Chapter 8: Configuration Reference

The operational functionality of BIND 9 is defined using the file named.conf, which is typically located in /etc/local/etc/namedb depending on the operating system or distribution. A further file, rndc.conf, is present if rndc is being run from a remote host, but it is not required if rndc is run from localhost (the same system on which BIND 9 is running).


8.1. Configuration File (named.conf)

The named.conf file may contain three types of entities:

The named.conf file may also contain one or more instances of the include directive. This directive is provided to ease administration when assembling a complete named.conf file, and it plays no subsequent role in the operational characteristics or functionality of BIND 9.

Note: Over the years, the BIND ARM has acquired a confusing array of terminology. Many of the terms used describe similar concepts and merely add a layer of complexity, possibly confusion, and maybe mystique to BIND 9 configuration. The ARM now uses only the terms Block, Statement, Argument, Value, and Directive to describe all the entities used in a BIND 9 configuration.

8.1.1. Comment Syntax

The BIND 9 comment syntax allows comments to appear anywhere that whitespace may appear in a BIND configuration file. To appeal to programmers of all kinds, they can be written in the C, C++, or shell/Perl style.

8.1.1.1. Syntax

8.1.1.2. Definition and Usage

Comments may be inserted anywhere whitespace may appear in a BIND configuration file.

C-style comments start with the two characters /* (slash, star) and end with */ (star, slash). Because they are completely delimited by these characters, they can be used to comment only a portion of a line or to span multiple lines.

C-style comments cannot be nested. For example, the following is not valid because the entire comment ends with the first */:

C++-style comments start with the two characters // (slash, slash) and continue to the end of the physical line. They cannot span multiple physical lines; to have one logical comment span multiple lines, each line must use the // pair. For example:

Shell-style (or Perl-style) comments start with the character # (number sign/pound sign) and continue to the end of the physical line, like C++ comments. For example:

Warning: Unlike in zone files, the semicolon (;) character cannot start a comment. The semicolon indicates the end of a configuration statement.

8.1.2. Configuration Layout Styles

BIND is very particular about opening and closing brackets/braces, semicolons, and all the other separators defined in the formal syntax in later sections. There are many layout styles that can help reduce errors, as the following examples show:

8.1.3. The include Directive

8.1.3.1. include Directive Definition and Usage

The include directive inserts the specified file (or files if a valid glob expression is detected) at the point where the include directive is encountered. The include directive facilitates the administration of configuration files by permitting the reading or writing of some things but not others. For example, the statement could include private keys that are readable only by the name server.

8.1.4. Address Match Lists

8.1.4.1. Syntax

An address match list is a semicolon-separated list of address_match_elements.

Each element is then defined as:

address_match_element

8.1.4.2. Definition and Usage

Address match lists are primarily used to determine access control for various server operations. They are also used in the listen-on and sortlist statements. The elements which constitute an address match list can be any of the following:

Elements can be negated with a leading exclamation mark (!), and the match list names "any", "none", "localhost", and "localnets" are predefined. More information on those names can be found in the description of the acl statement.

The addition of the key clause made the name of this syntactic element something of a misnomer, since security keys can be used to validate access without regard to a host or network address. Nonetheless, the term "address match list" is still used throughout the documentation.

When a given IP address or prefix is compared to an address match list, the comparison takes place in approximately O(1) time. However, key comparisons require that the list of keys be traversed until a matching key is found, and therefore may be somewhat slower.

The interpretation of a match depends on whether the list is being used for access control, for defining listen-on ports, or in a sortlist, and on whether the element was negated.

When used as an access control list, a non-negated match allows access and a negated match denies access. If there is no match, access is denied. The clauses allow-notify, allow-recursion, allow-recursion-on, allow-query, allow-query-cache, allow-query-cache-on, allow-transfer, allow-update, allow-update-forwarding, and blackhole all use address match lists. Similarly, the listen-on option causes the server to refuse queries on any of the machine's addresses which do not match the list.

Order of insertion is significant. If more than one element in an ACL is found to match a given IP address or prefix, preference is given to the one that came first in the ACL definition. Because of this first-match behavior, an element that defines a subset of another element in the list should come before the broader element, regardless of whether either is negated. For example, in 1.2.3/24; !1.2.3.13; the 1.2.3.13 element is completely useless, because the algorithm matches any lookup for 1.2.3.13 to the 1.2.3/24 element. Using !1.2.3.13; 1.2.3/24 fixes that problem by blocking 1.2.3.13 via the negation, while all other 1.2.3.* hosts pass through.
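The first-match rule and the negation semantics of this section, as an added Python example that is not part of the BIND ARM or of BIND's own code: it evaluates the two ACLs from the paragraph above and flags elements that can never be reached. The names parse_acl, first_match, access_allowed and shadowed_elements are this example's own; the predefined names localhost and localnets depend on the server's interfaces and are left out.

```python
import ipaddress

# Predefined names handled here. "localhost" and "localnets" expand to the
# server's own interface addresses, so they are left out of this example.
_PREDEFINED = {
    "any": [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")],
    "none": [],
}

def expand_prefix(text):
    """Expand BIND's abbreviated IPv4 prefixes: '1.2.3/24' -> '1.2.3.0/24'."""
    if ":" in text or "/" not in text:
        return text
    addr, plen = text.split("/", 1)
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ".".join(octets) + "/" + plen

def parse_acl(spec):
    """Parse 'elem; elem; ...' into an ordered list of (negated, networks).

    Elements are IP addresses, IPv4/IPv6 prefixes, or the predefined names
    'any' / 'none'; a leading '!' negates the element. Order is kept because
    evaluation is first-match.
    """
    acl = []
    for raw in spec.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        negated = raw.startswith("!")
        body = raw[1:].strip() if negated else raw
        if body in _PREDEFINED:
            nets = _PREDEFINED[body]
        else:
            nets = [ipaddress.ip_network(expand_prefix(body), strict=False)]
        acl.append((negated, nets))
    return acl

def first_match(acl, address):
    """Index of the first element matching address, or None if none matches."""
    ip = ipaddress.ip_address(address)
    for idx, (_, nets) in enumerate(acl):
        if any(ip in net for net in nets):
            return idx
    return None

def access_allowed(acl, address):
    """Access-control semantics: a non-negated match allows, a negated match
    denies, and no match at all denies."""
    idx = first_match(acl, address)
    if idx is None:
        return False
    negated, _ = acl[idx]
    return not negated

def shadowed_elements(acl):
    """Indices of elements that can never be the first match, because an
    earlier element already covers every address they contain (the
    'completely useless' case described in the text)."""
    shadowed = []
    for idx, (_, nets) in enumerate(acl):
        earlier = [n for _, ns in acl[:idx] for n in ns]
        if nets and all(
            any(n.subnet_of(e) for e in earlier if e.version == n.version)
            for n in nets
        ):
            shadowed.append(idx)
    return shadowed

if __name__ == "__main__":
    for spec in ("1.2.3/24; !1.2.3.13;", "!1.2.3.13; 1.2.3/24"):
        acl = parse_acl(spec)
        verdicts = {a: access_allowed(acl, a) for a in ("1.2.3.13", "1.2.3.14")}
        print(spec, "->", verdicts, "shadowed:", shadowed_elements(acl))
```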

8.1.5. Glossary of Terms Used

The following is a list of terms used in the BIND configuration file documentation:

8.2. Blocks

A BIND 9 configuration consists of blocks, statements, and comments.

The following blocks are supported:

The logging and options statements may only occur once per configuration.

8.2.1. acl Block Grammar

8.2.2. acl Block Definition and Usage

The acl statement assigns a symbolic name to an address match list. It gets its name from one of the primary uses of address match lists: Access Control Lists (ACLs).

The following ACLs are built in:

8.2.3. controls Block Grammar

8.2.4. controls Block Definition and Usage

The controls statement declares control channels to be used by system administrators to manage the operation of the name server. These control channels are used by the rndc utility to send commands to and retrieve non-DNS results from a name server.

If no controls statement is present, named sets up a default control channel listening on the loopback address 127.0.0.1 and its IPv6 counterpart, ::1. In this case, and also when the controls statement is present but does not have a keys clause, named attempts to load the command channel key from the file /etc/rndc.key. To create an rndc.key file, run rndc-confgen -a.

To disable the command channel, use an empty controls statement: controls { };

8.2.5. key Block Grammar

8.2.6. key Block Definition and Usage

The key statement defines a shared secret key for use with TSIG (see TSIG) or the command channel (see controls).

The key statement can occur at the top level of the configuration file or inside a view statement. Keys defined in top-level key statements can be used in all views. Keys intended for use in a controls statement must be defined at the top level.

The server_key, also known as the key name, is a domain name that uniquely identifies the key. It can be used in a server statement to cause requests sent to that server to be signed with this key, or in address match lists to verify that incoming requests have been signed with a key matching this name, algorithm, and secret.

8.2.7. key-store Block Grammar

8.2.8. key-store Block Definition and Usage

The key-store statement defines how DNSSEC keys are stored.

There is one built-in key store, named key-directory. Configuring keys to use key-store key-directory is the same as using key-directory.

The following options can be specified in a key-store statement:

8.2.9. logging Block Grammar

8.2.10. logging Block Definition and Usage

8.2.10.1. The channel Phrase

8.2.10.2. The category Phrase

8.2.10.3. The query-errors Category

8.2.11. parental-agents Block Grammar

8.2.12. parental-agents Block Definition and Usage

8.2.13. primaries Block Grammar

8.2.14. primaries Block Definition and Usage

8.2.15. options Block Grammar

8.2.16. options Block Definition and Usage

8.2.16.1. Boolean Options

8.2.16.2. Forwarding

8.2.16.3. Dual-stack Servers

8.2.16.4. Access Control

8.2.16.5. Interfaces

8.2.16.6. Query Address

8.2.16.7. Zone Transfers

8.2.16.8. Server Resource Limits

8.2.16.9. Periodic Task Intervals

8.2.16.10. The sortlist Statement

8.2.16.11. RRset Ordering

8.2.16.12. Tuning

8.2.16.13. Built-in Server Information Zones

8.2.16.14. Built-in Empty Zones

8.2.16.15. Content Filtering

8.2.16.16. Response Policy Zone (RPZ) Rewriting

8.2.16.17. Response Rate Limiting

8.2.16.18. NXDOMAIN Redirection

8.2.17. server Block Grammar

8.2.18. server Block Definition and Usage

8.2.19. statistics-channels Block Grammar

8.2.20. statistics-channels Block Definition and Usage

8.2.21. tls Block Grammar

8.2.22. tls Block Definition and Usage

8.2.23. http Block Grammar

8.2.24. http Block Definition and Usage

8.2.25. trust-anchors Block Grammar

8.2.26. trust-anchors Block Definition and Usage

8.2.27. dnssec-policy Block Grammar

8.2.28. dnssec-policy Block Definition and Usage

8.2.28.1. Automated KSK Rollovers

8.2.29. managed-keys Block Grammar

8.2.30. managed-keys Block Definition and Usage

8.2.31. trusted-keys Block Grammar

8.2.32. trusted-keys Block Definition and Usage

8.2.33. view Block Grammar

8.2.34. view Block Definition and Usage

8.2.35. zone Block Grammar

8.2.36. zone Block Definition and Usage

8.2.36.1. Zone Types

8.2.36.2. Class

8.2.36.3. Zone Options

8.2.36.4. Dynamic Update Policies

8.2.36.5. Multiple Views

8.3. Statements

BIND 9 supports hundreds of statements; finding the right statement to control a particular behavior or address a particular problem can be a daunting task. To simplify the task for users, all statements have been assigned one or more tags. Tags are intended to group statements with broadly similar functions; thus, for example, all statements controlling query processing or zone transfers are tagged under query and transfer, respectively.

The following table lists all statements permitted in named.conf along with their associated tags; the next section groups statements by tag. Note that these sections are still a work in progress.

Statement | Description | Tags
acl | Assigns a symbolic name to an address match list. | server
algorithm | Defines the algorithm to be used in a key clause. | security
all-per-second | Limits UDP responses of all kinds. | query
allow-new-zones | Controls the ability to add zones at runtime via rndc addzone. | server, zone
allow-notify | Defines an address_match_list that is allowed to send NOTIFY messages for the zone, in addition to addresses defined in the primaries option for the zone. | transfer
allow-proxy | Defines an address_match_list for the client addresses allowed to send PROXYv2 headers. | server
allow-proxy-on | Defines an address_match_list for the interface addresses allowed to accept PROXYv2 headers. The option is mostly intended for multi-homed configurations. | server
allow-query | Specifies which hosts (an IP address list) are allowed to send queries to this resolver. | query
allow-query-cache | Specifies which hosts (an IP address list) can access this server's cache and thus effectively controls recursion. | query
allow-query-cache-on | Specifies which hosts (from an IP address list) can access this server's cache. It is used on servers with multiple interfaces. | query
allow-query-on | Specifies which local addresses (an IP address list) are allowed to send queries to this resolver. This option is used in multi-homed configurations. | query
allow-recursion | Defines an address_match_list of clients that are allowed to perform recursive queries. | query
allow-recursion-on | Specifies which local addresses can accept recursive queries. | query, server
allow-transfer | Defines an address_match_list of hosts that are allowed to transfer the zone information from this server. | transfer
allow-update | Defines an address_match_list of hosts that are allowed to submit dynamic updates for primary zones. | transfer
allow-update-forwarding | Defines an address_match_list of hosts that are allowed to submit dynamic updates to a secondary server for transmission to a primary. | transfer
also-notify | Defines one or more hosts that are sent NOTIFY messages when zone changes occur. | transfer
answer-cookie | Controls whether COOKIE EDNS replies are sent in response to client queries. | query
attach-cache | Allows multiple views to share a single cache database. | view
auth-nxdomain | Controls whether BIND, acting as a resolver, provides authoritative NXDOMAIN (domain does not exist) answers. | query
automatic-interface-scan | Controls the automatic rescanning of network interfaces when addresses are added or removed. | server
avoid-v4-udp-ports | Specifies the range(s) of ports to be excluded from use as sources for UDP/IPv4 messages. | deprecated
avoid-v6-udp-ports | Specifies the range(s) of ports to be excluded from use as sources for UDP/IPv6 messages. | deprecated
bindkeys-file | Specifies the pathname of a file to override the built-in trusted keys provided by named. | dnssec
blackhole | Defines an address_match_list of hosts to ignore. The server will neither respond to queries from nor send queries to these addresses. | query
bogus | Allows a remote server to be ignored. | server
break-dnssec | Enables dns64 synthesis even if the validated result would cause a DNSSEC validation failure. | query
buffered | Controls flushing of log messages. | logging
ca-file | Specifies the path to a file containing TLS certificates for trusted CA authorities, used to verify remote peer certificates. | server, security
catalog-zones | Configures catalog zones in named.conf. | zone
category | Specifies the type of data logged to a particular channel. | logging
cdnskey | Specifies whether a CDNSKEY record should be published during KSK rollover. | dnssec
cds-digest-types | Specifies the digest types to use for CDS resource records. | dnssec
cert-file | Specifies the path to a file containing the TLS certificate for a connection. | server, security
channel | Defines a stream of data that can be independently logged. | logging
check-dup-records | Checks primary zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS. | dnssec, query
check-integrity | Performs post-load zone integrity checks on primary zones. | zone
check-mx | Checks whether an MX record appears to refer to an IP address. | zone
check-mx-cname | Sets the response to MX records that refer to CNAMEs. | zone
check-names | Restricts the character set and syntax of certain domain names in primary files and/or DNS responses received from the network. | query, server
check-sibling | Specifies whether to check for sibling glue when performing integrity checks. | zone
check-spf | Specifies whether to check for a TXT Sender Policy Framework record, if an SPF record is present. | zone
check-srv-cname | Sets the response to SRV records that refer to CNAMEs. | zone
check-svcb | Specifies whether to perform additional checks on SVCB records. | zone
check-wildcard | Checks for non-terminal wildcards. | zone
checkds | Controls whether DS queries are sent to parental agents. | dnssec
cipher-suites | Specifies a list of allowed cipher suites in the order of preference for TLSv1.3 only. | security
ciphers | Specifies a list of allowed ciphers in the order of preference for TLSv1.2 only. | security
clients | Specifies an access control list (ACL) of clients that are affected by a given dns64 directive. | query
clients-per-query | Sets the initial minimum number of simultaneous recursive clients accepted by the server for any given query before the server drops additional clients. | server
controls | Specifies control channels to be used to manage the name server. | server
cookie-algorithm | Sets the algorithm to be used when generating a server cookie. | server
cookie-secret | Specifies a shared secret used for generating and verifying EDNS COOKIE options within an anycast cluster. | server
database | Specifies the type of database to be used to store zone data. | zone
deny-answer-addresses | Rejects A or AAAA records if the corresponding IPv4 or IPv6 addresses match a given address_match_list. | query
deny-answer-aliases | Rejects CNAME or DNAME records if the "alias" name matches a given list of domain_name elements. | query
dhparam-file | Specifies the path to a file containing Diffie-Hellman parameters, for enabling cipher suites. | server, security
dialup | Concentrates zone maintenance so that all transfers take place once every heartbeat-interval, ideally during a single call. | deprecated
directory | Sets the server's working directory. | server
disable-algorithms | Disables DNSSEC algorithms from a specified zone. | dnssec
disable-ds-digests | Disables DS digest types from a specified zone. | dnssec, zone
disable-empty-zone | Disables individual empty zones. | server, zone
dlz | Configures a Dynamically Loadable Zone (DLZ) database in named.conf. | zone
dns64 | Instructs named to return mapped IPv4 addresses to AAAA queries when there are no AAAA records. | query
dns64-contact | Specifies the name of the contact for dns64 zones. | server
dns64-server | Specifies the name of the server for dns64 zones. | server
dnskey-sig-validity | (obsolete) | obsolete
dnskey-ttl | Specifies the time-to-live (TTL) for DNSKEY resource records. | dnssec
dnsrps-enable | Turns on the DNS Response Policy Service (DNSRPS) interface. | server, security
dnsrps-library | Specifies the path to the DNS Response Policy Service (DNSRPS) provider library. | server, security
dnsrps-options | Provides additional RPZ configuration settings, which are passed to the DNS Response Policy Service (DNSRPS) provider library. | server, security
dnssec-accept-expired | Instructs BIND 9 to accept expired DNSSEC signatures when validating. | dnssec
dnssec-dnskey-kskonly | (obsolete) | obsolete
dnssec-loadkeys-interval | Sets the frequency of automatic checks of the DNSSEC key repository. | dnssec
dnssec-must-be-secure | Defines hierarchies that must or may not be secure (signed and validated). | deprecated
dnssec-policy | Defines a key and signing policy (KASP) for zones. | dnssec
dnssec-secure-to-insecure | (obsolete) | obsolete
dnssec-update-mode | (obsolete) | obsolete
dnssec-validation | Enables DNSSEC validation in named. | dnssec
dnstap | Enables logging of dnstap messages. | logging
dnstap-identity | Specifies an identity string to send in dnstap messages. | logging
dnstap-output | Configures the path to which the dnstap frame stream is sent. | logging
dnstap-version | Specifies a version string to send in dnstap messages. | logging
dual-stack-servers | Specifies host names or addresses of machines with access to both IPv4 and IPv6 transports. | server
dump-file | Indicates the pathname of the file where the server dumps the database after rndc dumpdb. | logging
dyndb | Configures a DynDB database in named.conf. | zone
edns | Controls the use of the EDNS0 (RFC 2671) feature. | server
edns-udp-size | Sets the maximum advertised EDNS UDP buffer size to control the size of packets received from authoritative servers in response to recursive queries. | query
edns-version | Sets the maximum EDNS VERSION that is sent to the server(s) by the resolver. | server
empty-contact | Specifies the contact name in the returned SOA record for empty zones. | server, zone
empty-server | Specifies the server name in the returned SOA record for empty zones. | server, zone
empty-zones-enable | Enables or disables all empty zones. | server, zone
endpoints | Specifies a list of HTTP query paths on which to listen. | server, query
errors-per-second | Limits the number of errors for a valid domain name and record type. | server
exclude | Allows a list of IPv6 addresses to be ignored if they appear in a domain name's AAAA records in dns64. | query
exempt-clients | Exempts specific clients or client groups from rate limiting. | query
fetch-quota-params | Sets the parameters for dynamic resizing of the fetches-per-server quota in response to detected congestion. | server, query
fetches-per-server | Sets the maximum number of simultaneous iterative queries allowed to be sent by a server to an upstream name server before the server blocks additional queries. | server, query
fetches-per-zone | Sets the maximum number of simultaneous iterative queries allowed to any one domain before the server blocks new queries for data in or beneath that zone. | server, query
file | Specifies the zone's filename. | zone
flush-zones-on-shutdown | Controls whether pending zone writes are flushed when the name server exits. | zone
forward | Allows or disallows fallback to recursion if forwarding has failed; it is always used in conjunction with the forwarders statement. | query
forwarders | Defines one or more hosts to which queries are forwarded. | query
fstrm-set-buffer-hint | Sets the number of accumulated bytes in the output buffer before forcing a buffer flush. | logging
fstrm-set-flush-timeout | Sets the number of seconds that unflushed data remains in the output buffer. | logging
fstrm-set-input-queue-size | Sets the number of queue entries to allocate for each input queue. | logging
fstrm-set-output-notify-threshold | Sets the number of outstanding queue entries allowed on an input queue before waking the I/O thread. | logging
fstrm-set-output-queue-model | Sets the queuing semantics to use for queue objects. | logging
fstrm-set-output-queue-size | Sets the number of queue entries allocated for each output queue. | logging
fstrm-set-reopen-interval | Sets the number of seconds to wait between attempts to reopen a closed output stream. | logging
geoip-directory | Specifies the directory containing GeoIP database files. | server
heartbeat-interval | Sets the interval at which the server performs zone maintenance tasks for all zones marked as dialup. | deprecated
hostname | Specifies the hostname of the server to return in response to a hostname.bind query. | server
http | Configures HTTP endpoints on which to listen for DNS-over-HTTPS (DoH) queries. | server, query
http-listener-clients | Limits the number of active concurrent connections on a per-listener basis. | server
http-port | Specifies the TCP port number the server uses to receive and send unencrypted DNS traffic via HTTP. | server, query
http-streams-per-connection | Limits the number of active concurrent HTTP/2 streams on a per-connection basis. | server
https-port | Specifies the TCP port number the server uses to receive and send DNS-over-HTTPS protocol traffic. | server, query
in-view | Specifies the view in which a given zone is defined. | view, zone
inet | Specifies a TCP socket as a control channel. | server
inline-signing | Specifies whether BIND 9 maintains a separate signed version of a zone. | dnssec, zone
interface-interval | Sets the interval at which the server scans the network interface list. | server
ipv4-prefix-length | Specifies the prefix lengths of IPv4 address blocks. | server
ipv4only-contact | Specifies the contact for the IPV4ONLY.ARPA zone created by dns64. | server
ipv4only-enable | Enables automatic IPv4 zones if a dns64 block is configured. | query
ipv4only-server | Specifies the name of the server for the IPV4ONLY.ARPA zone created by dns64. | server, query
ipv6-prefix-length | Specifies the prefix lengths of IPv6 address blocks. | server
ixfr-from-differences | Controls how IXFR transfers are calculated. | transfer
journal | Allows the default journal's filename to be overridden. | zone
key | Defines a shared secret key for use with TSIG or the command channel. | security
key-directory | Indicates the directory where public and private DNSSEC key files are found. | dnssec
key-file | Specifies the path to a file containing the private TLS key for a connection. | server, security
key-store | Configures a DNSSEC key store. | dnssec
keys | Specifies one or more server_keys to be used with a remote server. | server, security
lame-ttl | Sets the resolver's lame cache. | server
listen-on | Specifies the IPv4 addresses on which a server listens for DNS queries. | server
listen-on-v6 | Specifies the IPv6 addresses on which a server listens for DNS queries. | server
listener-clients | Specifies a per-listener quota for active connections. | server, query
lmdb-mapsize | Sets a maximum size for the memory map of the new-zone database in LMDB database format. | server
log-only | Tests rate-limiting parameters without actually dropping any requests. | logging, query
logging | Configures logging options for the name server. | logging
managed-keys | (deprecated) | deprecated
managed-keys-directory | Specifies the directory in which to store the files that track managed DNSSEC keys. | dnssec
mapped | Specifies an access control list (ACL) of IPv4 addresses that are to be mapped to the corresponding A RRset in dns64. | query
masterfile-format | Specifies the file format of zone files. | zone, server
masterfile-style | Specifies the format of zone files during a dump, when the masterfile-format is text. | server
match-clients | Specifies a view of DNS namespace for a given subset of client IP addresses. | view
match-destinations | Specifies a view of DNS namespace for a given subset of destination IP addresses. | view
match-mapped-addresses | Allows IPv4-mapped IPv6 addresses to match address-match list entries for corresponding IPv4 addresses. | server
match-recursive-only | Specifies that only recursive requests can match this view of the DNS namespace. | view
max-cache-size | Sets the maximum amount of memory to use for an individual cache database and its associated metadata. | server
max-cache-ttl | Specifies the maximum time (in seconds) that the server caches ordinary (positive) answers. | server
max-clients-per-query | Sets the maximum number of simultaneous recursive clients accepted by the server for any given query before the server drops additional clients. | server
max-ixfr-ratio | Sets the maximum size for IXFR responses to zone transfer requests. | transfer
max-journal-size | Controls the size of journal files. | transfer
max-ncache-ttl | Specifies the maximum retention time (in seconds) for storage of negative answers in the server's cache. | server
max-query-count | Sets the maximum number of iterative queries while servicing a recursive query. | server, query
max-query-restarts | Sets the maximum number of chained CNAMEs to follow. | server, query
max-records | Sets the maximum number of records permitted in a zone. | zone, server
max-records-per-type | Sets the maximum number of records that can be stored in an RRset. | server
max-recursion-depth | Sets the maximum number of levels of recursion permitted at any one time while servicing a recursive query. | server
max-recursion-queries | Sets the maximum number of iterative queries while servicing a recursive query. | server, query
max-refresh-time | Limits the zone refresh interval to no less often than the specified value, in seconds. | transfer
max-retry-time | Limits the zone refresh retry interval to no less often than the specified value, in seconds. | transfer
max-rsa-exponent-size | Sets the maximum RSA exponent size (in bits) when validating. | dnssec, query
max-stale-ttl | Specifies the maximum time that the server retains records past their normal expiry, to return them as stale records. | server
max-table-size | Sets the maximum size of the table used to track requests and rate-limit responses. | server
max-transfer-idle-in | Specifies the number of minutes after which inbound zone transfers making no progress are terminated. | transfer
max-transfer-idle-out | Specifies the number of minutes after which outbound zone transfers making no progress are terminated. | transfer
max-transfer-time-in | Specifies the number of minutes after which inbound zone transfers are terminated. | transfer
max-transfer-time-out | Specifies the number of minutes after which outbound zone transfers are terminated. | transfer
max-types-per-name | Sets the maximum number of RR types that can be stored for an owner name. | server
max-udp-size | Sets the maximum EDNS UDP message size sent by named. | query
max-validation-failures-per-fetch | Sets the maximum number of DNSSEC validation failures that can happen in a single fetch. | server
max-validations-per-fetch | Sets the maximum number of DNSSEC validations that can happen in a single fetch. | server
max-zone-ttl | Specifies a maximum permissible time-to-live (TTL) value, in seconds. | deprecated
memstatistics | Controls whether memory statistics are written to the file specified by memstatistics-file at exit. | server, logging
memstatistics-file | Sets the pathname of the file where the server writes memory usage statistics on exit. | logging
message-compression | Controls whether DNS name compression is used in responses to regular queries. | query
min-cache-ttl | Specifies the minimum time (in seconds) that the server caches ordinary (positive) answers. | server
min-ncache-ttl | Specifies the minimum retention time (in seconds) for storage of negative answers in the server's cache. | server
min-refresh-time | Limits the zone refresh interval to no more often than the specified value, in seconds. | transfer
min-retry-time | Limits the zone refresh retry interval to no more often than the specified value, in seconds. | transfer
min-table-size | Sets the minimum size of the table used to track requests and rate-limit responses. | query
min-transfer-rate-in | Specifies the minimum traffic rate below which inbound zone transfers are terminated. | transfer
minimal-any | Controls whether the server replies with only one of the RRsets for a query name, when generating a positive response to a query of type ANY over UDP. | query
minimal-responses | Controls whether the server only adds records to the authority and additional data sections when they are required (e.g. delegations, negative responses). This improves server performance. | query
multi-master | Controls whether serial number mismatch errors are logged. | transfer
new-zones-directory | Specifies the directory where configuration parameters are stored for zones added by rndc addzone. | zone
no-case-compress | Specifies a list of addresses that require case-insensitive compression in responses. | server
nocookie-udp-size | Sets the maximum size of UDP responses that are sent to queries without a valid server COOKIE. | query
nodata-per-second | Limits the number of empty (NODATA) responses for a valid domain name. | query
notify | Controls whether NOTIFY messages are sent on zone changes. | transfer
notify-delay | Sets the delay (in seconds) between sending sets of NOTIFY messages for a zone. | transfer, zone
notify-rate | Specifies the rate at which NOTIFY requests are sent during normal zone maintenance operations. | transfer, zone
notify-source | Defines the IPv4 address (and optional port) to be used for outgoing NOTIFY messages. | transfer
notify-source-v6 | Defines the IPv6 address (and optional port) to be used for outgoing NOTIFY messages. | transfer
notify-to-soa | Controls whether the name servers in the NS RRset are checked against the SOA MNAME. | transfer
nsec3param | Specifies the use of NSEC3 instead of NSEC, and sets NSEC3 parameters. | dnssec
nta-lifetime | Specifies the lifetime, in seconds, for negative trust anchors added via rndc nta. | dnssec
nta-recheck | Specifies the time interval for checking whether negative trust anchors added via rndc nta are still necessary. | dnssec
null | Causes all messages sent to the logging channel to be discarded. | logging
nxdomain-redirect | Appends the specified suffix to the original query name, when replacing an NXDOMAIN with a redirect namespace. | query
nxdomains-per-second | Limits the number of undefined subdomains for a valid domain name. | query
offline-ksk | Specifies whether the DNSKEY, CDS, and CDNSKEY RRsets are being signed offline. |
dnssec
optionsDefines global options to be used by BIND 9.
定义BIND 9要使用的全局选项。
server
paddingAdds EDNS Padding options to outgoing messages to increase the packet size.
向传出消息添加EDNS填充选项以增加数据包大小。
server
parent-ds-ttlSets the time to live (TTL) of the DS RRset used by the parent zone.
设置父区域使用的DS RRset的生存时间(TTL)。
dnssec
parent-propagation-delaySets the propagation delay from the time the parent zone is updated to when the new version is served by all of the parent zone's name servers.
设置从父区域更新到所有父区域名称服务器提供新版本的传播延迟。
dnssec, zone
parental-agents dnssec
parental-sourceSpecifies which local IPv4 source address is used to send parental DS queries.
指定用于发送家长DS查询的本地IPv4源地址。
dnssec
parental-source-v6Specifies which local IPv6 source address is used to send parental DS queries.
指定用于发送家长DS查询的本地IPv6源地址。
dnssec
pid-fileSpecifies the pathname of the file where the server writes its process ID.
指定服务器写入其进程ID的文件的路径名。
server
pkcs11-uri dnssec, pkcs11
pluginConfigures plugins in named.conf.
named.conf 中配置插件。
server
portSpecifies the UDP/TCP port number the server uses to receive and send DNS protocol traffic.
指定服务器用于接收和发送DNS协议流量的UDP/TCP端口号。
server, query
prefer-server-ciphersSpecifies that server ciphers should be preferred over client ones.
指定服务器密码应优先于客户端密码。
server, security
preferred-glueControls the order of glue records in an A or AAAA response.
控制A或AAAA响应中胶水记录的顺序。
query
prefetchSpecifies the "trigger" time-to-live (TTL) value at which prefetch of the current query takes place.
指定当前查询预取发生时的“触发”生存时间(TTL)值。
query
primariesDefines one or more servers that zone transfer can be requested from.
定义一个或多个可以请求区域传输的服务器。
transfer, zone
print-categoryIncludes the category in log messages.
在日志消息中包含该类别。
logging
print-severityIncludes the severity in log messages.
在日志消息中包括严重性。
logging
print-timeSpecifies the time format for log messages.
指定日志消息的时间格式。
logging
protocolsSpecifies the allowed versions of the TLS protocol.
指定允许的TLS协议版本。
security
provide-ixfrControls whether a primary responds to an incremental zone request (IXFR) or only responds with a full zone transfer (AXFR).
控制主服务器是响应增量区域请求(IXFR)还是仅响应完整区域传输(AXFR)。
transfer
publish-safetyIncreases the amount of time between when keys are published and when they become active, to allow for unforeseen events.
增加密钥发布与激活之间的时间间隔,以应对不可预见的事件。
dnssec
purge-keysSpecifies the amount of time after which DNSSEC keys that have been deleted from the zone can be removed from disk.
指定从区域中删除的DNSSEC密钥可以从磁盘中删除的时间量。
dnssec
qname-minimizationControls QNAME minimization behavior in the BIND 9 resolver.
控制BIND 9解析器中的QNAME最小化行为。
query
qps-scaleTightens defenses during DNS attacks by scaling back the ratio of the current query-per-second rate.
通过降低当前每秒查询率的比率,加强DNS攻击期间的防御。
query
query-sourceControls the IPv4 address from which queries are issued. If none, then no IPv4 address would be used to issue the query and therefore only IPv6 servers are queried.
控制发出查询的IPv4地址。如果没有,则不会使用IPv4地址发出查询,因此只查询IPv6服务器。
query
query-source-v6Controls the IPv6 address from which queries are issued. If none, then no IPv6 address would be used to issue the query and therefore only IPv4 servers are quried.
控制发出查询的IPv6地址。如果没有,则不会使用IPv6地址来发出查询,因此只需要IPv4服务器。
query
querylogSpecifies whether query logging should be active when named first starts.
指定在 named 时是否应激活查询日志记录首先开始。
logging, server
rate-limitControls excessive UDP responses, to prevent BIND 9 from being used to amplify reflection denial-of-service (DoS) attacks.
控制过多的UDP响应,以防止BIND 9被用于放大反射拒绝服务(DoS)攻击。
query
recursing-fileSpecifies the pathname of the file where the server dumps queries that are currently recursing via rndc recursing.
指定服务器转储当前通过 rndc recursing 递归的查询的文件的路径名。
server
recursionDefines whether recursion and caching are allowed.
定义是否允许递归和缓存。
query
recursive-clientsSpecifies the maximum number of concurrent recursive queries the server can perform.
指定服务器可以执行的并发递归查询的最大数量。
query
recursive-onlyToggles whether dns64 synthesis occurs only for recursive queries.
切换是否 dns64 合成仅发生在递归查询中。
query
referrals-per-secondLimits the number of referrals or delegations to a server for a given domain.
限制给定域对服务器的推荐或委派数量。
query
remote-hostnameSpecifies the expected hostname in the TLS certificate of the remote server.
指定远程服务器的TLS证书中的预期主机名。
security
remote-serversDefines a list of servers to be used by primary and secondary zones.
定义主区域和辅助区域使用的服务器列表。
server
request-expireSpecifies whether the local server requests the EDNS EXPIRE value, when acting as a secondary.
指定本地服务器在充当辅助服务器时是否请求EDNS EXPIRE值。
transfer, query
request-ixfrControls whether a secondary requests an incremental zone transfer (IXFR) or a full zone transfer (AXFR).
控制辅助服务器是请求增量区域传输(IXFR)还是请求完整区域传输(AXFR)。
transfer
request-nsidControls whether an empty EDNS(0) NSID (Name Server Identifier) option is sent with all queries to authoritative name servers during iterative resolution.
控制在迭代解析期间是否将空的EDNS(0) NSID(名称服务器标识符)选项与所有查询一起发送到权威名称服务器。
query
require-cookieControls whether responses without a server cookie are accepted.
控制是否接受没有服务器cookie的响应。
query
require-server-cookieControls whether a valid server cookie is required before sending a full response to a UDP request.
控制在向UDP请求发送完整响应之前是否需要有效的服务器cookie。
query
resolver-query-timeoutSpecifies the length of time, in milliseconds, that a resolver attempts to resolve a recursive query before failing.
指定解析器在失败之前尝试解析递归查询的时间长度(以毫秒为单位)。
query
resolver-use-dns64Specifies whether to apply DNS64 mappings when sending queries.
指定在发送查询时是否应用DNS64映射。
server
response-paddingAdds an EDNS Padding option to encrypted messages, to reduce the chance of guessing the contents based on size.
为加密消息添加EDNS填充选项,以减少根据大小猜测内容的机会。
query
response-policySpecifies response policy zones for the view or among global options.
为视图或全局选项指定响应策略区域。
server, query, zone, security
responselogSpecifies whether response logging should be active when named first starts.
指定在 named 时是否应激活响应日志记录首先开始。
logging, server
responses-per-secondLimits the number of non-empty responses for a valid domain name and record type.
限制有效域名和记录类型的非空响应数。
query
retire-safetyIncreases the amount of time a key remains published after it is no longer active, to allow for unforeseen events.
增加密钥在不再活动后保持发布的时间,以考虑不可预见的事件。
dnssec
reuseportEnables kernel load-balancing of sockets.
启用套接字的内核负载平衡。
server
root-key-sentinelControls whether BIND 9 responds to root key sentinel probes.
控制BIND 9是否响应根密钥哨兵探针。
server
rrset-orderDefines the order in which equal RRs (RRsets) are returned.
定义返回相等RRs(RRset)的顺序。
query
searchSpecifies whether a Dynamically Loadable Zone (DLZ) module is queried for an answer to a query name.
指定是否向动态可加载区域(DLZ)模块查询查询名称的答案。
query
secretDefines a Base64-encoded string to be used as the secret by the algorithm.
定义一个Base64编码的字符串,作为算法的秘密。
security
secroots-fileSpecifies the pathname of the file where the server dumps security roots, when using rndc secroots.
指定服务器在使用 rndc-securots 时转储安全根的文件的路径名。
dnssec
send-cookieControls whether a COOKIE EDNS option is sent along with a query.
控制COOKIE EDNS选项是否与查询一起发送。
query
serial-query-rateDefines an upper limit on the number of queries per second issued by the server, when querying the SOA RRs used for zone transfers.
在查询用于区域传输的SOA RRs时,定义服务器每秒发出的查询次数的上限。
transfer
serial-update-methodSpecifies the update method to be used for the zone serial number in the SOA record.
指定用于SOA记录中区域序列号的更新方法。
zone
serverDefines characteristics to be associated with a remote name server.
定义与远程名称服务器关联的特征。
server
server-addressesSpecifies a list of IP addresses to which queries should be sent in recursive resolution for a static-stub zone.
指定静态存根区域的递归解析中应向其发送查询的IP地址列表。
query, zone
server-idSpecifies the ID of the server to return in response to a ID.SERVER query.
指定响应 ID.server 查询时返回的服务器的ID。
server
server-namesSpecifies a list of domain names of name servers that act as authoritative servers of a static-stub zone.
指定充当静态存根区域的权威服务器的名称服务器的域名列表。
zone
servfail-ttlSets the length of time (in seconds) that a SERVFAIL response is cached.
设置缓存SERVFAIL响应的时间长度(秒)。
server
session-keyalgSpecifies the algorithm to use for the TSIG session key.
指定用于TSIG会话密钥的算法。
security
session-keyfileSpecifies the pathname of the file where a TSIG session key is written, when generated by named for use by nsupdate -l.
指定写入TSIG会话密钥的文件的路径名,当由 named 生成时供 nsupdate-l 使用。
security
session-keynameSpecifies the key name for the TSIG session key.
指定TSIG会话密钥的密钥名称。
security
session-ticketsEnables or disables session resumption through TLS session tickets.
通过TLS会话票证启用或禁用会话恢复。
security
severityDefines the priority level of log messages.
定义日志消息的优先级。
logging
sig-signing-nodesSpecifies the maximum number of nodes to be examined in each quantum, when signing a zone with a new DNSKEY.
指定使用新的DNSKEY对区域进行签名时,每个量子中要检查的最大节点数。
dnssec
sig-signing-signaturesSpecifies the threshold for the number of signatures that terminates processing a quantum, when signing a zone with a new DNSKEY.
指定使用新的DNSKEY对区域进行签名时终止处理量子的签名数量的阈值。
dnssec
sig-signing-typeSpecifies a private RDATA type to use when generating signing-state records.
指定生成签名状态记录时使用的专用RDATA类型。
dnssec
sig-validity-interval(过时了)obsolete
sig0checks-quotaSpecifies the maximum number of concurrent SIG(0) signature checks that can be processed by the server.
指定服务器可以处理的并发SIG(0)签名检查的最大数量。
server
sig0checks-quota-exemptExempts specific clients or client groups from SIG(0) signature checking quota.
免除特定客户或客户组的SIG(0)签名检查配额。
server
sig0key-checks-limitSpecifies the maximum number of SIG(0) keys to consider when trying to verify a message.
指定在尝试验证消息时要考虑的SIG(0)密钥的最大数量。
server
sig0message-checks-limitSpecifies the maximum number of matching SIG(0) keys to try to verify a message.
指定尝试验证消息的匹配SIG(0)密钥的最大数量。
server
signatures-jitterSpecifies a range for signature expirations.
指定签名过期的范围。
dnssec
signatures-refreshSpecifies how frequently an RRSIG record is refreshed.
指定刷新RRSIG记录的频率。
dnssec
signatures-validityIndicates the validity period of an RRSIG record.
指示RRSIG记录的有效期。
dnssec
signatures-validity-dnskeyIndicates the validity period of DNSKEY records.
表示DNSKEY记录的有效期。
dnssec
slipSets the number of "slipped" responses to minimize the use of forged source addresses for an attack.
设置“滑动”响应的数量,以尽量减少使用伪造的源地址进行攻击。
query
sortlistControls the ordering of RRs returned to the client, based on the client's IP address.
根据客户端的IP地址控制返回给客户端的RR的顺序。
query, deprecated
stale-answer-client-timeoutDefines the amount of time (in milliseconds) that named waits before attempting to answer a query with a stale RRset from cache.
定义 named 的时间量(以毫秒为单位)在尝试使用缓存中的过时RRset回答查询之前会等待。
server, query
stale-answer-enableEnables the returning of "stale" cached answers when the name servers for a zone are not answering.
当区域的名称服务器没有应答时,允许返回“过时”的缓存答案。
server, query
stale-answer-ttlSpecifies the time to live (TTL) to be returned on stale answers, in seconds.
指定对过时答案返回的生存时间(TTL),以秒为单位。
query
stale-cache-enableEnables the retention of "stale" cached answers.
允许保留“过时”的缓存答案。
server, query
stale-refresh-timeSets the time window for the return of "stale" cached answers before the next attempt to contact, if the name servers for a given zone are not responding.
如果给定区域的名称服务器没有响应,则设置在下次尝试联系之前返回“过时”缓存答案的时间窗口。
server, query
startup-notify-rateSpecifies the rate at which NOTIFY requests are sent when the name server is first starting, or when new zones have been added.
指定名称服务器首次启动或添加新区域时发送NOTIFY请求的速率。
transfer, zone
statistics-channelsSpecifies the communication channels to be used by system administrators to access statistics information on the name server.
指定系统管理员用于访问名称服务器上的统计信息的通信通道。
logging
statistics-fileSpecifies the pathname of the file where the server appends statistics, when using rndc stats.
指定服务器在使用 rndc-stasts 时附加统计信息的文件的路径名。
logging, server
stderrDirects the logging channel output to the server's standard error stream.
将日志记录通道输出定向到服务器的标准错误流。
logging
streams-per-connectionSpecifies the maximum number of concurrent HTTP/2 streams over an HTTP/2 connection.
指定HTTP/2连接上并发HTTP/2流的最大数量。
server, query
suffixDefines trailing bits for mapped IPv4 address bits in dns64.
定义 dns64 中映射的IPv4地址位的尾随位。
query
synth-from-dnssecEnables support for RFC 8198, Aggressive Use of DNSSEC-Validated Cache.
支持 RFC 8198,积极使用DNSSEC验证的缓存。
dnssec
syslogDirects the logging channel to the system log.
将日志记录通道定向到系统日志。
logging
tcp-advertised-timeoutSets the timeout value (in milliseconds) that the server sends in responses containing the EDNS TCP keepalive option.
设置服务器在包含EDNS TCP keepalive选项的响应中发送的超时值(以毫秒为单位)。
query
tcp-clientsSpecifies the maximum number of simultaneous client TCP connections accepted by the server.
指定服务器同时接受的客户端TCP连接的最大数量。
server
tcp-idle-timeoutSets the amount of time (in milliseconds) that the server waits on an idle TCP connection before closing it, if the EDNS TCP keepalive option is not in use.
如果未使用EDNS TCP keepalive选项,则设置服务器在关闭空闲TCP连接之前等待的时间量(以毫秒为单位)。
query
tcp-initial-timeoutSets the amount of time (in milliseconds) that the server waits on a new TCP connection for the first message from the client.
设置服务器在新TCP连接上等待来自客户端的第一条消息的时间量(以毫秒为单位)。
server, query
tcp-keepaliveAdds EDNS TCP keepalive to messages sent over TCP.
将EDNS TCP keepalive添加到通过TCP发送的消息中。
server
tcp-keepalive-timeoutSets the amount of time (in milliseconds) that the server waits on an idle TCP connection before closing it, if the EDNS TCP keepalive option is in use.
如果正在使用EDNS TCP keepalive选项,则设置服务器在关闭空闲TCP连接之前等待的时间量(以毫秒为单位)。
query
tcp-listen-queueSets the listen-queue depth.
设置侦听队列深度。
server
tcp-onlySets the transport protocol to TCP.
将传输协议设置为TCP。
server
tcp-receive-bufferSets the operating system's receive buffer size for TCP sockets.
为TCP套接字设置操作系统的接收缓冲区大小。
server
tcp-send-bufferSets the operating system's send buffer size for TCP sockets.
为TCP套接字设置操作系统的发送缓冲区大小。
server
tkey-domainSets the domain appended to the names of all shared keys generated with TKEY.
设置附加到使用 TKEY 生成的所有共享密钥名称的域。
security
tkey-gssapi-credentialSets the security credential for authentication keys requested by the GSS-TSIG protocol.
为GSS-TSIG协议请求的身份验证密钥设置安全凭据。
security
tkey-gssapi-keytabSets the KRB5 keytab file to use for GSS-TSIG updates.
设置用于GSS-TSIG更新的KRB5 keytab文件。
security
tlsConfigures a TLS connection.
配置TLS连接。
security
tls-portSpecifies the TCP port number the server uses to receive and send DNS-over-TLS protocol traffic.
指定服务器用于接收和发送DNS-over-TLS协议流量的TCP端口号。
server, query
transfer-formatControls whether multiple records can be packed into a message during zone transfers.
控制在区域传输期间是否可以将多条记录打包到消息中。
transfer
transfer-message-sizeLimits the uncompressed size of DNS messages used in zone transfers over TCP.
限制通过TCP进行区域传输时使用的DNS消息的未压缩大小。
transfer
transfer-sourceDefines which local IPv4 address(es) are bound to TCP connections used to fetch zones transferred inbound by the server.
定义哪些本地IPv4地址绑定到用于获取服务器入站传输的区域的TCP连接。
transfer
transfer-source-v6Defines which local IPv6 address(es) are bound to TCP connections used to fetch zones transferred inbound by the server.
定义哪些本地IPv6地址绑定到用于获取服务器入站传输的区域的TCP连接。
transfer
transfersLimits the number of concurrent inbound zone transfers from a server.
限制服务器并发入站区域传输的数量。
server
transfers-inLimits the number of concurrent inbound zone transfers.
限制并发入站区域传输的数量。
transfer
transfers-outLimits the number of concurrent outbound zone transfers.
限制并发出站区域传输的数量。
transfer
transfers-per-nsLimits the number of concurrent inbound zone transfers from a remote server.
限制来自远程服务器的并发入站区域传输的数量。
transfer
trust-anchor-telemetryInstructs named to send specially formed queries once per day to domains for which trust anchors have been configured.
指令 named 每天向已配置信任锚的域发送一次特殊格式的查询。
dnssec
trust-anchorsDefines DNSSEC trust anchors.
定义 DNSSEC 信任锚。
dnssec
trusted-keys deprecated
try-tcp-refreshSpecifies that BIND 9 should attempt to refresh a zone using TCP if UDP queries fail.
指定如果UDP查询失败,BIND 9应尝试使用TCP刷新区域。
transfer
typeSpecifies the kind of zone in a given configuration.
指定给定配置中的区域类型。
zone
type forwardContains forwarding statements that apply to queries within a given domain.
包含适用于给定域内查询的转发语句。
zone
type hintContains the initial set of root name servers to be used at BIND 9 startup.
包含BIND 9启动时使用的初始根名称服务器集。
zone
type mirrorContains a DNSSEC-validated duplicate of the main data for a zone.
包含区域主数据的DNSSEC验证副本。
zone
type primaryContains the main copy of the data for a zone.
包含区域数据的主副本。
zone
type redirectContains information to answer queries when normal resolution would return NXDOMAIN.
包含在正常解析将返回NXDOMAIN时回答查询的信息。
zone
type secondaryContains a duplicate of the data for a zone that has been transferred from a primary server.
包含从主服务器传输的区域的数据副本。
zone
type static-stubContains a duplicate of the NS records of a primary zone, but statically configured rather than transferred from a primary server.
包含主区域的NS记录的副本,但是静态配置的,而不是从主服务器传输的。
zone
type stubContains a duplicate of the NS records of a primary zone.
包含主区域的NS记录的副本。
zone
udp-receive-bufferSets the operating system's receive buffer size for UDP sockets.
设置UDP套接字的操作系统接收缓冲区大小。
server
udp-send-bufferSets the operating system's send buffer size for UDP sockets.
设置UDP套接字的操作系统发送缓冲区大小。
server
unixSpecifies a Unix domain socket as a control channel.
指定Unix域套接字作为控制通道。
obsolete
update-check-ksk(过时了)obsolete
update-policySets fine-grained rules to allow or deny dynamic updates (DDNS), based on requester identity, updated content, etc.
根据请求者身份、更新内容等设置细粒度规则以允许或拒绝动态更新(DDNS)。
transfer
update-quotaSpecifies the maximum number of concurrent DNS UPDATE messages that can be processed by the server.
指定服务器可以处理的并发DNS UPDATE消息的最大数量。
server
use-v4-udp-portsSpecifies a list of ports that are valid sources for UDP/IPv4 messages.
指定UDP/IPv4消息的有效源端口列表。
deprecated
use-v6-udp-portsSpecifies a list of ports that are valid sources for UDP/IPv6 messages.
指定UDP/IPv6消息的有效源端口列表。
deprecated
v6-biasIndicates the number of milliseconds of preference to give to IPv6 name servers.
指示给予IPv6名称服务器的首选毫秒数。
server, query
validate-exceptSpecifies a list of domain names at and beneath which DNSSEC validation should not be performed.
指定一个域名列表,在该列表及其下方不应执行DNSSEC验证。
dnssec
versionSpecifies the version number of the server to return in response to a version.bind query.
指定响应 version.bind 查询时返回的服务器的版本号。
server
viewAllows a name server to answer a DNS query differently depending on who is asking.
允许名称服务器根据询问者的不同来回答DNS查询。
view
windowSpecifies the length of time during which responses are tracked.
指定跟踪响应的时间长度。
query
zero-no-soa-ttlSpecifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries.
指定在向SOA查询返回权威否定响应时,是否将SOA记录的生存时间(TTL)设置为零。
zone, query, server
zero-no-soa-ttl-cacheSets the time to live (TTL) to zero when caching a negative response to an SOA query.
在缓存对SOA查询的否定响应时,将生存时间(TTL)设置为零。
zone, query, server
zoneSpecifies the zone in a BIND 9 configuration.
指定BIND 9配置中的区域。
zone
zone-propagation-delaySets the propagation delay from the time a zone is first updated to when the new version of the zone is served by all secondary servers.
设置从区域首次更新到所有辅助服务器为该区域的新版本提供服务的传播延迟。
dnssec, zone
zone-statisticsControls the level of statistics gathered for all zones.
控制为所有区域收集的统计级别。
zone, logging

8.4. Statements by Tag

These tables group the various statements permitted in named.conf by their corresponding tags.

8.4.1. DNSSEC Tag Statements

Statement | Description
bindkeys-file | Specifies the pathname of a file to override the built-in trusted keys provided by named.
cdnskey | Specifies whether a CDNSKEY record should be published during KSK rollover.
cds-digest-types | Specifies the digest types to use for CDS resource records.
check-dup-records | Checks primary zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS.
checkds | Controls whether DS queries are sent to parental agents.
disable-algorithms | Disables DNSSEC algorithms from a specified zone.
disable-ds-digests | Disables DS digest types from a specified zone.
dnskey-ttl | Specifies the time-to-live (TTL) for DNSKEY resource records.
dnssec-accept-expired | Instructs BIND 9 to accept expired DNSSEC signatures when validating.
dnssec-loadkeys-interval | Sets the frequency of automatic checks of the DNSSEC key repository.
dnssec-policy | Defines a key and signing policy (KASP) for zones.
dnssec-validation | Enables DNSSEC validation in named.
inline-signing | Specifies whether BIND 9 maintains a separate signed version of a zone.
key-directory | Indicates the directory where public and private DNSSEC key files are found.
key-store | Configures a DNSSEC key store.
managed-keys-directory | Specifies the directory in which to store the files that track managed DNSSEC keys.
max-rsa-exponent-size | Sets the maximum RSA exponent size (in bits) when validating.
nsec3param | Specifies the use of NSEC3 instead of NSEC, and sets NSEC3 parameters.
nta-lifetime | Specifies the lifetime, in seconds, for negative trust anchors added via rndc nta.
nta-recheck | Specifies the time interval for checking whether negative trust anchors added via rndc nta are still necessary.
offline-ksk | Specifies whether the DNSKEY, CDS, and CDNSKEY RRsets are being signed offline.
parent-ds-ttl | Sets the time to live (TTL) of the DS RRset used by the parent zone.
parent-propagation-delay | Sets the propagation delay from the time the parent zone is updated to when the new version is served by all of the parent zone's name servers.
parental-agents |
parental-source | Specifies which local IPv4 source address is used to send parental DS queries.
parental-source-v6 | Specifies which local IPv6 source address is used to send parental DS queries.
pkcs11-uri |
publish-safety | Increases the amount of time between when keys are published and when they become active, to allow for unforeseen events.
purge-keys | Specifies the amount of time after which DNSSEC keys that have been deleted from the zone can be removed from disk.
retire-safety | Increases the amount of time a key remains published after it is no longer active, to allow for unforeseen events.
secroots-file | Specifies the pathname of the file where the server dumps security roots, when using rndc secroots.
sig-signing-nodes | Specifies the maximum number of nodes to be examined in each quantum, when signing a zone with a new DNSKEY.
sig-signing-signatures | Specifies the threshold for the number of signatures that terminates processing a quantum, when signing a zone with a new DNSKEY.
sig-signing-type | Specifies a private RDATA type to use when generating signing-state records.
signatures-jitter | Specifies a range for signature expirations.
signatures-refresh | Specifies how frequently an RRSIG record is refreshed.
signatures-validity | Indicates the validity period of an RRSIG record.
signatures-validity-dnskey | Indicates the validity period of DNSKEY records.
synth-from-dnssec | Enables support for RFC 8198, Aggressive Use of DNSSEC-Validated Cache.
trust-anchor-telemetry | Instructs named to send specially formed queries once per day to domains for which trust anchors have been configured.
trust-anchors | Defines DNSSEC trust anchors.
validate-except | Specifies a list of domain names at and beneath which DNSSEC validation should not be performed.
zone-propagation-delay | Sets the propagation delay from the time a zone is first updated to when the new version of the zone is served by all secondary servers.

8.4.2. Logging Tag Statements

Statement | Description
buffered | Controls flushing of log messages.
category | Specifies the type of data logged to a particular channel.
channel | Defines a stream of data that can be independently logged.
dnstap | Enables logging of dnstap messages.
dnstap-identity | Specifies an identity string to send in dnstap messages.
dnstap-output | Configures the path to which the dnstap frame stream is sent.
dnstap-version | Specifies a version string to send in dnstap messages.
dump-file | Indicates the pathname of the file where the server dumps the database after rndc dumpdb.
fstrm-set-buffer-hint | Sets the number of accumulated bytes in the output buffer before forcing a buffer flush.
fstrm-set-flush-timeout | Sets the number of seconds that unflushed data remains in the output buffer.
fstrm-set-input-queue-size | Sets the number of queue entries to allocate for each input queue.
fstrm-set-output-notify-threshold | Sets the number of outstanding queue entries allowed on an input queue before waking the I/O thread.
fstrm-set-output-queue-model | Sets the queuing semantics to use for queue objects.
fstrm-set-output-queue-size | Sets the number of queue entries allocated for each output queue.
fstrm-set-reopen-interval | Sets the number of seconds to wait between attempts to reopen a closed output stream.
log-only | Tests rate-limiting parameters without actually dropping any requests.
logging | Configures logging options for the name server.
memstatistics | Controls whether memory statistics are written to the file specified by memstatistics-file at exit.
memstatistics-file | Sets the pathname of the file where the server writes memory usage statistics on exit.
null | Causes all messages sent to the logging channel to be discarded.
print-category | Includes the category in log messages.
print-severity | Includes the severity in log messages.
print-time | Specifies the time format for log messages.
querylog | Specifies whether query logging should be active when named first starts.
responselog | Specifies whether response logging should be active when named first starts.
severity | Defines the priority level of log messages.
statistics-channels | Specifies the communication channels to be used by system administrators to access statistics information on the name server.
statistics-file | Specifies the pathname of the file where the server appends statistics, when using rndc stats.
stderr | Directs the logging channel output to the server's standard error stream.
syslog | Directs the logging channel to the system log.
zone-statistics | Controls the level of statistics gathered for all zones.

8.4.3. Query Tag Statements

Statement | Description
all-per-second | Limits UDP responses of all kinds.
allow-query | Specifies which hosts (an IP address list) are allowed to send queries to this resolver.
allow-query-cache | Specifies which hosts (an IP address list) can access this server's cache and thus effectively controls recursion.
allow-query-cache-on | Specifies which hosts (from an IP address list) can access this server's cache. It is used on servers with multiple interfaces.
allow-query-on | Specifies which local addresses (an IP address list) are allowed to send queries to this resolver. This option is used in multi-homed configurations.
allow-recursion | Defines an address_match_list of clients that are allowed to perform recursive queries.
allow-recursion-on | Specifies which local addresses can accept recursive queries.
answer-cookie | Controls whether COOKIE EDNS replies are sent in response to client queries.
auth-nxdomain | Controls whether BIND, acting as a resolver, provides authoritative NXDOMAIN (domain does not exist) answers.
blackhole | Defines an address_match_list of hosts to ignore. The server will neither respond to queries from nor send queries to these addresses.
break-dnssec | Enables dns64 synthesis even if the validated result would cause a DNSSEC validation failure.
check-dup-records | Checks primary zones for records that are treated as different by DNSSEC but are semantically equal in plain DNS.
check-names | Restricts the character set and syntax of certain domain names in primary files and/or DNS responses received from the network.
clients | Specifies an access control list (ACL) of clients that are affected by a given dns64 directive.
deny-answer-addresses | Rejects A or AAAA records if the corresponding IPv4 or IPv6 addresses match a given address_match_list.
deny-answer-aliases | Rejects CNAME or DNAME records if the "alias" name matches a given list of domain_name elements.
dns64 | Instructs named to return mapped IPv4 addresses to AAAA queries when there are no AAAA records.
edns-udp-size | Sets the maximum advertised EDNS UDP buffer size to control the size of packets received from authoritative servers in response to recursive queries.
endpoints | Specifies a list of HTTP query paths on which to listen.
exclude | Allows a list of IPv6 addresses to be ignored if they appear in a domain name's AAAA records in dns64.
exempt-clients | Exempts specific clients or client groups from rate limiting.
fetch-quota-params | Sets the parameters for dynamic resizing of the fetches-per-server quota in response to detected congestion.
fetches-per-server | Sets the maximum number of simultaneous iterative queries allowed to be sent by a server to an upstream name server before the server blocks additional queries.
fetches-per-zone | Sets the maximum number of simultaneous iterative queries allowed to any one domain before the server blocks new queries for data in or beneath that zone.
forward | Allows or disallows fallback to recursion if forwarding has failed; it is always used in conjunction with the forwarders statement.
forwarders | Defines one or more hosts to which queries are forwarded.
http | Configures HTTP endpoints on which to listen for DNS-over-HTTPS (DoH) queries.
http-port | Specifies the TCP port number the server uses to receive and send unencrypted DNS traffic via HTTP.
https-port | Specifies the TCP port number the server uses to receive and send DNS-over-HTTPS protocol traffic.
ipv4only-enable | Enables automatic IPv4 zones if a dns64 block is configured.
ipv4only-server | Specifies the name of the server for the IPV4ONLY.ARPA zone created by dns64.
listener-clients | Specifies a per-listener quota for active connections.
log-only | Tests rate-limiting parameters without actually dropping any requests.
mapped | Specifies an access control list (ACL) of IPv4 addresses that are to be mapped to the corresponding A RRset in dns64.
max-query-count | Sets the maximum number of iterative queries while servicing a recursive query.
max-query-restarts | Sets the maximum number of chained CNAMEs to follow.
max-recursion-queries | Sets the maximum number of iterative queries while servicing a recursive query.
max-rsa-exponent-size | Sets the maximum RSA exponent size (in bits) when validating.
max-udp-size | Sets the maximum EDNS UDP message size sent by named.
message-compression | Controls whether DNS name compression is used in responses to regular queries.
min-table-size | Sets the minimum size of the table used to track requests and rate-limit responses.
minimal-anyControls whether the server replies with only one of the RRsets for a query name, when generating a positive response to a query of type ANY over UDP.
minimal-responsesControls whether the server only adds records to the authority and additional data sections when they are required (e.g. delegations, negative responses). This improves server performance.
nocookie-udp-sizeSets the maximum size of UDP responses that are sent to queries without a valid server COOKIE.
nodata-per-secondLimits the number of empty (NODATA) responses for a valid domain name.
nxdomain-redirectAppends the specified suffix to the original query name, when replacing an NXDOMAIN with a redirect namespace.
nxdomains-per-secondLimits the number of undefined subdomains for a valid domain name.
portSpecifies the UDP/TCP port number the server uses to receive and send DNS protocol traffic.
preferred-glueControls the order of glue records in an A or AAAA response.
prefetchSpecifies the "trigger" time-to-live (TTL) value at which prefetch of the current query takes place.
qname-minimizationControls QNAME minimization behavior in the BIND 9 resolver.
qps-scaleTightens defenses during DNS attacks by scaling back the ratio of the current query-per-second rate.
query-sourceControls the IPv4 address from which queries are issued. If none, then no IPv4 address would be used to issue the query and therefore only IPv6 servers are queried.
query-source-v6Controls the IPv6 address from which queries are issued. If none, then no IPv6 address would be used to issue the query and therefore only IPv4 servers are quried.
rate-limitControls excessive UDP responses, to prevent BIND 9 from being used to amplify reflection denial-of-service (DoS) attacks.
recursionDefines whether recursion and caching are allowed.
recursive-clientsSpecifies the maximum number of concurrent recursive queries the server can perform.
recursive-onlyToggles whether dns64 synthesis occurs only for recursive queries.
referrals-per-secondLimits the number of referrals or delegations to a server for a given domain.
request-expireSpecifies whether the local server requests the EDNS EXPIRE value, when acting as a secondary.
request-nsidControls whether an empty EDNS(0) NSID (Name Server Identifier) option is sent with all queries to authoritative name servers during iterative resolution.
require-cookieControls whether responses without a server cookie are accepted.
require-server-cookieControls whether a valid server cookie is required before sending a full response to a UDP request.
resolver-query-timeoutSpecifies the length of time, in milliseconds, that a resolver attempts to resolve a recursive query before failing.
response-paddingAdds an EDNS Padding option to encrypted messages, to reduce the chance of guessing the contents based on size.
response-policySpecifies response policy zones for the view or among global options.
responses-per-secondLimits the number of non-empty responses for a valid domain name and record type.
rrset-orderDefines the order in which equal RRs (RRsets) are returned.
searchSpecifies whether a Dynamically Loadable Zone (DLZ) module is queried for an answer to a query name.
send-cookieControls whether a COOKIE EDNS option is sent along with a query.
server-addressesSpecifies a list of IP addresses to which queries should be sent in recursive resolution for a static-stub zone.
slipSets the number of "slipped" responses to minimize the use of forged source addresses for an attack.
sortlistControls the ordering of RRs returned to the client, based on the client's IP address.
stale-answer-client-timeoutDefines the amount of time (in milliseconds) that named waits before attempting to answer a query with a stale RRset from cache.
stale-answer-enableEnables the returning of "stale" cached answers when the name servers for a zone are not answering.
stale-answer-ttlSpecifies the time to live (TTL) to be returned on stale answers, in seconds.
stale-cache-enableEnables the retention of "stale" cached answers.
stale-refresh-timeSets the time window for the return of "stale" cached answers before the next attempt to contact, if the name servers for a given zone are not responding.
streams-per-connectionSpecifies the maximum number of concurrent HTTP/2 streams over an HTTP/2 connection.
suffixDefines trailing bits for mapped IPv4 address bits in dns64.
tcp-advertised-timeoutSets the timeout value (in milliseconds) that the server sends in responses containing the EDNS TCP keepalive option.
tcp-idle-timeoutSets the amount of time (in milliseconds) that the server waits on an idle TCP connection before closing it, if the EDNS TCP keepalive option is not in use.
tcp-initial-timeoutSets the amount of time (in milliseconds) that the server waits on a new TCP connection for the first message from the client.
tcp-keepalive-timeoutSets the amount of time (in milliseconds) that the server waits on an idle TCP connection before closing it, if the EDNS TCP keepalive option is in use.
tls-portSpecifies the TCP port number the server uses to receive and send DNS-over-TLS protocol traffic.
v6-biasIndicates the number of milliseconds of preference to give to IPv6 name servers.
windowSpecifies the length of time during which responses are tracked.
zero-no-soa-ttlSpecifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries.
zero-no-soa-ttl-cacheSets the time to live (TTL) to zero when caching a negative response to an SOA query.

8.4.4. Security Tag Statements

Statement | Description
algorithm | Defines the algorithm to be used in a key clause.
ca-file | Specifies the path to a file containing TLS certificates for trusted CA authorities, used to verify remote peer certificates.
cert-file | Specifies the path to a file containing the TLS certificate for a connection.
cipher-suites | Specifies a list of allowed cipher suites in the order of preference for TLSv1.3 only.
ciphers | Specifies a list of allowed ciphers in the order of preference for TLSv1.2 only.
dhparam-file | Specifies the path to a file containing Diffie-Hellman parameters, for enabling cipher suites.
dnsrps-enable | Turns on the DNS Response Policy Service (DNSRPS) interface.
dnsrps-library | Specifies the path to the DNS Response Policy Service (DNSRPS) provider library.
dnsrps-options | Provides additional RPZ configuration settings, which are passed to the DNS Response Policy Service (DNSRPS) provider library.
key | Defines a shared secret key for use with TSIG or the command channel.
key-file | Specifies the path to a file containing the private TLS key for a connection.
keys | Specifies one or more server_key entries to be used with a remote server.
prefer-server-ciphers | Specifies that server ciphers should be preferred over client ones.
protocols | Specifies the allowed versions of the TLS protocol.
remote-hostname | Specifies the expected hostname in the TLS certificate of the remote server.
response-policy | Specifies response policy zones for the view or among global options.
secret | Defines a Base64-encoded string to be used as the secret by the algorithm.
session-keyalg | Specifies the algorithm to use for the TSIG session key.
session-keyfile | Specifies the pathname of the file where a TSIG session key is written, when generated by named for use by nsupdate -l.
session-keyname | Specifies the key name for the TSIG session key.
session-tickets | Enables or disables session resumption through TLS session tickets.
tkey-domain | Sets the domain appended to the names of all shared keys generated with TKEY.
tkey-gssapi-credential | Sets the security credential for authentication keys requested by the GSS-TSIG protocol.
tkey-gssapi-keytab | Sets the KRB5 keytab file to use for GSS-TSIG updates.
tls | Configures a TLS connection.

8.4.5. Server Tag Statements

Statement | Description
acl | Assigns a symbolic name to an address match list.
allow-new-zones | Controls the ability to add zones at runtime via rndc addzone.
allow-proxy | Defines an address_match_list for the client addresses allowed to send PROXYv2 headers.
allow-proxy-on | Defines an address_match_list for the interface addresses allowed to accept PROXYv2 headers. The option is mostly intended for multi-homed configurations.
allow-recursion-on | Specifies which local addresses can accept recursive queries.
automatic-interface-scan | Controls the automatic rescanning of network interfaces when addresses are added or removed.
bogus | Allows a remote server to be ignored.
ca-file | Specifies the path to a file containing TLS certificates for trusted CA authorities, used to verify remote peer certificates.
cert-file | Specifies the path to a file containing the TLS certificate for a connection.
check-names | Restricts the character set and syntax of certain domain names in primary files and/or DNS responses received from the network.
clients-per-query | Sets the initial minimum number of simultaneous recursive clients accepted by the server for any given query before the server drops additional clients.
controls | Specifies control channels to be used to manage the name server.
cookie-algorithm | Sets the algorithm to be used when generating a server cookie.
cookie-secret | Specifies a shared secret used for generating and verifying EDNS COOKIE options within an anycast cluster.
dhparam-file | Specifies the path to a file containing Diffie-Hellman parameters, for enabling cipher suites.
directory | Sets the server's working directory.
disable-empty-zone | Disables individual empty zones.
dns64-contact | Specifies the name of the contact for dns64 zones.
dns64-server | Specifies the name of the server for dns64 zones.
dnsrps-enable | Turns on the DNS Response Policy Service (DNSRPS) interface.
dnsrps-library | Specifies the path to the DNS Response Policy Service (DNSRPS) provider library.
dnsrps-options | Provides additional RPZ configuration settings, which are passed to the DNS Response Policy Service (DNSRPS) provider library.
dual-stack-servers | Specifies host names or addresses of machines with access to both IPv4 and IPv6 transports.
edns | Controls the use of the EDNS0 (RFC 2671) feature.
edns-version | Sets the maximum EDNS VERSION that is sent to the server(s) by the resolver.
empty-contact | Specifies the contact name in the returned SOA record for empty zones.
empty-server | Specifies the server name in the returned SOA record for empty zones.
empty-zones-enable | Enables or disables all empty zones.
endpoints | Specifies a list of HTTP query paths on which to listen.
errors-per-second | Limits the number of errors for a valid domain name and record type.
fetch-quota-params | Sets the parameters for dynamic resizing of the fetches-per-server quota in response to detected congestion.
fetches-per-server | Sets the maximum number of simultaneous iterative queries allowed to be sent by a server to an upstream name server before the server blocks additional queries.
fetches-per-zone | Sets the maximum number of simultaneous iterative queries allowed to any one domain before the server blocks new queries for data in or beneath that zone.
geoip-directory | Specifies the directory containing GeoIP database files.
hostname | Specifies the hostname of the server to return in response to a hostname.bind query.
http | Configures HTTP endpoints on which to listen for DNS-over-HTTPS (DoH) queries.
http-listener-clients | Limits the number of active concurrent connections on a per-listener basis.
http-port | Specifies the TCP port number the server uses to receive and send unencrypted DNS traffic via HTTP.
http-streams-per-connection | Limits the number of active concurrent HTTP/2 streams on a per-connection basis.
https-port | Specifies the TCP port number the server uses to receive and send DNS-over-HTTPS protocol traffic.
inet | Specifies a TCP socket as a control channel.
interface-interval | Sets the interval at which the server scans the network interface list.
ipv4-prefix-length | Specifies the prefix lengths of IPv4 address blocks.
ipv4only-contact | Specifies the contact for the IPV4ONLY.ARPA zone created by dns64.
ipv4only-server | Specifies the name of the server for the IPV4ONLY.ARPA zone created by dns64.
ipv6-prefix-length | Specifies the prefix lengths of IPv6 address blocks.
key-file | Specifies the path to a file containing the private TLS key for a connection.
keys | Specifies one or more server_key entries to be used with a remote server.
lame-ttl | Sets the resolver's lame cache.
listen-on | Specifies the IPv4 addresses on which a server listens for DNS queries.
listen-on-v6 | Specifies the IPv6 addresses on which a server listens for DNS queries.
listener-clients | Specifies a per-listener quota for active connections.
lmdb-mapsize | Sets a maximum size for the memory map of the new-zone database in LMDB database format.
masterfile-format | Specifies the file format of zone files.
masterfile-style | Specifies the format of zone files during a dump, when the masterfile-format is text.
match-mapped-addresses | Allows IPv4-mapped IPv6 addresses to match address-match list entries for corresponding IPv4 addresses.
max-cache-size | Sets the maximum amount of memory to use for an individual cache database and its associated metadata.
max-cache-ttl | Specifies the maximum time (in seconds) that the server caches ordinary (positive) answers.
max-clients-per-query | Sets the maximum number of simultaneous recursive clients accepted by the server for any given query before the server drops additional clients.
max-ncache-ttl | Specifies the maximum retention time (in seconds) for storage of negative answers in the server's cache.
max-query-count | Sets the maximum number of iterative queries while servicing a recursive query.
max-query-restarts | Sets the maximum number of chained CNAMEs to follow.
max-records | Sets the maximum number of records permitted in a zone.
max-records-per-type | Sets the maximum number of records that can be stored in an RRset.
max-recursion-depth | Sets the maximum number of levels of recursion permitted at any one time while servicing a recursive query.
max-recursion-queries | Sets the maximum number of iterative queries while servicing a recursive query.
max-stale-ttl | Specifies the maximum time that the server retains records past their normal expiry, to return them as stale records.
max-table-size | Sets the maximum size of the table used to track requests and rate-limit responses.
max-types-per-name | Sets the maximum number of RR types that can be stored for an owner name.
max-validation-failures-per-fetch | Sets the maximum number of DNSSEC validation failures that can happen in a single fetch.
max-validations-per-fetch | Sets the maximum number of DNSSEC validations that can happen in a single fetch.
memstatistics | Controls whether memory statistics are written to the file specified by memstatistics-file at exit.
min-cache-ttl | Specifies the minimum time (in seconds) that the server caches ordinary (positive) answers.
min-ncache-ttl | Specifies the minimum retention time (in seconds) for storage of negative answers in the server's cache.
no-case-compress | Specifies a list of addresses that require case-insensitive compression in responses.
options | Defines global options to be used by BIND 9.
padding | Adds EDNS Padding options to outgoing messages to increase the packet size.
pid-file | Specifies the pathname of the file where the server writes its process ID.
plugin | Configures plugins in named.conf.
port | Specifies the UDP/TCP port number the server uses to receive and send DNS protocol traffic.
prefer-server-ciphers | Specifies that server ciphers should be preferred over client ones.
querylog | Specifies whether query logging should be active when named first starts.
recursing-file | Specifies the pathname of the file where the server dumps queries that are currently recursing via rndc recursing.
remote-servers | Defines a list of servers to be used by primary and secondary zones.
resolver-use-dns64 | Specifies whether to apply DNS64 mappings when sending queries.
response-policy | Specifies response policy zones for the view or among global options.
responselog | Specifies whether response logging should be active when named first starts.
reuseport | Enables kernel load-balancing of sockets.
root-key-sentinel | Controls whether BIND 9 responds to root key sentinel probes.
server | Defines characteristics to be associated with a remote name server.
server-id | Specifies the ID of the server to return in response to an ID.SERVER query.
servfail-ttl | Sets the length of time (in seconds) that a SERVFAIL response is cached.
sig0checks-quota | Specifies the maximum number of concurrent SIG(0) signature checks that can be processed by the server.
sig0checks-quota-exempt | Exempts specific clients or client groups from the SIG(0) signature checking quota.
sig0key-checks-limit | Specifies the maximum number of SIG(0) keys to consider when trying to verify a message.
sig0message-checks-limit | Specifies the maximum number of matching SIG(0) keys to try to verify a message.
stale-answer-client-timeout | Defines the amount of time (in milliseconds) that named waits before attempting to answer a query with a stale RRset from cache.
stale-answer-enable | Enables the returning of "stale" cached answers when the name servers for a zone are not answering.
stale-cache-enable | Enables the retention of "stale" cached answers.
stale-refresh-time | Sets the time window for the return of "stale" cached answers before the next attempt to contact, if the name servers for a given zone are not responding.
statistics-file | Specifies the pathname of the file where the server appends statistics, when using rndc stats.
streams-per-connection | Specifies the maximum number of concurrent HTTP/2 streams over an HTTP/2 connection.
tcp-clients | Specifies the maximum number of simultaneous client TCP connections accepted by the server.
tcp-initial-timeout | Sets the amount of time (in milliseconds) that the server waits on a new TCP connection for the first message from the client.
tcp-keepalive | Adds EDNS TCP keepalive to messages sent over TCP.
tcp-listen-queue | Sets the listen-queue depth.
tcp-only | Sets the transport protocol to TCP.
tcp-receive-buffer | Sets the operating system's receive buffer size for TCP sockets.
tcp-send-buffer | Sets the operating system's send buffer size for TCP sockets.
tls-port | Specifies the TCP port number the server uses to receive and send DNS-over-TLS protocol traffic.
transfers | Limits the number of concurrent inbound zone transfers from a server.
udp-receive-buffer | Sets the operating system's receive buffer size for UDP sockets.
udp-send-buffer | Sets the operating system's send buffer size for UDP sockets.
update-quota | Specifies the maximum number of concurrent DNS UPDATE messages that can be processed by the server.
v6-bias | Indicates the number of milliseconds of preference to give to IPv6 name servers.
version | Specifies the version number of the server to return in response to a version.bind query.
zero-no-soa-ttl | Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries.
zero-no-soa-ttl-cache | Sets the time to live (TTL) to zero when caching a negative response to an SOA query.

8.4.6. Transfer Tag Statements

Statement | Description
allow-notify | Defines an address_match_list that is allowed to send NOTIFY messages for the zone, in addition to addresses defined in the primaries option for the zone.
allow-transfer | Defines an address_match_list of hosts that are allowed to transfer the zone information from this server.
allow-update | Defines an address_match_list of hosts that are allowed to submit dynamic updates for primary zones.
allow-update-forwarding | Defines an address_match_list of hosts that are allowed to submit dynamic updates to a secondary server for transmission to a primary.
also-notify | Defines one or more hosts that are sent NOTIFY messages when zone changes occur.
ixfr-from-differences | Controls how IXFR transfers are calculated.
max-ixfr-ratio | Sets the maximum size for IXFR responses to zone transfer requests.
max-journal-size | Controls the size of journal files.
max-refresh-time | Limits the zone refresh interval to no less often than the specified value, in seconds.
max-retry-time | Limits the zone refresh retry interval to no less often than the specified value, in seconds.
max-transfer-idle-in | Specifies the number of minutes after which inbound zone transfers making no progress are terminated.
max-transfer-idle-out | Specifies the number of minutes after which outbound zone transfers making no progress are terminated.
max-transfer-time-in | Specifies the number of minutes after which inbound zone transfers are terminated.
max-transfer-time-out | Specifies the number of minutes after which outbound zone transfers are terminated.
min-refresh-time | Limits the zone refresh interval to no more often than the specified value, in seconds.
min-retry-time | Limits the zone refresh retry interval to no more often than the specified value, in seconds.
min-transfer-rate-in | Specifies the minimum traffic rate below which inbound zone transfers are terminated.
multi-master | Controls whether serial number mismatch errors are logged.
notify | Controls whether NOTIFY messages are sent on zone changes.
notify-delay | Sets the delay (in seconds) between sending sets of NOTIFY messages for a zone.
notify-rate | Specifies the rate at which NOTIFY requests are sent during normal zone maintenance operations.
notify-source | Defines the IPv4 address (and optional port) to be used for outgoing NOTIFY messages.
notify-source-v6 | Defines the IPv6 address (and optional port) to be used for outgoing NOTIFY messages.
notify-to-soa | Controls whether the name servers in the NS RRset are checked against the SOA MNAME.
primaries | Defines one or more servers from which zone transfers can be requested.
provide-ixfr | Controls whether a primary responds to an incremental zone request (IXFR) or only responds with a full zone transfer (AXFR).
request-expire | Specifies whether the local server requests the EDNS EXPIRE value, when acting as a secondary.
request-ixfr | Controls whether a secondary requests an incremental zone transfer (IXFR) or a full zone transfer (AXFR).
serial-query-rate | Defines an upper limit on the number of queries per second issued by the server, when querying the SOA RRs used for zone transfers.
startup-notify-rate | Specifies the rate at which NOTIFY requests are sent when the name server is first starting, or when new zones have been added.
transfer-format | Controls whether multiple records can be packed into a message during zone transfers.
transfer-message-size | Limits the uncompressed size of DNS messages used in zone transfers over TCP.
transfer-source | Defines which local IPv4 address(es) are bound to TCP connections used to fetch zones transferred inbound by the server.
transfer-source-v6 | Defines which local IPv6 address(es) are bound to TCP connections used to fetch zones transferred inbound by the server.
transfers-in | Limits the number of concurrent inbound zone transfers.
transfers-out | Limits the number of concurrent outbound zone transfers.
transfers-per-ns | Limits the number of concurrent inbound zone transfers from a remote server.
try-tcp-refresh | Specifies that BIND 9 should attempt to refresh a zone using TCP if UDP queries fail.
update-policy | Sets fine-grained rules to allow or deny dynamic updates (DDNS), based on requester identity, updated content, etc.

8.4.7. View Tag Statements

Statement | Description
attach-cache | Allows multiple views to share a single cache database.
in-view | Specifies the view in which a given zone is defined.
match-clients | Specifies a view of the DNS namespace for a given subset of client IP addresses.
match-destinations | Specifies a view of the DNS namespace for a given subset of destination IP addresses.
match-recursive-only | Specifies that only recursive requests can match this view of the DNS namespace.
view | Allows a name server to answer a DNS query differently depending on who is asking.

8.4.8. Zone Tag Statements

Statement | Description
allow-new-zones | Controls the ability to add zones at runtime via rndc addzone.
catalog-zones | Configures catalog zones in named.conf.
check-integrity | Performs post-load zone integrity checks on primary zones.
check-mx | Checks whether an MX record appears to refer to an IP address.
check-mx-cname | Sets the response to MX records that refer to CNAMEs.
check-sibling | Specifies whether to check for sibling glue when performing integrity checks.
check-spf | Specifies whether to check for a TXT Sender Policy Framework record, if an SPF record is present.
check-srv-cname | Sets the response to SRV records that refer to CNAMEs.
check-svcb | Specifies whether to perform additional checks on SVCB records.
check-wildcard | Checks for non-terminal wildcards.
database | Specifies the type of database to be used to store zone data.
disable-ds-digests | Disables DS digest types from a specified zone.
disable-empty-zone | Disables individual empty zones.
dlz | Configures a Dynamically Loadable Zone (DLZ) database in named.conf.
dyndb | Configures a DynDB database in named.conf.
empty-contact | Specifies the contact name in the returned SOA record for empty zones.
empty-server | Specifies the server name in the returned SOA record for empty zones.
empty-zones-enable | Enables or disables all empty zones.
file | Specifies the zone's filename.
flush-zones-on-shutdown | Controls whether pending zone writes are flushed when the name server exits.
in-view | Specifies the view in which a given zone is defined.
inline-signing | Specifies whether BIND 9 maintains a separate signed version of a zone.
journal | Allows the default journal's filename to be overridden.
masterfile-format | Specifies the file format of zone files.
max-records | Sets the maximum number of records permitted in a zone.
new-zones-directory | Specifies the directory where configuration parameters are stored for zones added by rndc addzone.
notify-delay | Sets the delay (in seconds) between sending sets of NOTIFY messages for a zone.
notify-rate | Specifies the rate at which NOTIFY requests are sent during normal zone maintenance operations.
parent-propagation-delay | Sets the propagation delay from the time the parent zone is updated to when the new version is served by all of the parent zone's name servers.
primaries | Defines one or more servers from which zone transfers can be requested.
response-policy | Specifies response policy zones for the view or among global options.
serial-update-method | Specifies the update method to be used for the zone serial number in the SOA record.
server-addresses | Specifies a list of IP addresses to which queries should be sent in recursive resolution for a static-stub zone.
server-names | Specifies a list of domain names of name servers that act as authoritative servers of a static-stub zone.
startup-notify-rate | Specifies the rate at which NOTIFY requests are sent when the name server is first starting, or when new zones have been added.
type | Specifies the kind of zone in a given configuration.
type forward | Contains forwarding statements that apply to queries within a given domain.
type hint | Contains the initial set of root name servers to be used at BIND 9 startup.
type mirror | Contains a DNSSEC-validated duplicate of the main data for a zone.
type primary | Contains the main copy of the data for a zone.
type redirect | Contains information to answer queries when normal resolution would return NXDOMAIN.
type secondary | Contains a duplicate of the data for a zone that has been transferred from a primary server.
type static-stub | Contains a duplicate of the NS records of a primary zone, but statically configured rather than transferred from a primary server.
type stub | Contains a duplicate of the NS records of a primary zone.
zero-no-soa-ttl | Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries.
zero-no-soa-ttl-cache | Sets the time to live (TTL) to zero when caching a negative response to an SOA query.
zone | Specifies the zone in a BIND 9 configuration.
zone-propagation-delay | Sets the propagation delay from the time a zone is first updated to when the new version of the zone is served by all secondary servers.
zone-statistics | Controls the level of statistics gathered for all zones.

8.4.9. Deprecated Tag Statements

Statement | Description
avoid-v4-udp-ports | Specifies the range(s) of ports to be excluded from use as sources for UDP/IPv4 messages.
avoid-v6-udp-ports | Specifies the range(s) of ports to be excluded from use as sources for UDP/IPv6 messages.
dialup | Concentrates zone maintenance so that all transfers take place once every heartbeat-interval, ideally during a single call.
dnssec-must-be-secure | Defines hierarchies that must or may not be secure (signed and validated).
heartbeat-interval | Sets the interval at which the server performs zone maintenance tasks for all zones marked as dialup.
managed-keys | 
max-zone-ttl | Specifies a maximum permissible time-to-live (TTL) value, in seconds.
sortlist | Controls the ordering of RRs returned to the client, based on the client's IP address.
trusted-keys | 
use-v4-udp-ports | Specifies a list of ports that are valid sources for UDP/IPv4 messages.
use-v6-udp-ports | Specifies a list of ports that are valid sources for UDP/IPv6 messages.

8.5. BIND 9 Statistics

8.5.1. The Statistics File

8.5.2. Statistics Counters

8.5.2.1. Name Server Statistics Counters

8.5.2.2. Zone Maintenance Statistics Counters

8.5.2.3. Resolver Statistics Counters

8.5.2.4. Socket I/O Statistics Counters