The operational functionality of BIND 9 is defined using the file named.conf, which is typically located in /etc or /usr/local/etc/namedb, depending on the operating system or distribution. If rndc is run from a remote host, a further file, rndc.conf, is also present, but that file is not required when rndc is run from localhost (the same system on which BIND 9 runs).
A named.conf file may contain three types of entities:

Comment
Multiple comment formats are supported.

Block
Blocks are containers for statements that either have a common function (for example, the definition of cryptographic keys in a key block) or define the scope of the statements they contain (for example, statements that appear in a zone block have scope only for that zone).
Blocks are organized hierarchically in named.conf and may have a number of different properties: some blocks are top-level only, for example the options block and the logging block; some blocks are named, for example a zone block (zone example.com {…};) or a key block (key mykey {…};); and some blocks may be nested inside other blocks, for example a zone block may appear inside a view block. The description of each block in this manual lists its permitted locations.

Statement
The simplest statements take a single value argument: the recursion statement takes the string yes or no (recursion yes;), while the port statement takes a numeric value that defines the DNS port number (port 53;). More complex statements take one or more argument/value pairs; the also-notify statement, for instance, can take several such pairs, as in also-notify port 5353, where port is the argument and 5353 is its value. A statement may be permitted in only one block, for example the algorithm statement may appear only in a key block, or in several blocks: an also-notify statement may appear in the options block with global (server-wide) scope, in a zone block with scope for that zone only (overriding any global statement), or in a view block with scope for that view only (overriding any global statement).

The named.conf file may also contain one or more instances of the include Directive. This directive is provided purely as an administrative convenience when assembling a complete named.conf file; it plays no further part in the operational characteristics or features of BIND 9.

Note: Over the years the BIND ARM has acquired a confusing set of terminology. Many of the terms used describe similar concepts and merely add a layer of complexity, confusion, or mystery to BIND 9 configuration. The ARM now uses only the terms Block, Statement, Argument, Value, and Directive to describe all the entities used in a BIND 9 configuration.
The BIND 9 comment syntax allows comments to appear anywhere that whitespace may appear in a BIND configuration file. To appeal to programmers of all kinds, they can be written in C, C++, or shell/Perl style.

```
/* This is a BIND comment as in C */
```

```
// This is a BIND comment as in C++
```

```
# This is a BIND comment as in common Unix shells
# and Perl
```

Comments may be placed anywhere that whitespace may appear in a BIND configuration file.

C-style comments start with the two characters /* (slash, star) and end with */ (star, slash). Because they are completely delimited by these characters, they can be used to comment out only a portion of a line or to span multiple lines.

C-style comments cannot be nested. For example, the following is not valid because the entire comment ends with the first */:

```
/* This is the start of a comment.
   This is still part of the comment.
/* This is an incorrect attempt at nesting a comment. */
   This is no longer in any comment. */
```

C++-style comments start with the two characters // (slash, slash) and continue to the end of the physical line. They cannot span multiple physical lines; to have one logical comment span multiple lines, each line must use the // pair. For example:

```
// This is the start of a comment. The next line
// is a new comment, even though it is logically
// part of the previous comment.
```

Shell-style (or Perl-style) comments start with the character # (number sign) and continue to the end of the physical line, like C++ comments. For example:

```
# This is the start of a comment. The next line
# is a new comment, even though it is logically
# part of the previous comment.
```

Warning: Unlike in zone files, the semicolon (;) character cannot start a comment. The semicolon indicates the end of a configuration statement.
BIND is very particular about opening and closing brackets/braces, semicolons, and all the other separators defined in the formal grammars later in this chapter. There are many layout styles that can help reduce errors, as the following examples show:

```
// dense single-line style
zone "example.com" in{type secondary; file "secondary.example.com"; primaries {10.0.0.1;};};
// single-statement-per-line style
zone "example.com" in{
    type secondary;
    file "secondary.example.com";
    primaries {10.0.0.1;};
};
// spot the difference
zone "example.com" in{
    type secondary;
    file "sec.secondary.com";
    primaries {10.0.0.1;}; };
```
include Directive

```
include filename;
```

include Directive Definition and Usage

The include directive inserts the specified file (or files, if a valid glob expression is detected) at the point where the include directive is encountered. The include directive facilitates the administration of configuration files by permitting the reading or writing of some things but not others. For example, the statement could include private keys that are readable only by the name server.
Address match lists are lists of address_match_elements separated by semicolons:

```
{ <address_match_element>; ... };
```

Each element is then defined as:

address_match_element
```
[ ! ] ( <ip_address> | <netprefix> | key <server_key> | <acl_name> | { address_match_list } )
```

Address match lists are primarily used to determine access control for various server operations. They are also used in the listen-on and sortlist statements. The elements that constitute an address match list can be any of the following:
- an ip_address;
- a netprefix (specified in slash notation);
- a key, as defined by a key statement;
- the name of an address match list defined with an acl statement;
- a nested address match list enclosed in braces.

Elements can be negated with a leading exclamation mark (!), and the match list names "any", "none", "localhost", and "localnets" are predefined. More information on those names can be found in the description of the acl statement.

The addition of the key clause made the name of this syntactic element something of a misnomer, since security keys can be used to validate access without regard to a host or network address. Nonetheless, the term "address match list" is still used throughout the documentation.

When a given IP address or prefix is compared to an address match list, the comparison takes place in approximately O(1) time. However, key comparisons require that the list of keys be traversed until a matching key is found, and therefore may be somewhat slower.

The interpretation of a match depends on whether the list is being used for access control, for defining listen-on ports, or in a sortlist, and on whether the element was negated.

When used as an access control list, a non-negated match allows access and a negated match denies access. If there is no match, access is denied. The clauses allow-notify, allow-recursion, allow-recursion-on, allow-query, allow-query-cache, allow-query-cache-on, allow-transfer, allow-update, allow-update-forwarding, and blackhole all use address match lists. Similarly, the listen-on option causes the server to refuse queries on any of the machine's addresses that do not match the list.

Order of insertion is significant. If more than one element in an ACL is found to match a given IP address or prefix, preference is given to the one that appears first in the ACL definition. Because of this first-match behavior, an element that defines a subset of another element in the list should come before the broader element, regardless of whether either is negated. For example, in 1.2.3/24; !1.2.3.13; the 1.2.3.13 element is completely useless, because the algorithm matches any lookup for 1.2.3.13 to the 1.2.3/24 element. Using !1.2.3.13; 1.2.3/24 fixes that problem by blocking 1.2.3.13 via the negation, while all other 1.2.3.* hosts pass through.
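To make the first-match rule concrete, here is an added Python evaluator for a small model of address match lists; it is example code written for this page, not part of the BIND ARM or of named. Elements are written as the strings named accepts (an ip_address or netprefix, a leading ! for negation, key <name>, or an acl name), a nested list is a Python list, and a negated nested list is the tuple ("!", [...]); the acls dictionary of named lists and the key argument (the TSIG key name on the request) are assumptions of the example. It goes beyond the text's two lists by also covering keys, nested lists, and named ACLs.

```python
import ipaddress


def parse_netprefix(text):
    """Parse a BIND ip_address or netprefix. As in named, trailing zero
    octets of an IPv4 prefix may be omitted: 127/8 -> 127.0.0.0/8."""
    addr, _, plen = text.partition("/")
    if ":" not in addr:  # IPv4: pad to four dotted-decimal elements
        parts = addr.split(".")
        addr = ".".join(parts + ["0"] * (4 - len(parts)))
    if not plen:         # a bare host address is a /32 or /128 prefix
        return ipaddress.ip_network(addr)
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def match_list(elements, addr, key=None, acls=None):
    """Walk the list in order and stop at the FIRST element that matches.
    Returns True for a positive match, False for a negated match, and
    None when nothing matched (which an access control list treats as deny)."""
    acls = acls or {}
    ip = ipaddress.ip_address(addr)
    for elem in elements:
        negate = False
        if isinstance(elem, tuple):                 # ("!", [nested list])
            negate, elem = True, elem[1]
        elif isinstance(elem, str) and elem.startswith("!"):
            negate, elem = True, elem[1:].strip()
        if isinstance(elem, list):                  # nested address match list
            hit = match_list(elem, addr, key, acls)
        elif elem.startswith("key "):               # matches the signing key, not an address
            hit = True if key is not None and key == elem[4:].strip() else None
        elif elem == "any":
            hit = True
        elif elem == "none":
            hit = None
        elif elem in acls:                          # acl_name: evaluate the named list
            hit = match_list(acls[elem], addr, key, acls)
        else:                                       # ip_address or netprefix
            hit = True if ip in parse_netprefix(elem) else None
        if hit is not None:
            return (not hit) if negate else hit     # negation flips the verdict
    return None


def allowed(elements, addr, key=None, acls=None):
    """Access-control interpretation: only a positive match grants access."""
    return match_list(elements, addr, key, acls) is True


# Constructed lists taken from the text above: the first one shadows its negation.
SHADOWED = ["1.2.3/24", "!1.2.3.13"]   # 1.2.3.13 is matched by 1.2.3/24 first
ORDERED = ["!1.2.3.13", "1.2.3/24"]    # the more specific element comes first

if __name__ == "__main__":
    for name, acl in (("shadowed", SHADOWED), ("ordered", ORDERED)):
        print(f"{name}: 1.2.3.13 -> {allowed(acl, '1.2.3.13')}, "
              f"1.2.3.7 -> {allowed(acl, '1.2.3.7')}")
```

Running it shows the point of the paragraph: SHADOWED still admits 1.2.3.13, ORDERED refuses it while admitting the rest of 1.2.3/24, and an address that matches nothing is refused because the default is deny. A useful habit when reviewing an allow-* list is to feed it the addresses it is meant to exclude, as the test does here.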
The following is a list of terms used in the BIND configuration file documentation:

acl_name
The name of an address_match_list as defined by the acl statement.

address_match_list
See Address Match Lists.

boolean
yes or no. The words true and false are also accepted, as are the numbers 1 and 0.

domain_name
A quoted string used as a DNS name; for example: my.test.domain.

duration
A duration in BIND 9 can be written in three ways: as a single number representing seconds, as a string of numbers with TTL-style time-unit suffixes, or in ISO 8601 duration format.
The allowed TTL time-unit suffixes are: "W" (week), "D" (day), "H" (hour), "M" (minute), and "S" (second). Examples: "1W" (1 week), "3d12h" (3 days 12 hours).
The ISO 8601 duration format consists of the letter "P", followed by an optional series of numbers with the unit suffixes "Y" (year), "M" (month), "W" (week), and "D" (day); this may optionally be followed by the letter "T" and another series of numbers with the unit suffixes "H" (hour), "M" (minute), and "S" (second). Examples: "P3M10D" (3 months 10 days), "P2WT12H" (2 weeks 12 hours), "pt15m" (15 minutes). For more information on the ISO 8601 duration format, see RFC 3339, Appendix A.
Both the TTL-style and ISO 8601 duration formats are case-insensitive.

fixedpoint
A non-negative real number that can be specified to the nearest one-hundredth. Up to five digits can be specified before a decimal point, and up to two digits after, so the maximum value is 9999.99. Acceptable values may be further limited by the context in which they are used.

integer
A non-negative 32-bit integer (i.e., a number between 0 and 4294967295, inclusive). Its acceptable value may be further limited by the context in which it is used.

ip_address
An ipv4_address or ipv6_address.

ipv4_address
An IPv4 address with exactly four integer elements valued 0 through 255 and separated by dots (.), such as 192.168.1.1 (a "dotted-decimal" notation in which all four elements are present).

ipv6_address
An IPv6 address, such as 2001:db8::1234. IPv6-scoped addresses that have ambiguity on their scope zones must be disambiguated by an appropriate zone ID with the percent character (%) as a delimiter. It is strongly recommended to use string zone names rather than numeric identifiers, to be robust against system configuration changes. However, since there is no standard mapping for such names and identifier values, only interface names as link identifiers are supported, assuming a one-to-one mapping between interfaces and links. For example, a link-local address fe80::1 on the link attached to the interface ne0 can be specified as fe80::1%ne0. Note that on most systems link-local addresses always have ambiguity and need to be disambiguated.

netprefix
An IP network specified as an ip_address, followed by a slash (/) and then the number of bits in the netmask. Trailing zeros in an ip_address may be omitted. For example, 127/8 is the network 127.0.0.0 with netmask 255.0.0.0, and 1.2.3.0/28 is the network 1.2.3.0 with netmask 255.255.255.240. When specifying a prefix involving an IPv6-scoped address, the scope may be omitted. In that case, the prefix matches packets from any scope.

percentage
An integer value followed by % to represent percent.

port
An IP port integer. It is limited to 0 through 65535, with values below 1024 typically restricted to use by processes running as root. In some cases, an asterisk (*) character can be used as a placeholder to select a random high-numbered port.

portrange
A list of a port or a port range. A port range is specified in the form of range followed by two ports, port_low and port_high, which represent the port numbers from port_low through port_high, inclusive. port_low must not be larger than port_high. For example, range 1024 65535 represents ports from 1024 through 65535. The asterisk (*) character is not allowed as a valid port or as a port range boundary.

remote-servers
A named list of one or more ip_addresses with optional tls_id, server_key, and/or port. A remote-servers list may include other remote-servers lists. See primaries Block.

size
sizeval
A 64-bit unsigned integer. Integers may take values 0 <= value <= 18446744073709551615, though certain parameters (such as max-journal-size) may use a more limited range within these extremes. In most cases, setting a value to 0 does not literally mean zero; it means "undefined" or "as big as possible," depending on the context. See the explanations of the particular parameters that use size for details on how they interpret its use. Numeric values can optionally be followed by a scaling factor: K or k for kilobytes, M or m for megabytes, and G or g for gigabytes, which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.
Some statements also accept the keywords unlimited or default: unlimited generally means "as big as possible," and is usually the best way to safely set a very large number. default uses the limit that was in force when the server was started.

tls-id
A named TLS configuration object which defines a TLS key and certificate. See tls Block.
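The duration, size, and fixedpoint entries above describe three small value grammars that are easy to get subtly wrong (a lone "P", a unit named suffixes cannot parse, a size beyond 64 bits). The following added Python parsers, written for this page and not taken from named's own parser, implement those three entries as described. ISO 8601 months and years have no fixed length; treating them as 30 and 365 days is an assumption of this example.

```python
import re

# Seconds per unit. Approximating a month as 30 days and a year as 365 days
# is an assumption of this example, not something the ARM specifies.
TTL_UNITS = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
ISO_DATE_UNITS = {"y": 365 * 86400, "m": 30 * 86400, "w": 7 * 86400, "d": 86400}
ISO_TIME_UNITS = {"h": 3600, "m": 60, "s": 1}

# P[nY][nM][nW][nD][T[nH][nM][nS]]; group order matches the two dicts above.
_ISO_RE = re.compile(
    r"p(?:(\d+)y)?(?:(\d+)m)?(?:(\d+)w)?(?:(\d+)d)?"
    r"(?:t(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?)?")


def parse_duration(text):
    """Return a duration in seconds, accepting the three forms listed above:
    plain seconds, TTL-style suffixes (3d12h) and ISO 8601 (P2WT12H).
    Both suffix forms are case-insensitive, so everything is lower-cased."""
    t = text.strip().lower()
    if t.isdigit():
        return int(t)
    if t.startswith("p"):
        m = _ISO_RE.fullmatch(t)
        # "P" or "PT" alone, or a trailing "T" with no time part, carry no value.
        if not m or t in ("p", "pt") or t.endswith("t"):
            raise ValueError(f"bad ISO 8601 duration: {text!r}")
        units = list(ISO_DATE_UNITS.values()) + list(ISO_TIME_UNITS.values())
        return sum(int(v) * u for v, u in zip(m.groups(), units) if v)
    if not re.fullmatch(r"(?:\d+[wdhms])+", t):
        raise ValueError(f"bad TTL-style duration: {text!r}")
    return sum(int(n) * TTL_UNITS[u] for n, u in re.findall(r"(\d+)([wdhms])", t))


SIZE_SCALE = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
SIZE_MAX = 2 ** 64 - 1


def parse_size(text):
    """Return a size in bytes, or the keyword 'unlimited'/'default' unchanged,
    since their meaning is decided by the statement that uses them."""
    t = text.strip().lower()
    if t in ("unlimited", "default"):
        return t
    m = re.fullmatch(r"(\d+)([kmg]?)", t)
    if not m:
        raise ValueError(f"bad size: {text!r}")
    value = int(m.group(1)) * SIZE_SCALE[m.group(2)]
    if value > SIZE_MAX:
        raise ValueError(f"size {text!r} exceeds the 64-bit range")
    return value


def parse_fixedpoint(text):
    """Return a fixedpoint value as an integer number of hundredths, enforcing
    the stated limits: up to five digits before the point, two after, 9999.99 max."""
    m = re.fullmatch(r"(\d{1,5})(?:\.(\d{1,2}))?", text.strip())
    if not m:
        raise ValueError(f"bad fixedpoint: {text!r}")
    value = int(m.group(1)) * 100 + int((m.group(2) or "0").ljust(2, "0"))
    if value > 999999:
        raise ValueError(f"fixedpoint {text!r} exceeds 9999.99")
    return value


if __name__ == "__main__":
    for sample in ("3600", "1W", "3d12h", "P3M10D", "P2WT12H", "pt15m"):
        print(f"{sample:>8} -> {parse_duration(sample)} s")
    for sample in ("10M", "1g", "0", "unlimited"):
        print(f"{sample:>8} -> {parse_size(sample)}")
```

The worked values match the glossary's own examples: "3d12h" is 302400 seconds and "P2WT12H" is 1252800 seconds, while "P" on its own, "3x", and "99999.99" are rejected rather than silently truncated.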
A BIND 9 configuration consists of blocks, statements, and comments.

The following blocks are supported:

acl
Defines a named IP address matching list, for access control and other uses.

controls
Declares control channels to be used by the rndc utility.

dnssec-policy
Describes a DNSSEC key and signing policy for zones. See dnssec-policy for details.

key
Specifies key information for use in authentication and authorization using TSIG.

key-store
Describes a DNSSEC key store. See key-store Grammar for details.

logging
Specifies what information the server logs and where the log messages are sent.

masters
Synonym for primaries.

options
Controls global server configuration options and sets defaults for other statements.

parental-agents
Defines a named list of servers for inclusion in primary and secondary zones' parental-agents lists.

primaries
Defines a named list of servers for inclusion in stub and secondary zones' primaries or also-notify lists. (Note: this is a synonym for the original keyword masters, which can still be used but is no longer the preferred terminology.)

server
Sets certain configuration options on a per-server basis.

statistics-channels
Declares communication channels to get access to named statistics.

tls
Specifies configuration information for a TLS connection, including a key-file, cert-file, ca-file, dhparam-file, remote-hostname, ciphers, protocols, prefer-server-ciphers, and session-tickets.

http
Specifies configuration information for an HTTP connection, including endpoints, listener-clients, and streams-per-connection.

trust-anchors
Defines DNSSEC trust anchors: if used with the initial-key or initial-ds keyword, trust anchors are kept up-to-date using RFC 5011 trust anchor maintenance; if used with static-key or static-ds, keys are permanent.

managed-keys
Is identical to trust-anchors; this option is deprecated in favor of trust-anchors with the initial-key keyword, and may be removed in a future release.

trusted-keys
Defines permanent trusted DNSSEC keys; this option is deprecated in favor of trust-anchors with the static-key keyword, and may be removed in a future release.

view
Defines a view.

zone
Defines a zone.

The logging and options statements may occur only once per configuration.
acl Block Grammar

acl
Grammar: acl <string> { <address_match_element>; ... }; // may occur multiple times
Blocks: topmost
Tags: server
Assigns a symbolic name to an address match list.

acl Block Definition and Usage

The acl statement assigns a symbolic name to an address match list. It gets its name from one of the primary uses of address match lists: Access Control Lists (ACLs).

The following ACLs are built in:

any
Matches all hosts.

none
Matches no hosts.

localhost
Matches the IPv4 and IPv6 addresses of all network interfaces on the system. When addresses are added or removed, the localhost ACL element is updated to reflect the changes.

localnets
Matches any host on an IPv4 or IPv6 network for which the system has an interface. When addresses are added or removed, the localnets ACL element is updated to reflect the changes. Some systems do not provide a way to determine the prefix lengths of local IPv6 addresses; in such a case, localnets only matches the local IPv6 addresses, just like localhost.
controls Block Grammar

controls
Grammar:
```
controls {
    inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
    unix <quoted_string> perm <integer> owner <integer> group <integer> [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
}; // may occur multiple times
```
Blocks: topmost
Tags: server
Specifies control channels to be used to manage the name server.

controls Block Definition and Usage

The controls statement declares control channels to be used by system administrators to manage the operation of the name server. These control channels are used by the rndc utility to send commands to and retrieve non-DNS results from a name server.

unix
Grammar: unix <quoted_string> perm <integer> owner <integer> group <integer> [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
Blocks: controls
Tags: obsolete
Specifies a Unix domain socket as a control channel.
This option has been removed; using it causes a fatal error.

inet
Grammar controls: inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
Grammar statistics-channels: inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] [ allow { <address_match_element>; ... } ]; // may occur multiple times
Blocks: controls, statistics-channels
Tags: server
Specifies a TCP socket as a control channel.

An inet control channel is a TCP socket listening at the specified port on the specified ip_address, which can be an IPv4 or IPv6 address. An ip_address of * (asterisk) is interpreted as the IPv4 wildcard address; connections are accepted on any of the system's IPv4 addresses. To listen on the IPv6 wildcard address, use an ip_address of ::. If rndc is only used on the local host, using the loopback address (127.0.0.1 or ::1) is recommended for maximum security.

If no port is specified, port 953 is used. The asterisk * cannot be used for the port.

The ability to issue commands over the control channel is restricted by the allow and keys clauses.

allow
Connections to the control channel are permitted based on the address_match_list. This is for simple IP address-based filtering only; any server_key elements in the address_match_list are ignored.

keys
The primary authorization mechanism of the command channel is the server_key list. Each listed key is authorized to execute commands over the control channel. See Administrative Tools for information about configuring keys in rndc.

read-only
If read-only is set to on, the control channel is limited to the following set of read-only commands: nta-dump, null, status, showzone, testgen, and zonestatus. By default, read-only is not enabled and the control channel allows read-write access.

If no controls statement is present, named sets up a default control channel listening on the loopback address 127.0.0.1 and its IPv6 counterpart, ::1. In this case, and also when the controls statement is present but does not have a keys clause, named attempts to load the command channel key from the file /etc/rndc.key. To create an rndc.key file, run rndc-confgen -a.

To disable the command channel, use an empty controls statement: controls { };.
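The guidance in this section (loopback listeners, an allow list that actually restricts, a keys clause so that /etc/rndc.key is not silently relied upon, no unix channel) is easy to check mechanically. The following added Python script, written for this page and not a BIND tool, strips comments using the rules from the comment syntax section above (C-style comments end at the first */, // and # run to end of line, none start inside a quoted string) and then reviews the controls block. The sample configuration, the secret in it, and the socket path are constructed placeholders; the checks are this example's own reading of the text.

```python
import re


def strip_comments(conf):
    """Remove C, C++ and shell/Perl style comments as named.conf defines them:
    /* ... */ ends at the FIRST */ (no nesting), // and # run to end of line,
    and no comment starts inside a double-quoted string. Newlines are kept."""
    out, i, n, in_str = [], 0, len(conf), False
    while i < n:
        c = conf[i]
        if in_str:                         # inside "...": copy verbatim
            out.append(c)
            in_str = c != '"'
            i += 1
        elif c == '"':
            out.append(c)
            in_str = True
            i += 1
        elif conf.startswith("/*", i):
            end = conf.find("*/", i + 2)
            if end < 0:
                raise ValueError("unterminated /* comment")
            i = end + 2
        elif conf.startswith("//", i) or c == "#":
            nl = conf.find("\n", i)
            i = n if nl < 0 else nl        # the newline itself is kept
        else:
            out.append(c)
            i += 1
    return "".join(out)


def block_body(conf, name):
    """Return the text inside the braces of the first block called `name`
    (brace-counted, so nested clauses are included), or None if absent."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), conf)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]


# inet <addr> [port <p>] allow {...} [keys {...}] [read-only <bool>];
_INET_RE = re.compile(
    r"inet\s+(\S+)(?:\s+port\s+(\S+))?\s+allow\s*\{([^}]*)\}"
    r"(?:\s*keys\s*\{([^}]*)\})?(?:\s*read-only\s+(\S+))?\s*;")
LOOPBACK = {"127.0.0.1", "::1"}


def check_controls(conf):
    """Return (severity, message) findings for the controls block."""
    body = block_body(strip_comments(conf), "controls")
    if body is None:
        return [("info", "no controls block: named listens on 127.0.0.1 and ::1 "
                         "and loads the key from /etc/rndc.key")]
    if not body.strip():
        return [("info", "controls { }; disables the command channel")]
    findings = []
    if re.search(r"\bunix\b", body):
        findings.append(("error", "unix control channel has been removed; named treats it as a fatal error"))
    for addr, port, allow, keys, ro in _INET_RE.findall(body):
        where = f"inet {addr} port {port or 953}"
        if addr not in LOOPBACK:
            findings.append(("warn", f"{where}: not a loopback address"
                             + (" (IPv4 wildcard)" if addr == "*" else "")))
        if "any" in [e.strip() for e in allow.split(";")]:
            findings.append(("warn", f"{where}: allow {{ any; }} accepts every source address"))
        if not keys:
            findings.append(("warn", f"{where}: no keys clause, so /etc/rndc.key must exist and be protected"))
        if ro.lower() != "on":
            findings.append(("info", f"{where}: read-write channel (read-only not set)"))
    return findings


# Constructed sample for this example; the secret and socket path are placeholders.
SAMPLE_CONF = '''
key "rndc-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0"; /* placeholder, not a real secret */
};
controls {
    inet * port 953 allow { any; };   # wildcard address, any client, no key
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
    unix "/var/run/named.sock" perm 0600 owner 0 group 0;
};
'''

if __name__ == "__main__":
    for severity, message in check_controls(SAMPLE_CONF):
        print(f"[{severity}] {message}")
```

On the sample, the first inet line draws three warnings, the unix line one error, and the loopback line only the read-only note, which is the order of concern a reviewer would apply by hand.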
key Block Grammar

key
Grammar:
```
key <string> {
    algorithm <string>;
    secret <string>;
}; // may occur multiple times
```
Blocks: topmost, view
Tags: security
Defines a shared secret key for use with TSIG or the command channel.

key Block Definition and Usage

The key statement defines a shared secret key for use with TSIG (see TSIG) or the command channel (see controls).

The key statement can occur at the top level of the configuration file or inside a view statement. Keys defined in top-level key statements can be used in all views. Keys intended for use in a controls statement must be defined at the top level.

The server_key, also known as the key name, is a domain name that uniquely identifies the key. It can be used in a server statement to cause requests sent to that server to be signed with this key, or in address match lists to verify that incoming requests have been signed with a key matching this name, algorithm, and secret.

algorithm
Grammar: algorithm <string>;
Blocks: key, view.key
Tags: security
Defines the algorithm to be used in a key clause.

The algorithm_id is a string that specifies a security/authentication algorithm. The named server supports hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and hmac-sha512 TSIG authentication. Truncated hashes are supported by appending the minimum number of required bits preceded by a dash, e.g., hmac-sha1-80.

secret
Grammar: secret <string>;
Blocks: key, view.key
Tags: security
Defines a Base64-encoded string to be used as the secret for the algorithm.

The secret_string is the secret to be used by the algorithm, and is treated as a Base64-encoded string.
key-store Block Grammar

key-store
Grammar:
```
key-store <string> {
    directory <string>;
    pkcs11-uri <quoted_string>;
}; // may occur multiple times
```
Blocks: topmost
Tags: dnssec
Configures a DNSSEC key store.

key-store Block Definition and Usage

The key-store statement defines how DNSSEC keys are stored.

There is one built-in key store named key-directory. Configuring a key to use key-store key-directory is identical to using key-directory.

The following options can be specified in a key-store statement:

pkcs11-uri
Grammar: pkcs11-uri <quoted_string>;
Blocks: key-store
Tags: dnssec, pkcs11
The uri is a string that specifies a PKCS#11 URI scheme (as defined in RFC 7512). When set, named attempts to create keys inside the corresponding PKCS#11 token. This requires BIND to be built with OpenSSL 3 and a PKCS#11 provider to be configured.
BIND 9 supports hundreds of statements; finding the right statement to control a specific behavior or fix a specific problem can be a daunting task. To simplify the user's task, all statements are assigned one or more tags. Tags are intended to group together statements with broadly similar functions; thus, for example, all statements that control query processing or zone transfers are tagged under query and transfer respectively.

DNSSEC Tag Statements (8.4.1)
Relate to or control DNSSEC.

Logging Tag Statements (8.4.2)
Relate to or control logging, and typically appear only in a logging block.

Query Tag Statements (8.4.3)
Relate to or control queries.

Security Tag Statements (8.4.4)
Relate to or control security features.

Server Tag Statements (8.4.5)
Relate to or control server behavior, and typically appear only in a server block.

Transfer Tag Statements (8.4.6)
Relate to or control zone transfers.

View Tag Statements (8.4.7)
Relate to or control view selection criteria, and typically appear only in a view block.

Zone Tag Statements (8.4.8)
Relate to or control zone behavior, and typically appear only in a zone block.

Deprecated Tag Statements (8.4.9)
Are now deprecated, but are included here for historical reference.

The following table lists all statements permitted in named.conf together with their associated tags; the subsequent sections group the statements by tag. Note that these sections are still a work in progress.
Statement | Description | Tags |
---|---|---|
acl | Assigns a symbolic name to an address match list. | server |
algorithm | Defines the algorithm to be used in a key clause. | security |
all-per-second | Limits UDP responses of all kinds. | query |
allow-new-zones | Controls the ability to add zones at runtime via rndc addzone. | server, zone |
allow-notify | Defines an address_match_list that is allowed to send NOTIFY messages for the zone, in addition to addresses defined in the primaries option for the zone. | transfer |
allow-proxy | Defines an address_match_list for the client addresses allowed to send PROXYv2 headers. | server |
allow-proxy-on | Defines an address_match_list for the interface addresses allowed to accept PROXYv2 headers. The option is mostly intended for multi-homed configurations. | server |
allow-query | Specifies which hosts (an IP address list) are allowed to send queries to this resolver. | query |
allow-query-cache | Specifies which hosts (an IP address list) can access this server's cache and thus effectively controls recursion. | query |
allow-query-cache-on | Specifies which hosts (from an IP address list) can access this server's cache. It is used on servers with multiple interfaces. | query |
allow-query-on | Specifies which local addresses (an IP address list) are allowed to send queries to this resolver. This option is used in multi-homed configurations. | query |
allow-recursion | Defines an address_match_list of clients that are allowed to perform recursive queries. | query |
allow-recursion-on | Specifies which local addresses can accept recursive queries. | query, server |
allow-transfer | Defines an address_match_list of hosts that are allowed to transfer the zone information from this server. | transfer |
allow-update | Defines an address_match_list of hosts that are allowed to submit dynamic updates for primary zones. | transfer |
allow-update-forwarding | Defines an address_match_list of hosts that are allowed to submit dynamic updates to a secondary server for transmission to a primary. | transfer |
also-notify | Defines one or more hosts that are sent NOTIFY messages when zone changes occur. | transfer |
answer-cookie | Controls whether COOKIE EDNS replies are sent in response to client queries. | query |
attach-cache | Allows multiple views to share a single cache database. | view |
auth-nxdomain | Controls whether BIND, acting as a resolver, provides authoritative NXDOMAIN (domain does not exist) answers. | query |
automatic-interface-scan | Controls the automatic rescanning of network interfaces when addresses are added or removed. | server |
avoid-v4-udp-ports | Specifies the range(s) of ports to be excluded from use as sources for UDP/IPv4 messages. | deprecated |
avoid-v6-udp-ports | Specifies the range(s) of ports to be excluded from use as sources for UDP/IPv6 messages. | deprecated |
bindkeys-file | Specifies the pathname of a file to override the built-in trusted keys provided by named. | dnssec |
blackhole | Defines an address_match_list of hosts to ignore. The server will neither respond to queries from nor send queries to these addresses. | query |
bogus | Allows a remote server to be ignored. | server |
break-dnssec | Enables dns64 synthesis even if the validated result would cause a DNSSEC validation failure. | query |
buffered | Controls flushing of log messages. | logging |
ca-file | Specifies the path to a file containing TLS certificates for trusted CA authorities, used to verify remote peer certificates. | server, security |
catalog-zones | Configures catalog zones in named.conf. | zone |
category | Specifies the type of data logged to a particular channel. | logging |
cdnskey | Specifies whether a CDNSKEY record should be published during KSK rollover. | dnssec |
cds-digest-types | Specifies the digest types to use for CDS resource records. | dnssec |
cert-file | Specifies the path to a file containing the TLS certificate for a connection. | server, security |
channel | Defines a stream of data that can be independently logged. | logging |
check-dup-records | Checks primary zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS. | dnssec, query |
check-integrity | Performs post-load zone integrity checks on primary zones. | zone |
check-mx | Checks whether an MX record appears to refer to an IP address. | zone |
check-mx-cname | Sets the response to MX records that refer to CNAMEs. | zone |
check-names | Restricts the character set and syntax of certain domain names in primary files and/or DNS responses received from the network. | query, server |
check-sibling | Specifies whether to check for sibling glue when performing integrity checks. | zone |
check-spf | Specifies whether to check for a TXT Sender Policy Framework record, if an SPF record is present. | zone |
check-srv-cname | Sets the response to SRV records that refer to CNAMEs. | zone |
check-svcb | Specifies whether to perform additional checks on SVCB records. | zone |
check-wildcard | Checks for non-terminal wildcards. | zone |
checkds | Controls whether DS queries are sent to parental agents. | dnssec |
cipher-suites | Specifies a list of allowed cipher suites in the order of preference for TLSv1.3 only. | security |
ciphers | Specifies a list of allowed ciphers in the order of preference for TLSv1.2 only. | security |
clients | Specifies an access control list (ACL) of clients that are affected by a given dns64 directive. | query |
clients-per-query | Sets the initial minimum number of simultaneous recursive clients accepted by the server for any given query before the server drops additional clients. | server |
controls | Specifies control channels to be used to manage the name server. | server |
cookie-algorithm | Sets the algorithm to be used when generating a server cookie. | server |
cookie-secret | Specifies a shared secret used for generating and verifying EDNS COOKIE options within an anycast cluster. | server |
database | Specifies the type of database to be used to store zone data. | zone |
deny-answer-addresses | Rejects A or AAAA records if the corresponding IPv4 or IPv6 addresses match a given address_match_list. | query |
deny-answer-aliases | Rejects CNAME or DNAME records if the "alias" name matches a given list of domain_name elements. | query |
dhparam-file | Specifies the path to a file containing Diffie-Hellman parameters, for enabling cipher suites. | server, security |
dialup | Concentrates zone maintenance so that all transfers take place once every heartbeat-interval, ideally during a single call. | deprecated |
directory | Sets the server's working directory. | server |
disable-algorithms | Disables DNSSEC algorithms from a specified zone. | dnssec |
disable-ds-digests | Disables DS digest types from a specified zone. | dnssec, zone |
disable-empty-zone | Disables individual empty zones. | server, zone |
dlz | Configures a Dynamically Loadable Zone (DLZ) database in named.conf. | zone |
dns64 | Instructs named to return mapped IPv4 addresses to AAAA queries when there are no AAAA records. | query |
dns64-contact | Specifies the name of the contact for dns64 zones. | server |
dns64-server | Specifies the name of the server for dns64 zones. | server |
dnskey-sig-validity | (obsolete) | obsolete |
dnskey-ttl | Specifies the time-to-live (TTL) for DNSKEY resource records. | dnssec |
dnsrps-enable | Turns on the DNS Response Policy Service (DNSRPS) interface. | server, security |
dnsrps-library | Specifies the path to the DNS Response Policy Service (DNSRPS) provider library. | server, security |
dnsrps-options | Provides additional RPZ configuration settings, which are passed to the DNS Response Policy Service (DNSRPS) provider library. | server, security |
dnssec-accept-expired | Instructs BIND 9 to accept expired DNSSEC signatures when validating. | dnssec |
dnssec-dnskey-kskonly | (obsolete) | obsolete |
dnssec-loadkeys-interval | Sets the frequency of automatic checks of the DNSSEC key repository. | dnssec |
dnssec-must-be-secure | Defines hierarchies that must or may not be secure (signed and validated). | deprecated |
dnssec-policy | Defines a key and signing policy (KASP) for zones. | dnssec |
dnssec-secure-to-insecure | (obsolete) | obsolete |
dnssec-update-mode | (obsolete) | obsolete |
dnssec-validation | Enables DNSSEC validation in named. | dnssec |
dnstap | Enables logging of dnstap messages. | logging |
dnstap-identity | Specifies an identity string to send in dnstap messages. | logging |
dnstap-output | Configures the path to which the dnstap frame stream is sent. | logging |
dnstap-version | Specifies a version string to send in dnstap messages. | logging |
dual-stack-servers | Specifies host names or addresses of machines with access to both IPv4 and IPv6 transports. | server |
dump-file | Indicates the pathname of the file where the server dumps the database after rndc dumpdb. | logging |
dyndb | Configures a DynDB database in named.conf. | zone |
edns | Controls the use of the EDNS0 (RFC 2671) feature. | server |
edns-udp-size | Sets the maximum advertised EDNS UDP buffer size to control the size of packets received from authoritative servers in response to recursive queries. | query |
edns-version | Sets the maximum EDNS VERSION that is sent to the server(s) by the resolver. | server |
empty-contact | Specifies the contact name in the returned SOA record for empty zones. | server, zone |
empty-server | Specifies the server name in the returned SOA record for empty zones. | server, zone |
empty-zones-enable | Enables or disables all empty zones. | server, zone |
endpoints | Specifies a list of HTTP query paths on which to listen. | server, query |
errors-per-second | Limits the number of errors for a valid domain name and record type. | server |
exclude | Allows a list of IPv6 addresses to be ignored if they appear in a domain name's AAAA records in dns64. | query |
exempt-clients | Exempts specific clients or client groups from rate limiting. | query |
fetch-quota-params | Sets the parameters for dynamic resizing of the fetches-per-server quota in response to detected congestion. | server, query |
fetches-per-server | Sets the maximum number of simultaneous iterative queries allowed to be sent by a server to an upstream name server before the server blocks additional queries. | server, query |
fetches-per-zone | Sets the maximum number of simultaneous iterative queries allowed to any one domain before the server blocks new queries for data in or beneath that zone. | server, query |
file | Specifies the zone's filename. | zone |
flush-zones-on-shutdown | Controls whether pending zone writes are flushed when the name server exits. | zone |
forward | Allows or disallows fallback to recursion if forwarding has failed; it is always used in conjunction with the forwarders statement. | query |
forwarders | Defines one or more hosts to which queries are forwarded. | query |
fstrm-set-buffer-hint | Sets the number of accumulated bytes in the output buffer before forcing a buffer flush. | logging |
fstrm-set-flush-timeout | Sets the number of seconds that unflushed data remains in the output buffer. | logging |
fstrm-set-input-queue-size | Sets the number of queue entries to allocate for each input queue. | logging |
fstrm-set-output-notify-threshold | Sets the number of outstanding queue entries allowed on an input queue before waking the I/O thread. | logging |
fstrm-set-output-queue-model | Sets the queuing semantics to use for queue objects. | logging |
fstrm-set-output-queue-size | Sets the number of queue entries allocated for each output queue. | logging |
fstrm-set-reopen-interval | Sets the number of seconds to wait between attempts to reopen a closed output stream. | logging |
geoip-directory | Specifies the directory containing GeoIP database files. | server |
heartbeat-interval | Sets the interval at which the server performs zone maintenance tasks for all zones marked as dialup. | deprecated |
hostname | Specifies the hostname of the server to return in response to a hostname.bind query. | server |
http | Configures HTTP endpoints on which to listen for DNS-over-HTTPS (DoH) queries. | server, query |
http-listener-clients | Limits the number of active concurrent connections on a per-listener basis. | server |
http-port | Specifies the TCP port number the server uses to receive and send unencrypted DNS traffic via HTTP. | server, query |
http-streams-per-connection | Limits the number of active concurrent HTTP/2 streams on a per-connection basis. | server |
https-port | Specifies the TCP port number the server uses to receive and send DNS-over-HTTPS protocol traffic. | server, query |
in-view | Specifies the view in which a given zone is defined. | view, zone |
inet | Specifies a TCP socket as a control channel. | server |
inline-signing | Specifies whether BIND 9 maintains a separate signed version of a zone. | dnssec, zone |
interface-interval | Sets the interval at which the server scans the network interface list. | server |
ipv4-prefix-length | Specifies the prefix lengths of IPv4 address blocks. | server |
ipv4only-contact | Specifies the contact for the IPV4ONLY.ARPA zone created by dns64. | server |
ipv4only-enable | Enables automatic IPv4 zones if a dns64 block is configured. | query |
ipv4only-server | Specifies the name of the server for the IPV4ONLY.ARPA zone created by dns64. | server, query |
ipv6-prefix-length | Specifies the prefix lengths of IPv6 address blocks. | server |
ixfr-from-differences | Controls how IXFR transfers are calculated. | transfer |
journal | Allows the default journal's filename to be overridden. | zone |
key | Defines a shared secret key for use with TSIG or the command channel. | security |
key-directory | Indicates the directory where public and private DNSSEC key files are found. | dnssec |
key-file | Specifies the path to a file containing the private TLS key for a connection. | server, security |
key-store | Configures a DNSSEC key store. | dnssec |
keys | Specifies one or more server_keys to be used with a remote server. | server, security |
lame-ttl | Sets the resolver's lame cache. | server |
listen-on | Specifies the IPv4 addresses on which a server listens for DNS queries. | server |
listen-on-v6 | Specifies the IPv6 addresses on which a server listens for DNS queries. | server |
listener-clients | Specifies a per-listener quota for active connections. | server, query |
lmdb-mapsize | Sets a maximum size for the memory map of the new-zone database in LMDB database format. | server |
log-only | Tests rate-limiting parameters without actually dropping any requests. | logging, query |
logging | Configures logging options for the name server. | logging |
managed-keys | (strongly discouraged) | deprecated |
managed-keys-directory | Specifies the directory in which to store the files that track managed DNSSEC keys. | dnssec |
mapped | Specifies an access control list (ACL) of IPv4 addresses that are to be mapped to the corresponding A RRset in dns64. | query |
masterfile-format | Specifies the file format of zone files. | zone, server |
masterfile-style | Specifies the format of zone files during a dump, when the masterfile-format is text .指定转储期间区域文件的格式,当 masterfile-format 是“文本”。 | server |
match-clients | Specifies a view of DNS namespace for a given subset of client IP addresses. 指定给定客户端IP地址子集的DNS命名空间视图。 | view |
match-destinations | Specifies a view of DNS namespace for a given subset of destination IP addresses. 指定给定目标IP地址子集的DNS命名空间视图。 | view |
match-mapped-addresses | Allows IPv4-mapped IPv6 addresses to match address-match list entries for corresponding IPv4 addresses. 允许IPv4映射的IPv6地址与相应IPv4地址的地址匹配列表条目相匹配。 | server |
match-recursive-only | Specifies that only recursive requests can match this view of the DNS namespace. 指定只有递归请求才能匹配DNS命名空间的此视图。 | view |
max-cache-size | Sets the maximum amount of memory to use for an individual cache database and its associated metadata. 设置用于单个缓存数据库及其关联元数据的最大内存量。 | server |
max-cache-ttl | Specifies the maximum time (in seconds) that the server caches ordinary (positive) answers. 指定服务器缓存普通(肯定)答案的最长时间(秒)。 | server |
max-clients-per-query | Sets the maximum number of simultaneous recursive clients accepted by the server for any given query before the server drops additional clients. | server |
max-ixfr-ratio | Sets the maximum size for IXFR responses to zone transfer requests. | transfer |
max-journal-size | Controls the size of journal files. | transfer |
max-ncache-ttl | Specifies the maximum retention time (in seconds) for storage of negative answers in the server's cache. | server |
max-query-count | Sets the maximum number of iterative queries while servicing a recursive query. | server, query |
max-query-restarts | Sets the maximum number of chained CNAMEs to follow. | server, query |
max-records | Sets the maximum number of records permitted in a zone. | zone, server |
max-records-per-type | Sets the maximum number of records that can be stored in an RRset. | server |
max-recursion-depth | Sets the maximum number of levels of recursion permitted at any one time while servicing a recursive query. | server |
max-recursion-queries | Sets the maximum number of iterative queries while servicing a recursive query. | server, query |
max-refresh-time | Limits the zone refresh interval to no less often than the specified value, in seconds. | transfer |
max-retry-time | Limits the zone refresh retry interval to no less often than the specified value, in seconds. | transfer |
max-rsa-exponent-size | Sets the maximum RSA exponent size (in bits) when validating. | dnssec, query |
max-stale-ttl | Specifies the maximum time that the server retains records past their normal expiry, to return them as stale records. | server |
max-table-size | Sets the maximum size of the table used to track requests and rate-limit responses. | server |
max-transfer-idle-in | Specifies the number of minutes after which inbound zone transfers making no progress are terminated. | transfer |
max-transfer-idle-out | Specifies the number of minutes after which outbound zone transfers making no progress are terminated. | transfer |
max-transfer-time-in | Specifies the number of minutes after which inbound zone transfers are terminated. | transfer |
max-transfer-time-out | Specifies the number of minutes after which outbound zone transfers are terminated. | transfer |
max-types-per-name | Sets the maximum number of RR types that can be stored for an owner name. | server |
max-udp-size | Sets the maximum EDNS UDP message size sent by named. | query |
max-validation-failures-per-fetch | Sets the maximum number of DNSSEC validation failures that can happen in a single fetch. | server |
max-validations-per-fetch | Sets the maximum number of DNSSEC validations that can happen in a single fetch. | server |
max-zone-ttl | Specifies a maximum permissible time-to-live (TTL) value, in seconds. | deprecated |
memstatistics | Controls whether memory statistics are written to the file specified by memstatistics-file at exit. | server, logging |
memstatistics-file | Sets the pathname of the file where the server writes memory usage statistics on exit. | logging |
message-compression | Controls whether DNS name compression is used in responses to regular queries. | query |
min-cache-ttl | Specifies the minimum time (in seconds) that the server caches ordinary (positive) answers. | server |
min-ncache-ttl | Specifies the minimum retention time (in seconds) for storage of negative answers in the server's cache. | server |
min-refresh-time | Limits the zone refresh interval to no more often than the specified value, in seconds. | transfer |
min-retry-time | Limits the zone refresh retry interval to no more often than the specified value, in seconds. | transfer |
min-table-size | Sets the minimum size of the table used to track requests and rate-limit responses. | query |
min-transfer-rate-in | Specifies the minimum traffic rate below which inbound zone transfers are terminated. | transfer |
minimal-any | Controls whether the server replies with only one of the RRsets for a query name, when generating a positive response to a query of type ANY over UDP. | query |
minimal-responses | Controls whether the server only adds records to the authority and additional data sections when they are required (e.g. delegations, negative responses). This improves server performance. | query |
multi-master | Controls whether serial number mismatch errors are logged. | transfer |
new-zones-directory | Specifies the directory where configuration parameters are stored for zones added by rndc addzone. | zone |
no-case-compress | Specifies a list of addresses that require case-insensitive compression in responses. | server |
nocookie-udp-size | Sets the maximum size of UDP responses that are sent to queries without a valid server COOKIE. | query |
nodata-per-second | Limits the number of empty (NODATA) responses for a valid domain name. | query |
notify | Controls whether NOTIFY messages are sent on zone changes. | transfer |
notify-delay | Sets the delay (in seconds) between sending sets of NOTIFY messages for a zone. | transfer, zone |
notify-rate | Specifies the rate at which NOTIFY requests are sent during normal zone maintenance operations. | transfer, zone |
notify-source | Defines the IPv4 address (and optional port) to be used for outgoing NOTIFY messages. | transfer |
notify-source-v6 | Defines the IPv6 address (and optional port) to be used for outgoing NOTIFY messages. | transfer |
notify-to-soa | Controls whether the name servers in the NS RRset are checked against the SOA MNAME. | transfer |
nsec3param | Specifies the use of NSEC3 instead of NSEC, and sets NSEC3 parameters. | dnssec |
nta-lifetime | Specifies the lifetime, in seconds, for negative trust anchors added via rndc nta. | dnssec |
nta-recheck | Specifies the time interval for checking whether negative trust anchors added via rndc nta are still necessary. | dnssec |
null | Causes all messages sent to the logging channel to be discarded. | logging |
nxdomain-redirect | Appends the specified suffix to the original query name, when replacing an NXDOMAIN with a redirect namespace. | query |
nxdomains-per-second | Limits the number of undefined subdomains for a valid domain name. | query |
offline-ksk | Specifies whether the DNSKEY, CDS, and CDNSKEY RRsets are being signed offline. | dnssec |
options | Defines global options to be used by BIND 9. | server |
padding | Adds EDNS Padding options to outgoing messages to increase the packet size. | server |
parent-ds-ttl | Sets the time to live (TTL) of the DS RRset used by the parent zone. | dnssec |
parent-propagation-delay | Sets the propagation delay from the time the parent zone is updated to when the new version is served by all of the parent zone's name servers. | dnssec, zone |
parental-agents | | dnssec |
parental-source | Specifies which local IPv4 source address is used to send parental DS queries. | dnssec |
parental-source-v6 | Specifies which local IPv6 source address is used to send parental DS queries. | dnssec |
pid-file | Specifies the pathname of the file where the server writes its process ID. | server |
pkcs11-uri | | dnssec, pkcs11 |
plugin | Configures plugins in named.conf. | server |
port | Specifies the UDP/TCP port number the server uses to receive and send DNS protocol traffic. | server, query |
prefer-server-ciphers | Specifies that server ciphers should be preferred over client ones. | server, security |
preferred-glue | Controls the order of glue records in an A or AAAA response. | query |
prefetch | Specifies the "trigger" time-to-live (TTL) value at which prefetch of the current query takes place. | query |
primaries | Defines one or more servers that zone transfer can be requested from. | transfer, zone |
print-category | Includes the category in log messages. | logging |
print-severity | Includes the severity in log messages. | logging |
print-time | Specifies the time format for log messages. | logging |
protocols | Specifies the allowed versions of the TLS protocol. | security |
provide-ixfr | Controls whether a primary responds to an incremental zone request (IXFR) or only responds with a full zone transfer (AXFR). | transfer |
publish-safety | Increases the amount of time between when keys are published and when they become active, to allow for unforeseen events. | dnssec |
purge-keys | Specifies the amount of time after which DNSSEC keys that have been deleted from the zone can be removed from disk. | dnssec |
qname-minimization | Controls QNAME minimization behavior in the BIND 9 resolver. | query |
qps-scale | Tightens defenses during DNS attacks by scaling back the ratio of the current query-per-second rate. | query |
query-source | Controls the IPv4 address from which queries are issued. If none, then no IPv4 address would be used to issue the query and therefore only IPv6 servers are queried. | query |
query-source-v6 | Controls the IPv6 address from which queries are issued. If none, then no IPv6 address would be used to issue the query and therefore only IPv4 servers are queried. | query |
querylog | Specifies whether query logging should be active when named first starts. | logging, server |
rate-limit | Controls excessive UDP responses, to prevent BIND 9 from being used to amplify reflection denial-of-service (DoS) attacks. | query |
recursing-file | Specifies the pathname of the file where the server dumps queries that are currently recursing via rndc recursing. | server |
recursion | Defines whether recursion and caching are allowed. | query |
recursive-clients | Specifies the maximum number of concurrent recursive queries the server can perform. | query |
recursive-only | Toggles whether dns64 synthesis occurs only for recursive queries. | query |
referrals-per-second | Limits the number of referrals or delegations to a server for a given domain. | query |
remote-hostname | Specifies the expected hostname in the TLS certificate of the remote server. | security |
remote-servers | Defines a list of servers to be used by primary and secondary zones. | server |
request-expire | Specifies whether the local server requests the EDNS EXPIRE value, when acting as a secondary. | transfer, query |
request-ixfr | Controls whether a secondary requests an incremental zone transfer (IXFR) or a full zone transfer (AXFR). | transfer |
request-nsid | Controls whether an empty EDNS(0) NSID (Name Server Identifier) option is sent with all queries to authoritative name servers during iterative resolution. | query |
require-cookie | Controls whether responses without a server cookie are accepted. | query |
require-server-cookie | Controls whether a valid server cookie is required before sending a full response to a UDP request. | query |
resolver-query-timeout | Specifies the length of time, in milliseconds, that a resolver attempts to resolve a recursive query before failing. | query |
resolver-use-dns64 | Specifies whether to apply DNS64 mappings when sending queries. | server |
response-padding | Adds an EDNS Padding option to encrypted messages, to reduce the chance of guessing the contents based on size. | query |
response-policy | Specifies response policy zones for the view or among global options. | server, query, zone, security |
responselog | Specifies whether response logging should be active when named first starts. | logging, server |
responses-per-second | Limits the number of non-empty responses for a valid domain name and record type. | query |
retire-safety | Increases the amount of time a key remains published after it is no longer active, to allow for unforeseen events. | dnssec |
reuseport | Enables kernel load-balancing of sockets. | server |
root-key-sentinel | Controls whether BIND 9 responds to root key sentinel probes. | server |
rrset-order | Defines the order in which equal RRs (RRsets) are returned. | query |
search | Specifies whether a Dynamically Loadable Zone (DLZ) module is queried for an answer to a query name. | query |
secret | Defines a Base64-encoded string to be used as the secret by the algorithm. | security |
secroots-file | Specifies the pathname of the file where the server dumps security roots, when using rndc secroots. | dnssec |
send-cookie | Controls whether a COOKIE EDNS option is sent along with a query. | query |
serial-query-rate | Defines an upper limit on the number of queries per second issued by the server, when querying the SOA RRs used for zone transfers. | transfer |
serial-update-method | Specifies the update method to be used for the zone serial number in the SOA record. | zone |
server | Defines characteristics to be associated with a remote name server. | server |
server-addresses | Specifies a list of IP addresses to which queries should be sent in recursive resolution for a static-stub zone. | query, zone |
server-id | Specifies the ID of the server to return in response to an ID.SERVER query. | server |
server-names | Specifies a list of domain names of name servers that act as authoritative servers of a static-stub zone. | zone |
servfail-ttl | Sets the length of time (in seconds) that a SERVFAIL response is cached. | server |
session-keyalg | Specifies the algorithm to use for the TSIG session key. | security |
session-keyfile | Specifies the pathname of the file where a TSIG session key is written, when generated by named for use by nsupdate -l. | security |
session-keyname | Specifies the key name for the TSIG session key. | security |
session-tickets | Enables or disables session resumption through TLS session tickets. | security |
severity | Defines the priority level of log messages. | logging |
sig-signing-nodes | Specifies the maximum number of nodes to be examined in each quantum, when signing a zone with a new DNSKEY. | dnssec |
sig-signing-signatures | Specifies the threshold for the number of signatures that terminates processing a quantum, when signing a zone with a new DNSKEY. | dnssec |
sig-signing-type | Specifies a private RDATA type to use when generating signing-state records. | dnssec |
sig-validity-interval | (obsolete) | obsolete |
sig0checks-quota | Specifies the maximum number of concurrent SIG(0) signature checks that can be processed by the server. | server |
sig0checks-quota-exempt | Exempts specific clients or client groups from the SIG(0) signature checking quota. | server |
sig0key-checks-limit | Specifies the maximum number of SIG(0) keys to consider when trying to verify a message. | server |
sig0message-checks-limit | Specifies the maximum number of matching SIG(0) keys to try to verify a message. | server |
signatures-jitter | Specifies a range for signature expirations. | dnssec |
signatures-refresh | Specifies how frequently an RRSIG record is refreshed. | dnssec |
signatures-validity | Indicates the validity period of an RRSIG record. | dnssec |
signatures-validity-dnskey | Indicates the validity period of DNSKEY records. | dnssec |
slip | Sets the number of "slipped" responses to minimize the use of forged source addresses for an attack. | query |
sortlist | Controls the ordering of RRs returned to the client, based on the client's IP address. | query, deprecated |
stale-answer-client-timeout | Defines the amount of time (in milliseconds) that named waits before attempting to answer a query with a stale RRset from cache. | server, query |
stale-answer-enable | Enables the returning of "stale" cached answers when the name servers for a zone are not answering. | server, query |
stale-answer-ttl | Specifies the time to live (TTL) to be returned on stale answers, in seconds. | query |
stale-cache-enable | Enables the retention of "stale" cached answers. | server, query |
stale-refresh-time | Sets the time window for the return of "stale" cached answers before the next attempt to contact, if the name servers for a given zone are not responding. | server, query |
startup-notify-rate | Specifies the rate at which NOTIFY requests are sent when the name server is first starting, or when new zones have been added. | transfer, zone |
statistics-channels | Specifies the communication channels to be used by system administrators to access statistics information on the name server. | logging |
statistics-file | Specifies the pathname of the file where the server appends statistics, when using rndc stats. | logging, server |
stderr | Directs the logging channel output to the server's standard error stream. | logging |
streams-per-connection | Specifies the maximum number of concurrent HTTP/2 streams over an HTTP/2 connection. | server, query |
suffix | Defines trailing bits for mapped IPv4 address bits in dns64. | query |
synth-from-dnssec | Enables support for RFC 8198, Aggressive Use of DNSSEC-Validated Cache. | dnssec |
syslog | Directs the logging channel to the system log. | logging |
tcp-advertised-timeout | Sets the timeout value (in milliseconds) that the server sends in responses containing the EDNS TCP keepalive option. | query |
tcp-clients | Specifies the maximum number of simultaneous client TCP connections accepted by the server. | server |
tcp-idle-timeout | Sets the amount of time (in milliseconds) that the server waits on an idle TCP connection before closing it, if the EDNS TCP keepalive option is not in use. | query |
tcp-initial-timeout | Sets the amount of time (in milliseconds) that the server waits on a new TCP connection for the first message from the client. | server, query |
tcp-keepalive | Adds EDNS TCP keepalive to messages sent over TCP. | server |
tcp-keepalive-timeout | Sets the amount of time (in milliseconds) that the server waits on an idle TCP connection before closing it, if the EDNS TCP keepalive option is in use. | query |
tcp-listen-queue | Sets the listen-queue depth. | server |
tcp-only | Sets the transport protocol to TCP. | server |
tcp-receive-buffer | Sets the operating system's receive buffer size for TCP sockets. | server |
tcp-send-buffer | Sets the operating system's send buffer size for TCP sockets. | server |
tkey-domain | Sets the domain appended to the names of all shared keys generated with TKEY. | security |
tkey-gssapi-credential | Sets the security credential for authentication keys requested by the GSS-TSIG protocol. | security |
tkey-gssapi-keytab | Sets the KRB5 keytab file to use for GSS-TSIG updates. | security |
tls | Configures a TLS connection. | security |
tls-port | Specifies the TCP port number the server uses to receive and send DNS-over-TLS protocol traffic. | server, query |
transfer-format | Controls whether multiple records can be packed into a message during zone transfers. | transfer |
transfer-message-size | Limits the uncompressed size of DNS messages used in zone transfers over TCP. | transfer |
transfer-source | Defines which local IPv4 address(es) are bound to TCP connections used to fetch zones transferred inbound by the server. | transfer |
transfer-source-v6 | Defines which local IPv6 address(es) are bound to TCP connections used to fetch zones transferred inbound by the server. | transfer |
transfers | Limits the number of concurrent inbound zone transfers from a server. | server |
transfers-in | Limits the number of concurrent inbound zone transfers. | transfer |
transfers-out | Limits the number of concurrent outbound zone transfers. | transfer |
transfers-per-ns | Limits the number of concurrent inbound zone transfers from a remote server. | transfer |
trust-anchor-telemetry | Instructs named to send specially formed queries once per day to domains for which trust anchors have been configured. | dnssec |
trust-anchors | Defines DNSSEC trust anchors. | dnssec |
trusted-keys | | deprecated |
try-tcp-refresh | Specifies that BIND 9 should attempt to refresh a zone using TCP if UDP queries fail. | transfer |
type | Specifies the kind of zone in a given configuration. | zone |
type forward | Contains forwarding statements that apply to queries within a given domain. | zone |
type hint | Contains the initial set of root name servers to be used at BIND 9 startup. | zone |
type mirror | Contains a DNSSEC-validated duplicate of the main data for a zone. | zone |
type primary | Contains the main copy of the data for a zone. | zone |
type redirect | Contains information to answer queries when normal resolution would return NXDOMAIN. | zone |
type secondary | Contains a duplicate of the data for a zone that has been transferred from a primary server. | zone |
type static-stub | Contains a duplicate of the NS records of a primary zone, but statically configured rather than transferred from a primary server. | zone |
type stub | Contains a duplicate of the NS records of a primary zone. | zone |
udp-receive-buffer | Sets the operating system's receive buffer size for UDP sockets. | server |
udp-send-buffer | Sets the operating system's send buffer size for UDP sockets. | server |
unix | Specifies a Unix domain socket as a control channel. | obsolete |
update-check-ksk | (obsolete) | obsolete |
update-policy | Sets fine-grained rules to allow or deny dynamic updates (DDNS), based on requester identity, updated content, etc. | transfer |
update-quota | Specifies the maximum number of concurrent DNS UPDATE messages that can be processed by the server. | server |
use-v4-udp-ports | Specifies a list of ports that are valid sources for UDP/IPv4 messages. | deprecated |
use-v6-udp-ports | Specifies a list of ports that are valid sources for UDP/IPv6 messages. | deprecated |
v6-bias | Indicates the number of milliseconds of preference to give to IPv6 name servers. | server, query |
validate-except | Specifies a list of domain names at and beneath which DNSSEC validation should not be performed. | dnssec |
version | Specifies the version number of the server to return in response to a version.bind query. | server |
view | Allows a name server to answer a DNS query differently depending on who is asking. | view |
window | Specifies the length of time during which responses are tracked. | query |
zero-no-soa-ttl | Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries. | zone, query, server |
zero-no-soa-ttl-cache | Sets the time to live (TTL) to zero when caching a negative response to an SOA query. | zone, query, server |
zone | Specifies the zone in a BIND 9 configuration. | zone |
zone-propagation-delay | Sets the propagation delay from the time a zone is first updated to when the new version of the zone is served by all secondary servers. | dnssec, zone |
zone-statistics | Controls the level of statistics gathered for all zones. | zone, logging |
The following tables group the statements allowed in named.conf by their corresponding tags.
Statement | Description |
---|---|
bindkeys-file | Specifies the pathname of a file to override the built-in trusted keys provided by named. |
cdnskey | Specifies whether a CDNSKEY record should be published during KSK rollover. |
cds-digest-types | Specifies the digest types to use for CDS resource records. |
check-dup-records | Checks primary zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS. |
checkds | Controls whether DS queries are sent to parental agents. |
disable-algorithms | Disables DNSSEC algorithms from a specified zone. |
disable-ds-digests | Disables DS digest types from a specified zone. |
dnskey-ttl | Specifies the time-to-live (TTL) for DNSKEY resource records. |
dnssec-accept-expired | Instructs BIND 9 to accept expired DNSSEC signatures when validating. |
dnssec-loadkeys-interval | Sets the frequency of automatic checks of the DNSSEC key repository. |
dnssec-policy | Defines a key and signing policy (KASP) for zones. |
dnssec-validation | Enables DNSSEC validation in named. |
inline-signing | Specifies whether BIND 9 maintains a separate signed version of a zone. |
key-directory | Indicates the directory where public and private DNSSEC key files are found. |
key-store | Configures a DNSSEC key store. |
managed-keys-directory | Specifies the directory in which to store the files that track managed DNSSEC keys. |
max-rsa-exponent-size | Sets the maximum RSA exponent size (in bits) when validating. |
nsec3param | Specifies the use of NSEC3 instead of NSEC, and sets NSEC3 parameters. |
nta-lifetime | Specifies the lifetime, in seconds, for negative trust anchors added via rndc nta. |
nta-recheck | Specifies the time interval for checking whether negative trust anchors added via rndc nta are still necessary. |
offline-ksk | Specifies whether the DNSKEY, CDS, and CDNSKEY RRsets are being signed offline. |
parent-ds-ttl | Sets the time to live (TTL) of the DS RRset used by the parent zone. |
parent-propagation-delay | Sets the propagation delay from the time the parent zone is updated to when the new version is served by all of the parent zone's name servers. |
parental-agents | |
parental-source | Specifies which local IPv4 source address is used to send parental DS queries. |
parental-source-v6 | Specifies which local IPv6 source address is used to send parental DS queries. |
pkcs11-uri | |
publish-safety | Increases the amount of time between when keys are published and when they become active, to allow for unforeseen events. |
purge-keys | Specifies the amount of time after which DNSSEC keys that have been deleted from the zone can be removed from disk. |
retire-safety | Increases the amount of time a key remains published after it is no longer active, to allow for unforeseen events. |
secroots-file | Specifies the pathname of the file where the server dumps security roots, when using rndc secroots. |
sig-signing-nodes | Specifies the maximum number of nodes to be examined in each quantum, when signing a zone with a new DNSKEY. |
sig-signing-signatures | Specifies the threshold for the number of signatures that terminates processing a quantum, when signing a zone with a new DNSKEY. |
sig-signing-type | Specifies a private RDATA type to use when generating signing-state records. |
signatures-jitter | Specifies a range for signature expirations. |
signatures-refresh | Specifies how frequently an RRSIG record is refreshed. |
signatures-validity | Indicates the validity period of an RRSIG record. |
signatures-validity-dnskey | Indicates the validity period of DNSKEY records. |
synth-from-dnssec | Enables support for RFC 8198, Aggressive Use of DNSSEC-Validated Cache. |
trust-anchor-telemetry | Instructs named to send specially formed queries once per day to domains for which trust anchors have been configured. |
trust-anchors | Defines DNSSEC trust anchors. |
validate-except | Specifies a list of domain names at and beneath which DNSSEC validation should not be performed. |
zone-propagation-delay | Sets the propagation delay from the time a zone is first updated to when the new version of the zone is served by all secondary servers. |
Statement | Description |
---|---|
buffered | Controls flushing of log messages. |
category | Specifies the type of data logged to a particular channel. |
channel | Defines a stream of data that can be independently logged. |
dnstap | Enables logging of dnstap messages. |
dnstap-identity | Specifies an identity string to send in dnstap messages. |
dnstap-output | Configures the path to which the dnstap frame stream is sent. |
dnstap-version | Specifies a version string to send in dnstap messages. |
dump-file | Indicates the pathname of the file where the server dumps the database after rndc dumpdb. |
fstrm-set-buffer-hint | Sets the number of accumulated bytes in the output buffer before forcing a buffer flush. |
fstrm-set-flush-timeout | Sets the number of seconds that unflushed data remains in the output buffer. |
fstrm-set-input-queue-size | Sets the number of queue entries to allocate for each input queue. |
fstrm-set-output-notify-threshold | Sets the number of outstanding queue entries allowed on an input queue before waking the I/O thread. |
fstrm-set-output-queue-model | Sets the queuing semantics to use for queue objects. |
fstrm-set-output-queue-size | Sets the number of queue entries allocated for each output queue. |
fstrm-set-reopen-interval | Sets the number of seconds to wait between attempts to reopen a closed output stream. |
log-only | Tests rate-limiting parameters without actually dropping any requests. |
logging | Configures logging options for the name server. |
memstatistics | Controls whether memory statistics are written to the file specified by memstatistics-file at exit. |
memstatistics-file | Sets the pathname of the file where the server writes memory usage statistics on exit. |
null | Causes all messages sent to the logging channel to be discarded. |
print-category | Includes the category in log messages. |
print-severity | Includes the severity in log messages. |
print-time | Specifies the time format for log messages. |
querylog | Specifies whether query logging should be active when named first starts. |
responselog | Specifies whether response logging should be active when named first starts. |
severity | Defines the priority level of log messages. |
statistics-channels | Specifies the communication channels to be used by system administrators to access statistics information on the name server. |
statistics-file | Specifies the pathname of the file where the server appends statistics, when using rndc stats. |
stderr | Directs the logging channel output to the server's standard error stream. |
syslog | Directs the logging channel to the system log. |
zone-statistics | Controls the level of statistics gathered for all zones. |
Statement | Description |
---|---|
all-per-second | Limits UDP responses of all kinds. |
allow-query | Specifies which hosts (an IP address list) are allowed to send queries to this resolver. |
allow-query-cache | Specifies which hosts (an IP address list) can access this server's cache and thus effectively controls recursion. |
allow-query-cache-on | Specifies which hosts (from an IP address list) can access this server's cache. It is used on servers with multiple interfaces. |
allow-query-on | Specifies which local addresses (an IP address list) are allowed to send queries to this resolver. This option is used in multi-homed configurations. |
allow-recursion | Defines an address_match_list of clients that are allowed to perform recursive queries. |
allow-recursion-on | Specifies which local addresses can accept recursive queries. |
answer-cookie | Controls whether COOKIE EDNS replies are sent in response to client queries. |
auth-nxdomain | Controls whether BIND, acting as a resolver, provides authoritative NXDOMAIN (domain does not exist) answers. |
blackhole | Defines an address_match_list of hosts to ignore. The server will neither respond to queries from nor send queries to these addresses. |
break-dnssec | Enables dns64 synthesis even if the validated result would cause a DNSSEC validation failure. |
check-dup-records | Checks primary zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS. |
check-names | Restricts the character set and syntax of certain domain names in primary files and/or DNS responses received from the network. |
clients | Specifies an access control list (ACL) of clients that are affected by a given dns64 directive. |
deny-answer-addresses | Rejects A or AAAA records if the corresponding IPv4 or IPv6 addresses match a given address_match_list. |
deny-answer-aliases | Rejects CNAME or DNAME records if the "alias" name matches a given list of domain_name elements. |
dns64 | Instructs named to return mapped IPv4 addresses to AAAA queries when there are no AAAA records. |
edns-udp-size | Sets the maximum advertised EDNS UDP buffer size to control the size of packets received from authoritative servers in response to recursive queries. |
endpoints | Specifies a list of HTTP query paths on which to listen. |
exclude | Allows a list of IPv6 addresses to be ignored if they appear in a domain name's AAAA records in dns64. |
exempt-clients | Exempts specific clients or client groups from rate limiting. |
fetch-quota-params | Sets the parameters for dynamic resizing of the fetches-per-server quota in response to detected congestion. |
fetches-per-server | Sets the maximum number of simultaneous iterative queries allowed to be sent by a server to an upstream name server before the server blocks additional queries. |
fetches-per-zone | Sets the maximum number of simultaneous iterative queries allowed to any one domain before the server blocks new queries for data in or beneath that zone. |
forward | Allows or disallows fallback to recursion if forwarding has failed; it is always used in conjunction with the forwarders statement. |
forwarders | Defines one or more hosts to which queries are forwarded. |
http | Configures HTTP endpoints on which to listen for DNS-over-HTTPS (DoH) queries. |
http-port | Specifies the TCP port number the server uses to receive and send unencrypted DNS traffic via HTTP. |
https-port | Specifies the TCP port number the server uses to receive and send DNS-over-HTTPS protocol traffic. |
ipv4only-enable | Enables automatic IPv4 zones if a dns64 block is configured. |
ipv4only-server | Specifies the name of the server for the IPV4ONLY.ARPA zone created by dns64. |
listener-clients | Specifies a per-listener quota for active connections. |
log-only | Tests rate-limiting parameters without actually dropping any requests. |
mapped | Specifies an access control list (ACL) of IPv4 addresses that are to be mapped to the corresponding A RRset in dns64. |
max-query-count | Sets the maximum number of iterative queries while servicing a recursive query. |
max-query-restarts | Sets the maximum number of chained CNAMEs to follow. |
max-recursion-queries | Sets the maximum number of iterative queries while servicing a recursive query. |
max-rsa-exponent-size | Sets the maximum RSA exponent size (in bits) when validating. |
max-udp-size | Sets the maximum EDNS UDP message size sent by named. |
message-compression | Controls whether DNS name compression is used in responses to regular queries. |
min-table-size | Sets the minimum size of the table used to track requests and rate-limit responses. |
minimal-any | Controls whether the server replies with only one of the RRsets for a query name, when generating a positive response to a query of type ANY over UDP. |
minimal-responses | Controls whether the server only adds records to the authority and additional data sections when they are required (e.g. delegations, negative responses). This improves server performance. |
nocookie-udp-size | Sets the maximum size of UDP responses that are sent to queries without a valid server COOKIE. |
nodata-per-second | Limits the number of empty (NODATA) responses for a valid domain name. |
nxdomain-redirect | Appends the specified suffix to the original query name, when replacing an NXDOMAIN with a redirect namespace. |
nxdomains-per-second | Limits the number of undefined subdomains for a valid domain name. |
port | Specifies the UDP/TCP port number the server uses to receive and send DNS protocol traffic. |
preferred-glue | Controls the order of glue records in an A or AAAA response. |
prefetch | Specifies the "trigger" time-to-live (TTL) value at which prefetch of the current query takes place. |
qname-minimization | Controls QNAME minimization behavior in the BIND 9 resolver. |
qps-scale | Tightens defenses during DNS attacks by scaling back the ratio of the current query-per-second rate. |
query-source | Controls the IPv4 address from which queries are issued. If none, then no IPv4 address would be used to issue the query and therefore only IPv6 servers are queried. |
query-source-v6 | Controls the IPv6 address from which queries are issued. If none, then no IPv6 address would be used to issue the query and therefore only IPv4 servers are queried. |
rate-limit | Controls excessive UDP responses, to prevent BIND 9 from being used to amplify reflection denial-of-service (DoS) attacks. |
recursion | Defines whether recursion and caching are allowed. |
recursive-clients | Specifies the maximum number of concurrent recursive queries the server can perform. |
recursive-only | Toggles whether dns64 synthesis occurs only for recursive queries. |
referrals-per-second | Limits the number of referrals or delegations to a server for a given domain. |
request-expire | Specifies whether the local server requests the EDNS EXPIRE value, when acting as a secondary. |
request-nsid | Controls whether an empty EDNS(0) NSID (Name Server Identifier) option is sent with all queries to authoritative name servers during iterative resolution. |
require-cookie | Controls whether responses without a server cookie are accepted. |
require-server-cookie | Controls whether a valid server cookie is required before sending a full response to a UDP request. |
resolver-query-timeout | Specifies the length of time, in milliseconds, that a resolver attempts to resolve a recursive query before failing. |
response-padding | Adds an EDNS Padding option to encrypted messages, to reduce the chance of guessing the contents based on size. |
response-policy | Specifies response policy zones for the view or among global options. |
responses-per-second | Limits the number of non-empty responses for a valid domain name and record type. |
rrset-order | Defines the order in which equal RRs (RRsets) are returned. |
search | Specifies whether a Dynamically Loadable Zone (DLZ) module is queried for an answer to a query name. |
send-cookie | Controls whether a COOKIE EDNS option is sent along with a query. |
server-addresses | Specifies a list of IP addresses to which queries should be sent in recursive resolution for a static-stub zone. |
slip | Sets the number of "slipped" responses to minimize the use of forged source addresses for an attack. |
sortlist | Controls the ordering of RRs returned to the client, based on the client's IP address. |
stale-answer-client-timeout | Defines the amount of time (in milliseconds) that named waits before attempting to answer a query with a stale RRset from cache. |
stale-answer-enable | Enables the returning of "stale" cached answers when the name servers for a zone are not answering. |
stale-answer-ttl | Specifies the time to live (TTL) to be returned on stale answers, in seconds. |
stale-cache-enable | Enables the retention of "stale" cached answers. |
stale-refresh-time | Sets the time window for the return of "stale" cached answers before the next attempt to contact, if the name servers for a given zone are not responding. |
streams-per-connection | Specifies the maximum number of concurrent HTTP/2 streams over an HTTP/2 connection. |
suffix | Defines trailing bits for mapped IPv4 address bits in dns64. |
tcp-advertised-timeout | Sets the timeout value (in milliseconds) that the server sends in responses containing the EDNS TCP keepalive option. |
tcp-idle-timeout | Sets the amount of time (in milliseconds) that the server waits on an idle TCP connection before closing it, if the EDNS TCP keepalive option is not in use. |
tcp-initial-timeout | Sets the amount of time (in milliseconds) that the server waits on a new TCP connection for the first message from the client. |
tcp-keepalive-timeout | Sets the amount of time (in milliseconds) that the server waits on an idle TCP connection before closing it, if the EDNS TCP keepalive option is in use. |
tls-port | Specifies the TCP port number the server uses to receive and send DNS-over-TLS protocol traffic. |
v6-bias | Indicates the number of milliseconds of preference to give to IPv6 name servers. |
window | Specifies the length of time during which responses are tracked. |
zero-no-soa-ttl | Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries. |
zero-no-soa-ttl-cache | Sets the time to live (TTL) to zero when caching a negative response to an SOA query. |
Statement | Description |
---|---|
algorithm | Defines the algorithm to be used in a key clause. |
ca-file | Specifies the path to a file containing TLS certificates for trusted CA authorities, used to verify remote peer certificates. |
cert-file | Specifies the path to a file containing the TLS certificate for a connection. |
cipher-suites | Specifies a list of allowed cipher suites in the order of preference for TLSv1.3 only. |
ciphers | Specifies a list of allowed ciphers in the order of preference for TLSv1.2 only. |
dhparam-file | Specifies the path to a file containing Diffie-Hellman parameters, for enabling cipher suites. |
dnsrps-enable | Turns on the DNS Response Policy Service (DNSRPS) interface. |
dnsrps-library | Specifies the path to the DNS Response Policy Service (DNSRPS) provider library. |
dnsrps-options | Provides additional RPZ configuration settings, which are passed to the DNS Response Policy Service (DNSRPS) provider library. |
key | Defines a shared secret key for use with TSIG or the command channel. |
key-file | Specifies the path to a file containing the private TLS key for a connection. |
keys | Specifies one or more server_key entries to be used with a remote server. |
prefer-server-ciphers | Specifies that server ciphers should be preferred over client ones. |
protocols | Specifies the allowed versions of the TLS protocol. |
remote-hostname | Specifies the expected hostname in the TLS certificate of the remote server. |
response-policy | Specifies response policy zones for the view or among global options. |
secret | Defines a Base64-encoded string to be used as the secret by the algorithm. |
session-keyalg | Specifies the algorithm to use for the TSIG session key. |
session-keyfile | Specifies the pathname of the file where a TSIG session key is written, when generated by named for use by nsupdate -l. |
session-keyname | Specifies the key name for the TSIG session key. |
session-tickets | Enables or disables session resumption through TLS session tickets. |
tkey-domain | Sets the domain appended to the names of all shared keys generated with TKEY. |
tkey-gssapi-credential | Sets the security credential for authentication keys requested by the GSS-TSIG protocol. |
tkey-gssapi-keytab | Sets the KRB5 keytab file to use for GSS-TSIG updates. |
tls | Configures a TLS connection. |
Statement | Description |
---|---|
acl | Assigns a symbolic name to an address match list. |
allow-new-zones | Controls the ability to add zones at runtime via rndc addzone. |
allow-proxy | Defines an address_match_list for the client addresses allowed to send PROXYv2 headers. |
allow-proxy-on | Defines an address_match_list for the interface addresses allowed to accept PROXYv2 headers. The option is mostly intended for multi-homed configurations. |
allow-recursion-on | Specifies which local addresses can accept recursive queries. |
automatic-interface-scan | Controls the automatic rescanning of network interfaces when addresses are added or removed. |
bogus | Allows a remote server to be ignored. |
ca-file | Specifies the path to a file containing TLS certificates for trusted CA authorities, used to verify remote peer certificates. |
cert-file | Specifies the path to a file containing the TLS certificate for a connection. |
check-names | Restricts the character set and syntax of certain domain names in primary files and/or DNS responses received from the network. |
clients-per-query | Sets the initial minimum number of simultaneous recursive clients accepted by the server for any given query before the server drops additional clients. |
controls | Specifies control channels to be used to manage the name server. |
cookie-algorithm | Sets the algorithm to be used when generating a server cookie. |
cookie-secret | Specifies a shared secret used for generating and verifying EDNS COOKIE options within an anycast cluster. |
dhparam-file | Specifies the path to a file containing Diffie-Hellman parameters, for enabling cipher suites. |
directory | Sets the server's working directory. |
disable-empty-zone | Disables individual empty zones. |
dns64-contact | Specifies the name of the contact for dns64 zones. |
dns64-server | Specifies the name of the server for dns64 zones. |
dnsrps-enable | Turns on the DNS Response Policy Service (DNSRPS) interface. |
dnsrps-library | Specifies the path to the DNS Response Policy Service (DNSRPS) provider library. |
dnsrps-options | Provides additional RPZ configuration settings, which are passed to the DNS Response Policy Service (DNSRPS) provider library. |
dual-stack-servers | Specifies host names or addresses of machines with access to both IPv4 and IPv6 transports. |
edns | Controls the use of the EDNS0 (RFC 2671) feature. |
edns-version | Sets the maximum EDNS VERSION that is sent to the server(s) by the resolver. |
empty-contact | Specifies the contact name in the returned SOA record for empty zones. |
empty-server | Specifies the server name in the returned SOA record for empty zones. |
empty-zones-enable | Enables or disables all empty zones. |
endpoints | Specifies a list of HTTP query paths on which to listen. |
errors-per-second | Limits the number of errors for a valid domain name and record type. |
fetch-quota-params | Sets the parameters for dynamic resizing of the fetches-per-server quota in response to detected congestion. |
fetches-per-server | Sets the maximum number of simultaneous iterative queries allowed to be sent by a server to an upstream name server before the server blocks additional queries. |
fetches-per-zone | Sets the maximum number of simultaneous iterative queries allowed to any one domain before the server blocks new queries for data in or beneath that zone. |
geoip-directory | Specifies the directory containing GeoIP database files. |
hostname | Specifies the hostname of the server to return in response to a hostname.bind query. |
http | Configures HTTP endpoints on which to listen for DNS-over-HTTPS (DoH) queries. |
http-listener-clients | Limits the number of active concurrent connections on a per-listener basis. |
http-port | Specifies the TCP port number the server uses to receive and send unencrypted DNS traffic via HTTP. |
http-streams-per-connection | Limits the number of active concurrent HTTP/2 streams on a per-connection basis. |
https-port | Specifies the TCP port number the server uses to receive and send DNS-over-HTTPS protocol traffic. |
inet | Specifies a TCP socket as a control channel. |
interface-interval | Sets the interval at which the server scans the network interface list. |
ipv4-prefix-length | Specifies the prefix lengths of IPv4 address blocks. |
ipv4only-contact | Specifies the contact for the IPV4ONLY.ARPA zone created by dns64. |
ipv4only-server | Specifies the name of the server for the IPV4ONLY.ARPA zone created by dns64. |
ipv6-prefix-length | Specifies the prefix lengths of IPv6 address blocks. |
key-file | Specifies the path to a file containing the private TLS key for a connection. |
keys | Specifies one or more server_key entries to be used with a remote server. |
lame-ttl | Sets the resolver's lame cache. |
listen-on | Specifies the IPv4 addresses on which a server listens for DNS queries. |
listen-on-v6 | Specifies the IPv6 addresses on which a server listens for DNS queries. |
listener-clients | Specifies a per-listener quota for active connections. |
lmdb-mapsize | Sets a maximum size for the memory map of the new-zone database in LMDB database format. |
masterfile-format | Specifies the file format of zone files. |
masterfile-style | Specifies the format of zone files during a dump, when the masterfile-format is text. |
match-mapped-addresses | Allows IPv4-mapped IPv6 addresses to match address-match list entries for corresponding IPv4 addresses. |
max-cache-size | Sets the maximum amount of memory to use for an individual cache database and its associated metadata. |
max-cache-ttl | Specifies the maximum time (in seconds) that the server caches ordinary (positive) answers. |
max-clients-per-query | Sets the maximum number of simultaneous recursive clients accepted by the server for any given query before the server drops additional clients. |
max-ncache-ttl | Specifies the maximum retention time (in seconds) for storage of negative answers in the server's cache. |
max-query-count | Sets the maximum number of iterative queries while servicing a recursive query. |
max-query-restarts | Sets the maximum number of chained CNAMEs to follow. |
max-records | Sets the maximum number of records permitted in a zone. |
max-records-per-type | Sets the maximum number of records that can be stored in an RRset. |
max-recursion-depth | Sets the maximum number of levels of recursion permitted at any one time while servicing a recursive query. |
max-recursion-queries | Sets the maximum number of iterative queries while servicing a recursive query. |
max-stale-ttl | Specifies the maximum time that the server retains records past their normal expiry, to return them as stale records. |
max-table-size | Sets the maximum size of the table used to track requests and rate-limit responses. |
max-types-per-name | Sets the maximum number of RR types that can be stored for an owner name. |
max-validation-failures-per-fetch | Sets the maximum number of DNSSEC validation failures that can happen in a single fetch. |
max-validations-per-fetch | Sets the maximum number of DNSSEC validations that can happen in a single fetch. |
memstatistics | Controls whether memory statistics are written to the file specified by memstatistics-file at exit. |
min-cache-ttl | Specifies the minimum time (in seconds) that the server caches ordinary (positive) answers. |
min-ncache-ttl | Specifies the minimum retention time (in seconds) for storage of negative answers in the server's cache. |
no-case-compress | Specifies a list of addresses that require case-insensitive compression in responses. |
options | Defines global options to be used by BIND 9. |
padding | Adds EDNS Padding options to outgoing messages to increase the packet size. |
pid-file | Specifies the pathname of the file where the server writes its process ID. |
plugin | Configures plugins in named.conf. |
port | Specifies the UDP/TCP port number the server uses to receive and send DNS protocol traffic. |
prefer-server-ciphers | Specifies that server ciphers should be preferred over client ones. |
querylog | Specifies whether query logging should be active when named first starts. |
recursing-file | Specifies the pathname of the file where the server dumps queries that are currently recursing via rndc recursing. |
remote-servers | Defines a list of servers to be used by primary and secondary zones. |
resolver-use-dns64 | Specifies whether to apply DNS64 mappings when sending queries. |
response-policy | Specifies response policy zones for the view or among global options. |
responselog | Specifies whether response logging should be active when named first starts. |
reuseport | Enables kernel load-balancing of sockets. |
root-key-sentinel | Controls whether BIND 9 responds to root key sentinel probes. |
server | Defines characteristics to be associated with a remote name server. |
server-id | Specifies the ID of the server to return in response to an ID.SERVER query. |
servfail-ttl | Sets the length of time (in seconds) that a SERVFAIL response is cached. |
sig0checks-quota | Specifies the maximum number of concurrent SIG(0) signature checks that can be processed by the server. |
sig0checks-quota-exempt | Exempts specific clients or client groups from SIG(0) signature checking quota. |
sig0key-checks-limit | Specifies the maximum number of SIG(0) keys to consider when trying to verify a message. |
sig0message-checks-limit | Specifies the maximum number of matching SIG(0) keys to try to verify a message. |
stale-answer-client-timeout | Defines the amount of time (in milliseconds) that named waits before attempting to answer a query with a stale RRset from cache. |
stale-answer-enable | Enables the returning of "stale" cached answers when the name servers for a zone are not answering. |
stale-cache-enable | Enables the retention of "stale" cached answers. |
stale-refresh-time | Sets the time window for the return of "stale" cached answers before the next attempt to contact, if the name servers for a given zone are not responding. |
statistics-file | Specifies the pathname of the file where the server appends statistics, when using rndc stats. |
streams-per-connection | Specifies the maximum number of concurrent HTTP/2 streams over an HTTP/2 connection. |
tcp-clients | Specifies the maximum number of simultaneous client TCP connections accepted by the server. |
tcp-initial-timeout | Sets the amount of time (in milliseconds) that the server waits on a new TCP connection for the first message from the client. |
tcp-keepalive | Adds EDNS TCP keepalive to messages sent over TCP. |
tcp-listen-queue | Sets the listen-queue depth. |
tcp-only | Sets the transport protocol to TCP. |
tcp-receive-buffer | Sets the operating system's receive buffer size for TCP sockets. |
tcp-send-buffer | Sets the operating system's send buffer size for TCP sockets. |
tls-port | Specifies the TCP port number the server uses to receive and send DNS-over-TLS protocol traffic. |
transfers | Limits the number of concurrent inbound zone transfers from a server. |
udp-receive-buffer | Sets the operating system's receive buffer size for UDP sockets. |
udp-send-buffer | Sets the operating system's send buffer size for UDP sockets. |
update-quota | Specifies the maximum number of concurrent DNS UPDATE messages that can be processed by the server. |
v6-bias | Indicates the number of milliseconds of preference to give to IPv6 name servers. |
version | Specifies the version number of the server to return in response to a version.bind query. |
zero-no-soa-ttl | Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries. |
zero-no-soa-ttl-cache | Sets the time to live (TTL) to zero when caching a negative response to an SOA query. |
Statement | Description |
---|---|
allow-notify | Defines an address_match_list that is allowed to send NOTIFY messages for the zone, in addition to addresses defined in the primaries option for the zone. |
allow-transfer | Defines an address_match_list of hosts that are allowed to transfer the zone information from this server. |
allow-update | Defines an address_match_list of hosts that are allowed to submit dynamic updates for primary zones. |
allow-update-forwarding | Defines an address_match_list of hosts that are allowed to submit dynamic updates to a secondary server for transmission to a primary. |
also-notify | Defines one or more hosts that are sent NOTIFY messages when zone changes occur. |
ixfr-from-differences | Controls how IXFR transfers are calculated. |
max-ixfr-ratio | Sets the maximum size for IXFR responses to zone transfer requests. |
max-journal-size | Controls the size of journal files. |
max-refresh-time | Limits the zone refresh interval to no less often than the specified value, in seconds. |
max-retry-time | Limits the zone refresh retry interval to no less often than the specified value, in seconds. |
max-transfer-idle-in | Specifies the number of minutes after which inbound zone transfers making no progress are terminated. |
max-transfer-idle-out | Specifies the number of minutes after which outbound zone transfers making no progress are terminated. |
max-transfer-time-in | Specifies the number of minutes after which inbound zone transfers are terminated. |
max-transfer-time-out | Specifies the number of minutes after which outbound zone transfers are terminated. |
min-refresh-time | Limits the zone refresh interval to no more often than the specified value, in seconds. |
min-retry-time | Limits the zone refresh retry interval to no more often than the specified value, in seconds. |
min-transfer-rate-in | Specifies the minimum traffic rate below which inbound zone transfers are terminated. |
multi-master | Controls whether serial number mismatch errors are logged. |
notify | Controls whether NOTIFY messages are sent on zone changes. |
notify-delay | Sets the delay (in seconds) between sending sets of NOTIFY messages for a zone. |
notify-rate | Specifies the rate at which NOTIFY requests are sent during normal zone maintenance operations. |
notify-source | Defines the IPv4 address (and optional port) to be used for outgoing NOTIFY messages. |
notify-source-v6 | Defines the IPv6 address (and optional port) to be used for outgoing NOTIFY messages. |
notify-to-soa | Controls whether the name servers in the NS RRset are checked against the SOA MNAME. |
primaries | Defines one or more servers that zone transfer can be requested from. |
provide-ixfr | Controls whether a primary responds to an incremental zone request (IXFR) or only responds with a full zone transfer (AXFR). |
request-expire | Specifies whether the local server requests the EDNS EXPIRE value, when acting as a secondary. |
request-ixfr | Controls whether a secondary requests an incremental zone transfer (IXFR) or a full zone transfer (AXFR). |
serial-query-rate | Defines an upper limit on the number of queries per second issued by the server, when querying the SOA RRs used for zone transfers. |
startup-notify-rate | Specifies the rate at which NOTIFY requests are sent when the name server is first starting, or when new zones have been added. |
transfer-format | Controls whether multiple records can be packed into a message during zone transfers. |
transfer-message-size | Limits the uncompressed size of DNS messages used in zone transfers over TCP. |
transfer-source | Defines which local IPv4 address(es) are bound to TCP connections used to fetch zones transferred inbound by the server. |
transfer-source-v6 | Defines which local IPv6 address(es) are bound to TCP connections used to fetch zones transferred inbound by the server. |
transfers-in | Limits the number of concurrent inbound zone transfers. |
transfers-out | Limits the number of concurrent outbound zone transfers. |
transfers-per-ns | Limits the number of concurrent inbound zone transfers from a remote server. |
try-tcp-refresh | Specifies that BIND 9 should attempt to refresh a zone using TCP if UDP queries fail. |
update-policy | Sets fine-grained rules to allow or deny dynamic updates (DDNS), based on requester identity, updated content, etc. |
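As an added example (not taken from the BIND 9 ARM or from ISC's own sample configurations), the `named.conf` fragments below show how the transfer-related statements in this table combine on a primary and on a secondary so that zone transfers and dynamic updates are gated on TSIG keys rather than on source addresses, NOTIFY goes only to explicitly listed hosts, and transfer limits are bounded. The `key` statements must appear identically on both hosts; the two `zone "example.com"` blocks belong to two different servers' `named.conf` files, not to one file. The key names, file paths and addresses (192.0.2.0/24, 2001:db8::/32) are constructed placeholders, and both `secret` values are constructed base64 strings, not real key material; generate real ones with `tsig-keygen -a hmac-sha256 <name>`.

```conf
// Added example: TSIG-protected zone transfers and dynamic updates.
// Key names, paths, addresses and secrets are constructed placeholders.

// ---- key statements: identical on the primary and the secondary ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "Q29uc3RydWN0ZWRFeGFtcGxlU2VjcmV0RG9Ob3RVc2U=";   // constructed, not a real key
};

key "ddns-key" {
    algorithm hmac-sha256;
    secret "QW5vdGhlckNvbnN0cnVjdGVkU2VjcmV0Rm9yREROUw==";   // constructed, not a real key
};

// ---- global defaults (both hosts); zones may override ----
options {
    allow-transfer { none; };     // no AXFR/IXFR unless a zone opts in
    notify no;                    // zones enable NOTIFY explicitly
    transfers-in 10;
    transfers-out 10;
    transfers-per-ns 2;
    max-transfer-time-in 60;      // minutes
    max-transfer-idle-in 30;      // minutes
};

// ---- primary host: zone block ----
zone "example.com" {
    type primary;
    file "/var/named/example.com.db";          // placeholder path

    // Only peers that sign with xfer-key may transfer the zone;
    // a spoofed source address alone is not enough.
    allow-transfer { key "xfer-key"; };

    // Send NOTIFY to the listed secondaries only, not to every NS.
    notify explicit;
    also-notify { 192.0.2.53; 2001:db8::53; };

    // Dynamic updates: ddns-key may change A, AAAA and TXT records at or
    // below example.com, and nothing else (no SOA, NS or DS changes).
    // update-policy and allow-update are mutually exclusive in one zone.
    update-policy {
        grant "ddns-key" subdomain example.com. A AAAA TXT;
    };

    // Keep IXFR journals bounded.
    ixfr-from-differences yes;
    max-journal-size 20m;
};

// ---- secondary host: zone block ----
zone "example.com" {
    type secondary;
    file "/var/named/secondary/example.com.db"; // placeholder path

    // SOA queries and transfers to the primary are signed with xfer-key.
    primaries { 192.0.2.1 key "xfer-key"; };

    // NOTIFY is always accepted from the configured primaries;
    // "none" adds no further senders.
    allow-notify { none; };

    // Do not re-serve the zone to third parties.
    allow-transfer { none; };

    request-ixfr yes;
    request-expire yes;
    min-refresh-time 300;        // seconds
    max-refresh-time 3600;       // seconds
};
```

Run `named-checkconf` on each host's file after substituting real key material. The design choice here is to make the key, not the address, the authorization token for transfers and updates: `allow-transfer { key ... }` and a TSIG-bound `update-policy` continue to hold if an address on the list is reused or spoofed, while the global `allow-transfer { none; }` ensures that a zone added later without its own statement leaks nothing by default.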
Statement | Description |
---|---|
attach-cache | Allows multiple views to share a single cache database. |
in-view | Specifies the view in which a given zone is defined. |
match-clients | Specifies a view of DNS namespace for a given subset of client IP addresses. |
match-destinations | Specifies a view of DNS namespace for a given subset of destination IP addresses. |
match-recursive-only | Specifies that only recursive requests can match this view of the DNS namespace. |
view | Allows a name server to answer a DNS query differently depending on who is asking. |
Statement | Description |
---|---|
allow-new-zones | Controls the ability to add zones at runtime via `rndc addzone`. |
catalog-zones | Configures catalog zones in `named.conf`. |
check-integrity | Performs post-load zone integrity checks on primary zones. |
check-mx | Checks whether an MX record appears to refer to an IP address. |
check-mx-cname | Sets the response to MX records that refer to CNAMEs. |
check-sibling | Specifies whether to check for sibling glue when performing integrity checks. |
check-spf | Specifies whether to check for a TXT Sender Policy Framework record, if an SPF record is present. |
check-srv-cname | Sets the response to SRV records that refer to CNAMEs. |
check-svcb | Specifies whether to perform additional checks on SVCB records. |
check-wildcard | Checks for non-terminal wildcards. |
database | Specifies the type of database to be used to store zone data. |
disable-ds-digests | Disables DS digest types from a specified zone. |
disable-empty-zone | Disables individual empty zones. |
dlz | Configures a Dynamically Loadable Zone (DLZ) database in `named.conf`. |
dyndb | Configures a DynDB database in `named.conf`. |
empty-contact | Specifies the contact name in the returned SOA record for empty zones. |
empty-server | Specifies the server name in the returned SOA record for empty zones. |
empty-zones-enable | Enables or disables all empty zones. |
file | Specifies the zone's filename. |
flush-zones-on-shutdown | Controls whether pending zone writes are flushed when the name server exits. |
in-view | Specifies the view in which a given zone is defined. |
inline-signing | Specifies whether BIND 9 maintains a separate signed version of a zone. |
journal | Allows the default journal's filename to be overridden. |
masterfile-format | Specifies the file format of zone files. |
max-records | Sets the maximum number of records permitted in a zone. |
new-zones-directory | Specifies the directory where configuration parameters are stored for zones added by `rndc addzone`. |
notify-delay | Sets the delay (in seconds) between sending sets of NOTIFY messages for a zone. |
notify-rate | Specifies the rate at which NOTIFY requests are sent during normal zone maintenance operations. |
parent-propagation-delay | Sets the propagation delay from the time the parent zone is updated to when the new version is served by all of the parent zone's name servers. |
primaries | Defines one or more servers that zone transfer can be requested from. |
response-policy | Specifies response policy zones for the view or among global options. |
serial-update-method | Specifies the update method to be used for the zone serial number in the SOA record. |
server-addresses | Specifies a list of IP addresses to which queries should be sent in recursive resolution for a static-stub zone. |
server-names | Specifies a list of domain names of name servers that act as authoritative servers of a static-stub zone. |
startup-notify-rate | Specifies the rate at which NOTIFY requests are sent when the name server is first starting, or when new zones have been added. |
type | Specifies the kind of zone in a given configuration. |
type forward | Contains forwarding statements that apply to queries within a given domain. |
type hint | Contains the initial set of root name servers to be used at BIND 9 startup. |
type mirror | Contains a DNSSEC-validated duplicate of the main data for a zone. |
type primary | Contains the main copy of the data for a zone. |
type redirect | Contains information to answer queries when normal resolution would return NXDOMAIN. |
type secondary | Contains a duplicate of the data for a zone that has been transferred from a primary server. |
type static-stub | Contains a duplicate of the NS records of a primary zone, but statically configured rather than transferred from a primary server. |
type stub | Contains a duplicate of the NS records of a primary zone. |
zero-no-soa-ttl | Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries. |
zero-no-soa-ttl-cache | Sets the time to live (TTL) to zero when caching a negative response to an SOA query. |
zone | Specifies the zone in a BIND 9 configuration. |
zone-propagation-delay | Sets the propagation delay from the time a zone is first updated to when the new version of the zone is served by all secondary servers. |
zone-statistics | Controls the level of statistics gathered for all zones. |
Statement | Description |
---|---|
avoid-v4-udp-ports | Specifies the range(s) of ports to be excluded from use as sources for UDP/IPv4 messages. |
avoid-v6-udp-ports | Specifies the range(s) of ports to be excluded from use as sources for UDP/IPv6 messages. |
dialup | Concentrates zone maintenance so that all transfers take place once every `heartbeat-interval`, ideally during a single call. |
dnssec-must-be-secure | Defines hierarchies that must or may not be secure (signed and validated). |
heartbeat-interval | Sets the interval at which the server performs zone maintenance tasks for all zones marked as `dialup`. |
managed-keys | |
max-zone-ttl | Specifies a maximum permissible time-to-live (TTL) value, in seconds. |
sortlist | Controls the ordering of RRs returned to the client, based on the client's IP address. |
trusted-keys | |
use-v4-udp-ports | Specifies a list of ports that are valid sources for UDP/IPv4 messages. |
use-v6-udp-ports | Specifies a list of ports that are valid sources for UDP/IPv6 messages. |