
The options statement in the /etc/named.conf file controls global server configuration options used in BIND. This statement can appear only once in a configuration file. If more than one occurrence is found, the first occurrence determines the actual options used. Also, a warning is generated if you define more than one options statement. If there is no options statement, an options block with each option set to its default value is used.

The options statement is of the following format:

options {
    // General Options
    [ directory path_name ; ]
    [ disable-algorithms domain { algorithm ; [ algorithm ; ] }; ]
    [ dnssec-lookaside domain trust-anchor domain ; ]
    [ dnssec-must-be-secure domain yes_or_no ; ]
    [ dump-file path_name ; ]
    [ key-directory path_name ; ]
    [ memstatistics-file path_name ; ]
    [ pid-file path_name ; ]
    [ port ip_port ; ]
    [ preferred-glue ( A | AAAA | NONE ) ; ]
    [ random-device path_name ; ]
    [ root-delegation-only [ exclude { namelist } ] ; ]
    [ statistics-file path_name ; ]
    [ tkey-dhkey key_name key_tag ; ]
    [ tkey-domain domainname ; ]

    // Boolean Options
    [ additional-from-auth yes_or_no ; ]
    [ additional-from-cache yes_or_no ; ]
    [ auth-nxdomain yes_or_no ; ]
    [ check-names ( master | slave | response ) ( warn | fail | ignore ) ; ]
    [ dialup dialup_option ; ]
    [ dnssec-enable yes_or_no ; ]
    [ flush-zones-on-shutdown yes_or_no ; ]
    [ match-mapped-addresses yes_or_no ; ]
    [ minimal-responses yes_or_no ; ]
    [ notify ( yes_or_no | explicit ) ; ]
    [ provide-ixfr yes_or_no ; ]
    [ querylog yes_or_no ; ]
    [ recursion yes_or_no ; ]
    [ request-ixfr yes_or_no ; ]
    [ zone-statistics yes_or_no ; ]

    // Access Control Options
    [ allow-notify { address_match_list }; ]
    [ allow-query { address_match_list }; ]
    [ allow-recursion { address_match_list }; ]
    [ allow-transfer { address_match_list }; ]
    [ allow-update-forwarding { address_match_list }; ]
    [ blackhole { address_match_list }; ]

    // Bad UDP Port List Options
    [ avoid-v4-udp-ports { port_list }; ]
    [ avoid-v6-udp-ports { port_list }; ]

    // Built-In Server Information Zone Options
    [ hostname hostname_string ; ]
    [ server-id server_id_string ; ]
    [ version version_string ; ]
    [ dual-stack-servers [ port ip_port ] { ( ( domain_name [ port ip_port ] | ip_addr [ port ip_port ] ) ; )... }; ]

    // Forwarding Options
    [ forward ( only | first ) ; ]
    [ forwarders { ( ip_addr [ port ip_port ] ; )... }; ]

    // Interface Options
    [ listen-on [ port ip_port ] { address_match_list }; ]
    [ listen-on-v6 [ port ip_port ] { address_match_list }; ]

    // Obsolete Option
    [ allow-v6-synthesis yes_or_no ; ]

    // Operating System Resource Limit Options
    [ coresize size_spec ; ]
    [ datasize size_spec ; ]
    [ files size_spec ; ]
    [ stacksize size_spec ; ]

    // Periodic Task Interval Options
    [ cleaning-interval number ; ]
    [ heartbeat-interval number ; ]
    [ interface-interval number ; ]

    // Query Address Options
    [ query-source [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ] ; ]
    [ query-source-v6 [ address ( ip_addr | * ) ] [ port ( ip_port | * ) ] ; ]

    // RRset Ordering Option
    [ rrset-order { order_spec ; [ order_spec ; ]... }; ]

    // Server Resource Limit Options
    [ max-cache-size size_spec ; ]
    [ max-journal-size size_spec ; ]
    [ recursive-clients number ; ]
    [ tcp-clients number ; ]
    [ tcp-listen-queue number ; ]

    // Sorting Option
    [ sortlist { address_match_list }; ]

    // Tuning Options
    [ edns-udp-size number ; ]
    [ lame-ttl number ; ]
    [ max-cache-ttl number ; ]
    [ max-ncache-ttl number ; ]
    [ max-refresh-time number ; ]
    [ max-retry-time number ; ]
    [ min-refresh-time number ; ]
    [ min-retry-time number ; ]
    [ sig-validity-interval number ; ]

    // Zone Transfer Options
    [ also-notify { ( ip_addr [ port ip_port ] ; )... }; ]
    [ alt-transfer-source ( ip4_addr | * ) [ port ip_port ] ; ]
    [ alt-transfer-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
    [ max-transfer-idle-in number ; ]
    [ max-transfer-idle-out number ; ]
    [ max-transfer-time-in number ; ]
    [ max-transfer-time-out number ; ]
    [ notify-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
    [ serial-query-rate number ; ]
    [ transfer-format ( one-answer | many-answers ) ; ]
    [ transfer-source ( ip4_addr | * ) [ port ip_port ] ; ]
    [ transfer-source-v6 ( ip6_addr | * ) [ port ip_port ] ; ]
    [ transfers-in number ; ]
    [ transfers-out number ; ]
    [ transfers-per-ns number ; ]
    [ use-alt-transfer-source yes_or_no ; ]
};

The following sections explain the various options.

Pathname Options

The pathname options specify information such as the working directory of the server, the pathname of the dump file, the memory statistics file, and so on, for the various options in the options statement. Table 1-4 describes all the available pathname options.

Table 1-4 Pathname Options

directory path_name;
    This option specifies the working directory of the server. Any non-absolute pathnames in the configuration file are considered relative to this directory. directory specifies the default location for most of the server output files (for example, named.run). If you do not specify a directory, the working directory defaults to '.', the directory from where the server is started. The directory specified must be an absolute path.

named-xfer path_name;
    This option specifies the pathname of the named-xfer program used by the server for inbound zone transfers. If you do not specify the pathname, the default pathname is system dependent (for example, /usr/sbin/named-xfer).

dump-file path_name;
    This option specifies the pathname of the file to which the server dumps the database with the rndc dumpdb command. The default file name is dump.db.

memstatistics-file path_name;
    This option specifies the pathname of the file to which the server writes memory statistics on exit, if the value of the deallocate-on-exit option is yes. If you do not specify the pathname, the default file is named.memstats.

statistics-file path_name;
    This option specifies the pathname of the file to which the server appends statistics using the rndc stats command. If you do not specify a file name in the pathname, the default file used is named.stats.

pid-file path_name;
    This option specifies the pathname of the file to which the server writes its process ID. If you do not specify the pathname, the default pathname is /var/run/named.pid or /etc/named.pid. The pid-file is used by programs that send signals to the running name server.

key-directory path_name;
    Specifies the directory where the public and private key files can be found, if the current directory is not the working directory.

memstatistics-file path_name;
    Specifies the pathname of the file to which the server writes memory usage statistics. The default file name is named.memstats.

Boolean Options

Boolean options are options in the options statement for which you can specify either the value yes or the value no, to activate or deactivate the option, respectively. Table 1-5 describes all the available Boolean options.

Table 1-5 Boolean Options

auth-nxdomain yes_or_no;
    If this option is set to yes, the AA bit is always set on NXDOMAIN responses, even though the server is not authoritative. The default value is yes.

deallocate-on-exit yes_or_no;
    If this option is set to yes, the server deallocates all the objects it has allocated and writes a memory usage report to the file specified by the memstatistics-file option. The default value is no, because the operating system deallocates objects faster than the server. However, you can use the deallocate-on-exit option to detect memory leaks.

fake-iquery yes_or_no;
    If this option is set to yes, the server simulates the obsolete DNS query type IQUERY. The default value is no.

fetch-glue yes_or_no;
    If this option is set to yes (the default value), the server fetches glue resource records that it does not possess while constructing the additional data section of a response. You can use fetch-glue no together with the recursion no option to prevent the server's cache from increasing in size or getting corrupted (at the cost of requiring more work from the client).

host-statistics yes_or_no;
    If this option is set to yes, statistics are maintained for every host that the name server interacts with. The default value is no. Setting host-statistics to yes consumes memory.

multiple-cnames yes_or_no;
    If this option is set to yes, multiple CNAME resource records are allowed for a domain name. HP recommends that you do not allow multiple CNAME records for a domain name, because this does not conform to the standard. The default value is no. Multiple CNAME support is available because previous versions of BIND allowed multiple CNAME records, and these records were used in those versions for load balancing.

notify yes_or_no;
    If this option is set to yes (the default value), DNS NOTIFY messages are sent when a zone for which the server is authoritative changes. The NOTIFY message speeds the convergence between the master server and its slave servers. A slave server that receives a NOTIFY message contacts the master server for the zone and determines whether a zone transfer is necessary. If a zone transfer is necessary, the slave server initiates the zone transfer immediately. You can also specify the notify option in the zone statement; this overrides the options notify statement. See "DNS Change Notification" (page 17) for more information.

recursion yes_or_no;
    If this option is set to yes and a DNS query requests recursion, the server attempts to answer all the queries. If recursion is set to no and the server does not know the answer, it returns a referral response to the client. The default value is yes. See the fetch-glue yes_or_no option for more information.

provide-ixfr yes_or_no;
    This option determines whether the local server, acting as a master, responds with an incremental zone transfer when the remote slave server requests an IXFR. If this option is set to yes, incremental transfer is provided whenever possible. If it is set to no, all transfers to the remote server are non-incremental. If the provide-ixfr option is not set, the value of provide-ixfr in the view or global options statement is used as the default.

request-ixfr yes_or_no;
    This option determines whether the local server, acting as a slave, requests incremental zone transfers from a remote master server. If this option is not set, the value of request-ixfr in the view or global options statement is used as the default.

ixfr-from-differences yes_or_no;
    When this option is set to yes and the server loads a new version of a master zone from its zone file, or receives a new version of a slave zone by a non-incremental zone transfer, the server compares the new version with the previous version and calculates the set of differences. The differences are then logged in the journal file of the zone so that the changes can be transmitted to downstream slaves as an incremental zone transfer.

flush-zones-on-shutdown yes_or_no;
    This option determines whether pending zone writes are flushed when the name server exits because of a SIGTERM signal. The default value is no, that is, pending zone writes are not flushed when the name server exits because of a SIGTERM signal.

check-names ( master | slave | response ) ( warn | fail | ignore );
    Restricts the character set and syntax of certain domain names in the master files and in the DNS responses received from the network. The default differs according to the zone type. For master zones, the default is fail. For slave zones, the default is warn.

querylog yes_or_no;
    Specifies whether query logging must start when named starts. If querylog is not specified, query logging is determined by the presence of the logging category queries.

Forwarding Options

You can use the forwarding facility to create a large site-wide cache on some servers, reducing traffic over links to external name servers. You can also use this option to allow queries by servers that need to look up exterior names but do not have direct access to the Internet. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache.

Table 1-6 describes the forwarding options.

Table 1-6 Forwarding Options

forward ( only | first );
    This option is effective only if you specify IP addresses in the forwarders option. A value of first (the default value) causes the server to first query the IP addresses specified in the forwarders list; if this query is not successful, the server searches for the answer by itself. If the value is set to only, the server queries only the forwarder IP addresses.

forwarders { [ in_addr ; [ in_addr ; ... ] ] };
    This option specifies the IP addresses used for forwarding. The default value is an empty list (that is, no forwarding).

Name-Checking Option

The server checks domain names based on their expected client contexts. For example, you can check whether a domain name used as a host name complies with the RFCs that define valid host names:

check-names ( master | slave | response ) ( warn | fail | ignore );

The server can check names in three areas:

• master – Checks master zone files.

• slave – Checks slave zone files.

• response – Checks the query's response when the server has initiated the query.

The following checking levels are available for check-names:

• ignore – No checking is done.

• warn – Names are checked against their expected client contexts. Invalid names are logged, but processing continues normally.

• fail – Names are checked against their expected client contexts. Invalid names are logged, and the offending data is rejected.

The default values for the check-names option are:

check-names master fail;
check-names slave warn;
check-names response ignore;

If you specify check-names response fail, the server sends a REFUSED response code to the client.

You can also specify the check-names option in the zone statement, which overrides the options check-names statement. When you specify check-names in a zone statement, the area is not specified, because it can be deduced from the zone type.

Access Control Options

You can restrict access to the server based on the IP address of the requesting system. Table 1-7 describes the access control options.

Table 1-7 Access Control Options

allow-query { address_match_list };
    This option specifies the hosts that are allowed to ask simple questions. You can also specify the allow-query option in the zone statement, which overrides the options allow-query statement. By default, queries from all hosts are allowed.

allow-transfer { address_match_list };
    This option specifies the hosts that are allowed to receive zone transfers from the server. You can also use the allow-transfer option in the zone statement, which overrides the options allow-transfer statement. By default, transfers are allowed from all hosts.

allow-recursion { address_match_list };
    This option specifies which hosts are allowed to make recursive queries through the server. If this option is not specified, recursive queries from all hosts are allowed.

blackhole { address_match_list };
    This option specifies a list of addresses that the server does not use to resolve a query and from which the server does not accept any queries.
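As an added example, not part of this HP documentation: a small Python check that parses the options statement described on this page from two constructed configurations (all addresses, file names and comments are made up) and flags the permissive defaults of allow-recursion and allow-transfer that Table 1-7 describes. The parser is deliberately limited to the "name value;" statements used here and assumes no nested braces inside an address_match_list.

```python
import re

# Constructed sample (not from any real server): the access-control options from
# this page with their permissive defaults spelled out, followed by a zone.
PERMISSIVE_CONF = """
options {
    directory "/etc/named";     // working directory for relative pathnames
    recursion yes;              // the page's default
    allow-query { any; };       // simple questions from all hosts
    allow-transfer { any; };    // zone transfers to all hosts
};
zone "example.test" { type master; file "example.test.db"; };
"""

# The same server restricted to constructed local networks and slave addresses.
RESTRICTED_CONF = """
options {
    directory "/etc/named";
    recursion yes;
    allow-query { any; };
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };   # internal clients only
    allow-transfer { 10.0.0.5; 10.0.0.6; };       # the slave servers only
    blackhole { 192.0.2.0/24; };                  # never talk to this range
};
"""

OPEN_RECURSION = "recursion yes with allow-recursion open to all hosts (open resolver)"
OPEN_TRANSFER = "allow-transfer permits zone transfers to all hosts"
# One "name value;" statement; the value may carry an address_match_list in braces.
STMT = re.compile(r"([a-z][a-z0-9-]*)\s+([^;{}]*\{[^}]*\}|[^;{}]+)\s*;")

def strip_comments(text):
    """Drop the /* */, // and # comment forms that named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def options_body(conf):
    """Return the text between the braces of the first options statement."""
    text = strip_comments(conf)
    start = re.search(r"\boptions\s*\{", text)
    if not start:
        raise ValueError("no options statement found")
    depth, i = 1, start.end()
    while i < len(text) and depth:      # walk to the matching closing brace
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    if depth:
        raise ValueError("unterminated options statement")
    return text[start.end():i - 1]

def parse_options(conf):
    """Map each option name in the options statement to its raw value string."""
    return {m.group(1): m.group(2).strip() for m in STMT.finditer(options_body(conf))}

def address_list(value):
    """Split '{ a; b; }' into ['a', 'b']."""
    inner = value.strip().lstrip("{").rstrip("}")
    return [a.strip() for a in inner.split(";") if a.strip()]

def audit_options(conf):
    """Report the exposures created by leaving this page's defaults in place."""
    opts = parse_options(conf)
    findings = []
    # Page defaults: recursion yes; allow-recursion and allow-transfer open to all hosts.
    recursion = opts.get("recursion", "yes")
    if recursion == "yes" and "any" in address_list(opts.get("allow-recursion", "{ any; }")):
        findings.append(OPEN_RECURSION)
    if "any" in address_list(opts.get("allow-transfer", "{ any; }")):
        findings.append(OPEN_TRANSFER)
    return findings
```

Running audit_options on the first configuration reports both findings; on the second it reports none, because recursion is limited to the internal networks and transfers to the named slaves.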

Interface Options

listen-on [ port ip_port ] { address_match_list };

The listen-on option specifies the interfaces and ports on which the server answers queries. You can specify an optional port and an address_match_list in the listen-on option. The server listens on all interfaces allowed by the address_match_list.

If you do not specify a port, port 53 is used. If you do not specify the listen-on option, the server listens on port 53 on all interfaces. You can specify multiple listen-on statements. Examples of the listen-on option are as follows:

listen-on { 5.6.7.8; };
listen-on port 1234 { 11.2.3.4; 1.2/16; };

Zone Transfer Options

Table 1-8 describes the zone transfer options.

Table 1-8 Zone Transfer Options

also-notify { ( ip_addr [ port ip_port ] ; )... };
    This option defines a global list of IP addresses of name servers to which NOTIFY messages are sent, in addition to the servers listed in the zone's NS records, when a fresh copy of the zone is loaded.

alt-transfer-source ( ip4_addr | * ) [ port ip_port ];
    This option specifies an alternate transfer source IPv4 address, used if the transfer source address listed in the transfer-source option fails and the use-alt-transfer-source option is set.

alt-transfer-source-v6 ( ip6_addr | * ) [ port ip_port ];
    This option specifies an alternate transfer source IPv6 address, used if the transfer source address listed in transfer-source-v6 fails and use-alt-transfer-source is set.

max-transfer-time-in number;
    Specifies the time period after which inbound zone transfers (named-xfer processes) are terminated. The default value is 120 minutes (2 hours).

max-transfer-idle-in number;
    This option terminates inbound zone transfers that make no progress in the specified period. The default value is 60 minutes.

max-transfer-time-out number;
    This option terminates outbound zone transfers that run longer than the specified time. The default value is 120 minutes.

max-transfer-idle-out number;
    This option terminates outbound zone transfers that make no progress in the specified period. The default value is 60 minutes.

transfer-format ( one-answer | many-answers );
    The server supports two zone transfer methods: one-answer and many-answers. The first method uses one DNS message for every resource record transferred. The second method packs many resource records into one message. many-answers is more efficient than one-answer, but is only compatible with BIND 8.1.2 and patched versions of BIND 4.9.7. The default is one-answer. You can override a transfer-format statement with a server statement on a per-server basis.

transfers-in number;
    This option specifies the maximum number of inbound zone transfers that can run concurrently. The default value is 10. Increasing the value of the transfers-in option speeds up the convergence of slave zones. It also increases the load on the local system.

transfers-out number;
    This option specifies the maximum number of outbound zone transfers that run concurrently.

transfers-per-ns number;
    This option specifies the maximum number of inbound zone transfers (named-xfer processes) that run concurrently from a given remote name server. The default value is 2. Increasing the value of transfers-per-ns speeds up the convergence of slave zones. It also increases the load on the remote name server. You can override transfers-per-ns on a per-server basis by using the transfers option of the server statement.

transfer-source ( ip4_addr | * ) [ port ip_port ];
    This option specifies the IPv4 address used for inbound zone transfers, which is also the source address for refresh queries and forwarded dynamic updates. If not set, it defaults to a system-controlled value, which is usually the address of the interface closest to the remote end.

transfer-source-v6 ( ip6_addr | * ) [ port ip_port ];
    This option is similar to transfer-source, except that zone transfers are performed using an IPv6 address.

use-alt-transfer-source yes_or_no;
    This option specifies whether the name server must use the alternate transfer sources. This option defaults to no if views are specified; otherwise, it defaults to yes (for BIND 8 compatibility).

Resource Limit Options

Resource limit options enable you to limit the server's usage of system resources. If a given operating system does not support a specific limit, a warning is issued.

You can use scaled values to specify resource limits. For example, you can use 1G instead of 1073741824 to specify a limit of one gigabyte. Specifying unlimited selects unlimited usage, or the maximum available amount. default selects the limit that was in effect when the server was started.

Table 1-9 describes the available resource limit options.

Table 1-9 Resource Limit Options

coresize size_spec;
    This option specifies the maximum size of a core dump. The default value is default.

datasize size_spec;
    This option specifies the maximum amount of data memory the server uses. The default value is default.

files size_spec;
    This option specifies the maximum number of files the server can open concurrently. The default value is unlimited.

    NOTE: On certain operating systems the server cannot set an unlimited value and cannot determine the maximum number of open files the kernel can support. On such systems, specifying unlimited causes the server to use rlim_max for RLIMIT_NOFILE or the value returned by sysconf(_SC_OPEN_MAX), whichever is higher. If the actual kernel limit is larger than this value, use limit files to specify the limit explicitly.

stacksize size_spec;
    Specifies the maximum amount of stack memory the server can use. The default value is default.

Server Resource Limits

The server resource limit options set limits on the server's resource consumption that are enforced internally by the server rather than by the operating system. Table 1-10 describes the server resource limit options.

Table 1-10 Server Resource Limit Options

recursive-clients number;
    This option specifies the maximum number of simultaneous recursive lookups the server performs on behalf of clients. The default value is 1000.

tcp-clients number;
    This option specifies the maximum number of simultaneous client TCP connections that the server accepts. The default value is 100.

max-cache-size size_spec;
    This option specifies the maximum amount of memory (in bytes) that the server's cache can use. When the amount of data in the cache reaches this limit, the server causes records to expire prematurely so that the limit is not exceeded.

tcp-listen-queue number;
    This option specifies the length of the listen queue. The default and minimum values are 3. If the kernel supports the dataready accept filter, this option also controls the number of TCP connections that are queued in the kernel.
