
Zone Options

In document BIND 9 Administrator Reference Manual (Page 106-110)

6.2 Configuration File Grammar

6.2.28 zone Statement Definition and Usage

6.2.28.3 Zone Options

allow-notify See the description of allow-notify in Section 6.2.16.4.

allow-query See the description of allow-query in Section 6.2.16.4.

allow-query-on See the description of allow-query-on in Section 6.2.16.4.

allow-transfer See the description of allow-transfer in Section 6.2.16.4.

allow-update See the description of allow-update in Section 6.2.16.4.

update-policy Specifies a "Simple Secure Update" policy. See Section 6.2.28.4.

allow-update-forwarding See the description of allow-update-forwarding in Section 6.2.16.4.

also-notify Only meaningful if notify is active for this zone. The set of machines that will receive a DNS NOTIFY message for this zone is made up of all the listed name servers (other than the primary master) for the zone plus any IP addresses specified with also-notify. A port may be specified with each also-notify address to send the notify messages to a port other than the default of 53. A TSIG key may also be specified to cause the NOTIFY to be signed by the given key. also-notify is not meaningful for stub zones. The default is the empty list.
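The following named.conf fragments are an added example, not text from the manual. They show also-notify with a non-default port and a TSIG key on a master zone, and the matching slave zone that accepts NOTIFY only when it carries that key and pulls the zone under the same key. The key name, secret, addresses, port and file names are placeholders chosen for the example; the two zone statements belong to two different servers' configurations and are shown together only for reading.

```conf
// Added example, not from the BIND 9 ARM. Names, addresses, the port and the
// secret are placeholders. Generate a real secret with tsig-keygen (or
// ddns-confgen) and keep the file holding it readable by named only.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItcmVwbGFjZS1tZQ==";   // placeholder, replace
};

// Primary (192.0.2.1). NOTIFY goes only to the hosts listed here, and the
// transfer ACL is keyed rather than address-based: a source address proves
// nothing about who sent a UDP NOTIFY or who is asking for AXFR.
zone "example.com" {
    type master;
    file "example.com.db";
    notify explicit;                 // do not NOTIFY every NS in the zone
    also-notify {
        192.0.2.10 port 5353 key "xfer-key";   // signed NOTIFY, non-default port
        2001:db8::53;                          // unsigned NOTIFY to port 53
    };
    allow-transfer { key "xfer-key"; };        // AXFR/IXFR only with the key
};

// Secondary (192.0.2.10, listening on port 5353 in this example). Accept
// NOTIFY only when signed with the shared key, sign the SOA/AXFR queries
// sent to the primary, and refuse to hand the zone on to anyone else.
zone "example.com" {
    type slave;
    file "secondary/example.com.db";
    masters { 192.0.2.1 key "xfer-key"; };
    allow-notify { key "xfer-key"; };    // an unsigned NOTIFY is refused
    allow-transfer { none; };
};
```

named-checkconf -z parses the file and loads the zones, which catches a key referenced before it is defined. The keyed ACLs only help while the secret is shared by exactly these two hosts; a key reused across every secondary turns allow-transfer back into an address-independent "anyone" list.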

check-names This option is used to restrict the character set and syntax of certain domain names in master files and/or DNS responses received from the network. The default varies according to zone type. For master zones the default is fail. For slave zones the default is warn. It is not implemented for hint zones.

check-mx See the description of check-mx in Section 6.2.16.1.

check-spf See the description of check-spf in Section 6.2.16.1.

check-wildcard See the description of check-wildcard in Section 6.2.16.1.

check-integrity See the description of check-integrity in Section 6.2.16.1.

check-sibling See the description of check-sibling in Section 6.2.16.1.

zero-no-soa-ttl See the description of zero-no-soa-ttl in Section 6.2.16.1.

update-check-ksk See the description of update-check-ksk in Section 6.2.16.1.

dnssec-update-mode See the description of dnssec-update-mode in Section 6.2.16.

dnssec-dnskey-kskonly See the description of dnssec-dnskey-kskonly in Section 6.2.16.1.

try-tcp-refresh See the description of try-tcp-refresh in Section 6.2.16.1.

database Specify the type of database to be used for storing the zone data. The string following the database keyword is interpreted as a list of whitespace-delimited words. The first word identifies the database type, and any subsequent words are passed as arguments to the database to be interpreted in a way specific to the database type.

The default is "rbt", BIND 9’s native in-memory red-black-tree database. This database does not take arguments.

Other values are possible if additional database drivers have been linked into the server. Some sample drivers are included with the distribution but none are linked in by default.

dialup See the description of dialup in Section 6.2.16.1.

delegation-only This flag only applies to hint and stub zones. If set to yes, the zone is also treated as if it were a delegation-only type zone.

See the caveats in root-delegation-only.

forward Only meaningful if the zone has a forwarders list. The only value causes the lookup to fail after trying the forwarders and getting no answer, while first would allow a normal lookup to be tried.

forwarders Used to override the list of global forwarders. If it is not specified in a zone of type forward, no forwarding is done for the zone and the global options are not used.

ixfr-base Was used in BIND 8 to specify the name of the transaction log (journal) file for dynamic update and IXFR. BIND 9 ignores the option and constructs the name of the journal file by appending ".jnl" to the name of the zone file.

ixfr-tmp-file Was an undocumented option in BIND 8. Ignored in BIND 9.

journal Allow the default journal's filename to be overridden. The default is the zone's filename with ".jnl" appended. This is applicable to master and slave zones.

max-journal-size See the description of max-journal-size in Section 6.2.16.10.

max-transfer-time-in See the description of max-transfer-time-in in Section 6.2.16.7.

max-transfer-idle-in See the description of max-transfer-idle-in in Section 6.2.16.7.

max-transfer-time-out See the description of max-transfer-time-out in Section 6.2.16.7.

max-transfer-idle-out See the description of max-transfer-idle-out in Section 6.2.16.7.

notify See the description of notify in Section 6.2.16.1.

notify-delay See the description of notify-delay in Section 6.2.16.15.

notify-to-soa See the description of notify-to-soa in Section 6.2.16.1.

pubkey In BIND 8, this option was intended for specifying a public zone key for verification of signatures in DNSSEC signed zones when they are loaded from disk. BIND 9 does not verify signatures on load and ignores the option.

zone-statistics If yes, the server will keep statistical information for this zone, which can be dumped to the statistics-file defined in the server options.

server-addresses Only meaningful for static-stub zones. This is a list of IP addresses to which queries should be sent in recursive resolution for the zone. A non-empty list for this option will internally configure the apex NS RR with associated glue A or AAAA RRs.

For example, if "example.com" is configured as a static-stub zone with 192.0.2.1 and 2001:db8::1234 in a server-addresses option, the following RRs will be internally configured.

example.com. NS example.com.

example.com. A 192.0.2.1

example.com. AAAA 2001:db8::1234

These records are internally used to resolve names under the static-stub zone. For instance, if the server receives a query for "www.example.com" with the RD bit on, the server will initiate recursive resolution and send queries to 192.0.2.1 and/or 2001:db8::1234.

server-names Only meaningful for static-stub zones. This is a list of domain names of nameservers that act as authoritative servers of the static-stub zone. These names will be resolved to IP addresses when named needs to send queries to these servers. To make this supplemental resolution successful, these names must not be a subdomain of the origin name of the static-stub zone. That is, when "example.net" is the origin of a static-stub zone, "ns.example" and "master.example.com" can be specified in the server-names option, but "ns.example.net" cannot, and will be rejected by the configuration parser.

A non-empty list for this option will internally configure the apex NS RR with the specified names.

For example, if "example.com" is configured as a static-stub zone with "ns1.example.net" and "ns2.example.net" in a server-names option, the following RRs will be internally configured.

example.com. NS ns1.example.net.

example.com. NS ns2.example.net.

These records are internally used to resolve names under the static-stub zone. For instance, if the server receives a query for "www.example.com" with the RD bit on, the server initiates recursive resolution, resolves "ns1.example.net" and/or "ns2.example.net" to IP addresses, and then sends queries to (one or more of) these addresses.
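As an added example that is not part of the manual, the two static-stub forms described above side by side: one zone pinned to addresses with server-addresses, one pinned to names with server-names. The zone names and addresses are placeholders from the documentation ranges.

```conf
// Added example, not from the BIND 9 ARM. 192.0.2.0/24, 2001:db8::/32 and
// the example.* names are placeholders.

// Resolver-side pin for an internal zone: recursive (RD=1) queries for
// names under example.com are sent to these servers instead of following
// the delegation from the parent. Internally this is the same as
//   example.com. NS   example.com.
//   example.com. A    192.0.2.1
//   example.com. AAAA 2001:db8::1234
zone "example.com" {
    type static-stub;
    server-addresses { 192.0.2.1; 2001:db8::1234; };
};

// The same idea by name. Each name is resolved normally before the query is
// sent, so it must lie outside the zone being pinned: "ns.example.org"
// here would be refused by the configuration parser at load time.
zone "example.org" {
    type static-stub;
    server-names { "ns1.example.net"; "ns2.example.net"; };
};

// Because the pinned servers replace the delegation for the whole subtree,
// whoever can edit this file decides where every *.example.com and
// *.example.org lookup from this resolver goes. Treat it like a hosts file.
```

named-checkconf reports the subdomain violation for server-names without starting the server, so it is a cheap pre-deploy check. The server-names variant is the easier one to keep correct when the authoritative servers renumber, at the cost of the extra lookup each time named needs their addresses.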

sig-validity-interval See the description of sig-validity-interval in Section 6.2.16.15.

sig-signing-nodes See the description of sig-signing-nodes in Section 6.2.16.15.

sig-signing-signatures See the description of sig-signing-signatures in Section 6.2.16.15.

sig-signing-type See the description of sig-signing-type in Section 6.2.16.15.

transfer-source See the description of transfer-source in Section 6.2.16.7.

transfer-source-v6 See the description of transfer-source-v6 in Section 6.2.16.7.

alt-transfer-source See the description of alt-transfer-source in Section 6.2.16.7.

alt-transfer-source-v6 See the description of alt-transfer-source-v6 in Section 6.2.16.7.

use-alt-transfer-source See the description of use-alt-transfer-source in Section 6.2.16.7.

notify-source See the description of notify-source in Section 6.2.16.7.

notify-source-v6 See the description of notify-source-v6 in Section 6.2.16.7.

min-refresh-time, max-refresh-time, min-retry-time, max-retry-time See the description in Section 6.2.16.15.

ixfr-from-differences See the description of ixfr-from-differences in Section 6.2.16.1. (Note that the ixfr-from-differences master and slave choices are not available at the zone level.)

key-directory See the description of key-directory in Section 6.2.16.

auto-dnssec Zones configured for dynamic DNS may also use this option to allow varying levels of automatic DNSSEC key management. There are three possible settings:

auto-dnssec allow; permits keys to be updated and the zone fully re-signed whenever the user issues the command rndc sign zonename.

auto-dnssec maintain; includes the above, but also automatically adjusts the zone's DNSSEC keys on schedule, according to the keys' timing metadata (see dnssec-keygen(8) and dnssec-settime(8)).

The command rndc sign zonename causes named to load keys from the key repository and sign the zone with all keys that are active. rndc loadkeys zonename causes named to load keys from the key repository and schedule key maintenance events to occur in the future, but it does not sign the full zone immediately. (Note: once keys have been loaded for a zone the first time, the repository will be searched for changes periodically, regardless of whether rndc loadkeys is used. The recheck interval is defined by dnssec-loadkeys-interval.)

The default setting is auto-dnssec off.

serial-update-method Zones configured for dynamic DNS may use this option to set the update method that will be used for the zone serial number in the SOA record.

With the default setting of serial-update-method increment;, the SOA serial number will be incremented by one each time the zone is updated.

When set to serial-update-method unixtime;, the SOA serial number will be set to the number of seconds since the UNIX epoch, unless the serial number is already greater than or equal to that value, in which case it is simply incremented by one.

inline-signing If yes, this enables "bump in the wire" signing of a zone, where an unsigned zone is transferred in or loaded from disk and a signed version of the zone is served, possibly with a different serial number. This behaviour is disabled by default.
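The zone statement below is an added example, not from the manual, that ties together the auto-dnssec, serial-update-method and inline-signing options described above on one dynamically updated master zone, with key-directory and dnssec-dnskey-kskonly from the references earlier in this section. The zone name and file paths are placeholders.

```conf
// Added example, not from the BIND 9 ARM. Zone name and paths are placeholders.
zone "example.com" {
    type master;
    file "example.com.db";           // stays unsigned on disk; named keeps the
                                     // signed copy in example.com.db.signed
    key-directory "/var/named/keys"; // K*.key / K*.private from dnssec-keygen,
                                     // readable by the named user only

    // Serve a signed version of the unsigned zone ("bump in the wire").
    inline-signing yes;

    // Load keys from key-directory and roll them on the schedule set with
    // dnssec-settime; "allow" would instead wait for an explicit rndc sign.
    auto-dnssec maintain;
    dnssec-dnskey-kskonly yes;       // only the KSK signs the DNSKEY RRset

    // Dynamic updates only through the local session key (nsupdate -l),
    // so nothing on the network can change the unsigned zone directly.
    update-policy local;

    // Serial of the unsigned zone becomes the update's UNIX time, which makes
    // "when did this change" readable from the SOA; if the serial is already
    // at or above that value it is incremented by one instead.
    serial-update-method unixtime;

    // Open this up per secondary, preferably with a TSIG key rather than
    // an address list.
    allow-transfer { none; };
};
```

Create the keys before loading the zone, for example dnssec-keygen -K /var/named/keys -a ECDSAP256SHA256 -f KSK example.com and the same command without -f KSK for the ZSK, then rndc loadkeys example.com (or restart named). With maintain, rndc sign example.com is not needed for routine operation; named signs and re-signs on the keys' own schedule. Expect dig SOA against the server to show a serial that differs from the one in example.com.db, since the signed copy carries its own serial.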

multi-master See the description of multi-master in Section 6.2.16.1.

masterfile-format See the description of masterfile-format in Section 6.2.16.15.

dnssec-secure-to-insecure See the description of dnssec-secure-to-insecure in Section 6.2.16.1.
