第八章：配置参考

BIND 9的操作功能是使用文件 named.conf 定义的，该文件通常位于 /etc/local/etc/namedb 中，具体取决于操作系统或发行版。如果rndc从远程主机运行，则会出现另一个文件 rndc.conf ，但如果 rndc 是从 localhost 运行的（与BIND 9运行的系统相同），则不需要该文件。

8.1. 配置文件 (named.conf)

named.conf 的文件可能包含三种类型的实体：

Comment 支持多种评论格式。
Block blocks(块)是语句的容器，这些语句要么具有共同的功能，例如，在 key 块中定义加密密钥，要么定义语句的范围，例如，出现在 zone 块中的语句仅对该区域具有范围。
块在 named.conf 中按层次组织，可能具有许多不同的属性：
- 某些块不能嵌套在其他块中，因此可以被视为最顶层的块：例如，options 块和 logging 块。
- 某些块可以出现多次，在这种情况下，它们有一个相关的名称来消除歧义：例如，zone 块（ zone example.com{…};）或 key 块（ key mykey{…} ）。
- 某些块可能“嵌套”在其他块中。例如，zone 块可能出现在视图块内。
本手册中每个块的描述列出了其允许的位置。
Statement
- 语句定义和控制特定的BIND行为。
- 语句可以有一个参数（Value —— 值）或多个参数（Argument/Value —— 参数/值对）。例如，recursion 语句只接受一个值参数——在这种情况下，是字符串 yes 或 no （recursion yes;）——而 port 语句接受一个定义DNS端口号的数值（ port 53; ）。更复杂的语句需要一个或多个参数/值对。also-notify port 5353 语句可以采用多个这样的参数/值对，其中 port 是参数， 5353 是相应的值。
- 语句可以出现在单个块中，例如， algorithm 语句只能出现在一个 key 块中，也可以出现在多个块中。例如，一条 also-notify 语句可能出现在具有全局（服务器范围）作用域的 options 块中，出现在仅具有特定区域作用域的 zone 块中（并覆盖任何全局语句），甚至出现在仅具有该视图作用域（并覆盖所有全局语句）的 view 块中。

named.conf 文件可能还包含一个或多个include Directive 的实例。提供此指令是为了在组装完整的 named.conf 文件时便于管理，在BIND 9的操作特性或功能中不起后续作用。

注意：多年来，BIND ARM获得了一系列令人困惑的术语。使用的许多术语描述了类似的概念，只会给BIND 9配置增加一层复杂性，可能是混乱，也可能是神秘感。ARM现在只使用术语Block(块)、Statement(语句)、Argument(参数)、Value(值) 和 Directive(指令)来描述BIND 9配置中使用的所有实体。

8.1.1. 注释语法

BIND 9注释语法允许注释出现在BIND配置文件中可能出现空白的任何地方。为了吸引各种程序员，它们可以用C、C++或shell/Perl风格编写。

8.1.1.1. 语法


xxxxxxxxxx
/* This is a BIND comment as in C */


xxxxxxxxxx
// This is a BIND comment as in C++


xxxxxxxxxx
# This is a BIND comment as in common Unix shells
# and Perl

8.1.1.2. 定义和用法

注释可以插入BIND配置文件中可能出现空白的任何位置。

C风格的注释以两个字符 /*（斜线、星号）开头，以*/（星号、斜线）结尾。因为它们完全由这些字符分隔，所以它们只能用于注释一行的一部分或跨越多行。

C风格的注释不能嵌套。例如，以下内容无效，因为整个注释以第一个*/结尾：


xxxxxxxxxx
/* This is the start of a comment.
   This is still part of the comment.
/* This is an incorrect attempt at nesting a comment. */
   This is no longer in any comment. */

C++风格的注释以两个字符//（斜线、斜线）开头，并一直持续到物理行的末尾。它们不能跨越多条物理线；要使一个逻辑注释跨越多行，每行都必须使用//对。例如：


xxxxxxxxxx
// This is the start of a comment.  The next line
// is a new comment, even though it is logically
// part of the previous comment.

Shell风格（或Perl风格）的注释以字符#（数字/磅符号）开头，并继续到物理行的末尾，就像C++注释一样。例如：


xxxxxxxxxx
# This is the start of a comment.  The next line
# is a new comment, even though it is logically
# part of the previous comment.

警告：与区域文件不同，分号（;）字符不能开始注释。分号表示配置语句的结束。

8.1.2. 配置布局样式

BIND对打开和关闭括号/大括号、分号以及后面部分形式语法中定义的所有其他分隔符都非常挑剔。有许多布局样式可以帮助减少错误，如下例所示：


xxxxxxxxxx
// dense single-line style
zone "example.com" in{type secondary; file "secondary.example.com"; primaries {10.0.0.1;};};
//  single-statement-per-line style
zone "example.com" in{
        type secondary;
        file "secondary.example.com";
        primaries {10.0.0.1;};
};
// spot the difference
zone "example.com" in{
        type secondary;
file "sec.secondary.com";
primaries {10.0.0.1;}; };

8.1.3. `include` 指令


xxxxxxxxxx
include filename;

8.1.3.1. `include` 指令定义和使用

include指令在遇到include指令的位置插入指定的文件（如果检测到有效的glob表达式，则插入多个文件）。include指令允许读取或写入某些内容，但不允许读取或写其他内容，从而方便了配置文件的管理。例如，该语句可能包含只能由名称服务器读取的私钥。

8.1.4. 地址匹配列表

8.1.4.1. 语法

地址匹配列表是以分号分隔的address_match_element s的列表。


xxxxxxxxxx
{ <address_match_element>; ... };

然后将每个元素定义为：

address_match_element


xxxxxxxxxx
[ ! ] ( <ip_address> | <netprefix> | key <server_key> | <acl_name> | { address_match_list } )

8.1.4.2. 定义和用法

地址匹配列表主要用于确定各种服务器操作的访问控制。它们也用于 listen-on 和 sortlist 语句。构成地址匹配列表的元素可以是以下任何一种：

ip_address：ip地址（IPv4或IPv6）
netprefix：IP前缀（用 / 表示法）
server_key：密钥ID，由 key 语句定义
acl_name：用 acl 语句定义的地址匹配列表的名称
用大括号括起来的嵌套地址匹配列表

元素可以用前导感叹号（! ）否定，匹配列表名称 “any”、 “none”、 “localhost” 和 “localnets” 是预定义的。有关这些名称的更多信息，请参阅acl语句的描述。

添加key子句使这个语法元素的名称有点用词不当，因为安全密钥可用于验证访问，而不考虑主机或网络地址。尽管如此，"address match list“(地址匹配列表)一词仍在整个文档中使用。

当将给定的IP地址或前缀与地址匹配列表进行比较时，比较大约需要O(1)时间。然而，密钥比较要求遍历密钥列表，直到找到匹配的密钥，因此可能会稍微慢一些。

匹配的解释取决于列表是用于访问控制、定义 listen-on 端口还是用于 sortlist ，以及元素是否被否定。

当用作访问控制列表时，非否定匹配允许访问，否定匹配拒绝访问。如果没有匹配，则拒绝访问。这些子句 allow-notify 、 allow-recursion 、 allow-recursion-on 、 allow-query 、 allow-query-cache 、 allow-query-cache-on 、 allow-transfer 、 allow-update 、 allow-update-forwarding 和 blackhole 都使用地址匹配列表。同样， listen-on 选项会导致服务器拒绝对任何与列表不匹配的机器地址进行查询。

插入顺序很重要。如果发现ACL中有多个元素与给定的IP地址或前缀匹配，则首选ACL定义中的第一个元素。由于这种首次匹配行为，定义列表中另一个元素子集的元素应该位于更广泛的元素之前，无论其中任何一个是否被否定。例如，在 1.2.3/24; !1.2.3.13; 1.2.3.13元素完全无用，因为该算法将1.2.3.13的任何查找与1.2.3/24元素相匹配。使用 ! 1.2.3.13; 1.2.3/24 通过否定阻塞1.2.3.13来修复该问题，但所有其他1.2.3.*主机都通过。

8.1.5. 所用术语表

以下是BIND配置文件文档中使用的术语列表：

acl_name
acl 语句定义的address_match_list的名称。
address_match_list
参阅 Address Match Lists。
boolean
yes 或 no 。单词 true 和 false 也被接受，数字 1 和 0 也是如此。
domain_name
用作DNS名称的引号字符串；例如：my.test.domain。
duration
BIND 9中的持续时间(duration)可以用三种方式编写：作为表示秒的单个数字，作为具有TTL风格时间单位后缀的数字串，或采用ISO 6801持续时间格式。
允许的TTL时间单位后缀为：“W”（周）、“D”（日）、“H”（小时）、“M”（分钟）和“S”（秒）。示例：“1W”（1周），“3d12h”（3天12小时）。
ISO 8601持续时间格式由字母“P”组成，后面是一系列可选的数字，单位后缀为“Y”（年）、“M”（月）、“W”（周）和“D”（日）；这可以选择后面跟着字母“T”，以及另一系列带有单位后缀“H”（小时）、“M”（分钟）和“S”（秒）的数字。示例：“P3M10D”（3个月10天）、“P2WT12H”（2周12小时）、“pt15m”（15分钟）。有关ISO 8601持续时间格式的更多信息，请参阅RFC 3339附录A。
TTL样式和ISO 8601持续时间格式都不区分大小写。
fixedpoint
一个非负实数，可以精确到百分之一。小数点前最多可指定五位数字，小数点后最多可指定两位数字，因此最大值为9999.99。可接受的值可能会受到使用它们的上下文的进一步限制。
integer
一个非负的32位整数（即介于0和4294967295之间的数字，包括0和42949267295）。其可接受的价值可能会受到使用环境的进一步限制。
ip_address
ipv4_address或ipv6——address。
ipv4_address
一个IPv4地址，有四个值为0到255的整数元素，用点（.）分隔，如 192.168.1.1 （一种所有四个元素都存在的“点分十进制”表示法）。
ipv6_address
IPv6地址，例如 2001:db8::1234 。IPv6范围内的地址在其范围区域上有歧义，必须用适当的区域ID来消除歧义，并用百分比字符（%）作为分隔符。强烈建议使用字符串区域名称而不是数字标识符，以对系统配置更改具有鲁棒性。但是，由于此类名称和标识符值没有标准映射，因此只支持作为链接标识符的接口名称，假设接口和链接之间存在一对一映射。例如，连接到接口 ne0 的链接上的链接本地地址 fe80::1 可以指定为 fe80::1%ne0 。请注意，在大多数系统中，链路本地地址总是存在歧义，需要消除歧义。
netprefix
指定为IP_address的IP网络，后跟斜线（/），然后是网络掩码中的位数。ip_address中的尾随零可以省略。例如，127/8 是具有子网掩码 255.0.0.0 的网络 127.0.0.0 ， 1.2.3.0/28 是具有子网掩码 255.255.255.240 的网络 1.2.3.0 。当指定涉及IPv6作用域地址的前缀时，可以省略作用域。在这种情况下，前缀会匹配来自任何范围的数据包。
percentage
一个整数值，后跟%表示百分比。
port
IP端口整数。它被限制在0到65535之间，低于1024的值通常仅限于以root身份运行的进程使用。在某些情况下，星号（*）字符可以用作占位符，以选择随机的高编号端口。
portrange
端口或端口范围的列表。端口范围以 range 的形式指定，后跟两个端口，port_low 和 port_high ，表示从 port_low 到 port_high 的端口号。port_low 不能大于 port_high 。例如，range 1024 65535 表示1024到65535之间的端口。星号（*）字符不允许作为有效端口或端口范围边界。
remote-servers
一个或多个ip_address的命名列表，具有可选的 tls_id、server_key和/或端口。 remote-servers 列表可能包括其他远程服务器列表。请参见 primaries 模块。
size
sizeval
一个64位无符号整数。整数可能取值0<=值<=18446744073709551615，尽管某些参数（如 max-journal-size ）在这些极端值内可能使用更有限的范围。在大多数情况下，将值设置为0并不意味着零；它的意思是“未定义”或“尽可能大”，具体取决于上下文。有关如何解释其使用的详细信息，请参阅使用 size 的特定参数的解释。数值后面可以选择一个缩放因子：K 或 k 表示千字节，M 或 m 表示兆字节，G 或 g 表示千兆字节，分别按1024、1024*1024 和 1024*1024*1024 缩放。
一些语句也接受关键字 unlimited 或 default:unlimited 通常意味着“尽可能大”，通常是安全设置非常大的数字的最佳方式。default 使用服务器启动时生效的限制。
tls-id
定义TLS密钥和证书的命名TLS配置对象。请参阅 tls 块。

8.2. 块

BIND 9配置由blocks(块)、statements(语句)和comment(注释)组成。

支持以下块：

acl
定义一个命名IP地址匹配列表，用于访问控制和其他用途。
controls
声明 rndc 实用程序要使用的控制通道。
dnssec-policy
描述区域的DNSSEC密钥和签名策略。详见 dnssec-policy 。
key
指定用于使用TSIG进行身份验证和授权的密钥信息。
key-store
描述DNSSEC密钥存储。有关详细信息，请参阅 key-store Grammar。
logging
指定服务器记录的信息以及日志消息的发送位置。
masters
primaries 的同义词。
options
控制全局服务器配置选项，并为其他语句设置默认值。
parental-agents
定义一个命名的服务器列表，以包含在主区域和辅助区域的 parental-agents 列表中。
primaries
定义一个命名的服务器列表，以包含在存根和辅助区域的 primaries 或 also-notify 列表中。（注意：这是原始关键字 master 的同义词，仍然可以使用，但不再是首选术语。）
server
在每台服务器的基础上设置某些配置选项。
statistics-channels
声明通信通道以访问 named 统计信息。
tls
指定TLS连接的配置信息，包括 key-file 、cert-file 、 ca-file 、 dhparam-file 、remote-hostname 、 ciphers 、 protocols 、prefer-server-ciphers 和 session-tickets 。
http
指定HTTP连接的配置信息，包括 endpoints 、 listener-clients 和 streams-per-connection 。
trust-anchors
定义DNSSEC信任锚(anchors)：如果与 initial-key 或 initial-ds 关键字一起使用，则使用 RFC 5011 信任锚维护使信任锚保持最新；如果与 static-key 或 static-dc 一起使用，密钥是永久的。
managed-key
与 trust-anchors 相同；此选项已被弃用，取而代之的是带有 initial-key 关键字的 trust-anchors ，并可能在未来的版本中被删除。
trusted-keys
定义永久可信DNSSEC密钥；此选项已被弃用，取而代之的是使用 static-key 关键字的 trust-anchors ，并可能在未来的版本中被删除。
view
定义视图。
zone
定义区域。

logging 和 options 语句在每个配置中只能出现一次。

8.2.1. `acl` 块语法

acl
Grammar: acl <string> { <address_match_element>; ... }; // may occur multiple times
Blocks: topmost
Tags: server
为地址匹配列表分配符号名称。

8.2.2. `acl` 块定义和使用

acl 语句为地址匹配列表分配一个符号名称。它的名称来自地址匹配列表的主要用途之一：访问控制列表（Access Control Lists —— ACL）。

内置了以下ACL：

any
匹配所有主机。
none
不匹配主机。
localhost
匹配系统上所有网络接口的IPv4和IPv6地址。当添加或删除地址时，localhost ACL元素会更新以反映更改。
localnets
匹配系统具有接口的IPv4或IPv6网络上的任何主机。当添加或删除地址时， localnets ACL元素会更新以反映这些更改。一些系统不提供确定本地IPv6地址前缀长度的方法；在这种情况下，localnets 只匹配本地IPv6地址，就像 localhost 一样。

8.2.3. `controls` 块语法

controls

Gammar:


xxxxxxxxxx
controls {
    inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
    unix <quoted_string> perm <integer> owner <integer> group <integer> [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
}; // may occur multiple times

Blocks: topmost

Tags: server

指定用于管理名称服务器的控制通道。

8.2.4. `controls` 块定义和使用

controls 语句声明了系统管理员用于管理名称服务器操作的控制通道。rndc 实用程序使用这些控制通道向名称服务器发送命令并从名称服务器检索非DNS结果。

unix
Grammar: unix <quoted_string> perm <integer> owner <integer> group <integer> [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
Blocks: controls
Tags: obsolete
指定Unix域套接字作为控制通道。
此选项已被删除，使用它将导致致命错误。
inet
Grammar controls: inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
Grammar statistics-channels: inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] [ allow { <address_match_element>; ... } ]; // may occur multiple times
Blocks: controls, statistics-channels
Tags: server
指定TCP套接字作为控制通道。
inet 控制通道是一个TCP套接字，在指定的ip_address（可以是IPv4或IPv6地址）上的指定端口侦听。*（星号）的ip_address被解释为IPv4通配符地址；在系统的任何IPv4地址上都接受连接。要监听IPv6通配符地址，请使用ip_address :: 。如果 rndc 仅在本地主机上使用，建议使用环回地址（127.0.0.1 或 ::1）以获得最大安全性。
如果没有指定端口，则使用端口953。星号 * 不能用于端口。
通过控制信道发出命令的能力受到 allow 和 keys 子句的限制。
- allow
  根据 address_match_list ，允许连接到控制通道。这仅用于基于IP地址的简单过滤； address_match_list 中的任何 server_key 元素都将被忽略。
- keys
  命令通道的主要授权机制是 server_key 列表。每个列出的 key 都有权通过控制通道执行命令。有关在 rndc 中配置密钥的信息，请参阅管理工具。
read-only
如果 read-only 设置为 on ，则控制通道仅限于以下一组只读命令：nta-dump 、null 、status 、showzone 、 testgen 和 zonestatus 。默认情况下， read-only 未启用，控制通道允许读写访问。

如果不存在 controls 语句，named 将设置一个默认控制信道，监听环回地址127.0.0.1及其IPv6对应地址::1。在这种情况下，以及当 controls 语句存在但没有 keys 子句时， named 会尝试从 /etc/rndc.key 文件加载命令通道键。要创建 rndc.key 文件，请运行 rndc-confgen -a 。

要禁用命令通道，请使用空的 controls 语句：controls { }; 。

8.2.5. `key` 块语法

key

Grammar:


xxxxxxxxxx
key <string> {
    algorithm <string>;
    secret <string>;
}; // may occur multiple times

Blocks: topmost,view

Tags: security

定义与TSIG或命令通道一起使用的共享密钥。

8.2.6. `key` 块定义和使用

key 语句定义了一个共享密钥，用于TSIG（见TSIG）或命令通道（见 controls ）。

key 语句可以出现在配置文件的顶层或 view 语句中。顶级 key 语句中定义的密钥可以在所有视图中使用。用于 controls 语句的密钥必须在顶层定义。

server_key ，也称为密钥名，是唯一标识密钥的域名。它可以在 server 语句中用于使发送到该服务器的请求使用此密钥进行签名，也可以在地址匹配列表中用于验证传入请求是否已使用与此名称、算法和密钥匹配的密钥进行签名。

algorithm
Gammar : algorithm <string>;
Blocks : key, view.key
Tags : security
定义要在键子句中使用的算法。
algorithm_id 是一个指定安全/身份验证算法的字符串。 named 服务器支持 hmac-md5 、 hmac-sha1 、 hmac-sha224 、 hmac-shah256 、 hmac-sha384 和 hmac-sha512 TSIG身份验证。通过在破折号前附加所需比特的最小数量来支持截断哈希，例如 hmac-sha1-80 。
secret
Gammar : secret <string>;
Blocks : key, view.key
Tags : security
定义一个Base64编码的字符串，作为算法的秘密。
secret_string 是算法使用的秘密，被视为Base64编码的字符串。

8.2.7. `key-store` 块语法

key-store

Grammar :


xxxxxxxxxx
key-store <string> {
    directory <string>;
    pkcs11-uri <quoted_string>;
}; // may occur multiple times

Blocks : topmost

Tags : dnssec

配置DNSSEC密钥存储。

8.2.8. `key-store` 快定义和使用

key-store 声明定义了DNSSEC密钥的存储方式。

有一个名为 key-directroy 的内置密钥存储。配置密钥以使用 key-store key-directroy 与使用 key-directroy 相同。

可以在密钥存储语句中指定以下选项：

pkcs11-uri
Grammar : pkcs11-uri <quoted_string>;
Blocks : key-store
Tags : dnssec, pkcs11
uri 是一个指定PKCS#11 URI 方案（在RFC 7512中定义）的字符串。设置后， named 会尝试在相应的PKCS#11令牌内创建密钥。这要求BIND使用OpenSSL 3构建，并配置PKCS#11提供程序。

8.2.9. `logging` Block Grammar

8.2.10. `logging` Block Definition and Usage

8.2.10.1. The `channel` Phrase

8.2.10.2. The `category` Phrase

8.2.10.3. The `query-errors` Category

8.2.11. `parental-agents` Block Grammar

8.2.12. `parental-agents` Block Definition and Usage

8.2.13. `primaries` Block Grammar

8.2.14. `primaries` Block Definition and Usage

8.2.15. `options` Block Grammar

8.2.16. `options` Block Definition and Usage

8.2.16.1. Boolean Options

8.2.16.2. Forwarding

8.2.16.3. Dual-stack Servers

8.2.16.4. Access Control

8.2.16.5. Interfaces

8.2.16.6. Query Address

8.2.16.7. Zone Transfers

8.2.16.8. Server Resource Limits

8.2.16.9. Periodic Task Intervals

8.2.16.10. The `sortlist` Statement

8.2.16.11. RRset Ordering

8.2.16.12. Tuning

8.2.16.13. Built-in Server Information Zones

8.2.16.14. Built-in Empty Zones

8.2.16.15. Content Filtering

8.2.16.16. Response Policy Zone (RPZ) Rewriting

8.2.16.17. Response Rate Limiting

8.2.16.18. NXDOMAIN Redirection

8.2.17. `server` Block Grammar

8.2.18. `server` Block Definition and Usage

8.2.19. `statistics-channels` Block Grammar

8.2.20. `statistics-channels` Block Definition and Usage

8.2.21. `tls` Block Grammar

8.2.22. `tls` Block Definition and Usage

8.2.23. `http` Block Grammar

8.2.24. `http` Block Definition and Usage

8.2.25. `trust-anchors` Block Grammar

8.2.26. `trust-anchors` Block Definition and Usage

8.2.27. `dnssec-policy` Block Grammar

8.2.28. `dnssec-policy` Block Definition and Usage

8.2.28.1. Automated KSK Rollovers

8.2.29. `managed-keys` Block Grammar

8.2.30. `managed-keys` Block Definition and Usage

8.2.31. `trusted-keys` Block Grammar

8.2.32. `trusted-keys` Block Definition and Usage

8.2.33. `view` Block Grammar

8.2.34. `view` Block Definition and Usage

8.2.35. `zone` Block Grammar

8.2.36. `zone` Block Definition and Usage

8.2.36.1. Zone Types

8.2.36.2. Class

8.2.36.3. Zone Options

8.2.36.4. Dynamic Update Policies

8.2.36.5. Multiple Views

8.3. 声明

BIND 9支持数百条语句；找到正确的陈述来控制特定的行为或解决特定的问题可能是一项艰巨的任务。为了简化用户的任务，所有语句都被分配了一个或多个标签（tags）。标签旨在将具有大致相似功能的语句组合在一起；因此，例如，所有控制查询处理或区域传输的语句都分别标记在 query 和 transfer 下。

DNSSEC Tag Statements 【8.4.1.】
是与DNSSEC相关或控制DNSSEC的部分。
Logging Tag Statements 【8.4.2.】
与日志记录相关或控制日志记录并且通常仅出现在日志记录块中。
Query Tag Statements 【8.4.3.】
与查询相关或控制查询。

Security Tag Statements 【8.4.4.】
涉及或控制安全特征。
Server Tag Statements 【8.4.5.】
与服务器行为相关或控制服务器行为并且通常仅出现在服务器块中。
Transfer Tag Statements 【8.4.6.】
涉及或控制区域转移。
View Tag Statements 【8.4.7.】
与视图选择标准相关或控制视图选择标准并且通常仅出现在视图块中。
Zone Tag Statements 【8.4.8.】
与区域行为相关或控制区域行为并且通常仅出现在区域块中。
Deprecated Tag Statements 【8.4.9.】
这些是现在已弃用的，但此处包含以供历史参考。

下表列出了 named.conf 中允许的所有语句及其相关标签；下一节将按标签对语句进行分组。请注意，这些部分仍在进行中。

Statement	Description	Tags
acl	Assigns a symbolic name to an address match list. 为地址匹配列表分配符号名称。	server
algorithm	Defines the algorithm to be used in a key clause. 定义要在键子句中使用的算法。	security
all-per-second	Limits UDP responses of all kinds. 限制所有类型的UDP响应。	query
allow-new-zones	Controls the ability to add zones at runtime via `rndc addzone`. 通过 `rndc-addzone` 控制在运行时添加区域的能力	server, zone
allow-notify	Defines an `address_match_list` that is allowed to send `NOTIFY` messages for the zone, in addition to addresses defined in the `primaries` option for the zone. 定义一个 `address_match_list` ，除了在该区域的 `primarys` 选项中定义的地址外，还允许该区域发送 `NOTIFY` 消息。	transfer
allow-proxy	Defines an `address_match_list` for the client addresses allowed to send PROXYv2 headers. 为允许发送PROXYv2标头的客户端地址定义一个 `address_match_list` 。	server
allow-proxy-on	Defines an `address_match_list` for the interface addresses allowed to accept PROXYv2 headers. The option is mostly intended for multi-homed configurations. 为允许接受PROXYv2标头的接口地址定义一个`address_match_list`。该选项主要用于多宿主配置。	server
allow-query	Specifies which hosts (an IP address list) are allowed to send queries to this resolver. 指定允许哪些主机（IP地址列表）向此解析器发送查询。	query
allow-query-cache	Specifies which hosts (an IP address list) can access this server's cache and thus effectively controls recursion. 指定哪些主机（IP地址列表）可以访问此服务器的缓存，从而有效地控制递归。	query
allow-query-cache-on	Specifies which hosts (from an IP address list) can access this server's cache. It is used on servers with multiple interfaces. 指定哪些主机（来自IP地址列表）可以访问此服务器的缓存。它用于具有多个接口的服务器。	query
allow-query-on	Specifies which local addresses (an IP address list) are allowed to send queries to this resolver. This option is used in multi-homed configurations. 指定允许哪些本地地址（IP地址列表）向此解析器发送查询。此选项用于多宿主配置。	query
allow-recursion	Defines an `address_match_list` of clients that are allowed to perform recursive queries. 定义允许执行递归查询的客户端的 `address_match_list` 。	query
allow-recursion-on	Specifies which local addresses can accept recursive queries. 指定哪些本地地址可以接受递归查询。	query, server
allow-transfer	Defines an `address_match_list` of hosts that are allowed to transfer the zone information from this server. 定义一个 `address_match_list` 允许从该服务器传输区域信息的主机。	transfer
allow-update	Defines an `address_match_list` of hosts that are allowed to submit dynamic updates for primary zones. 定义允许从该服务器传输区域信息的主机的 `address_match_list` 。	transfer
allow-update-forwarding	Defines an `address_match_list` of hosts that are allowed to submit dynamic updates to a secondary server for transmission to a primary. 定义允许向辅助服务器提交动态更新以传输到主服务器的主机的 `address_match_list` 。	transfer
also-notify	Defines one or more hosts that are sent `NOTIFY` messages when zone changes occur. 定义一个或多个在发生区域更改时发送 `NOTIFY` 消息的主机。	transfer
answer-cookie	Controls whether COOKIE EDNS replies are sent in response to client queries. 控制是否发送COOKIE EDNS回复以响应客户端查询。	query
attach-cache	Allows multiple views to share a single cache database. 允许多个视图共享单个缓存数据库。	view
auth-nxdomain	Controls whether BIND, acting as a resolver, provides authoritative NXDOMAIN (domain does not exist) answers. 控制充当解析器的BIND是否提供权威的NXDOMAIN（域不存在）答案。	query
automatic-interface-scan	Controls the automatic rescanning of network interfaces when addresses are added or removed. 控制添加或删除地址时网络接口的自动重新扫描。	server
avoid-v4-udp-ports	Specifies the range(s) of ports to be excluded from use as sources for UDP/IPv4 messages. 指定要排除用作UDP/IPv4消息源的端口范围。	deprecated
avoid-v6-udp-ports	Specifies the range(s) of ports to be excluded from use as sources for UDP/IPv6 messages. 指定要排除用作UDP/IPv6消息源的端口范围。	deprecated
bindkeys-file	Specifies the pathname of a file to override the built-in trusted keys provided by `named`. 指定文件的路径名，以覆盖 `named` 提供的内置可信密钥。	dnssec
blackhole	Defines an `address_match_list` of hosts to ignore. The server will neither respond to queries from nor send queries to these addresses. 定义一个 `address_match_list` 来忽略主机。服务器既不会响应来自这些地址的查询，也不会向这些地址发送查询。	query
bogus	Allows a remote server to be ignored. 允许忽略远程服务器。	server
break-dnssec	Enables `dns64` synthesis even if the validated result would cause a DNSSEC validation failure. 启用 `dns64` 合成，即使验证结果会导致DNSSEC验证失败。	query
buffered	Controls flushing of log messages. 控制日志消息的刷新。	logging
ca-file	Specifies the path to a file containing TLS certificates for trusted CA authorities, used to verify remote peer certificates. 指定包含受信任CA机构的TLS证书的文件的路径，用于验证远程对等证书。	server, security
catalog-zones	Configures catalog zones in `named.conf`. 在 `named.conf` 中配置目录区域。	zone
category	Specifies the type of data logged to a particular channel. 指定记录到特定通道的数据类型。	logging
cdnskey	Specifies whether a CDNSKEY record should be published during KSK rollover. 指定在KSK滚动期间是否应发布CDNSKEY记录。	dnssec
cds-digest-types	Specifies the digest types to use for CDS resource records. 指定用于CDS资源记录的摘要类型。	dnssec
cert-file	Specifies the path to a file containing the TLS certificate for a connection. 指定包含连接TLS证书的文件的路径。	server, security
channel	Defines a stream of data that can be independently logged. 定义可以独立记录的数据流。	logging
check-dup-records	Checks primary zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS. 检查主区域中DNSSEC视为不同但在纯DNS中语义相等的记录。	dnssec, query
check-integrity	Performs post-load zone integrity checks on primary zones. 对主区域执行加载后区域完整性检查。	zone
check-mx	Checks whether an MX record appears to refer to an IP address. 检查MX记录是否指向IP地址。	zone
check-mx-cname	Sets the response to MX records that refer to CNAMEs. 设置对引用CNAME的MX记录的响应。	zone
check-names	Restricts the character set and syntax of certain domain names in primary files and/or DNS responses received from the network. 限制从网络接收到的主文件和/或DNS响应中某些域名的字符集和语法。	query, server
check-sibling	Specifies whether to check for sibling glue when performing integrity checks. 指定在执行完整性检查时是否检查兄弟胶水。	zone
check-spf	Specifies whether to check for a TXT Sender Policy Framework record, if an SPF record is present. 指定是否检查TXT发件人策略框架记录（如果存在SPF记录）。	zone
check-srv-cname	Sets the response to SRV records that refer to CNAMEs. 设置对引用CNAME的SRV记录的响应。	zone
check-svcb	Specifies whether to perform additional checks on SVCB records. 指定是否对SVCB记录执行其他检查。	zone
check-wildcard	Checks for non-terminal wildcards. 检查非终端通配符。	zone
checkds	Controls whether `DS` queries are sent to parental agents. 控制是否将“DS”查询发送给家长代理。	dnssec
cipher-suites	Specifies a list of allowed cipher suites in the order of preference for TLSv1.3 only. 仅按TLSv1.3的优先顺序指定允许的密码套件列表。	security
ciphers	Specifies a list of allowed ciphers in the order of preference for TLSv1.2 only. 仅按TLSv1.2的优先顺序指定允许的密码列表。	security
clients	Specifies an access control list (ACL) of clients that are affected by a given `dns64` directive. 指定受给定 `dns64` 影响的客户端的访问控制列表（ACL）指令。	query
clients-per-query	Sets the initial minimum number of simultaneous recursive clients accepted by the server for any given query before the server drops additional clients. 设置服务器在删除其他客户端之前，为任何给定查询接受的并发递归客户端的初始最小数量。	server
controls	Specifies control channels to be used to manage the name server. 指定用于管理名称服务器的控制通道。	server
cookie-algorithm	Sets the algorithm to be used when generating a server cookie. 设置生成服务器cookie时使用的算法。	server
cookie-secret	Specifies a shared secret used for generating and verifying EDNS COOKIE options within an anycast cluster. 指定用于在任意播群集中生成和验证EDNS COOKIE选项的共享密钥。	server
database	Specifies the type of database to be used to store zone data. 指定用于存储区域数据的数据库类型。	zone
deny-answer-addresses	Rejects A or AAAA records if the corresponding IPv4 or IPv6 addresses match a given `address_match_list`. 如果相应的IPv4或IPv6地址与给定的 `address_match_list` 匹配，则拒绝A或AAAA记录。	query
deny-answer-aliases	Rejects CNAME or DNAME records if the "alias" name matches a given list of `domain_name` elements. 如果“别名”名称与给定的 `domain_name` 列表匹配，则拒绝CNAME或DNAME记录元素。	query
dhparam-file	Specifies the path to a file containing Diffie-Hellman parameters, for enabling cipher suites. 指定包含Diffie-Hellman参数的文件的路径，以启用密码套件。	server, security
dialup	Concentrates zone maintenance so that all transfers take place once every `heartbeat-interval`, ideally during a single call. 集中区域维护，以便所有传输每 `heartbeat-interval` 发生一次，理想情况下是在单个呼叫期间。	deprecated
directory	Sets the server's working directory. 设置服务器的工作目录。	server
disable-algorithms	Disables DNSSEC algorithms from a specified zone. 从指定区域禁用DNSSEC算法。	dnssec
disable-ds-digests	Disables DS digest types from a specified zone. 禁用指定区域中的DS摘要类型。	dnssec, zone
disable-empty-zone	Disables individual empty zones. 禁用单个空白区域。	server, zone
dlz	Configures a Dynamically Loadable Zone (DLZ) database in `named.conf`. 在 `named.conf` 中配置动态可加载区域（DLZ）数据库。	zone
dns64	Instructs `named` to return mapped IPv4 addresses to AAAA queries when there are no AAAA records. 指令 `named` ，以便在没有AAAA记录时将映射的IPv4地址返回给AAAA查询。	query
dns64-contact	Specifies the name of the contact for `dns64` zones. 指定 `dns64` 的联系人姓名区域。	server
dns64-server	Specifies the name of the server for `dns64` zones. 指定 `dns64` 的服务器名称区域。	server
dnskey-sig-validity	(过时了)	obsolete
dnskey-ttl	Specifies the time-to-live (TTL) for DNSKEY resource records. 指定DNSKEY资源记录的生存时间（TTL）。	dnssec
dnsrps-enable	Turns on the DNS Response Policy Service (DNSRPS) interface. 打开DNS响应策略服务（DNSRPS）接口。	server, security
dnsrps-library	Specifies the path to the DNS Response Policy Service (DNSRPS) provider library. 指定DNS响应策略服务（DNSRPS）提供程序库的路径。	server, security
dnsrps-options	Provides additional RPZ configuration settings, which are passed to the DNS Response Policy Service (DNSRPS) provider library. 提供额外的RPZ配置设置，这些设置将传递给DNS响应策略服务（DNSRPS）提供程序库。	server, security
dnssec-accept-expired	Instructs BIND 9 to accept expired DNSSEC signatures when validating. 指示BIND 9在验证时接受过期的DNSSEC签名。	dnssec
dnssec-dnskey-kskonly	(过时了)	obsolete
dnssec-loadkeys-interval	Sets the frequency of automatic checks of the DNSSEC key repository. 设置DNSSEC密钥存储库的自动检查频率。	dnssec
dnssec-must-be-secure	Defines hierarchies that must or may not be secure (signed and validated). 定义必须或可能不安全的层次结构（签名和验证）。	deprecated
dnssec-policy	Defines a key and signing policy (KASP) for zones. 为区域定义密钥和签名策略（KASP）。	dnssec
dnssec-secure-to-insecure	(过时了)	obsolete
dnssec-update-mode	(过时了)	obsolete
dnssec-validation	Enables DNSSEC validation in `named`. 在 `named` 中启用DNSSEC验证。	dnssec
dnstap	Enables logging of `dnstap` messages. 允许记录 `dnstap` 消息。	logging
dnstap-identity	Specifies an `identity` string to send in `dnstap` messages. 指定要在 `dnstap` 中发送的 `identity` 字符串消息。	logging
dnstap-output	Configures the path to which the `dnstap` frame stream is sent. 配置 `dnstap` 的路径帧流被发送。	logging
dnstap-version	Specifies a `version` string to send in `dnstap` messages. 指定 `version` 要发送的字符串 `dnstap` 消息。	logging
dual-stack-servers	Specifies host names or addresses of machines with access to both IPv4 and IPv6 transports. 指定可以访问IPv4和IPv6传输的计算机的主机名或地址。	server
dump-file	Indicates the pathname of the file where the server dumps the database after `rndc dumpdb`. 指示服务器在 `rndc-dumpdb` 之后转储数据库的文件的路径名。	logging
dyndb	Configures a DynDB database in `named.conf`. 在 `named.conf` 中配置DynDB数据库。	zone
edns	Controls the use of the EDNS0 (RFC 2671) feature. 控制EDNS0的使用（RFC 2671）功能。	server
edns-udp-size	Sets the maximum advertised EDNS UDP buffer size to control the size of packets received from authoritative servers in response to recursive queries. 设置最大播发EDNS UDP缓冲区大小，以控制从权威服务器接收到的响应递归查询的数据包大小。	query
edns-version	Sets the maximum EDNS VERSION that is sent to the server(s) by the resolver. 设置解析器发送到服务器的最大EDNS VERSION。	server
empty-contact	Specifies the contact name in the returned SOA record for empty zones. 在返回的SOA记录中为空区域指定联系人姓名。	server, zone
empty-server	Specifies the server name in the returned SOA record for empty zones. 在返回的SOA记录中为空区域指定服务器名称。	server, zone
empty-zones-enable	Enables or disables all empty zones. 启用或禁用所有空区域。	server, zone
endpoints	Specifies a list of HTTP query paths on which to listen. 指定要侦听的HTTP查询路径列表。	server, query
errors-per-second	Limits the number of errors for a valid domain name and record type. 限制有效域名和记录类型的错误数。	server
exclude	Allows a list of IPv6 addresses to be ignored if they appear in a domain name's AAAA records in `dns64`. 允许忽略出现在 `dns64` 中域名AAAA记录中的IPv6地址列表。	query
exempt-clients	Exempts specific clients or client groups from rate limiting. 免除特定客户或客户群体的费率限制。	query
fetch-quota-params	Sets the parameters for dynamic resizing of the `fetches-per-server` quota in response to detected congestion. 设置参数以动态调整 `fetches-per-server` 的大小配额。	server, query
fetches-per-server	Sets the maximum number of simultaneous iterative queries allowed to be sent by a server to an upstream name server before the server blocks additional queries. 设置服务器在阻止其他查询之前允许向上游名称服务器发送的最大并发迭代查询数。	server, query
fetches-per-zone	Sets the maximum number of simultaneous iterative queries allowed to any one domain before the server blocks new queries for data in or beneath that zone. 设置在服务器阻止对该区域内或区域下的数据进行新查询之前，允许对任何一个域同时进行的迭代查询的最大数量。	server, query
file	Specifies the zone's filename. 指定区域的文件名。	zone
flush-zones-on-shutdown	Controls whether pending zone writes are flushed when the name server exits. 控制在名称服务器退出时是否刷新挂起的区域写入。	zone
forward	Allows or disallows fallback to recursion if forwarding has failed; it is always used in conjunction with the `forwarders` statement. 如果转发失败，允许或不允许回退到递归；它总是与 `forwarders` 结合使用声明。	query
forwarders	Defines one or more hosts to which queries are forwarded. 定义查询转发到的一个或多个主机。	query
fstrm-set-buffer-hint	Sets the number of accumulated bytes in the output buffer before forcing a buffer flush. 在强制刷新缓冲区之前，设置输出缓冲区中的累积字节数。	logging
fstrm-set-flush-timeout	Sets the number of seconds that unflushed data remains in the output buffer. 设置未刷新数据在输出缓冲区中保留的秒数。	logging
fstrm-set-input-queue-size	Sets the number of queue entries to allocate for each input queue. 设置为每个输入队列分配的队列条目数。	logging
fstrm-set-output-notify-threshold	Sets the number of outstanding queue entries allowed on an input queue before waking the I/O thread. 设置在唤醒I/O线程之前，输入队列上允许的未完成队列条目数。	logging
fstrm-set-output-queue-model	Sets the queuing semantics to use for queue objects. 设置用于队列对象的排队语义。	logging
fstrm-set-output-queue-size	Sets the number of queue entries allocated for each output queue. 设置为每个输出队列分配的队列条目数。	logging
fstrm-set-reopen-interval	Sets the number of seconds to wait between attempts to reopen a closed output stream. 设置尝试重新打开已关闭的输出流之间等待的秒数。	logging
geoip-directory	Specifies the directory containing GeoIP database files. 指定包含GeoIP数据库文件的目录。	server
heartbeat-interval	Sets the interval at which the server performs zone maintenance tasks for all zones marked as `dialup`. 设置服务器对标记为 `dialup` 的所有区域执行区域维护任务的间隔。	deprecated
hostname	Specifies the hostname of the server to return in response to a `hostname.bind` query. 指定服务器的主机名，以响应 `hostname.bind` 查询。	server
http	Configures HTTP endpoints on which to listen for DNS-over-HTTPS (DoH) queries. 配置在其上侦听DNS over HTTPS（DoH）查询的HTTP终结点。	server, query
http-listener-clients	Limits the number of active concurrent connections on a per-listener basis. 限制每个侦听器的活动并发连接数。	server
http-port	Specifies the TCP port number the server uses to receive and send unencrypted DNS traffic via HTTP. 指定服务器用于通过HTTP接收和发送未加密DNS流量的TCP端口号。	server, query
http-streams-per-connection	Limits the number of active concurrent HTTP/2 streams on a per-connection basis. 限制每个连接上活动的并发HTTP/2流的数量。	server
https-port	Specifies the TCP port number the server uses to receive and send DNS-over-HTTPS protocol traffic. 指定服务器用于通过HTTPS协议接收和发送DNS流量的TCP端口号。	server, query
in-view	Specifies the view in which a given zone is defined. 指定定义给定分区的视图。	view, zone
inet	Specifies a TCP socket as a control channel. 指定TCP套接字作为控制通道。	server
inline-signing	Specifies whether BIND 9 maintains a separate signed version of a zone. 指定BIND 9是否维护区域的单独签名版本。	dnssec, zone
interface-interval	Sets the interval at which the server scans the network interface list. 设置服务器扫描网络接口列表的间隔。	server
ipv4-prefix-length	Specifies the prefix lengths of IPv4 address blocks. 指定IPv4地址块的前缀长度。	server
ipv4only-contact	Specifies the contact for the IPV4ONLY.ARPA zone created by `dns64`. 指定IPV4ONLY的联系人。由 `dns64` 创建的ARPA区域。	server
ipv4only-enable	Enables automatic IPv4 zones if a `dns64` block is configured. 如果存在 `dns64` ，则启用自动IPv4区域块已配置。	query
ipv4only-server	Specifies the name of the server for the IPV4ONLY.ARPA zone created by `dns64`. 指定IPV4ONLY的服务器名称。由 `dns64` 创建的ARPA区域。	server, query
ipv6-prefix-length	Specifies the prefix lengths of IPv6 address blocks. 指定IPv6地址块的前缀长度。	server
ixfr-from-differences	Controls how IXFR transfers are calculated. 控制IXFR转账的计算方式。	transfer
journal	Allows the default journal's filename to be overridden. 允许覆盖默认日志的文件名。	zone
key	Defines a shared secret key for use with TSIG or the command channel. 定义与 TSIG 一起使用的共享密钥或命令通道。	security
key-directory	Indicates the directory where public and private DNSSEC key files are found. 指示查找公共和私有DNSSEC密钥文件的目录。	dnssec
key-file	Specifies the path to a file containing the private TLS key for a connection. 指定包含连接专用TLS密钥的文件的路径。	server, security
key-store	Configures a DNSSEC key store. 配置DNSSEC密钥存储。	dnssec
keys	Specifies one or more `server_key` s to be used with a remote server. 指定一个或多个 `server_key` 与远程服务器一起使用。	server, security
lame-ttl	Sets the resolver's lame cache. 设置解析器的蹩脚缓存。	server
listen-on	Specifies the IPv4 addresses on which a server listens for DNS queries. 指定服务器侦听DNS查询的IPv4地址。	server
listen-on-v6	Specifies the IPv6 addresses on which a server listens for DNS queries. 指定服务器监听DNS查询的IPv6地址。	server
listener-clients	Specifies a per-listener quota for active connections. 为活动连接指定每个侦听器的配额。	server, query
lmdb-mapsize	Sets a maximum size for the memory map of the new-zone database in LMDB database format. 为LMDB数据库格式的新区域数据库的内存映射设置最大大小。	server
log-only	Tests rate-limiting parameters without actually dropping any requests. 在不实际丢弃任何请求的情况下测试限速参数。	logging, query
logging	Configures logging options for the name server. 配置名称服务器的日志记录选项。	logging
managed-keys	(强烈不建议用)	deprecated
managed-keys-directory	Specifies the directory in which to store the files that track managed DNSSEC keys. 指定用于存储跟踪托管DNSSEC密钥的文件的目录。	dnssec
mapped	Specifies an access control list (ACL) of IPv4 addresses that are to be mapped to the corresponding A RRset in `dns64`. 指定IPv4地址的访问控制列表（ACL），这些地址将映射到 `dns64` 中的相应A RRset。	query
masterfile-format	Specifies the file format of zone files. 指定区域文件的文件格式。	zone, server
masterfile-style	Specifies the format of zone files during a dump, when the `masterfile-format` is `text`. 指定转储期间区域文件的格式，当 `masterfile-format` 是“文本”。	server
match-clients	Specifies a view of DNS namespace for a given subset of client IP addresses. 指定给定客户端IP地址子集的DNS命名空间视图。	view
match-destinations	Specifies a view of DNS namespace for a given subset of destination IP addresses. 指定给定目标IP地址子集的DNS命名空间视图。	view
match-mapped-addresses	Allows IPv4-mapped IPv6 addresses to match address-match list entries for corresponding IPv4 addresses. 允许IPv4映射的IPv6地址与相应IPv4地址的地址匹配列表条目相匹配。	server
match-recursive-only	Specifies that only recursive requests can match this view of the DNS namespace. 指定只有递归请求才能匹配DNS命名空间的此视图。	view
max-cache-size	Sets the maximum amount of memory to use for an individual cache database and its associated metadata. 设置用于单个缓存数据库及其关联元数据的最大内存量。	server
max-cache-ttl	Specifies the maximum time (in seconds) that the server caches ordinary (positive) answers. 指定服务器缓存普通（肯定）答案的最长时间（秒）。	server
max-clients-per-query	Sets the maximum number of simultaneous recursive clients accepted by the server for any given query before the server drops additional clients. 设置服务器在删除其他客户端之前，为任何给定查询接受的最大并发递归客户端数。	server
max-ixfr-ratio	Sets the maximum size for IXFR responses to zone transfer requests. 设置IXFR对区域传输请求的响应的最大大小。	transfer
max-journal-size	Controls the size of journal files. 控制日志文件的大小。	transfer
max-ncache-ttl	Specifies the maximum retention time (in seconds) for storage of negative answers in the server's cache. 指定在服务器缓存中存储否定答案的最大保留时间（秒）。	server
max-query-count	Sets the maximum number of iterative queries while servicing a recursive query. 设置为递归查询提供服务时迭代查询的最大数量。	server, query
max-query-restarts	Sets the maximum number of chained CNAMEs to follow 设置要遵循的链式CNAME的最大数量	server, query
max-records	Sets the maximum number of records permitted in a zone. 设置区域中允许的最大记录数。	zone, server
max-records-per-type	Sets the maximum number of records that can be stored in an RRset. 设置RRset中可以存储的最大记录数。	server
max-recursion-depth	Sets the maximum number of levels of recursion permitted at any one time while servicing a recursive query. 设置在为递归查询提供服务时，任何时候允许的最大递归级别数。	server
max-recursion-queries	Sets the maximum number of iterative queries while servicing a recursive query. 设置为递归查询提供服务时迭代查询的最大数量。	server, query
max-refresh-time	Limits the zone refresh interval to no less often than the specified value, in seconds. 将区域刷新间隔限制为不低于指定值的频率（秒）。	transfer
max-retry-time	Limits the zone refresh retry interval to no less often than the specified value, in seconds. 将区域刷新重试间隔限制为不低于指定值的频率（秒）。	transfer
max-rsa-exponent-size	Sets the maximum RSA exponent size (in bits) when validating. 设置验证时的最大RSA指数大小（以位为单位）。	dnssec, query
max-stale-ttl	Specifies the maximum time that the server retains records past their normal expiry, to return them as stale records. 指定服务器保留超过正常到期时间的记录的最长时间，以将其作为过时记录返回。	server
max-table-size	Sets the maximum size of the table used to track requests and rate-limit responses. 设置用于跟踪请求和速率限制响应的表的最大大小。	server
max-transfer-idle-in	Specifies the number of minutes after which inbound zone transfers making no progress are terminated. 指定终止无进展的入站区域传输的分钟数。	transfer
max-transfer-idle-out	Specifies the number of minutes after which outbound zone transfers making no progress are terminated. 指定终止无进展的出站区域传输的分钟数。	transfer
max-transfer-time-in	Specifies the number of minutes after which inbound zone transfers are terminated. 指定终止入站区域传输的分钟数。	transfer
max-transfer-time-out	Specifies the number of minutes after which outbound zone transfers are terminated. 指定终止出站区域传输的分钟数。	transfer
max-types-per-name	Sets the maximum number of RR types that can be stored for an owner name. 设置所有者名称可以存储的RR类型的最大数量。	server
max-udp-size	Sets the maximum EDNS UDP message size sent by `named`. 设置 `named` 发送的最大EDNS UDP消息大小。	query
max-validation-failures-per-fetch	Sets the maximum number of DNSSEC validation failures that can happen in a single fetch. 设置单次获取中可能发生的DNSSEC验证失败的最大次数。	server
max-validations-per-fetch	Sets the maximum number of DNSSEC validations that can happen in a single fetch. 设置单次获取中可以发生的DNSSEC验证的最大数量。	server
max-zone-ttl	Specifies a maximum permissible time-to-live (TTL) value, in seconds. 指定最大允许生存时间（TTL）值，单位为秒。	deprecated
memstatistics	Controls whether memory statistics are written to the file specified by `memstatistics-file` at exit. 控制是否将内存统计信息写入 `memstatistics file` 指定的文件。	server, logging
memstatistics-file	Sets the pathname of the file where the server writes memory usage statistics on exit. 设置服务器在退出时写入内存使用统计信息的文件的路径名。	logging
message-compression	Controls whether DNS name compression is used in responses to regular queries. 控制在响应常规查询时是否使用DNS名称压缩。	query
min-cache-ttl	Specifies the minimum time (in seconds) that the server caches ordinary (positive) answers. 指定服务器缓存普通（肯定）答案的最短时间（秒）。	server
min-ncache-ttl	Specifies the minimum retention time (in seconds) for storage of negative answers in the server's cache. 指定在服务器缓存中存储否定答案的最小保留时间（秒）。	server
min-refresh-time	Limits the zone refresh interval to no more often than the specified value, in seconds. 将区域刷新间隔限制为不超过指定值的频率（秒）。	transfer
min-retry-time	Limits the zone refresh retry interval to no more often than the specified value, in seconds. 将区域刷新重试间隔限制为不超过指定值的频率（秒）。	transfer
min-table-size	Sets the minimum size of the table used to track requests and rate-limit responses. 设置用于跟踪请求和速率限制响应的表的最小大小。	query
min-transfer-rate-in	Specifies the minimum traffic rate below which inbound zone transfers are terminated. 指定最低流量速率，低于该速率时，入站区域传输将终止。	transfer
minimal-any	Controls whether the server replies with only one of the RRsets for a query name, when generating a positive response to a query of type ANY over UDP. 控制在UDP上对ANY类型的查询生成肯定响应时，服务器是否仅使用查询名称的一个RR集进行回复。	query
minimal-responses	Controls whether the server only adds records to the authority and additional data sections when they are required (e.g. delegations, negative responses). This improves server performance. 控制服务器是否仅在需要时（例如委托、否定响应）将记录添加到权限和其他数据部分。这提高了服务器性能。	query
multi-master	Controls whether serial number mismatch errors are logged. 控制是否记录序列号不匹配错误。	transfer
new-zones-directory	Specifies the directory where configuration parameters are stored for zones added by `rndc addzone`. 指定存储由 `rndc-addzone` 添加的区域的配置参数的目录。	zone
no-case-compress	Specifies a list of addresses that require case-insensitive compression in responses. 指定在响应中需要不区分大小写压缩的地址列表。	server
nocookie-udp-size	Sets the maximum size of UDP responses that are sent to queries without a valid server COOKIE. 设置发送到没有有效服务器COOKIE的查询的UDP响应的最大大小。	query
nodata-per-second	Limits the number of empty (NODATA) responses for a valid domain name. 限制有效域名的空（NODATA）响应数。	query
notify	Controls whether `NOTIFY` messages are sent on zone changes. 控制是否在区域更改时发送 `NOTIFY` 消息。	transfer
notify-delay	Sets the delay (in seconds) between sending sets of NOTIFY messages for a zone. 设置区域发送NOTIFY消息集之间的延迟（秒）。	transfer, zone
notify-rate	Specifies the rate at which NOTIFY requests are sent during normal zone maintenance operations. 指定在正常区域维护操作期间发送NOTIFY请求的速率。	transfer, zone
notify-source	Defines the IPv4 address (and optional port) to be used for outgoing `NOTIFY` messages. 定义用于传出 `NOTIFY` 消息的IPv4地址（和可选端口）。	transfer
notify-source-v6	Defines the IPv6 address (and optional port) to be used for outgoing `NOTIFY` messages. 定义用于传出 `NOTIFY` 消息的IPv6地址（和可选端口）。	transfer
notify-to-soa	Controls whether the name servers in the NS RRset are checked against the SOA MNAME. 控制是否根据SOA MNAME检查NS RRset中的名称服务器。	transfer
nsec3param	Specifies the use of NSEC3 instead of NSEC, and sets NSEC3 parameters. 指定使用NSEC3而不是NSEC，并设置NSEC3参数。	dnssec
nta-lifetime	Specifies the lifetime, in seconds, for negative trust anchors added via `rndc nta`. 指定通过 `rndc-nta` 添加的负信任锚点的生存期（秒）。	dnssec
nta-recheck	Specifies the time interval for checking whether negative trust anchors added via `rndc nta` are still necessary. 指定检查是否通过 `rndc-nta` 添加了负信任锚点的时间间隔仍然是必要的。	dnssec
null	Causes all messages sent to the logging channel to be discarded. 导致发送到日志记录通道的所有消息都被丢弃。	logging
nxdomain-redirect	Appends the specified suffix to the original query name, when replacing an NXDOMAIN with a redirect namespace. 当用重定向命名空间替换NXDOMAIN时，将指定的后缀附加到原始查询名称。	query
nxdomains-per-second	Limits the number of undefined subdomains for a valid domain name. 限制有效域名的未定义子域的数量。	query
offline-ksk	Specifies whether the DNSKEY, CDS, and CDNSKEY RRsets are being signed offline. 指定DNSKEY、CDS和CDNSKEY RR集是否正在脱机签名。	dnssec
options	Defines global options to be used by BIND 9. 定义BIND 9要使用的全局选项。	server
padding	Adds EDNS Padding options to outgoing messages to increase the packet size. 向传出消息添加EDNS填充选项以增加数据包大小。	server
parent-ds-ttl	Sets the time to live (TTL) of the DS RRset used by the parent zone. 设置父区域使用的DS RRset的生存时间（TTL）。	dnssec
parent-propagation-delay	Sets the propagation delay from the time the parent zone is updated to when the new version is served by all of the parent zone's name servers. 设置从父区域更新到所有父区域名称服务器提供新版本的传播延迟。	dnssec, zone
parental-agents		dnssec
parental-source	Specifies which local IPv4 source address is used to send parental DS queries. 指定用于发送家长DS查询的本地IPv4源地址。	dnssec
parental-source-v6	Specifies which local IPv6 source address is used to send parental DS queries. 指定用于发送家长DS查询的本地IPv6源地址。	dnssec
pid-file	Specifies the pathname of the file where the server writes its process ID. 指定服务器写入其进程ID的文件的路径名。	server
pkcs11-uri		dnssec, pkcs11
plugin	Configures plugins in `named.conf`. 在 `named.conf` 中配置插件。	server
port	Specifies the UDP/TCP port number the server uses to receive and send DNS protocol traffic. 指定服务器用于接收和发送DNS协议流量的UDP/TCP端口号。	server, query
prefer-server-ciphers	Specifies that server ciphers should be preferred over client ones. 指定服务器密码应优先于客户端密码。	server, security
preferred-glue	Controls the order of glue records in an A or AAAA response. 控制A或AAAA响应中胶水记录的顺序。	query
prefetch	Specifies the "trigger" time-to-live (TTL) value at which prefetch of the current query takes place. 指定当前查询预取发生时的“触发”生存时间（TTL）值。	query
primaries	Defines one or more servers that zone transfer can be requested from. 定义一个或多个可以请求区域传输的服务器。	transfer, zone
print-category	Includes the category in log messages. 在日志消息中包含该类别。	logging
print-severity	Includes the severity in log messages. 在日志消息中包括严重性。	logging
print-time	Specifies the time format for log messages. 指定日志消息的时间格式。	logging
protocols	Specifies the allowed versions of the TLS protocol. 指定允许的TLS协议版本。	security
provide-ixfr	Controls whether a primary responds to an incremental zone request (IXFR) or only responds with a full zone transfer (AXFR). 控制主服务器是响应增量区域请求（IXFR）还是仅响应完整区域传输（AXFR）。	transfer
publish-safety	Increases the amount of time between when keys are published and when they become active, to allow for unforeseen events. 增加密钥发布与激活之间的时间间隔，以应对不可预见的事件。	dnssec
purge-keys	Specifies the amount of time after which DNSSEC keys that have been deleted from the zone can be removed from disk. 指定从区域中删除的DNSSEC密钥可以从磁盘中删除的时间量。	dnssec
qname-minimization	Controls QNAME minimization behavior in the BIND 9 resolver. 控制BIND 9解析器中的QNAME最小化行为。	query
qps-scale	Tightens defenses during DNS attacks by scaling back the ratio of the current query-per-second rate. 通过降低当前每秒查询率的比率，加强DNS攻击期间的防御。	query
query-source	Controls the IPv4 address from which queries are issued. If none, then no IPv4 address would be used to issue the query and therefore only IPv6 servers are queried. 控制发出查询的IPv4地址。如果没有，则不会使用IPv4地址发出查询，因此只查询IPv6服务器。	query
query-source-v6	Controls the IPv6 address from which queries are issued. If none, then no IPv6 address would be used to issue the query and therefore only IPv4 servers are quried. 控制发出查询的IPv6地址。如果没有，则不会使用IPv6地址来发出查询，因此只需要IPv4服务器。	query
querylog	Specifies whether query logging should be active when `named` first starts. 指定在 `named` 时是否应激活查询日志记录首先开始。	logging, server
rate-limit	Controls excessive UDP responses, to prevent BIND 9 from being used to amplify reflection denial-of-service (DoS) attacks. 控制过多的UDP响应，以防止BIND 9被用于放大反射拒绝服务（DoS）攻击。	query
recursing-file	Specifies the pathname of the file where the server dumps queries that are currently recursing via `rndc recursing`. 指定服务器转储当前通过 `rndc recursing` 递归的查询的文件的路径名。	server
recursion	Defines whether recursion and caching are allowed. 定义是否允许递归和缓存。	query
recursive-clients	Specifies the maximum number of concurrent recursive queries the server can perform. 指定服务器可以执行的并发递归查询的最大数量。	query
recursive-only	Toggles whether `dns64` synthesis occurs only for recursive queries. 切换是否 `dns64` 合成仅发生在递归查询中。	query
referrals-per-second	Limits the number of referrals or delegations to a server for a given domain. 限制给定域对服务器的推荐或委派数量。	query
remote-hostname	Specifies the expected hostname in the TLS certificate of the remote server. 指定远程服务器的TLS证书中的预期主机名。	security
remote-servers	Defines a list of servers to be used by primary and secondary zones. 定义主区域和辅助区域使用的服务器列表。	server
request-expire	Specifies whether the local server requests the EDNS EXPIRE value, when acting as a secondary. 指定本地服务器在充当辅助服务器时是否请求EDNS EXPIRE值。	transfer, query
request-ixfr	Controls whether a secondary requests an incremental zone transfer (IXFR) or a full zone transfer (AXFR). 控制辅助服务器是请求增量区域传输（IXFR）还是请求完整区域传输（AXFR）。	transfer
request-nsid	Controls whether an empty EDNS(0) NSID (Name Server Identifier) option is sent with all queries to authoritative name servers during iterative resolution. 控制在迭代解析期间是否将空的EDNS(0) NSID（名称服务器标识符）选项与所有查询一起发送到权威名称服务器。	query
require-cookie	Controls whether responses without a server cookie are accepted. 控制是否接受没有服务器cookie的响应。	query
require-server-cookie	Controls whether a valid server cookie is required before sending a full response to a UDP request. 控制在向UDP请求发送完整响应之前是否需要有效的服务器cookie。	query
resolver-query-timeout	Specifies the length of time, in milliseconds, that a resolver attempts to resolve a recursive query before failing. 指定解析器在失败之前尝试解析递归查询的时间长度（以毫秒为单位）。	query
resolver-use-dns64	Specifies whether to apply DNS64 mappings when sending queries. 指定在发送查询时是否应用DNS64映射。	server
response-padding	Adds an EDNS Padding option to encrypted messages, to reduce the chance of guessing the contents based on size. 为加密消息添加EDNS填充选项，以减少根据大小猜测内容的机会。	query
response-policy	Specifies response policy zones for the view or among global options. 为视图或全局选项指定响应策略区域。	server, query, zone, security
responselog	Specifies whether response logging should be active when `named` first starts. 指定在 `named` 时是否应激活响应日志记录首先开始。	logging, server
responses-per-second	Limits the number of non-empty responses for a valid domain name and record type. 限制有效域名和记录类型的非空响应数。	query
retire-safety	Increases the amount of time a key remains published after it is no longer active, to allow for unforeseen events. 增加密钥在不再活动后保持发布的时间，以考虑不可预见的事件。	dnssec
reuseport	Enables kernel load-balancing of sockets. 启用套接字的内核负载平衡。	server
root-key-sentinel	Controls whether BIND 9 responds to root key sentinel probes. 控制BIND 9是否响应根密钥哨兵探针。	server
rrset-order	Defines the order in which equal RRs (RRsets) are returned. 定义返回相等RRs（RRset）的顺序。	query
search	Specifies whether a Dynamically Loadable Zone (DLZ) module is queried for an answer to a query name. 指定是否向动态可加载区域（DLZ）模块查询查询名称的答案。	query
secret	Defines a Base64-encoded string to be used as the secret by the algorithm. 定义一个Base64编码的字符串，作为算法的秘密。	security
secroots-file	Specifies the pathname of the file where the server dumps security roots, when using `rndc secroots`. 指定服务器在使用 `rndc-securots` 时转储安全根的文件的路径名。	dnssec
send-cookie	Controls whether a COOKIE EDNS option is sent along with a query. 控制COOKIE EDNS选项是否与查询一起发送。	query
serial-query-rate	Defines an upper limit on the number of queries per second issued by the server, when querying the SOA RRs used for zone transfers. 在查询用于区域传输的SOA RRs时，定义服务器每秒发出的查询次数的上限。	transfer
serial-update-method	Specifies the update method to be used for the zone serial number in the SOA record. 指定用于SOA记录中区域序列号的更新方法。	zone
server	Defines characteristics to be associated with a remote name server. 定义与远程名称服务器关联的特征。	server
server-addresses	Specifies a list of IP addresses to which queries should be sent in recursive resolution for a static-stub zone. 指定静态存根区域的递归解析中应向其发送查询的IP地址列表。	query, zone
server-id	Specifies the ID of the server to return in response to a `ID.SERVER` query. 指定响应 `ID.server` 查询时返回的服务器的ID。	server
server-names	Specifies a list of domain names of name servers that act as authoritative servers of a static-stub zone. 指定充当静态存根区域的权威服务器的名称服务器的域名列表。	zone
servfail-ttl	Sets the length of time (in seconds) that a SERVFAIL response is cached. 设置缓存SERVFAIL响应的时间长度（秒）。	server
session-keyalg	Specifies the algorithm to use for the TSIG session key. 指定用于TSIG会话密钥的算法。	security
session-keyfile	Specifies the pathname of the file where a TSIG session key is written, when generated by `named` for use by `nsupdate -l`. 指定写入TSIG会话密钥的文件的路径名，当由 `named` 生成时供 `nsupdate-l` 使用。	security
session-keyname	Specifies the key name for the TSIG session key. 指定TSIG会话密钥的密钥名称。	security
session-tickets	Enables or disables session resumption through TLS session tickets. 通过TLS会话票证启用或禁用会话恢复。	security
severity	Defines the priority level of log messages. 定义日志消息的优先级。	logging
sig-signing-nodes	Specifies the maximum number of nodes to be examined in each quantum, when signing a zone with a new DNSKEY. 指定使用新的DNSKEY对区域进行签名时，每个量子中要检查的最大节点数。	dnssec
sig-signing-signatures	Specifies the threshold for the number of signatures that terminates processing a quantum, when signing a zone with a new DNSKEY. 指定使用新的DNSKEY对区域进行签名时终止处理量子的签名数量的阈值。	dnssec
sig-signing-type	Specifies a private RDATA type to use when generating signing-state records. 指定生成签名状态记录时使用的专用RDATA类型。	dnssec
sig-validity-interval	(过时了)	obsolete
sig0checks-quota	Specifies the maximum number of concurrent SIG(0) signature checks that can be processed by the server. 指定服务器可以处理的并发SIG(0)签名检查的最大数量。	server
sig0checks-quota-exempt	Exempts specific clients or client groups from SIG(0) signature checking quota. 免除特定客户或客户组的SIG(0)签名检查配额。	server
sig0key-checks-limit	Specifies the maximum number of SIG(0) keys to consider when trying to verify a message. 指定在尝试验证消息时要考虑的SIG(0)密钥的最大数量。	server
sig0message-checks-limit	Specifies the maximum number of matching SIG(0) keys to try to verify a message. 指定尝试验证消息的匹配SIG(0)密钥的最大数量。	server
signatures-jitter	Specifies a range for signature expirations. 指定签名过期的范围。	dnssec
signatures-refresh	Specifies how frequently an RRSIG record is refreshed. 指定刷新RRSIG记录的频率。	dnssec
signatures-validity	Indicates the validity period of an RRSIG record. 指示RRSIG记录的有效期。	dnssec
signatures-validity-dnskey	Indicates the validity period of DNSKEY records. 表示DNSKEY记录的有效期。	dnssec
slip	Sets the number of "slipped" responses to minimize the use of forged source addresses for an attack. 设置“滑动”响应的数量，以尽量减少使用伪造的源地址进行攻击。	query
sortlist	Controls the ordering of RRs returned to the client, based on the client's IP address. 根据客户端的IP地址控制返回给客户端的RR的顺序。	query, deprecated
stale-answer-client-timeout	Defines the amount of time (in milliseconds) that `named` waits before attempting to answer a query with a stale RRset from cache. 定义 `named` 的时间量（以毫秒为单位）在尝试使用缓存中的过时RRset回答查询之前会等待。	server, query
stale-answer-enable	Enables the returning of "stale" cached answers when the name servers for a zone are not answering. 当区域的名称服务器没有应答时，允许返回“过时”的缓存答案。	server, query
stale-answer-ttl	Specifies the time to live (TTL) to be returned on stale answers, in seconds. 指定对过时答案返回的生存时间（TTL），以秒为单位。	query
stale-cache-enable	Enables the retention of "stale" cached answers. 允许保留“过时”的缓存答案。	server, query
stale-refresh-time	Sets the time window for the return of "stale" cached answers before the next attempt to contact, if the name servers for a given zone are not responding. 如果给定区域的名称服务器没有响应，则设置在下次尝试联系之前返回“过时”缓存答案的时间窗口。	server, query
startup-notify-rate	Specifies the rate at which NOTIFY requests are sent when the name server is first starting, or when new zones have been added. 指定名称服务器首次启动或添加新区域时发送NOTIFY请求的速率。	transfer, zone
statistics-channels	Specifies the communication channels to be used by system administrators to access statistics information on the name server. 指定系统管理员用于访问名称服务器上的统计信息的通信通道。	logging
statistics-file	Specifies the pathname of the file where the server appends statistics, when using `rndc stats`. 指定服务器在使用 `rndc-stasts` 时附加统计信息的文件的路径名。	logging, server
stderr	Directs the logging channel output to the server's standard error stream. 将日志记录通道输出定向到服务器的标准错误流。	logging
streams-per-connection	Specifies the maximum number of concurrent HTTP/2 streams over an HTTP/2 connection. 指定HTTP/2连接上并发HTTP/2流的最大数量。	server, query
suffix	Defines trailing bits for mapped IPv4 address bits in `dns64`. 定义 `dns64` 中映射的IPv4地址位的尾随位。	query
synth-from-dnssec	Enables support for RFC 8198, Aggressive Use of DNSSEC-Validated Cache. 支持 RFC 8198，积极使用DNSSEC验证的缓存。	dnssec
syslog	Directs the logging channel to the system log. 将日志记录通道定向到系统日志。	logging
tcp-advertised-timeout	Sets the timeout value (in milliseconds) that the server sends in responses containing the EDNS TCP keepalive option. 设置服务器在包含EDNS TCP keepalive选项的响应中发送的超时值（以毫秒为单位）。	query
tcp-clients	Specifies the maximum number of simultaneous client TCP connections accepted by the server. 指定服务器同时接受的客户端TCP连接的最大数量。	server
tcp-idle-timeout	Sets the amount of time (in milliseconds) that the server waits on an idle TCP connection before closing it, if the EDNS TCP keepalive option is not in use. 如果未使用EDNS TCP keepalive选项，则设置服务器在关闭空闲TCP连接之前等待的时间量（以毫秒为单位）。	query
tcp-initial-timeout	Sets the amount of time (in milliseconds) that the server waits on a new TCP connection for the first message from the client. 设置服务器在新TCP连接上等待来自客户端的第一条消息的时间量（以毫秒为单位）。	server, query
tcp-keepalive	Adds EDNS TCP keepalive to messages sent over TCP. 将EDNS TCP keepalive添加到通过TCP发送的消息中。	server
tcp-keepalive-timeout	Sets the amount of time (in milliseconds) that the server waits on an idle TCP connection before closing it, if the EDNS TCP keepalive option is in use. 如果正在使用EDNS TCP keepalive选项，则设置服务器在关闭空闲TCP连接之前等待的时间量（以毫秒为单位）。	query
tcp-listen-queue	Sets the listen-queue depth. 设置侦听队列深度。	server
tcp-only	Sets the transport protocol to TCP. 将传输协议设置为TCP。	server
tcp-receive-buffer	Sets the operating system's receive buffer size for TCP sockets. 为TCP套接字设置操作系统的接收缓冲区大小。	server
tcp-send-buffer	Sets the operating system's send buffer size for TCP sockets. 为TCP套接字设置操作系统的发送缓冲区大小。	server
tkey-domain	Sets the domain appended to the names of all shared keys generated with `TKEY`. 设置附加到使用 `TKEY` 生成的所有共享密钥名称的域。	security
tkey-gssapi-credential	Sets the security credential for authentication keys requested by the GSS-TSIG protocol. 为GSS-TSIG协议请求的身份验证密钥设置安全凭据。	security
tkey-gssapi-keytab	Sets the KRB5 keytab file to use for GSS-TSIG updates. 设置用于GSS-TSIG更新的KRB5 keytab文件。	security
tls	Configures a TLS connection. 配置TLS连接。	security
tls-port	Specifies the TCP port number the server uses to receive and send DNS-over-TLS protocol traffic. 指定服务器用于接收和发送DNS-over-TLS协议流量的TCP端口号。	server, query
transfer-format	Controls whether multiple records can be packed into a message during zone transfers. 控制在区域传输期间是否可以将多条记录打包到消息中。	transfer
transfer-message-size	Limits the uncompressed size of DNS messages used in zone transfers over TCP. 限制通过TCP进行区域传输时使用的DNS消息的未压缩大小。	transfer
transfer-source	Defines which local IPv4 address(es) are bound to TCP connections used to fetch zones transferred inbound by the server. 定义哪些本地IPv4地址绑定到用于获取服务器入站传输的区域的TCP连接。	transfer
transfer-source-v6	Defines which local IPv6 address(es) are bound to TCP connections used to fetch zones transferred inbound by the server. 定义哪些本地IPv6地址绑定到用于获取服务器入站传输的区域的TCP连接。	transfer
transfers	Limits the number of concurrent inbound zone transfers from a server. 限制服务器并发入站区域传输的数量。	server
transfers-in	Limits the number of concurrent inbound zone transfers. 限制并发入站区域传输的数量。	transfer
transfers-out	Limits the number of concurrent outbound zone transfers. 限制并发出站区域传输的数量。	transfer
transfers-per-ns	Limits the number of concurrent inbound zone transfers from a remote server. 限制来自远程服务器的并发入站区域传输的数量。	transfer
trust-anchor-telemetry	Instructs `named` to send specially formed queries once per day to domains for which trust anchors have been configured. 指令 `named` 每天向已配置信任锚的域发送一次特殊格式的查询。	dnssec
trust-anchors	Defines DNSSEC trust anchors. 定义 DNSSEC 信任锚。	dnssec
trusted-keys		deprecated
try-tcp-refresh	Specifies that BIND 9 should attempt to refresh a zone using TCP if UDP queries fail. 指定如果UDP查询失败，BIND 9应尝试使用TCP刷新区域。	transfer
type	Specifies the kind of zone in a given configuration. 指定给定配置中的区域类型。	zone
type forward	Contains forwarding statements that apply to queries within a given domain. 包含适用于给定域内查询的转发语句。	zone
type hint	Contains the initial set of root name servers to be used at BIND 9 startup. 包含BIND 9启动时使用的初始根名称服务器集。	zone
type mirror	Contains a DNSSEC-validated duplicate of the main data for a zone. 包含区域主数据的DNSSEC验证副本。	zone
type primary	Contains the main copy of the data for a zone. 包含区域数据的主副本。	zone
type redirect	Contains information to answer queries when normal resolution would return NXDOMAIN. 包含在正常解析将返回NXDOMAIN时回答查询的信息。	zone
type secondary	Contains a duplicate of the data for a zone that has been transferred from a primary server. 包含从主服务器传输的区域的数据副本。	zone
type static-stub	Contains a duplicate of the NS records of a primary zone, but statically configured rather than transferred from a primary server. 包含主区域的NS记录的副本，但是静态配置的，而不是从主服务器传输的。	zone
type stub	Contains a duplicate of the NS records of a primary zone. 包含主区域的NS记录的副本。	zone
udp-receive-buffer	Sets the operating system's receive buffer size for UDP sockets. 设置UDP套接字的操作系统接收缓冲区大小。	server
udp-send-buffer	Sets the operating system's send buffer size for UDP sockets. 设置UDP套接字的操作系统发送缓冲区大小。	server
unix	Specifies a Unix domain socket as a control channel. 指定Unix域套接字作为控制通道。	obsolete
update-check-ksk	(过时了)	obsolete
update-policy	Sets fine-grained rules to allow or deny dynamic updates (DDNS), based on requester identity, updated content, etc. 根据请求者身份、更新内容等设置细粒度规则以允许或拒绝动态更新（DDNS）。	transfer
update-quota	Specifies the maximum number of concurrent DNS UPDATE messages that can be processed by the server. 指定服务器可以处理的并发DNS UPDATE消息的最大数量。	server
use-v4-udp-ports	Specifies a list of ports that are valid sources for UDP/IPv4 messages. 指定UDP/IPv4消息的有效源端口列表。	deprecated
use-v6-udp-ports	Specifies a list of ports that are valid sources for UDP/IPv6 messages. 指定UDP/IPv6消息的有效源端口列表。	deprecated
v6-bias	Indicates the number of milliseconds of preference to give to IPv6 name servers. 指示给予IPv6名称服务器的首选毫秒数。	server, query
validate-except	Specifies a list of domain names at and beneath which DNSSEC validation should not be performed. 指定一个域名列表，在该列表及其下方不应执行DNSSEC验证。	dnssec
version	Specifies the version number of the server to return in response to a `version.bind` query. 指定响应 `version.bind` 查询时返回的服务器的版本号。	server
view	Allows a name server to answer a DNS query differently depending on who is asking. 允许名称服务器根据询问者的不同来回答DNS查询。	view
window	Specifies the length of time during which responses are tracked. 指定跟踪响应的时间长度。	query
zero-no-soa-ttl	Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries. 指定在向SOA查询返回权威否定响应时，是否将SOA记录的生存时间（TTL）设置为零。	zone, query, server
zero-no-soa-ttl-cache	Sets the time to live (TTL) to zero when caching a negative response to an SOA query. 在缓存对SOA查询的否定响应时，将生存时间（TTL）设置为零。	zone, query, server
zone	Specifies the zone in a BIND 9 configuration. 指定BIND 9配置中的区域。	zone
zone-propagation-delay	Sets the propagation delay from the time a zone is first updated to when the new version of the zone is served by all secondary servers. 设置从区域首次更新到所有辅助服务器为该区域的新版本提供服务的传播延迟。	dnssec, zone
zone-statistics	Controls the level of statistics gathered for all zones. 控制为所有区域收集的统计级别。	zone, logging

8.4. 标签声明

这些表通过相应的标签将 named.conf 中允许的各种语句分组。

8.4.1. DNSSEC标签声明

Statement	Description
bindkeys-file	Specifies the pathname of a file to override the built-in trusted keys provided by `named`. 指定文件的路径名，以覆盖 `named` 提供的内置受信任密钥。
cdnskey	Specifies whether a CDNSKEY record should be published during KSK rollover. 指定在KSK滚动期间是否应发布CDNSKEY记录。
cds-digest-types	Specifies the digest types to use for CDS resource records. 指定用于CDS资源记录的摘要类型。
check-dup-records	Checks primary zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS. 检查主区域中DNSSEC视为不同但在纯DNS中语义相等的记录。
checkds	Controls whether `DS` queries are sent to parental agents. 控制是否将 `DS` 查询发送给家长代理。
disable-algorithms	Disables DNSSEC algorithms from a specified zone. 从指定区域禁用DNSSEC算法。
disable-ds-digests	Disables DS digest types from a specified zone. 禁用指定区域中的DS摘要类型。
dnskey-ttl	Specifies the time-to-live (TTL) for DNSKEY resource records. 指定DNSKEY资源记录的生存时间（TTL）。
dnssec-accept-expired	Instructs BIND 9 to accept expired DNSSEC signatures when validating. 指示BIND 9在验证时接受过期的DNSSEC签名。
dnssec-loadkeys-interval	Sets the frequency of automatic checks of the DNSSEC key repository. 设置DNSSEC密钥存储库的自动检查频率。
dnssec-policy	Defines a key and signing policy (KASP) for zones. 为区域定义密钥和签名策略（KASP）。
dnssec-validation	Enables DNSSEC validation in `named`. 在 `named` 中启用DNSSEC验证。
inline-signing	Specifies whether BIND 9 maintains a separate signed version of a zone. 指定BIND 9是否维护区域的单独签名版本。
key-directory	Indicates the directory where public and private DNSSEC key files are found. 指示查找公共和私有DNSSEC密钥文件的目录。
key-store	Configures a DNSSEC key store. 配置DNSSEC密钥存储。
managed-keys-directory	Specifies the directory in which to store the files that track managed DNSSEC keys. 指定用于存储跟踪托管DNSSEC密钥的文件的目录。
max-rsa-exponent-size	Sets the maximum RSA exponent size (in bits) when validating. 设置验证时的最大RSA指数大小（以位为单位）。
nsec3param	Specifies the use of NSEC3 instead of NSEC, and sets NSEC3 parameters. 指定使用NSEC3而不是NSEC，并设置NSEC3参数。
nta-lifetime	Specifies the lifetime, in seconds, for negative trust anchors added via `rndc nta`. 指定通过 `rndc-nta` 添加的负信任锚点的生存期（秒）。
nta-recheck	Specifies the time interval for checking whether negative trust anchors added via `rndc nta` are still necessary. 指定检查是否通过 `rndc-nta` 添加了负信任锚点的时间间隔仍然是必要的。
offline-ksk	Specifies whether the DNSKEY, CDS, and CDNSKEY RRsets are being signed offline. 指定DNSKEY、CDS和CDNSKEY RR集是否正在脱机签名。
parent-ds-ttl	Sets the time to live (TTL) of the DS RRset used by the parent zone. 设置父区域使用的DS RRset的生存时间（TTL）。
parent-propagation-delay	Sets the propagation delay from the time the parent zone is updated to when the new version is served by all of the parent zone's name servers. 设置从父区域更新到所有父区域名称服务器提供新版本的传播延迟。
parental-agents
parental-source	Specifies which local IPv4 source address is used to send parental DS queries. 指定用于发送家长DS查询的本地IPv4源地址。
parental-source-v6	Specifies which local IPv6 source address is used to send parental DS queries. 指定用于发送家长DS查询的本地IPv6源地址。
pkcs11-uri
publish-safety	Increases the amount of time between when keys are published and when they become active, to allow for unforeseen events. 增加密钥发布与激活之间的时间间隔，以应对不可预见的事件。
purge-keys	Specifies the amount of time after which DNSSEC keys that have been deleted from the zone can be removed from disk. 指定从区域中删除的DNSSEC密钥可以从磁盘中删除的时间量。
retire-safety	Increases the amount of time a key remains published after it is no longer active, to allow for unforeseen events. 增加密钥在不再活动后保持发布的时间，以考虑不可预见的事件。
secroots-file	Specifies the pathname of the file where the server dumps security roots, when using `rndc secroots`. 指定服务器在使用 `rndc-securots` 时转储安全根的文件的路径名。
sig-signing-nodes	Specifies the maximum number of nodes to be examined in each quantum, when signing a zone with a new DNSKEY. 指定使用新的DNSKEY对区域进行签名时，每个量子中要检查的最大节点数。
sig-signing-signatures	Specifies the threshold for the number of signatures that terminates processing a quantum, when signing a zone with a new DNSKEY. 指定使用新的DNSKEY对区域进行签名时终止处理量子的签名数量的阈值。
sig-signing-type	Specifies a private RDATA type to use when generating signing-state records. 指定生成签名状态记录时使用的专用RDATA类型。
signatures-jitter	Specifies a range for signature expirations. 指定签名过期的范围。
signatures-refresh	Specifies how frequently an RRSIG record is refreshed. 指定刷新RRSIG记录的频率。
signatures-validity	Indicates the validity period of an RRSIG record. 指示RRSIG记录的有效期。
signatures-validity-dnskey	Indicates the validity period of DNSKEY records. 表示DNSKEY记录的有效期。
synth-from-dnssec	Enables support for RFC 8198, Aggressive Use of DNSSEC-Validated Cache. 支持 RFC 8198 ，积极使用DNSSEC验证的缓存。
trust-anchor-telemetry	Instructs `named` to send specially formed queries once per day to domains for which trust anchors have been configured. 指令 `named` 每天向已配置信任锚的域发送一次特殊格式的查询。
trust-anchors	Defines DNSSEC trust anchors. 定义 DNSSEC 信任锚。
validate-except	Specifies a list of domain names at and beneath which DNSSEC validation should not be performed. 指定一个域名列表，在该列表及其下方不应执行DNSSEC验证。
zone-propagation-delay	Sets the propagation delay from the time a zone is first updated to when the new version of the zone is served by all secondary servers. 设置从区域首次更新到所有辅助服务器为该区域的新版本提供服务的传播延迟。

8.4.2. 记录标签语句

Statement	Description
buffered	Controls flushing of log messages. 控制日志消息的刷新。
category	Specifies the type of data logged to a particular channel. 指定记录到特定通道的数据类型。
channel	Defines a stream of data that can be independently logged. 定义可以独立记录的数据流。
dnstap	Enables logging of `dnstap` messages. 允许记录 `dnstap` 消息。
dnstap-identity	Specifies an `identity` string to send in `dnstap` messages. 指定要在 `dnstap` 中发送的 `identity` 字符串消息。
dnstap-output	Configures the path to which the `dnstap` frame stream is sent. 配置 `dnstap` 的路径帧流被发送。
dnstap-version	Specifies a `version` string to send in `dnstap` messages. 指定 `version` 要发送的字符串 `dnstap` 消息。
dump-file	Indicates the pathname of the file where the server dumps the database after `rndc dumpdb`. 指示服务器在 `rndc-dumpdb` 之后转储数据库的文件的路径名。
fstrm-set-buffer-hint	Sets the number of accumulated bytes in the output buffer before forcing a buffer flush. 在强制刷新缓冲区之前，设置输出缓冲区中的累积字节数。
fstrm-set-flush-timeout	Sets the number of seconds that unflushed data remains in the output buffer. 设置未刷新数据在输出缓冲区中保留的秒数。
fstrm-set-input-queue-size	Sets the number of queue entries to allocate for each input queue. 设置为每个输入队列分配的队列条目数。
fstrm-set-output-notify-threshold	Sets the number of outstanding queue entries allowed on an input queue before waking the I/O thread. 设置在唤醒I/O线程之前，输入队列上允许的未完成队列条目数。
fstrm-set-output-queue-model	Sets the queuing semantics to use for queue objects. 设置用于队列对象的排队语义。
fstrm-set-output-queue-size	Sets the number of queue entries allocated for each output queue. 设置为每个输出队列分配的队列条目数。
fstrm-set-reopen-interval	Sets the number of seconds to wait between attempts to reopen a closed output stream. 设置尝试重新打开已关闭的输出流之间等待的秒数。
log-only	Tests rate-limiting parameters without actually dropping any requests. 在不实际丢弃任何请求的情况下测试限速参数。
logging	Configures logging options for the name server. 配置名称服务器的日志记录选项。
memstatistics	Controls whether memory statistics are written to the file specified by `memstatistics-file` at exit. 控制是否将内存统计信息写入 `memstatistics-file` 指定的文件。
memstatistics-file	Sets the pathname of the file where the server writes memory usage statistics on exit. 设置服务器在退出时写入内存使用统计信息的文件的路径名。
null	Causes all messages sent to the logging channel to be discarded. 导致发送到日志记录通道的所有消息都被丢弃。
print-category	Includes the category in log messages. 在日志消息中包含该类别。
print-severity	Includes the severity in log messages. 在日志消息中包括严重性。
print-time	Specifies the time format for log messages. 指定日志消息的时间格式。
querylog	Specifies whether query logging should be active when `named` first starts. 指定在 `named` 时是否应激活查询日志记录首先开始。
responselog	Specifies whether response logging should be active when `named` first starts. 指定在 `named` 时是否应激活响应日志记录首先开始。
severity	Defines the priority level of log messages. 定义日志消息的优先级。
statistics-channels	Specifies the communication channels to be used by system administrators to access statistics information on the name server. 指定系统管理员用于访问名称服务器上的统计信息的通信通道。
statistics-file	Specifies the pathname of the file where the server appends statistics, when using `rndc stats`. 指定服务器在使用 `rndc-stasts` 时附加统计信息的文件的路径名。
stderr	Directs the logging channel output to the server's standard error stream. 将日志记录通道输出定向到服务器的标准错误流。
syslog	Directs the logging channel to the system log. 将日志记录通道定向到系统日志。
zone-statistics	Controls the level of statistics gathered for all zones. 控制为所有区域收集的统计级别。

8.4.3. 查询标签语句

Statement	Description
all-per-second	Limits UDP responses of all kinds. 限制所有类型的UDP响应。
allow-query	Specifies which hosts (an IP address list) are allowed to send queries to this resolver. 指定允许哪些主机（IP地址列表）向此解析器发送查询。
allow-query-cache	Specifies which hosts (an IP address list) can access this server's cache and thus effectively controls recursion. 指定哪些主机（IP地址列表）可以访问此服务器的缓存，从而有效地控制递归。
allow-query-cache-on	Specifies which hosts (from an IP address list) can access this server's cache. It is used on servers with multiple interfaces. 指定哪些主机（来自IP地址列表）可以访问此服务器的缓存。它用于具有多个接口的服务器。
allow-query-on	Specifies which local addresses (an IP address list) are allowed to send queries to this resolver. This option is used in multi-homed configurations. 指定允许哪些本地地址（IP地址列表）向此解析器发送查询。此选项用于多宿主配置。
allow-recursion	Defines an `address_match_list` of clients that are allowed to perform recursive queries. 定义一个 `address_match_list` 允许执行递归查询的客户端。
allow-recursion-on	Specifies which local addresses can accept recursive queries. 指定哪些本地地址可以接受递归查询。
answer-cookie	Controls whether COOKIE EDNS replies are sent in response to client queries. 控制是否发送COOKIE EDNS回复以响应客户端查询。
auth-nxdomain	Controls whether BIND, acting as a resolver, provides authoritative NXDOMAIN (domain does not exist) answers.
blackhole	Defines an `address_match_list` of hosts to ignore. The server will neither respond to queries from nor send queries to these addresses.
break-dnssec	Enables `dns64` synthesis even if the validated result would cause a DNSSEC validation failure.
check-dup-records	Checks primary zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS.
check-names	Restricts the character set and syntax of certain domain names in primary files and/or DNS responses received from the network.
clients	Specifies an access control list (ACL) of clients that are affected by a given `dns64` directive.
deny-answer-addresses	Rejects A or AAAA records if the corresponding IPv4 or IPv6 addresses match a given `address_match_list`.
deny-answer-aliases	Rejects CNAME or DNAME records if the "alias" name matches a given list of `domain_name` elements.
dns64	Instructs `named` to return mapped IPv4 addresses to AAAA queries when there are no AAAA records.
edns-udp-size	Sets the maximum advertised EDNS UDP buffer size to control the size of packets received from authoritative servers in response to recursive queries.
endpoints	Specifies a list of HTTP query paths on which to listen.
exclude	Allows a list of IPv6 addresses to be ignored if they appear in a domain name's AAAA records in `dns64`.
exempt-clients	Exempts specific clients or client groups from rate limiting.
fetch-quota-params	Sets the parameters for dynamic resizing of the `fetches-per-server` quota in response to detected congestion.
fetches-per-server	Sets the maximum number of simultaneous iterative queries allowed to be sent by a server to an upstream name server before the server blocks additional queries.
fetches-per-zone	Sets the maximum number of simultaneous iterative queries allowed to any one domain before the server blocks new queries for data in or beneath that zone.
forward	Allows or disallows fallback to recursion if forwarding has failed; it is always used in conjunction with the `forwarders` statement.
forwarders	Defines one or more hosts to which queries are forwarded.
http	Configures HTTP endpoints on which to listen for DNS-over-HTTPS (DoH) queries.
http-port	Specifies the TCP port number the server uses to receive and send unencrypted DNS traffic via HTTP.
https-port	Specifies the TCP port number the server uses to receive and send DNS-over-HTTPS protocol traffic.
ipv4only-enable	Enables automatic IPv4 zones if a `dns64` block is configured.
ipv4only-server	Specifies the name of the server for the IPV4ONLY.ARPA zone created by `dns64`.
listener-clients	Specifies a per-listener quota for active connections.
log-only	Tests rate-limiting parameters without actually dropping any requests.
mapped	Specifies an access control list (ACL) of IPv4 addresses that are to be mapped to the corresponding A RRset in `dns64`.
max-query-count	Sets the maximum number of iterative queries while servicing a recursive query.
max-query-restarts	Sets the maximum number of chained CNAMEs to follow
max-recursion-queries	Sets the maximum number of iterative queries while servicing a recursive query.
max-rsa-exponent-size	Sets the maximum RSA exponent size (in bits) when validating.
max-udp-size	Sets the maximum EDNS UDP message size sent by `named`.
message-compression	Controls whether DNS name compression is used in responses to regular queries.
min-table-size	Sets the minimum size of the table used to track requests and rate-limit responses.
minimal-any	Controls whether the server replies with only one of the RRsets for a query name, when generating a positive response to a query of type ANY over UDP.
minimal-responses	Controls whether the server only adds records to the authority and additional data sections when they are required (e.g. delegations, negative responses). This improves server performance.
nocookie-udp-size	Sets the maximum size of UDP responses that are sent to queries without a valid server COOKIE.
nodata-per-second	Limits the number of empty (NODATA) responses for a valid domain name.
nxdomain-redirect	Appends the specified suffix to the original query name, when replacing an NXDOMAIN with a redirect namespace.
nxdomains-per-second	Limits the number of undefined subdomains for a valid domain name.
port	Specifies the UDP/TCP port number the server uses to receive and send DNS protocol traffic.
preferred-glue	Controls the order of glue records in an A or AAAA response.
prefetch	Specifies the "trigger" time-to-live (TTL) value at which prefetch of the current query takes place.
qname-minimization	Controls QNAME minimization behavior in the BIND 9 resolver.
qps-scale	Tightens defenses during DNS attacks by scaling back the ratio of the current query-per-second rate.
query-source	Controls the IPv4 address from which queries are issued. If none, then no IPv4 address would be used to issue the query and therefore only IPv6 servers are queried.
query-source-v6	Controls the IPv6 address from which queries are issued. If none, then no IPv6 address would be used to issue the query and therefore only IPv4 servers are quried.
rate-limit	Controls excessive UDP responses, to prevent BIND 9 from being used to amplify reflection denial-of-service (DoS) attacks.
recursion	Defines whether recursion and caching are allowed.
recursive-clients	Specifies the maximum number of concurrent recursive queries the server can perform.
recursive-only	Toggles whether `dns64` synthesis occurs only for recursive queries.
referrals-per-second	Limits the number of referrals or delegations to a server for a given domain.
request-expire	Specifies whether the local server requests the EDNS EXPIRE value, when acting as a secondary.
request-nsid	Controls whether an empty EDNS(0) NSID (Name Server Identifier) option is sent with all queries to authoritative name servers during iterative resolution.
require-cookie	Controls whether responses without a server cookie are accepted.
require-server-cookie	Controls whether a valid server cookie is required before sending a full response to a UDP request.
resolver-query-timeout	Specifies the length of time, in milliseconds, that a resolver attempts to resolve a recursive query before failing.
response-padding	Adds an EDNS Padding option to encrypted messages, to reduce the chance of guessing the contents based on size.
response-policy	Specifies response policy zones for the view or among global options.
responses-per-second	Limits the number of non-empty responses for a valid domain name and record type.
rrset-order	Defines the order in which equal RRs (RRsets) are returned.
search	Specifies whether a Dynamically Loadable Zone (DLZ) module is queried for an answer to a query name.
send-cookie	Controls whether a COOKIE EDNS option is sent along with a query.
server-addresses	Specifies a list of IP addresses to which queries should be sent in recursive resolution for a static-stub zone.
slip	Sets the number of "slipped" responses to minimize the use of forged source addresses for an attack.
sortlist	Controls the ordering of RRs returned to the client, based on the client's IP address.
stale-answer-client-timeout	Defines the amount of time (in milliseconds) that `named` waits before attempting to answer a query with a stale RRset from cache.
stale-answer-enable	Enables the returning of "stale" cached answers when the name servers for a zone are not answering.
stale-answer-ttl	Specifies the time to live (TTL) to be returned on stale answers, in seconds.
stale-cache-enable	Enables the retention of "stale" cached answers.
stale-refresh-time	Sets the time window for the return of "stale" cached answers before the next attempt to contact, if the name servers for a given zone are not responding.
streams-per-connection	Specifies the maximum number of concurrent HTTP/2 streams over an HTTP/2 connection.
suffix	Defines trailing bits for mapped IPv4 address bits in `dns64`.
tcp-advertised-timeout	Sets the timeout value (in milliseconds) that the server sends in responses containing the EDNS TCP keepalive option.
tcp-idle-timeout	Sets the amount of time (in milliseconds) that the server waits on an idle TCP connection before closing it, if the EDNS TCP keepalive option is not in use.
tcp-initial-timeout	Sets the amount of time (in milliseconds) that the server waits on a new TCP connection for the first message from the client.
tcp-keepalive-timeout	Sets the amount of time (in milliseconds) that the server waits on an idle TCP connection before closing it, if the EDNS TCP keepalive option is in use.
tls-port	Specifies the TCP port number the server uses to receive and send DNS-over-TLS protocol traffic.
v6-bias	Indicates the number of milliseconds of preference to give to IPv6 name servers.
window	Specifies the length of time during which responses are tracked.
zero-no-soa-ttl	Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries.
zero-no-soa-ttl-cache	Sets the time to live (TTL) to zero when caching a negative response to an SOA query.

8.4.4. 安全标签声明

Statement	Description
algorithm	Defines the algorithm to be used in a key clause.
ca-file	Specifies the path to a file containing TLS certificates for trusted CA authorities, used to verify remote peer certificates.
cert-file	Specifies the path to a file containing the TLS certificate for a connection.
cipher-suites	Specifies a list of allowed cipher suites in the order of preference for TLSv1.3 only.
ciphers	Specifies a list of allowed ciphers in the order of preference for TLSv1.2 only.
dhparam-file	Specifies the path to a file containing Diffie-Hellman parameters, for enabling cipher suites.
dnsrps-enable	Turns on the DNS Response Policy Service (DNSRPS) interface.
dnsrps-library	Specifies the path to the DNS Response Policy Service (DNSRPS) provider library.
dnsrps-options	Provides additional RPZ configuration settings, which are passed to the DNS Response Policy Service (DNSRPS) provider library.
key	Defines a shared secret key for use with TSIG or the command channel.
key-file	Specifies the path to a file containing the private TLS key for a connection.
keys	Specifies one or more `server_key` s to be used with a remote server.
prefer-server-ciphers	Specifies that server ciphers should be preferred over client ones.
protocols	Specifies the allowed versions of the TLS protocol.
remote-hostname	Specifies the expected hostname in the TLS certificate of the remote server.
response-policy	Specifies response policy zones for the view or among global options.
secret	Defines a Base64-encoded string to be used as the secret by the algorithm.
session-keyalg	Specifies the algorithm to use for the TSIG session key.
session-keyfile	Specifies the pathname of the file where a TSIG session key is written, when generated by `named` for use by `nsupdate -l`.
session-keyname	Specifies the key name for the TSIG session key.
session-tickets	Enables or disables session resumption through TLS session tickets.
tkey-domain	Sets the domain appended to the names of all shared keys generated with `TKEY`.
tkey-gssapi-credential	Sets the security credential for authentication keys requested by the GSS-TSIG protocol.
tkey-gssapi-keytab	Sets the KRB5 keytab file to use for GSS-TSIG updates.
tls	Configures a TLS connection.

8.4.5. 服务器标签声明

Statement	Description
acl	Assigns a symbolic name to an address match list.
allow-new-zones	Controls the ability to add zones at runtime via `rndc addzone`.
allow-proxy	Defines an `address_match_list` for the client addresses allowed to send PROXYv2 headers.
allow-proxy-on	Defines an `address_match_list` for the interface addresses allowed to accept PROXYv2 headers. The option is mostly intended for multi-homed configurations.
allow-recursion-on	Specifies which local addresses can accept recursive queries.
automatic-interface-scan	Controls the automatic rescanning of network interfaces when addresses are added or removed.
bogus	Allows a remote server to be ignored.
ca-file	Specifies the path to a file containing TLS certificates for trusted CA authorities, used to verify remote peer certificates.
cert-file	Specifies the path to a file containing the TLS certificate for a connection.
check-names	Restricts the character set and syntax of certain domain names in primary files and/or DNS responses received from the network.
clients-per-query	Sets the initial minimum number of simultaneous recursive clients accepted by the server for any given query before the server drops additional clients.
controls	Specifies control channels to be used to manage the name server.
cookie-algorithm	Sets the algorithm to be used when generating a server cookie.
cookie-secret	Specifies a shared secret used for generating and verifying EDNS COOKIE options within an anycast cluster.
dhparam-file	Specifies the path to a file containing Diffie-Hellman parameters, for enabling cipher suites.
directory	Sets the server's working directory.
disable-empty-zone	Disables individual empty zones.
dns64-contact	Specifies the name of the contact for `dns64` zones.
dns64-server	Specifies the name of the server for `dns64` zones.
dnsrps-enable	Turns on the DNS Response Policy Service (DNSRPS) interface.
dnsrps-library	Specifies the path to the DNS Response Policy Service (DNSRPS) provider library.
dnsrps-options	Provides additional RPZ configuration settings, which are passed to the DNS Response Policy Service (DNSRPS) provider library.
dual-stack-servers	Specifies host names or addresses of machines with access to both IPv4 and IPv6 transports.
edns	Controls the use of the EDNS0 (RFC 2671) feature.
edns-version	Sets the maximum EDNS VERSION that is sent to the server(s) by the resolver.
empty-contact	Specifies the contact name in the returned SOA record for empty zones.
empty-server	Specifies the server name in the returned SOA record for empty zones.
empty-zones-enable	Enables or disables all empty zones.
endpoints	Specifies a list of HTTP query paths on which to listen.
errors-per-second	Limits the number of errors for a valid domain name and record type.
fetch-quota-params	Sets the parameters for dynamic resizing of the `fetches-per-server` quota in response to detected congestion.
fetches-per-server	Sets the maximum number of simultaneous iterative queries allowed to be sent by a server to an upstream name server before the server blocks additional queries.
fetches-per-zone	Sets the maximum number of simultaneous iterative queries allowed to any one domain before the server blocks new queries for data in or beneath that zone.
geoip-directory	Specifies the directory containing GeoIP database files.
hostname	Specifies the hostname of the server to return in response to a `hostname.bind` query.
http	Configures HTTP endpoints on which to listen for DNS-over-HTTPS (DoH) queries.
http-listener-clients	Limits the number of active concurrent connections on a per-listener basis.
http-port	Specifies the TCP port number the server uses to receive and send unencrypted DNS traffic via HTTP.
http-streams-per-connection	Limits the number of active concurrent HTTP/2 streams on a per-connection basis.
https-port	Specifies the TCP port number the server uses to receive and send DNS-over-HTTPS protocol traffic.
inet	Specifies a TCP socket as a control channel.
interface-interval	Sets the interval at which the server scans the network interface list.
ipv4-prefix-length	Specifies the prefix lengths of IPv4 address blocks.
ipv4only-contact	Specifies the contact for the IPV4ONLY.ARPA zone created by `dns64`.
ipv4only-server	Specifies the name of the server for the IPV4ONLY.ARPA zone created by `dns64`.
ipv6-prefix-length	Specifies the prefix lengths of IPv6 address blocks.
key-file	Specifies the path to a file containing the private TLS key for a connection.
keys	Specifies one or more `server_key` s to be used with a remote server.
lame-ttl	Sets the resolver's lame cache.
listen-on	Specifies the IPv4 addresses on which a server listens for DNS queries.
listen-on-v6	Specifies the IPv6 addresses on which a server listens for DNS queries.
listener-clients	Specifies a per-listener quota for active connections.
lmdb-mapsize	Sets a maximum size for the memory map of the new-zone database in LMDB database format.
masterfile-format	Specifies the file format of zone files.
masterfile-style	Specifies the format of zone files during a dump, when the `masterfile-format` is `text`.
match-mapped-addresses	Allows IPv4-mapped IPv6 addresses to match address-match list entries for corresponding IPv4 addresses.
max-cache-size	Sets the maximum amount of memory to use for an individual cache database and its associated metadata.
max-cache-ttl	Specifies the maximum time (in seconds) that the server caches ordinary (positive) answers.
max-clients-per-query	Sets the maximum number of simultaneous recursive clients accepted by the server for any given query before the server drops additional clients.
max-ncache-ttl	Specifies the maximum retention time (in seconds) for storage of negative answers in the server's cache.
max-query-count	Sets the maximum number of iterative queries while servicing a recursive query.
max-query-restarts	Sets the maximum number of chained CNAMEs to follow
max-records	Sets the maximum number of records permitted in a zone.
max-records-per-type	Sets the maximum number of records that can be stored in an RRset.
max-recursion-depth	Sets the maximum number of levels of recursion permitted at any one time while servicing a recursive query.
max-recursion-queries	Sets the maximum number of iterative queries while servicing a recursive query.
max-stale-ttl	Specifies the maximum time that the server retains records past their normal expiry, to return them as stale records.
max-table-size	Sets the maximum size of the table used to track requests and rate-limit responses.
max-types-per-name	Sets the maximum number of RR types that can be stored for an owner name.
max-validation-failures-per-fetch	Sets the maximum number of DNSSEC validation failures that can happen in a single fetch.
max-validations-per-fetch	Sets the maximum number of DNSSEC validations that can happen in a single fetch.
memstatistics	Controls whether memory statistics are written to the file specified by `memstatistics-file` at exit.
min-cache-ttl	Specifies the minimum time (in seconds) that the server caches ordinary (positive) answers.
min-ncache-ttl	Specifies the minimum retention time (in seconds) for storage of negative answers in the server's cache.
no-case-compress	Specifies a list of addresses that require case-insensitive compression in responses.
options	Defines global options to be used by BIND 9.
padding	Adds EDNS Padding options to outgoing messages to increase the packet size.
pid-file	Specifies the pathname of the file where the server writes its process ID.
plugin	Configures plugins in `named.conf`.
port	Specifies the UDP/TCP port number the server uses to receive and send DNS protocol traffic.
prefer-server-ciphers	Specifies that server ciphers should be preferred over client ones.
querylog	Specifies whether query logging should be active when `named` first starts.
recursing-file	Specifies the pathname of the file where the server dumps queries that are currently recursing via `rndc recursing`.
remote-servers	Defines a list of servers to be used by primary and secondary zones.
resolver-use-dns64	Specifies whether to apply DNS64 mappings when sending queries.
response-policy	Specifies response policy zones for the view or among global options.
responselog	Specifies whether response logging should be active when `named` first starts.
reuseport	Enables kernel load-balancing of sockets.
root-key-sentinel	Controls whether BIND 9 responds to root key sentinel probes.
server	Defines characteristics to be associated with a remote name server.
server-id	Specifies the ID of the server to return in response to a `ID.SERVER` query.
servfail-ttl	Sets the length of time (in seconds) that a SERVFAIL response is cached.
sig0checks-quota	Specifies the maximum number of concurrent SIG(0) signature checks that can be processed by the server.
sig0checks-quota-exempt	Exempts specific clients or client groups from SIG(0) signature checking quota.
sig0key-checks-limit	Specifies the maximum number of SIG(0) keys to consider when trying to verify a message.
sig0message-checks-limit	Specifies the maximum number of matching SIG(0) keys to try to verify a message.
stale-answer-client-timeout	Defines the amount of time (in milliseconds) that `named` waits before attempting to answer a query with a stale RRset from cache.
stale-answer-enable	Enables the returning of "stale" cached answers when the name servers for a zone are not answering.
stale-cache-enable	Enables the retention of "stale" cached answers.
stale-refresh-time	Sets the time window for the return of "stale" cached answers before the next attempt to contact, if the name servers for a given zone are not responding.
statistics-file	Specifies the pathname of the file where the server appends statistics, when using `rndc stats`.
streams-per-connection	Specifies the maximum number of concurrent HTTP/2 streams over an HTTP/2 connection.
tcp-clients	Specifies the maximum number of simultaneous client TCP connections accepted by the server.
tcp-initial-timeout	Sets the amount of time (in milliseconds) that the server waits on a new TCP connection for the first message from the client.
tcp-keepalive	Adds EDNS TCP keepalive to messages sent over TCP.
tcp-listen-queue	Sets the listen-queue depth.
tcp-only	Sets the transport protocol to TCP.
tcp-receive-buffer	Sets the operating system's receive buffer size for TCP sockets.
tcp-send-buffer	Sets the operating system's send buffer size for TCP sockets.
tls-port	Specifies the TCP port number the server uses to receive and send DNS-over-TLS protocol traffic.
transfers	Limits the number of concurrent inbound zone transfers from a server.
udp-receive-buffer	Sets the operating system's receive buffer size for UDP sockets.
udp-send-buffer	Sets the operating system's send buffer size for UDP sockets.
update-quota	Specifies the maximum number of concurrent DNS UPDATE messages that can be processed by the server.
v6-bias	Indicates the number of milliseconds of preference to give to IPv6 name servers.
version	Specifies the version number of the server to return in response to a `version.bind` query.
zero-no-soa-ttl	Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries.
zero-no-soa-ttl-cache	Sets the time to live (TTL) to zero when caching a negative response to an SOA query.

8.4.6. 转移标签声明

Statement	Description
allow-notify	Defines an `address_match_list` that is allowed to send `NOTIFY` messages for the zone, in addition to addresses defined in the `primaries` option for the zone.
allow-transfer	Defines an `address_match_list` of hosts that are allowed to transfer the zone information from this server.
allow-update	Defines an `address_match_list` of hosts that are allowed to submit dynamic updates for primary zones.
allow-update-forwarding	Defines an `address_match_list` of hosts that are allowed to submit dynamic updates to a secondary server for transmission to a primary.
also-notify	Defines one or more hosts that are sent `NOTIFY` messages when zone changes occur.
ixfr-from-differences	Controls how IXFR transfers are calculated.
max-ixfr-ratio	Sets the maximum size for IXFR responses to zone transfer requests.
max-journal-size	Controls the size of journal files.
max-refresh-time	Limits the zone refresh interval to no less often than the specified value, in seconds.
max-retry-time	Limits the zone refresh retry interval to no less often than the specified value, in seconds.
max-transfer-idle-in	Specifies the number of minutes after which inbound zone transfers making no progress are terminated.
max-transfer-idle-out	Specifies the number of minutes after which outbound zone transfers making no progress are terminated.
max-transfer-time-in	Specifies the number of minutes after which inbound zone transfers are terminated.
max-transfer-time-out	Specifies the number of minutes after which outbound zone transfers are terminated.
min-refresh-time	Limits the zone refresh interval to no more often than the specified value, in seconds.
min-retry-time	Limits the zone refresh retry interval to no more often than the specified value, in seconds.
min-transfer-rate-in	Specifies the minimum traffic rate below which inbound zone transfers are terminated.
multi-master	Controls whether serial number mismatch errors are logged.
notify	Controls whether `NOTIFY` messages are sent on zone changes.
notify-delay	Sets the delay (in seconds) between sending sets of NOTIFY messages for a zone.
notify-rate	Specifies the rate at which NOTIFY requests are sent during normal zone maintenance operations.
notify-source	Defines the IPv4 address (and optional port) to be used for outgoing `NOTIFY` messages.
notify-source-v6	Defines the IPv6 address (and optional port) to be used for outgoing `NOTIFY` messages.
notify-to-soa	Controls whether the name servers in the NS RRset are checked against the SOA MNAME.
primaries	Defines one or more servers that zone transfer can be requested from.
provide-ixfr	Controls whether a primary responds to an incremental zone request (IXFR) or only responds with a full zone transfer (AXFR).
request-expire	Specifies whether the local server requests the EDNS EXPIRE value, when acting as a secondary.
request-ixfr	Controls whether a secondary requests an incremental zone transfer (IXFR) or a full zone transfer (AXFR).
serial-query-rate	Defines an upper limit on the number of queries per second issued by the server, when querying the SOA RRs used for zone transfers.
startup-notify-rate	Specifies the rate at which NOTIFY requests are sent when the name server is first starting, or when new zones have been added.
transfer-format	Controls whether multiple records can be packed into a message during zone transfers.
transfer-message-size	Limits the uncompressed size of DNS messages used in zone transfers over TCP.
transfer-source	Defines which local IPv4 address(es) are bound to TCP connections used to fetch zones transferred inbound by the server.
transfer-source-v6	Defines which local IPv6 address(es) are bound to TCP connections used to fetch zones transferred inbound by the server.
transfers-in	Limits the number of concurrent inbound zone transfers.
transfers-out	Limits the number of concurrent outbound zone transfers.
transfers-per-ns	Limits the number of concurrent inbound zone transfers from a remote server.
try-tcp-refresh	Specifies that BIND 9 should attempt to refresh a zone using TCP if UDP queries fail.
update-policy	Sets fine-grained rules to allow or deny dynamic updates (DDNS), based on requester identity, updated content, etc.

8.4.7. 查看标签声明

Statement	Description
attach-cache	Allows multiple views to share a single cache database.
in-view	Specifies the view in which a given zone is defined.
match-clients	Specifies a view of DNS namespace for a given subset of client IP addresses.
match-destinations	Specifies a view of DNS namespace for a given subset of destination IP addresses.
match-recursive-only	Specifies that only recursive requests can match this view of the DNS namespace.
view	Allows a name server to answer a DNS query differently depending on who is asking.

8.4.8. 区域标签声明

Statement	Description
allow-new-zones	Controls the ability to add zones at runtime via `rndc addzone`.
catalog-zones	Configures catalog zones in `named.conf`.
check-integrity	Performs post-load zone integrity checks on primary zones.
check-mx	Checks whether an MX record appears to refer to an IP address.
check-mx-cname	Sets the response to MX records that refer to CNAMEs.
check-sibling	Specifies whether to check for sibling glue when performing integrity checks.
check-spf	Specifies whether to check for a TXT Sender Policy Framework record, if an SPF record is present.
check-srv-cname	Sets the response to SRV records that refer to CNAMEs.
check-svcb	Specifies whether to perform additional checks on SVCB records.
check-wildcard	Checks for non-terminal wildcards.
database	Specifies the type of database to be used to store zone data.
disable-ds-digests	Disables DS digest types from a specified zone.
disable-empty-zone	Disables individual empty zones.
dlz	Configures a Dynamically Loadable Zone (DLZ) database in `named.conf`.
dyndb	Configures a DynDB database in `named.conf`.
empty-contact	Specifies the contact name in the returned SOA record for empty zones.
empty-server	Specifies the server name in the returned SOA record for empty zones.
empty-zones-enable	Enables or disables all empty zones.
file	Specifies the zone's filename.
flush-zones-on-shutdown	Controls whether pending zone writes are flushed when the name server exits.
in-view	Specifies the view in which a given zone is defined.
inline-signing	Specifies whether BIND 9 maintains a separate signed version of a zone.
journal	Allows the default journal's filename to be overridden.
masterfile-format	Specifies the file format of zone files.
max-records	Sets the maximum number of records permitted in a zone.
new-zones-directory	Specifies the directory where configuration parameters are stored for zones added by `rndc addzone`.
notify-delay	Sets the delay (in seconds) between sending sets of NOTIFY messages for a zone.
notify-rate	Specifies the rate at which NOTIFY requests are sent during normal zone maintenance operations.
parent-propagation-delay	Sets the propagation delay from the time the parent zone is updated to when the new version is served by all of the parent zone's name servers.
primaries	Defines one or more servers that zone transfer can be requested from.
response-policy	Specifies response policy zones for the view or among global options.
serial-update-method	Specifies the update method to be used for the zone serial number in the SOA record.
server-addresses	Specifies a list of IP addresses to which queries should be sent in recursive resolution for a static-stub zone.
server-names	Specifies a list of domain names of name servers that act as authoritative servers of a static-stub zone.
startup-notify-rate	Specifies the rate at which NOTIFY requests are sent when the name server is first starting, or when new zones have been added.
type	Specifies the kind of zone in a given configuration.
type forward	Contains forwarding statements that apply to queries within a given domain.
type hint	Contains the initial set of root name servers to be used at BIND 9 startup.
type mirror	Contains a DNSSEC-validated duplicate of the main data for a zone.
type primary	Contains the main copy of the data for a zone.
type redirect	Contains information to answer queries when normal resolution would return NXDOMAIN.
type secondary	Contains a duplicate of the data for a zone that has been transferred from a primary server.
type static-stub	Contains a duplicate of the NS records of a primary zone, but statically configured rather than transferred from a primary server.
type stub	Contains a duplicate of the NS records of a primary zone.
zero-no-soa-ttl	Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries.
zero-no-soa-ttl-cache	Sets the time to live (TTL) to zero when caching a negative response to an SOA query.
zone	Specifies the zone in a BIND 9 configuration.
zone-propagation-delay	Sets the propagation delay from the time a zone is first updated to when the new version of the zone is served by all secondary servers.
zone-statistics	Controls the level of statistics gathered for all zones.

8.4.9. 弃用的标记语句

Statement	Description
avoid-v4-udp-ports	Specifies the range(s) of ports to be excluded from use as sources for UDP/IPv4 messages.
avoid-v6-udp-ports	Specifies the range(s) of ports to be excluded from use as sources for UDP/IPv6 messages.
dialup	Concentrates zone maintenance so that all transfers take place once every `heartbeat-interval`, ideally during a single call.
dnssec-must-be-secure	Defines hierarchies that must or may not be secure (signed and validated).
heartbeat-interval	Sets the interval at which the server performs zone maintenance tasks for all zones marked as `dialup`.
managed-keys
max-zone-ttl	Specifies a maximum permissible time-to-live (TTL) value, in seconds.
sortlist	Controls the ordering of RRs returned to the client, based on the client's IP address.
trusted-keys
use-v4-udp-ports	Specifies a list of ports that are valid sources for UDP/IPv4 messages.
use-v6-udp-ports	Specifies a list of ports that are valid sources for UDP/IPv6 messages.

第八章：配置参考

8.1. 配置文件 (named.conf)

8.1.1. 注释语法

8.1.1.1. 语法

8.1.1.2. 定义和用法

8.1.2. 配置布局样式

8.1.3. include 指令

8.1.3.1. include 指令定义和使用

8.1.4. 地址匹配列表

8.1.4.1. 语法

8.1.4.2. 定义和用法

8.1.5. 所用术语表

8.2. 块

8.2.1. acl 块语法

8.2.2. acl 块定义和使用

8.2.3. controls 块语法

8.2.4. controls 块定义和使用

8.2.5. key 块语法

8.2.6. key 块定义和使用

8.2.7. key-store 块语法

8.2.8. key-store 快定义和使用

8.2.9. logging Block Grammar

8.2.10. logging Block Definition and Usage

8.2.10.1. The channel Phrase

8.2.10.2. The category Phrase

8.2.10.3. The query-errors Category

8.2.11. parental-agents Block Grammar

8.2.12. parental-agents Block Definition and Usage

8.2.13. primaries Block Grammar

8.2.14. primaries Block Definition and Usage

8.2.15. options Block Grammar

8.2.16. options Block Definition and Usage