xref: /netbsd-src/external/mpl/bind/dist/doc/misc/options (revision 9689912e6b171cbda866ec33f15ae94a04e2c02d) 
1acl <string> { <address_match_element>; ... }; // may occur multiple times
2
3controls {
4	inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
5	unix <quoted_string> perm <integer> owner <integer> group <integer> [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
6}; // may occur multiple times
7
8dlz <string> {
9	database <string>;
10	search <boolean>;
11}; // may occur multiple times
12
13dnssec-policy <string> {
14	cdnskey <boolean>;
15	cds-digest-types { <string>; ... };
16	dnskey-ttl <duration>;
17	inline-signing <boolean>;
18	keys { ( csk | ksk | zsk ) [ key-directory | key-store <string> ] lifetime <duration_or_unlimited> algorithm <string> [ tag-range <integer> <integer> ] [ <integer> ]; ... };
19	max-zone-ttl <duration>;
20	nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ];
21	offline-ksk <boolean>;
22	parent-ds-ttl <duration>;
23	parent-propagation-delay <duration>;
24	publish-safety <duration>;
25	purge-keys <duration>;
26	retire-safety <duration>;
27	signatures-jitter <duration>;
28	signatures-refresh <duration>;
29	signatures-validity <duration>;
30	signatures-validity-dnskey <duration>;
31	zone-propagation-delay <duration>;
32}; // may occur multiple times
33
34dyndb <string> <quoted_string> { <unspecified-text> }; // may occur multiple times
35
36http <string> {
37	endpoints { <quoted_string>; ... };
38	listener-clients <integer>;
39	streams-per-connection <integer>;
40}; // may occur multiple times
41
42key <string> {
43	algorithm <string>;
44	secret <string>;
45}; // may occur multiple times
46
47key-store <string> {
48	directory <string>;
49	pkcs11-uri <quoted_string>;
50}; // may occur multiple times
51
52logging {
53	category <string> { <string>; ... }; // may occur multiple times
54	channel <string> {
55		buffered <boolean>;
56		file <quoted_string> [ versions ( unlimited | <integer> ) ] [ size <size> ] [ suffix ( increment | timestamp ) ];
57		null;
58		print-category <boolean>;
59		print-severity <boolean>;
60		print-time ( iso8601 | iso8601-utc | local | <boolean> );
61		severity <log_severity>;
62		stderr;
63		syslog [ <syslog_facility> ];
64	}; // may occur multiple times
65};
66
67managed-keys { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
68
69options {
70	allow-new-zones <boolean>;
71	allow-notify { <address_match_element>; ... };
72	allow-proxy { <address_match_element>; ... }; // experimental
73	allow-proxy-on { <address_match_element>; ... }; // experimental
74	allow-query { <address_match_element>; ... };
75	allow-query-cache { <address_match_element>; ... };
76	allow-query-cache-on { <address_match_element>; ... };
77	allow-query-on { <address_match_element>; ... };
78	allow-recursion { <address_match_element>; ... };
79	allow-recursion-on { <address_match_element>; ... };
80	allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
81	allow-update { <address_match_element>; ... };
82	allow-update-forwarding { <address_match_element>; ... };
83	also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
84	answer-cookie <boolean>;
85	attach-cache <string>;
86	auth-nxdomain <boolean>;
87	automatic-interface-scan <boolean>;
88	avoid-v4-udp-ports { <portrange>; ... }; // deprecated
89	avoid-v6-udp-ports { <portrange>; ... }; // deprecated
90	bindkeys-file <quoted_string>; // test only
91	blackhole { <address_match_element>; ... };
92	catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
93	check-dup-records ( fail | warn | ignore );
94	check-integrity <boolean>;
95	check-mx ( fail | warn | ignore );
96	check-mx-cname ( fail | warn | ignore );
97	check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
98	check-sibling <boolean>;
99	check-spf ( warn | ignore );
100	check-srv-cname ( fail | warn | ignore );
101	check-svcb <boolean>;
102	check-wildcard <boolean>;
103	clients-per-query <integer>;
104	cookie-algorithm ( siphash24 );
105	cookie-secret <string>; // may occur multiple times
106	deny-answer-addresses { <address_match_element>; ... } [ except-from { <string>; ... } ];
107	deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ];
108	dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
109	directory <quoted_string>;
110	disable-algorithms <string> { <string>; ... }; // may occur multiple times
111	disable-ds-digests <string> { <string>; ... }; // may occur multiple times
112	disable-empty-zone <string>; // may occur multiple times
113	dns64 <netprefix> {
114		break-dnssec <boolean>;
115		clients { <address_match_element>; ... };
116		exclude { <address_match_element>; ... };
117		mapped { <address_match_element>; ... };
118		recursive-only <boolean>;
119		suffix <ipv6_address>;
120	}; // may occur multiple times
121	dns64-contact <string>;
122	dns64-server <string>;
123	dnskey-sig-validity <integer>; // obsolete
124	dnsrps-enable <boolean>; // not configured
125	dnsrps-library <quoted_string>; // not configured
126	dnsrps-options { <unspecified-text> }; // not configured
127	dnssec-accept-expired <boolean>;
128	dnssec-dnskey-kskonly <boolean>; // obsolete
129	dnssec-loadkeys-interval <integer>;
130	dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
131	dnssec-policy <string>;
132	dnssec-secure-to-insecure <boolean>; // obsolete
133	dnssec-update-mode ( maintain | no-resign ); // obsolete
134	dnssec-validation ( yes | no | auto );
135	dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
136	dnstap-identity ( <quoted_string> | none | hostname ); // not configured
137	dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited | <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( increment | timestamp ) ]; // not configured
138	dnstap-version ( <quoted_string> | none ); // not configured
139	dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
140	dump-file <quoted_string>;
141	edns-udp-size <integer>;
142	empty-contact <string>;
143	empty-server <string>;
144	empty-zones-enable <boolean>;
145	fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
146	fetches-per-server <integer> [ ( drop | fail ) ];
147	fetches-per-zone <integer> [ ( drop | fail ) ];
148	flush-zones-on-shutdown <boolean>;
149	forward ( first | only );
150	forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
151	fstrm-set-buffer-hint <integer>; // not configured
152	fstrm-set-flush-timeout <integer>; // not configured
153	fstrm-set-input-queue-size <integer>; // not configured
154	fstrm-set-output-notify-threshold <integer>; // not configured
155	fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
156	fstrm-set-output-queue-size <integer>; // not configured
157	fstrm-set-reopen-interval <duration>; // not configured
158	geoip-directory ( <quoted_string> | none );
159	heartbeat-interval <integer>; // deprecated
160	hostname ( <quoted_string> | none );
161	http-listener-clients <integer>;
162	http-port <integer>;
163	http-streams-per-connection <integer>;
164	https-port <integer>;
165	interface-interval <duration>;
166	ipv4only-contact <string>;
167	ipv4only-enable <boolean>;
168	ipv4only-server <string>;
169	ixfr-from-differences ( primary | master | secondary | slave | <boolean> );
170	keep-response-order { <address_match_element>; ... }; // obsolete
171	key-directory <quoted_string>;
172	lame-ttl <duration>;
173	listen-on [ port <integer> ] [ proxy <string> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
174	listen-on-v6 [ port <integer> ] [ proxy <string> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
175	lmdb-mapsize <sizeval>;
176	managed-keys-directory <quoted_string>;
177	masterfile-format ( raw | text );
178	masterfile-style ( full | relative );
179	match-mapped-addresses <boolean>;
180	max-cache-size ( default | unlimited | <sizeval> | <percentage> );
181	max-cache-ttl <duration>;
182	max-clients-per-query <integer>;
183	max-ixfr-ratio ( unlimited | <percentage> );
184	max-journal-size ( default | unlimited | <sizeval> );
185	max-ncache-ttl <duration>;
186	max-query-restarts <integer>;
187	max-records <integer>;
188	max-records-per-type <integer>;
189	max-recursion-depth <integer>;
190	max-recursion-queries <integer>;
191	max-refresh-time <integer>;
192	max-retry-time <integer>;
193	max-rsa-exponent-size <integer>;
194	max-stale-ttl <duration>;
195	max-transfer-idle-in <integer>;
196	max-transfer-idle-out <integer>;
197	max-transfer-time-in <integer>;
198	max-transfer-time-out <integer>;
199	max-types-per-name <integer>;
200	max-udp-size <integer>;
201	max-validation-failures-per-fetch <integer>; // experimental
202	max-validations-per-fetch <integer>; // experimental
203	max-zone-ttl ( unlimited | <duration> ); // deprecated
204	memstatistics <boolean>;
205	memstatistics-file <quoted_string>;
206	message-compression <boolean>;
207	min-cache-ttl <duration>;
208	min-ncache-ttl <duration>;
209	min-refresh-time <integer>;
210	min-retry-time <integer>;
211	minimal-any <boolean>;
212	minimal-responses ( no-auth | no-auth-recursive | <boolean> );
213	multi-master <boolean>;
214	new-zones-directory <quoted_string>;
215	no-case-compress { <address_match_element>; ... };
216	nocookie-udp-size <integer>;
217	notify ( explicit | master-only | primary-only | <boolean> );
218	notify-delay <integer>;
219	notify-rate <integer>;
220	notify-source ( <ipv4_address> | * );
221	notify-source-v6 ( <ipv6_address> | * );
222	notify-to-soa <boolean>;
223	nsec3-test-zone <boolean>; // test only
224	nta-lifetime <duration>;
225	nta-recheck <duration>;
226	nxdomain-redirect <string>;
227	parental-source ( <ipv4_address> | * );
228	parental-source-v6 ( <ipv6_address> | * );
229	pid-file ( <quoted_string> | none );
230	port <integer>;
231	preferred-glue <string>;
232	prefetch <integer> [ <integer> ];
233	provide-ixfr <boolean>;
234	qname-minimization ( strict | relaxed | disabled | off );
235	query-source [ address ] ( <ipv4_address> | * );
236	query-source-v6 [ address ] ( <ipv6_address> | * );
237	querylog <boolean>;
238	rate-limit {
239		all-per-second <integer>;
240		errors-per-second <integer>;
241		exempt-clients { <address_match_element>; ... };
242		ipv4-prefix-length <integer>;
243		ipv6-prefix-length <integer>;
244		log-only <boolean>;
245		max-table-size <integer>;
246		min-table-size <integer>;
247		nodata-per-second <integer>;
248		nxdomains-per-second <integer>;
249		qps-scale <integer>;
250		referrals-per-second <integer>;
251		responses-per-second <integer>;
252		slip <integer>;
253		window <integer>;
254	};
255	recursing-file <quoted_string>;
256	recursion <boolean>;
257	recursive-clients <integer>;
258	request-expire <boolean>;
259	request-ixfr <boolean>;
260	request-nsid <boolean>;
261	require-server-cookie <boolean>;
262	resolver-query-timeout <integer>;
263	resolver-use-dns64 <boolean>;
264	response-padding { <address_match_element>; ... } block-size <integer>;
265	response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
266	responselog <boolean>;
267	reuseport <boolean>;
268	root-key-sentinel <boolean>;
269	rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
270	secroots-file <quoted_string>;
271	send-cookie <boolean>;
272	serial-query-rate <integer>;
273	serial-update-method ( date | increment | unixtime );
274	server-id ( <quoted_string> | none | hostname );
275	servfail-ttl <duration>;
276	session-keyalg <string>;
277	session-keyfile ( <quoted_string> | none );
278	session-keyname <string>;
279	sig-signing-nodes <integer>;
280	sig-signing-signatures <integer>;
281	sig-signing-type <integer>;
282	sig-validity-interval <integer> [ <integer> ]; // obsolete
283	sig0checks-quota <integer>; // experimental
284	sig0checks-quota-exempt { <address_match_element>; ... }; // experimental
285	sortlist { <address_match_element>; ... }; // deprecated
286	stale-answer-client-timeout ( disabled | off | <integer> );
287	stale-answer-enable <boolean>;
288	stale-answer-ttl <duration>;
289	stale-cache-enable <boolean>;
290	stale-refresh-time <duration>;
291	startup-notify-rate <integer>;
292	statistics-file <quoted_string>;
293	synth-from-dnssec <boolean>;
294	tcp-advertised-timeout <integer>;
295	tcp-clients <integer>;
296	tcp-idle-timeout <integer>;
297	tcp-initial-timeout <integer>;
298	tcp-keepalive-timeout <integer>;
299	tcp-listen-queue <integer>;
300	tcp-receive-buffer <integer>;
301	tcp-send-buffer <integer>;
302	tkey-domain <quoted_string>;
303	tkey-gssapi-credential <quoted_string>;
304	tkey-gssapi-keytab <quoted_string>;
305	tls-port <integer>;
306	transfer-format ( many-answers | one-answer );
307	transfer-message-size <integer>;
308	transfer-source ( <ipv4_address> | * );
309	transfer-source-v6 ( <ipv6_address> | * );
310	transfers-in <integer>;
311	transfers-out <integer>;
312	transfers-per-ns <integer>;
313	trust-anchor-telemetry <boolean>;
314	try-tcp-refresh <boolean>;
315	udp-receive-buffer <integer>;
316	udp-send-buffer <integer>;
317	update-check-ksk <boolean>; // obsolete
318	update-quota <integer>;
319	use-v4-udp-ports { <portrange>; ... }; // deprecated
320	use-v6-udp-ports { <portrange>; ... }; // deprecated
321	v6-bias <integer>;
322	validate-except { <string>; ... };
323	version ( <quoted_string> | none );
324	zero-no-soa-ttl <boolean>;
325	zero-no-soa-ttl-cache <boolean>;
326	zone-statistics ( full | terse | none | <boolean> );
327};
328
329parental-agents <string> [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times
330
331plugin ( query ) <string> [ { <unspecified-text> } ]; // may occur multiple times
332
333primaries <string> [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times
334
335server <netprefix> {
336	bogus <boolean>;
337	edns <boolean>;
338	edns-udp-size <integer>;
339	edns-version <integer>;
340	keys <server_key>;
341	max-udp-size <integer>;
342	notify-source ( <ipv4_address> | * );
343	notify-source-v6 ( <ipv6_address> | * );
344	padding <integer>;
345	provide-ixfr <boolean>;
346	query-source [ address ] ( <ipv4_address> | * );
347	query-source-v6 [ address ] ( <ipv6_address> | * );
348	request-expire <boolean>;
349	request-ixfr <boolean>;
350	request-nsid <boolean>;
351	require-cookie <boolean>;
352	send-cookie <boolean>;
353	tcp-keepalive <boolean>;
354	tcp-only <boolean>;
355	transfer-format ( many-answers | one-answer );
356	transfer-source ( <ipv4_address> | * );
357	transfer-source-v6 ( <ipv6_address> | * );
358	transfers <integer>;
359}; // may occur multiple times
360
361statistics-channels {
362	inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] [ allow { <address_match_element>; ... } ]; // may occur multiple times
363}; // may occur multiple times
364
365tls <string> {
366	ca-file <quoted_string>;
367	cert-file <quoted_string>;
368	cipher-suites <string>;
369	ciphers <string>;
370	dhparam-file <quoted_string>;
371	key-file <quoted_string>;
372	prefer-server-ciphers <boolean>;
373	protocols { <string>; ... };
374	remote-hostname <quoted_string>;
375	session-tickets <boolean>;
376}; // may occur multiple times
377
378trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
379
380trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
381
382view <string> [ <class> ] {
383	allow-new-zones <boolean>;
384	allow-notify { <address_match_element>; ... };
385	allow-proxy { <address_match_element>; ... }; // experimental
386	allow-proxy-on { <address_match_element>; ... }; // experimental
387	allow-query { <address_match_element>; ... };
388	allow-query-cache { <address_match_element>; ... };
389	allow-query-cache-on { <address_match_element>; ... };
390	allow-query-on { <address_match_element>; ... };
391	allow-recursion { <address_match_element>; ... };
392	allow-recursion-on { <address_match_element>; ... };
393	allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
394	allow-update { <address_match_element>; ... };
395	allow-update-forwarding { <address_match_element>; ... };
396	also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
397	attach-cache <string>;
398	auth-nxdomain <boolean>;
399	catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
400	check-dup-records ( fail | warn | ignore );
401	check-integrity <boolean>;
402	check-mx ( fail | warn | ignore );
403	check-mx-cname ( fail | warn | ignore );
404	check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
405	check-sibling <boolean>;
406	check-spf ( warn | ignore );
407	check-srv-cname ( fail | warn | ignore );
408	check-svcb <boolean>;
409	check-wildcard <boolean>;
410	clients-per-query <integer>;
411	deny-answer-addresses { <address_match_element>; ... } [ except-from { <string>; ... } ];
412	deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ];
413	dialup ( notify | notify-passive | passive | refresh | <boolean> ); // deprecated
414	disable-algorithms <string> { <string>; ... }; // may occur multiple times
415	disable-ds-digests <string> { <string>; ... }; // may occur multiple times
416	disable-empty-zone <string>; // may occur multiple times
417	dlz <string> {
418		database <string>;
419		search <boolean>;
420	}; // may occur multiple times
421	dns64 <netprefix> {
422		break-dnssec <boolean>;
423		clients { <address_match_element>; ... };
424		exclude { <address_match_element>; ... };
425		mapped { <address_match_element>; ... };
426		recursive-only <boolean>;
427		suffix <ipv6_address>;
428	}; // may occur multiple times
429	dns64-contact <string>;
430	dns64-server <string>;
431	dnskey-sig-validity <integer>; // obsolete
432	dnsrps-enable <boolean>; // not configured
433	dnsrps-options { <unspecified-text> }; // not configured
434	dnssec-accept-expired <boolean>;
435	dnssec-dnskey-kskonly <boolean>; // obsolete
436	dnssec-loadkeys-interval <integer>;
437	dnssec-must-be-secure <string> <boolean>; // may occur multiple times, deprecated
438	dnssec-policy <string>;
439	dnssec-secure-to-insecure <boolean>; // obsolete
440	dnssec-update-mode ( maintain | no-resign ); // obsolete
441	dnssec-validation ( yes | no | auto );
442	dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured
443	dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
444	dyndb <string> <quoted_string> { <unspecified-text> }; // may occur multiple times
445	edns-udp-size <integer>;
446	empty-contact <string>;
447	empty-server <string>;
448	empty-zones-enable <boolean>;
449	fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
450	fetches-per-server <integer> [ ( drop | fail ) ];
451	fetches-per-zone <integer> [ ( drop | fail ) ];
452	forward ( first | only );
453	forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
454	ipv4only-contact <string>;
455	ipv4only-enable <boolean>;
456	ipv4only-server <string>;
457	ixfr-from-differences ( primary | master | secondary | slave | <boolean> );
458	key <string> {
459		algorithm <string>;
460		secret <string>;
461	}; // may occur multiple times
462	key-directory <quoted_string>;
463	lame-ttl <duration>;
464	lmdb-mapsize <sizeval>;
465	managed-keys { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
466	masterfile-format ( raw | text );
467	masterfile-style ( full | relative );
468	match-clients { <address_match_element>; ... };
469	match-destinations { <address_match_element>; ... };
470	match-recursive-only <boolean>;
471	max-cache-size ( default | unlimited | <sizeval> | <percentage> );
472	max-cache-ttl <duration>;
473	max-clients-per-query <integer>;
474	max-ixfr-ratio ( unlimited | <percentage> );
475	max-journal-size ( default | unlimited | <sizeval> );
476	max-ncache-ttl <duration>;
477	max-query-restarts <integer>;
478	max-records <integer>;
479	max-records-per-type <integer>;
480	max-recursion-depth <integer>;
481	max-recursion-queries <integer>;
482	max-refresh-time <integer>;
483	max-retry-time <integer>;
484	max-stale-ttl <duration>;
485	max-transfer-idle-in <integer>;
486	max-transfer-idle-out <integer>;
487	max-transfer-time-in <integer>;
488	max-transfer-time-out <integer>;
489	max-types-per-name <integer>;
490	max-udp-size <integer>;
491	max-validation-failures-per-fetch <integer>; // experimental
492	max-validations-per-fetch <integer>; // experimental
493	max-zone-ttl ( unlimited | <duration> ); // deprecated
494	message-compression <boolean>;
495	min-cache-ttl <duration>;
496	min-ncache-ttl <duration>;
497	min-refresh-time <integer>;
498	min-retry-time <integer>;
499	minimal-any <boolean>;
500	minimal-responses ( no-auth | no-auth-recursive | <boolean> );
501	multi-master <boolean>;
502	new-zones-directory <quoted_string>;
503	no-case-compress { <address_match_element>; ... };
504	nocookie-udp-size <integer>;
505	notify ( explicit | master-only | primary-only | <boolean> );
506	notify-delay <integer>;
507	notify-source ( <ipv4_address> | * );
508	notify-source-v6 ( <ipv6_address> | * );
509	notify-to-soa <boolean>;
510	nsec3-test-zone <boolean>; // test only
511	nta-lifetime <duration>;
512	nta-recheck <duration>;
513	nxdomain-redirect <string>;
514	parental-source ( <ipv4_address> | * );
515	parental-source-v6 ( <ipv6_address> | * );
516	plugin ( query ) <string> [ { <unspecified-text> } ]; // may occur multiple times
517	preferred-glue <string>;
518	prefetch <integer> [ <integer> ];
519	provide-ixfr <boolean>;
520	qname-minimization ( strict | relaxed | disabled | off );
521	query-source [ address ] ( <ipv4_address> | * );
522	query-source-v6 [ address ] ( <ipv6_address> | * );
523	rate-limit {
524		all-per-second <integer>;
525		errors-per-second <integer>;
526		exempt-clients { <address_match_element>; ... };
527		ipv4-prefix-length <integer>;
528		ipv6-prefix-length <integer>;
529		log-only <boolean>;
530		max-table-size <integer>;
531		min-table-size <integer>;
532		nodata-per-second <integer>;
533		nxdomains-per-second <integer>;
534		qps-scale <integer>;
535		referrals-per-second <integer>;
536		responses-per-second <integer>;
537		slip <integer>;
538		window <integer>;
539	};
540	recursion <boolean>;
541	request-expire <boolean>;
542	request-ixfr <boolean>;
543	request-nsid <boolean>;
544	require-server-cookie <boolean>;
545	resolver-query-timeout <integer>;
546	resolver-use-dns64 <boolean>;
547	response-padding { <address_match_element>; ... } block-size <integer>;
548	response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
549	root-key-sentinel <boolean>;
550	rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
551	send-cookie <boolean>;
552	serial-update-method ( date | increment | unixtime );
553	server <netprefix> {
554		bogus <boolean>;
555		edns <boolean>;
556		edns-udp-size <integer>;
557		edns-version <integer>;
558		keys <server_key>;
559		max-udp-size <integer>;
560		notify-source ( <ipv4_address> | * );
561		notify-source-v6 ( <ipv6_address> | * );
562		padding <integer>;
563		provide-ixfr <boolean>;
564		query-source [ address ] ( <ipv4_address> | * );
565		query-source-v6 [ address ] ( <ipv6_address> | * );
566		request-expire <boolean>;
567		request-ixfr <boolean>;
568		request-nsid <boolean>;
569		require-cookie <boolean>;
570		send-cookie <boolean>;
571		tcp-keepalive <boolean>;
572		tcp-only <boolean>;
573		transfer-format ( many-answers | one-answer );
574		transfer-source ( <ipv4_address> | * );
575		transfer-source-v6 ( <ipv6_address> | * );
576		transfers <integer>;
577	}; // may occur multiple times
578	servfail-ttl <duration>;
579	sig-signing-nodes <integer>;
580	sig-signing-signatures <integer>;
581	sig-signing-type <integer>;
582	sig-validity-interval <integer> [ <integer> ]; // obsolete
583	sortlist { <address_match_element>; ... }; // deprecated
584	stale-answer-client-timeout ( disabled | off | <integer> );
585	stale-answer-enable <boolean>;
586	stale-answer-ttl <duration>;
587	stale-cache-enable <boolean>;
588	stale-refresh-time <duration>;
589	synth-from-dnssec <boolean>;
590	transfer-format ( many-answers | one-answer );
591	transfer-source ( <ipv4_address> | * );
592	transfer-source-v6 ( <ipv6_address> | * );
593	trust-anchor-telemetry <boolean>;
594	trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
595	trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated
596	try-tcp-refresh <boolean>;
597	update-check-ksk <boolean>; // obsolete
598	v6-bias <integer>;
599	validate-except { <string>; ... };
600	zero-no-soa-ttl <boolean>;
601	zero-no-soa-ttl-cache <boolean>;
602	zone-statistics ( full | terse | none | <boolean> );
603}; // may occur multiple times
604
605