duration>;
	       sig-signing-nodes <integer>;
	       sig-signing-signatures <integer>;
	       sig-signing-type	<integer>;
	       sig-validity-interval <integer> [ <integer> ]; // obsolete
	       sig0key-checks-limit <integer>;
	       sig0message-checks-limit	<integer>;
	       sortlist	{ <address_match_element>; ... }; // deprecated
	       stale-answer-client-timeout ( disabled |	off | <integer>	);
	       stale-answer-enable <boolean>;
	       stale-answer-ttl	<duration>;
	       stale-cache-enable <boolean>;
	       stale-refresh-time <duration>;
	       synth-from-dnssec <boolean>;
	       transfer-format ( many-answers |	one-answer );
	       transfer-source ( <ipv4_address>	| * );
	       transfer-source-v6 ( <ipv6_address> | * );
	       trust-anchor-telemetry <boolean>;
	       trust-anchors { <string>	( static-key | initial-key | static-ds | initial-ds ) <integer>	<integer> <integer> <quoted_string>; ... }; // may occur multiple times
	       trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; //	may occur multiple times, deprecated
	       try-tcp-refresh <boolean>;
	       update-check-ksk	<boolean>; // obsolete
	       v6-bias <integer>;
	       validate-except { <string>; ... };
	       zero-no-soa-ttl <boolean>;
	       zero-no-soa-ttl-cache <boolean>;
	       zone-statistics ( full |	terse |	none | <boolean> );
	  }; //	may occur multiple times

       Any of these zone statements can also be set inside the view statement.

	  zone <string>	[ <class> ] {
	       type primary;
	       allow-query { <address_match_element>; ... };
	       allow-query-on {	<address_match_element>; ... };
	       allow-transfer [	port <integer> ] [ transport <string> ]	{ <address_match_element>; ... };
	       allow-update { <address_match_element>; ... };
	       also-notify [ port <integer> ] [	source ( <ipv4_address>	| * ) ]	[ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address>	[ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string>	] [ tls	<string> ]; ...	};
	       check-dup-records ( fail	| warn | ignore	);
	       check-integrity <boolean>;
	       check-mx	( fail | warn |	ignore );
	       check-mx-cname (	fail | warn | ignore );
	       check-names ( fail | warn | ignore );
	       check-sibling <boolean>;
	       check-spf ( warn	| ignore );
	       check-srv-cname ( fail |	warn | ignore );
	       check-svcb <boolean>;
	       check-wildcard <boolean>;
	       checkds ( explicit | <boolean> );
	       database	<string>;
	       dialup (	notify | notify-passive	| passive | refresh | <boolean>	); // deprecated
	       dlz <string>;
	       dnskey-sig-validity <integer>; // obsolete
	       dnssec-dnskey-kskonly <boolean>;	// obsolete
	       dnssec-loadkeys-interval	<integer>;
	       dnssec-policy <string>;
	       dnssec-secure-to-insecure <boolean>; // obsolete
	       dnssec-update-mode ( maintain | no-resign ); // obsolete
	       file <quoted_string>;
	       forward ( first | only );
	       forwarders [ port <integer> ] [ tls <string> ] {	( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
	       inline-signing <boolean>;
	       ixfr-from-differences <boolean>;
	       journal <quoted_string>;
	       key-directory <quoted_string>;
	       masterfile-format ( raw | text );
	       masterfile-style	( full | relative );
	       max-ixfr-ratio (	unlimited | <percentage> );
	       max-journal-size	( default | unlimited |	<sizeval> );
	       max-records <integer>;
	       max-records-per-type <integer>;
	       max-transfer-idle-out <integer>;
	       max-transfer-time-out <integer>;
	       max-types-per-name <integer>;
	       max-zone-ttl ( unlimited	| <duration> );	// deprecated
	       notify (	explicit | master-only | primary-only |	<boolean> );
	       notify-delay <integer>;
	       notify-source ( <ipv4_address> |	* );
	       notify-source-v6	( <ipv6_address> | * );
	       notify-to-soa <boolean>;
	       nsec3-test-zone <boolean>; // test only
	       parental-agents [ port <integer>	] [ source ( <ipv4_address> | *	) ] [ source-v6	( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address>	[ port <integer> ] ) [ key <string> ] [	tls <string> ];	... };
	       parental-source ( <ipv4_address>	| * );
	       parental-source-v6 ( <ipv6_address> | * );
	       serial-update-method ( date | increment | unixtime );
	       sig-signing-nodes <integer>;
	       sig-signing-signatures <integer>;
	       sig-signing-type	<integer>;
	       sig-validity-interval <integer> [ <integer> ]; // obsolete
	       update-check-ksk	<boolean>; // obsolete
	       update-policy ( local | { ( deny	| grant	) <string> ( 6to4-self | external | krb5-self |	krb5-selfsub | krb5-subdomain |	krb5-subdomain-self-rhs	| ms-self | ms-selfsub | ms-subdomain |	ms-subdomain-self-rhs |	name | self | selfsub |	selfwild | subdomain | tcp-self	| wildcard | zonesub ) [ <string> ] <rrtypelist>; ... }	);
	       zero-no-soa-ttl <boolean>;
	       zone-statistics ( full |	terse |	none | <boolean> );
	  };

	  zone <string>	[ <class> ] {
	       type secondary;
	       allow-notify { <address_match_element>; ... };
	       allow-query { <address_match_element>; ... };
	       allow-query-on {	<address_match_element>; ... };
	       allow-transfer [	port <integer> ] [ transport <string> ]	{ <address_match_element>; ... };
	       allow-update-forwarding { <address_match_element>; ... };
	       also-notify [ port <integer> ] [	source ( <ipv4_address>	| * ) ]	[ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address>	[ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string>	] [ tls	<string> ]; ...	};
	       check-names ( fail | warn | ignore );
	       checkds ( explicit | <boolean> );
	       database	<string>;
	       dialup (	notify | notify-passive	| passive | refresh | <boolean>	); // deprecated
	       dlz <string>;
	       dnskey-sig-validity <integer>; // obsolete
	       dnssec-dnskey-kskonly <boolean>;	// obsolete
	       dnssec-loadkeys-interval	<integer>;
	       dnssec-policy <string>;
	       dnssec-update-mode ( maintain | no-resign ); // obsolete
	       file <quoted_string>;
	       forward ( first | only );
	       forwarders [ port <integer> ] [ tls <string> ] {	( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
	       inline-signing <boolean>;
	       ixfr-from-differences <boolean>;
	       journal <quoted_string>;
	       key-directory <quoted_string>;
	       masterfile-format ( raw | text );
	       masterfile-style	( full | relative );
	       max-ixfr-ratio (	unlimited | <percentage> );
	       max-journal-size	( default | unlimited |	<sizeval> );
	       max-records <integer>;
	       max-records-per-type <integer>;
	       max-refresh-time	<integer>;
	       max-retry-time <integer>;
	       max-transfer-idle-in <integer>;
	       max-transfer-idle-out <integer>;
	       max-transfer-time-in <integer>;
	       max-transfer-time-out <integer>;
	       max-types-per-name <integer>;
	       min-refresh-time	<integer>;
	       min-retry-time <integer>;
	       min-transfer-rate-in <integer> <integer>;
	       multi-master <boolean>;
	       notify (	explicit | master-only | primary-only |	<boolean> );
	       notify-delay <integer>;
	       notify-source ( <ipv4_address> |	* );
	       notify-source-v6	( <ipv6_address> | * );
	       notify-to-soa <boolean>;
	       nsec3-test-zone <boolean>; // test only
	       parental-agents [ port <integer>	] [ source ( <ipv4_address> | *	) ] [ source-v6	( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address>	[ port <integer> ] ) [ key <string> ] [	tls <string> ];	... };
	       parental-source ( <ipv4_address>	| * );
	       parental-source-v6 ( <ipv6_address> | * );
	       primaries [ port	<integer> ] [ source ( <ipv4_address> |	* ) ] [	source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [	port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]	[ tls <string> ]; ... };
	       request-expire <boolean>;
	       request-ixfr <boolean>;
	       sig-signing-nodes <integer>;
	       sig-signing-signatures <integer>;
	       sig-signing-type	<integer>;
	       sig-validity-interval <integer> [ <integer> ]; // obsolete
	       transfer-source ( <ipv4_address>	| * );
	       transfer-source-v6 ( <ipv6_address> | * );
	       try-tcp-refresh <boolean>;
	       update-check-ksk	<boolean>; // obsolete
	       zero-no-soa-ttl <boolean>;
	       zone-statistics ( full |	terse |	none | <boolean> );
	  };

	  zone <string>	[ <class> ] {
	       type mirror;
	       allow-notify { <address_match_element>; ... };
	       allow-query { <address_match_element>; ... };
	       allow-query-on {	<address_match_element>; ... };
	       allow-transfer [	port <integer> ] [ transport <string> ]	{ <address_match_element>; ... };
	       allow-update-forwarding { <address_match_element>; ... };
	       also-notify [ port <integer> ] [	source ( <ipv4_address>	| * ) ]	[ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address>	[ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string>	] [ tls	<string> ]; ...	};
	       check-names ( fail | warn | ignore );
	       database	<string>;
	       file <quoted_string>;
	       ixfr-from-differences <boolean>;
	       journal <quoted_string>;
	       masterfile-format ( raw | text );
	       masterfile-style	( full | relative );
	       max-ixfr-ratio (	unlimited | <percentage> );
	       max-journal-size	( default | unlimited |	<sizeval> );
	       max-records <integer>;
	       max-records-per-type <integer>;
	       max-refresh-time	<integer>;
	       max-retry-time <integer>;
	       max-transfer-idle-in <integer>;
	       max-transfer-idle-out <integer>;
	       max-transfer-time-in <integer>;
	       max-transfer-time-out <integer>;
	       max-types-per-name <integer>;
	       min-refresh-time	<integer>;
	       min-retry-time <integer>;
	       min-transfer-rate-in <integer> <integer>;
	       multi-master <boolean>;
	       notify (	explicit | master-only | primary-only |	<boolean> );
	       notify-delay <integer>;
	       notify-source ( <ipv4_address> |	* );
	       notify-source-v6	( <ipv6_address> | * );
	       primaries [ port	<integer> ] [ source ( <ipv4_address> |	* ) ] [	source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [	port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]	[ tls <string> ]; ... };
	       request-expire <boolean>;
	       request-ixfr <boolean>;
	       transfer-source ( <ipv4_address>	| * );
	       transfer-source-v6 ( <ipv6_address> | * );
	       try-tcp-refresh <boolean>;
	       zero-no-soa-ttl <boolean>;
	       zone-statistics ( full |	terse |	none | <boolean> );
	  };

	  zone <string>	[ <class> ] {
	       type forward;
	       forward ( first | only );
	       forwarders [ port <integer> ] [ tls <string> ] {	( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
	  };

	  zone <string>	[ <class> ] {
	       type hint;
	       check-names ( fail | warn | ignore );
	       file <quoted_string>;
	  };

	  zone <string>	[ <class> ] {
	       type redirect;
	       allow-query { <address_match_element>; ... };
	       allow-query-on {	<address_match_element>; ... };
	       dlz <string>;
	       file <quoted_string>;
	       masterfile-format ( raw | text );
	       masterfile-style	( full | relative );
	       max-records <integer>;
	       max-records-per-type <integer>;
	       max-types-per-name <integer>;
	       max-zone-ttl ( unlimited	| <duration> );	// deprecated
	       primaries [ port	<integer> ] [ source ( <ipv4_address> |	* ) ] [	source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [	port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]	[ tls <string> ]; ... };
	       zone-statistics ( full |	terse |	none | <boolean> );
	  };

	  zone <string>	[ <class> ] {
	       type static-stub;
	       allow-query { <address_match_element>; ... };
	       allow-query-on {	<address_match_element>; ... };
	       forward ( first | only );
	       forwarders [ port <integer> ] [ tls <string> ] {	( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
	       max-records <integer>;
	       max-records-per-type <integer>;
	       max-types-per-name <integer>;
	       server-addresses	{ ( <ipv4_address> | <ipv6_address> ); ... };
	       server-names { <string>;	... };
	       zone-statistics ( full |	terse |	none | <boolean> );
	  };

	  zone <string>	[ <class> ] {
	       type stub;
	       allow-query { <address_match_element>; ... };
	       allow-query-on {	<address_match_element>; ... };
	       check-names ( fail | warn | ignore );
	       database	<string>;
	       dialup (	notify | notify-passive	| passive | refresh | <boolean>	); // deprecated
	       file <quoted_string>;
	       forward ( first | only );
	       forwarders [ port <integer> ] [ tls <string> ] {	( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
	       masterfile-format ( raw | text );
	       masterfile-style	( full | relative );
	       max-records <integer>;
	       max-records-per-type <integer>;
	       max-refresh-time	<integer>;
	       max-retry-time <integer>;
	       max-transfer-idle-in <integer>;
	       max-transfer-time-in <integer>;
	       max-types-per-name <integer>;
	       min-refresh-time	<integer>;
	       min-retry-time <integer>;
	       min-transfer-rate-in <integer> <integer>;
	       multi-master <boolean>;
	       primaries [ port	<integer> ] [ source ( <ipv4_address> |	* ) ] [	source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [	port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]	[ tls <string> ]; ... };
	       transfer-source ( <ipv4_address>	| * );
	       transfer-source-v6 ( <ipv6_address> | * );
	       zone-statistics ( full |	terse |	none | <boolean> );
	  };

	  zone <string>	[ <class> ] {
	       in-view <string>;
	  };

FILES
       /usr/local/etc/namedb/named.conf

SEE ALSO
       named(8), named-checkconf(8), rndc(8), rndc-confgen(8), tsig-keygen(8),
       BIND 9 Administrator Reference Manual.

AUTHOR
       Internet Systems Consortium

COPYRIGHT
       2025, Internet Systems Consortium

9.20.9				  2025-05-08			 NAMED.CONF(5)
