1 2This is a summary of the named.conf options supported by 3this version of BIND 9. 4 5acl <string> { <address_match_element>; ... }; // may occur multiple times 6 7controls { 8 inet ( <ipv4_address> | <ipv6_address> | 9 * ) [ port ( <integer> | * ) ] allow 10 { <address_match_element>; ... } [ 11 keys { <string>; ... } ] [ read-only 12 <boolean> ]; // may occur multiple times 13 unix <quoted_string> perm <integer> 14 owner <integer> group <integer> [ 15 keys { <string>; ... } ] [ read-only 16 <boolean> ]; // may occur multiple times 17}; // may occur multiple times 18 19dlz <string> { 20 database <string>; 21 search <boolean>; 22}; // may occur multiple times 23 24dnssec-policy <string> { 25 dnskey-ttl <duration>; 26 keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime 27 <duration_or_unlimited> algorithm <string> [ <integer> ]; ... }; 28 max-zone-ttl <duration>; 29 nsec3param [ iterations <integer> ] [ optout <boolean> ] [ 30 salt-length <integer> ]; 31 parent-ds-ttl <duration>; 32 parent-propagation-delay <duration>; 33 parent-registration-delay <duration>; // obsolete 34 publish-safety <duration>; 35 purge-keys <duration>; 36 retire-safety <duration>; 37 signatures-refresh <duration>; 38 signatures-validity <duration>; 39 signatures-validity-dnskey <duration>; 40 zone-propagation-delay <duration>; 41}; // may occur multiple times 42 43dyndb <string> <quoted_string> { 44 <unspecified-text> }; // may occur multiple times 45 46key <string> { 47 algorithm <string>; 48 secret <string>; 49}; // may occur multiple times 50 51logging { 52 category <string> { <string>; ... }; // may occur multiple times 53 channel <string> { 54 buffered <boolean>; 55 file <quoted_string> [ versions ( unlimited | <integer> ) ] 56 [ size <size> ] [ suffix ( increment | timestamp ) ]; 57 null; 58 print-category <boolean>; 59 print-severity <boolean>; 60 print-time ( iso8601 | iso8601-utc | local | <boolean> ); 61 severity <log_severity>; 62 stderr; 63 syslog [ <syslog_facility> ]; 64 }; // may occur multiple times 65}; 66 67lwres { <unspecified-text> }; // obsolete, may occur multiple times 68 69managed-keys { <string> ( static-key 70 | initial-key | static-ds | 71 initial-ds ) <integer> <integer> 72 <integer> <quoted_string>; ... }; // may occur multiple times, deprecated 73 74masters <string> [ port <integer> ] [ dscp 75 <integer> ] { ( <remote-servers> | 76 <ipv4_address> [ port <integer> ] | 77 <ipv6_address> [ port <integer> ] ) [ key 78 <string> ]; ... }; // may occur multiple times 79 80options { 81 acache-cleaning-interval <integer>; // obsolete 82 acache-enable <boolean>; // obsolete 83 additional-from-auth <boolean>; // obsolete 84 additional-from-cache <boolean>; // obsolete 85 allow-new-zones <boolean>; 86 allow-notify { <address_match_element>; ... }; 87 allow-query { <address_match_element>; ... }; 88 allow-query-cache { <address_match_element>; ... }; 89 allow-query-cache-on { <address_match_element>; ... }; 90 allow-query-on { <address_match_element>; ... }; 91 allow-recursion { <address_match_element>; ... }; 92 allow-recursion-on { <address_match_element>; ... }; 93 allow-transfer { <address_match_element>; ... }; 94 allow-update { <address_match_element>; ... }; 95 allow-update-forwarding { <address_match_element>; ... }; 96 allow-v6-synthesis { <address_match_element>; ... }; // obsolete 97 also-notify [ port <integer> ] [ dscp <integer> ] { ( 98 <remote-servers> | <ipv4_address> [ port <integer> ] | 99 <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; 100 alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) 101 ] [ dscp <integer> ]; 102 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | 103 * ) ] [ dscp <integer> ]; 104 answer-cookie <boolean>; 105 attach-cache <string>; 106 auth-nxdomain <boolean>; // default changed 107 auto-dnssec ( allow | maintain | off ); // deprecated 108 automatic-interface-scan <boolean>; 109 avoid-v4-udp-ports { <portrange>; ... }; 110 avoid-v6-udp-ports { <portrange>; ... }; 111 bindkeys-file <quoted_string>; 112 blackhole { <address_match_element>; ... }; 113 cache-file <quoted_string>; // deprecated 114 catalog-zones { zone <string> [ default-masters [ port <integer> ] 115 [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port 116 <integer> ] | <ipv6_address> [ port <integer> ] ) [ key 117 <string> ]; ... } ] [ zone-directory <quoted_string> ] [ 118 in-memory <boolean> ] [ min-update-interval <duration> ]; ... }; 119 check-dup-records ( fail | warn | ignore ); 120 check-integrity <boolean>; 121 check-mx ( fail | warn | ignore ); 122 check-mx-cname ( fail | warn | ignore ); 123 check-names ( primary | master | 124 secondary | slave | response ) ( 125 fail | warn | ignore ); // may occur multiple times 126 check-sibling <boolean>; 127 check-spf ( warn | ignore ); 128 check-srv-cname ( fail | warn | ignore ); 129 check-wildcard <boolean>; 130 cleaning-interval <integer>; // obsolete 131 clients-per-query <integer>; 132 cookie-algorithm ( aes | siphash24 ); 133 cookie-secret <string>; // may occur multiple times 134 coresize ( default | unlimited | <sizeval> ); 135 datasize ( default | unlimited | <sizeval> ); 136 deallocate-on-exit <boolean>; // ancient 137 deny-answer-addresses { <address_match_element>; ... } [ 138 except-from { <string>; ... } ]; 139 deny-answer-aliases { <string>; ... } [ except-from { <string>; ... 140 } ]; 141 dialup ( notify | notify-passive | passive | refresh | <boolean> ); 142 directory <quoted_string>; 143 disable-algorithms <string> { <string>; 144 ... }; // may occur multiple times 145 disable-ds-digests <string> { <string>; 146 ... }; // may occur multiple times 147 disable-empty-zone <string>; // may occur multiple times 148 dns64 <netprefix> { 149 break-dnssec <boolean>; 150 clients { <address_match_element>; ... }; 151 exclude { <address_match_element>; ... }; 152 mapped { <address_match_element>; ... }; 153 recursive-only <boolean>; 154 suffix <ipv6_address>; 155 }; // may occur multiple times 156 dns64-contact <string>; 157 dns64-server <string>; 158 dnskey-sig-validity <integer>; 159 dnsrps-enable <boolean>; // not configured 160 dnsrps-options { <unspecified-text> }; // not configured 161 dnssec-accept-expired <boolean>; 162 dnssec-dnskey-kskonly <boolean>; 163 dnssec-enable <boolean>; // obsolete 164 dnssec-loadkeys-interval <integer>; 165 dnssec-lookaside ( <string> 166 trust-anchor <string> | 167 auto | no ); // obsolete, may occur multiple times 168 dnssec-must-be-secure <string> <boolean>; // may occur multiple times 169 dnssec-policy <string>; 170 dnssec-secure-to-insecure <boolean>; 171 dnssec-update-mode ( maintain | no-resign ); 172 dnssec-validation ( yes | no | auto ); 173 dnstap { ( all | auth | client | forwarder | resolver | update ) [ 174 ( query | response ) ]; ... }; 175 dnstap-identity ( <quoted_string> | none | hostname ); 176 dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited | 177 <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( 178 increment | timestamp ) ]; 179 dnstap-version ( <quoted_string> | none ); 180 dscp <integer>; // deprecated 181 dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port 182 <integer> ] [ dscp <integer> ] | <ipv4_address> [ port 183 <integer> ] [ dscp <integer> ] | <ipv6_address> [ port 184 <integer> ] [ dscp <integer> ] ); ... }; 185 dump-file <quoted_string>; 186 edns-udp-size <integer>; 187 empty-contact <string>; 188 empty-server <string>; 189 empty-zones-enable <boolean>; 190 fake-iquery <boolean>; // ancient 191 fetch-glue <boolean>; // ancient 192 fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>; 193 fetches-per-server <integer> [ ( drop | fail ) ]; 194 fetches-per-zone <integer> [ ( drop | fail ) ]; 195 files ( default | unlimited | <sizeval> ); 196 filter-aaaa { <address_match_element>; ... }; // obsolete 197 filter-aaaa-on-v4 <boolean>; // obsolete 198 filter-aaaa-on-v6 <boolean>; // obsolete 199 flush-zones-on-shutdown <boolean>; 200 forward ( first | only ); 201 forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> 202 | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; 203 fstrm-set-buffer-hint <integer>; 204 fstrm-set-flush-timeout <integer>; 205 fstrm-set-input-queue-size <integer>; 206 fstrm-set-output-notify-threshold <integer>; 207 fstrm-set-output-queue-model ( mpsc | spsc ); 208 fstrm-set-output-queue-size <integer>; 209 fstrm-set-reopen-interval <duration>; 210 geoip-directory ( <quoted_string> | none ); 211 geoip-use-ecs <boolean>; // obsolete 212 glue-cache <boolean>; 213 has-old-clients <boolean>; // ancient 214 heartbeat-interval <integer>; 215 host-statistics <boolean>; // ancient 216 host-statistics-max <integer>; // ancient 217 hostname ( <quoted_string> | none ); 218 interface-interval <duration>; 219 ixfr-from-differences ( primary | master | secondary | slave | 220 <boolean> ); 221 keep-response-order { <address_match_element>; ... }; 222 key-directory <quoted_string>; 223 lame-ttl <duration>; 224 listen-on [ port <integer> ] [ dscp 225 <integer> ] { 226 <address_match_element>; ... }; // may occur multiple times 227 listen-on-v6 [ port <integer> ] [ dscp 228 <integer> ] { 229 <address_match_element>; ... }; // may occur multiple times 230 lmdb-mapsize <sizeval>; 231 lock-file ( <quoted_string> | none ); 232 maintain-ixfr-base <boolean>; // ancient 233 managed-keys-directory <quoted_string>; 234 masterfile-format ( map | raw | text ); 235 masterfile-style ( full | relative ); 236 match-mapped-addresses <boolean>; 237 max-acache-size ( unlimited | <sizeval> ); // obsolete 238 max-cache-size ( default | unlimited | <sizeval> | <percentage> ); 239 max-cache-ttl <duration>; 240 max-clients-per-query <integer>; 241 max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient 242 max-ixfr-ratio ( unlimited | <percentage> ); 243 max-journal-size ( default | unlimited | <sizeval> ); 244 max-ncache-ttl <duration>; 245 max-records <integer>; 246 max-recursion-depth <integer>; 247 max-recursion-queries <integer>; 248 max-refresh-time <integer>; 249 max-retry-time <integer>; 250 max-rsa-exponent-size <integer>; 251 max-stale-ttl <duration>; 252 max-transfer-idle-in <integer>; 253 max-transfer-idle-out <integer>; 254 max-transfer-time-in <integer>; 255 max-transfer-time-out <integer>; 256 max-udp-size <integer>; 257 max-zone-ttl ( unlimited | <duration> ); 258 memstatistics <boolean>; 259 memstatistics-file <quoted_string>; 260 message-compression <boolean>; 261 min-cache-ttl <duration>; 262 min-ncache-ttl <duration>; 263 min-refresh-time <integer>; 264 min-retry-time <integer>; 265 min-roots <integer>; // ancient 266 minimal-any <boolean>; 267 minimal-responses ( no-auth | no-auth-recursive | <boolean> ); 268 multi-master <boolean>; 269 multiple-cnames <boolean>; // ancient 270 named-xfer <quoted_string>; // ancient 271 new-zones-directory <quoted_string>; 272 no-case-compress { <address_match_element>; ... }; 273 nocookie-udp-size <integer>; 274 nosit-udp-size <integer>; // obsolete 275 notify ( explicit | master-only | primary-only | <boolean> ); 276 notify-delay <integer>; 277 notify-rate <integer>; 278 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 279 dscp <integer> ]; 280 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 281 [ dscp <integer> ]; 282 notify-to-soa <boolean>; 283 nsec3-test-zone <boolean>; // test only 284 nta-lifetime <duration>; 285 nta-recheck <duration>; 286 nxdomain-redirect <string>; 287 parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 288 dscp <integer> ]; 289 parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 290 ] [ dscp <integer> ]; 291 pid-file ( <quoted_string> | none ); 292 port <integer>; 293 preferred-glue <string>; 294 prefetch <integer> [ <integer> ]; 295 provide-ixfr <boolean>; 296 qname-minimization ( strict | relaxed | disabled | off ); 297 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( 298 <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] 299 port ( <integer> | * ) ) ) [ dscp <integer> ]; 300 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( 301 <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] 302 port ( <integer> | * ) ) ) [ dscp <integer> ]; 303 querylog <boolean>; 304 queryport-pool-ports <integer>; // obsolete 305 queryport-pool-updateinterval <integer>; // obsolete 306 random-device ( <quoted_string> | none ); 307 rate-limit { 308 all-per-second <integer>; 309 errors-per-second <integer>; 310 exempt-clients { <address_match_element>; ... }; 311 ipv4-prefix-length <integer>; 312 ipv6-prefix-length <integer>; 313 log-only <boolean>; 314 max-table-size <integer>; 315 min-table-size <integer>; 316 nodata-per-second <integer>; 317 nxdomains-per-second <integer>; 318 qps-scale <integer>; 319 referrals-per-second <integer>; 320 responses-per-second <integer>; 321 slip <integer>; 322 window <integer>; 323 }; 324 recursing-file <quoted_string>; 325 recursion <boolean>; 326 recursive-clients <integer>; 327 request-expire <boolean>; 328 request-ixfr <boolean>; 329 request-nsid <boolean>; 330 request-sit <boolean>; // obsolete 331 require-server-cookie <boolean>; 332 reserved-sockets <integer>; 333 resolver-nonbackoff-tries <integer>; 334 resolver-query-timeout <integer>; 335 resolver-retry-interval <integer>; 336 response-padding { <address_match_element>; ... } block-size 337 <integer>; 338 response-policy { zone <string> [ add-soa <boolean> ] [ log 339 <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval 340 <duration> ] [ policy ( cname | disabled | drop | given | no-op 341 | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ 342 recursive-only <boolean> ] [ nsip-enable <boolean> ] [ 343 nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ 344 break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ 345 min-update-interval <duration> ] [ min-ns-dots <integer> ] [ 346 nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] 347 [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ 348 nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ 349 dnsrps-options { <unspecified-text> } ]; 350 reuseport <boolean>; 351 rfc2308-type1 <boolean>; // ancient 352 root-delegation-only [ exclude { <string>; ... } ]; 353 root-key-sentinel <boolean>; 354 rrset-order { [ class <string> ] [ type <string> ] [ name 355 <quoted_string> ] <string> <string>; ... }; 356 secroots-file <quoted_string>; 357 send-cookie <boolean>; 358 serial-queries <integer>; // ancient 359 serial-query-rate <integer>; 360 serial-update-method ( date | increment | unixtime ); 361 server-id ( <quoted_string> | none | hostname ); 362 servfail-ttl <duration>; 363 session-keyalg <string>; 364 session-keyfile ( <quoted_string> | none ); 365 session-keyname <string>; 366 sig-signing-nodes <integer>; 367 sig-signing-signatures <integer>; 368 sig-signing-type <integer>; 369 sig-validity-interval <integer> [ <integer> ]; 370 sit-secret <string>; // obsolete 371 sortlist { <address_match_element>; ... }; 372 stacksize ( default | unlimited | <sizeval> ); 373 stale-answer-client-timeout ( disabled | off | <integer> ); 374 stale-answer-enable <boolean>; 375 stale-answer-ttl <duration>; 376 stale-cache-enable <boolean>; 377 stale-refresh-time <duration>; 378 startup-notify-rate <integer>; 379 statistics-file <quoted_string>; 380 statistics-interval <integer>; // ancient 381 suppress-initial-notify <boolean>; // not yet implemented 382 synth-from-dnssec <boolean>; 383 tcp-advertised-timeout <integer>; 384 tcp-clients <integer>; 385 tcp-idle-timeout <integer>; 386 tcp-initial-timeout <integer>; 387 tcp-keepalive-timeout <integer>; 388 tcp-listen-queue <integer>; 389 tkey-dhkey <quoted_string> <integer>; 390 tkey-domain <quoted_string>; 391 tkey-gssapi-credential <quoted_string>; 392 tkey-gssapi-keytab <quoted_string>; 393 topology { <address_match_element>; ... }; // ancient 394 transfer-format ( many-answers | one-answer ); 395 transfer-message-size <integer>; 396 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 397 dscp <integer> ]; 398 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 399 ] [ dscp <integer> ]; 400 transfers-in <integer>; 401 transfers-out <integer>; 402 transfers-per-ns <integer>; 403 treat-cr-as-space <boolean>; // ancient 404 trust-anchor-telemetry <boolean>; // experimental 405 try-tcp-refresh <boolean>; 406 update-check-ksk <boolean>; 407 update-quota <integer>; 408 use-alt-transfer-source <boolean>; 409 use-id-pool <boolean>; // ancient 410 use-ixfr <boolean>; // obsolete 411 use-queryport-pool <boolean>; // obsolete 412 use-v4-udp-ports { <portrange>; ... }; 413 use-v6-udp-ports { <portrange>; ... }; 414 v6-bias <integer>; 415 validate-except { <string>; ... }; 416 version ( <quoted_string> | none ); 417 zero-no-soa-ttl <boolean>; 418 zero-no-soa-ttl-cache <boolean>; 419 zone-statistics ( full | terse | none | <boolean> ); 420}; 421 422parental-agents <string> [ port <integer> ] [ 423 dscp <integer> ] { ( <remote-servers> | 424 <ipv4_address> [ port <integer> ] | 425 <ipv6_address> [ port <integer> ] ) [ key 426 <string> ]; ... }; // may occur multiple times 427 428plugin ( query ) <string> [ { <unspecified-text> 429 } ]; // may occur multiple times 430 431primaries <string> [ port <integer> ] [ dscp 432 <integer> ] { ( <remote-servers> | 433 <ipv4_address> [ port <integer> ] | 434 <ipv6_address> [ port <integer> ] ) [ key 435 <string> ]; ... }; // may occur multiple times 436 437server <netprefix> { 438 bogus <boolean>; 439 edns <boolean>; 440 edns-udp-size <integer>; 441 edns-version <integer>; 442 keys <server_key>; 443 max-udp-size <integer>; 444 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 445 dscp <integer> ]; 446 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 447 [ dscp <integer> ]; 448 padding <integer>; 449 provide-ixfr <boolean>; 450 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( 451 <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] 452 port ( <integer> | * ) ) ) [ dscp <integer> ]; 453 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( 454 <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] 455 port ( <integer> | * ) ) ) [ dscp <integer> ]; 456 request-expire <boolean>; 457 request-ixfr <boolean>; 458 request-nsid <boolean>; 459 request-sit <boolean>; // obsolete 460 send-cookie <boolean>; 461 support-ixfr <boolean>; // obsolete 462 tcp-keepalive <boolean>; 463 tcp-only <boolean>; 464 transfer-format ( many-answers | one-answer ); 465 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 466 dscp <integer> ]; 467 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 468 ] [ dscp <integer> ]; 469 transfers <integer>; 470}; // may occur multiple times 471 472statistics-channels { 473 inet ( <ipv4_address> | <ipv6_address> | 474 * ) [ port ( <integer> | * ) ] [ 475 allow { <address_match_element>; ... 476 } ]; // may occur multiple times 477}; // may occur multiple times 478 479trust-anchors { <string> ( static-key | 480 initial-key | static-ds | initial-ds ) 481 <integer> <integer> <integer> 482 <quoted_string>; ... }; // may occur multiple times 483 484trusted-keys { <string> <integer> 485 <integer> <integer> 486 <quoted_string>; ... }; // may occur multiple times, deprecated 487 488view <string> [ <class> ] { 489 acache-cleaning-interval <integer>; // obsolete 490 acache-enable <boolean>; // obsolete 491 additional-from-auth <boolean>; // obsolete 492 additional-from-cache <boolean>; // obsolete 493 allow-new-zones <boolean>; 494 allow-notify { <address_match_element>; ... }; 495 allow-query { <address_match_element>; ... }; 496 allow-query-cache { <address_match_element>; ... }; 497 allow-query-cache-on { <address_match_element>; ... }; 498 allow-query-on { <address_match_element>; ... }; 499 allow-recursion { <address_match_element>; ... }; 500 allow-recursion-on { <address_match_element>; ... }; 501 allow-transfer { <address_match_element>; ... }; 502 allow-update { <address_match_element>; ... }; 503 allow-update-forwarding { <address_match_element>; ... }; 504 allow-v6-synthesis { <address_match_element>; ... }; // obsolete 505 also-notify [ port <integer> ] [ dscp <integer> ] { ( 506 <remote-servers> | <ipv4_address> [ port <integer> ] | 507 <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; 508 alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) 509 ] [ dscp <integer> ]; 510 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | 511 * ) ] [ dscp <integer> ]; 512 attach-cache <string>; 513 auth-nxdomain <boolean>; // default changed 514 auto-dnssec ( allow | maintain | off ); // deprecated 515 cache-file <quoted_string>; // deprecated 516 catalog-zones { zone <string> [ default-masters [ port <integer> ] 517 [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port 518 <integer> ] | <ipv6_address> [ port <integer> ] ) [ key 519 <string> ]; ... } ] [ zone-directory <quoted_string> ] [ 520 in-memory <boolean> ] [ min-update-interval <duration> ]; ... }; 521 check-dup-records ( fail | warn | ignore ); 522 check-integrity <boolean>; 523 check-mx ( fail | warn | ignore ); 524 check-mx-cname ( fail | warn | ignore ); 525 check-names ( primary | master | 526 secondary | slave | response ) ( 527 fail | warn | ignore ); // may occur multiple times 528 check-sibling <boolean>; 529 check-spf ( warn | ignore ); 530 check-srv-cname ( fail | warn | ignore ); 531 check-wildcard <boolean>; 532 cleaning-interval <integer>; // obsolete 533 clients-per-query <integer>; 534 deny-answer-addresses { <address_match_element>; ... } [ 535 except-from { <string>; ... } ]; 536 deny-answer-aliases { <string>; ... } [ except-from { <string>; ... 537 } ]; 538 dialup ( notify | notify-passive | passive | refresh | <boolean> ); 539 disable-algorithms <string> { <string>; 540 ... }; // may occur multiple times 541 disable-ds-digests <string> { <string>; 542 ... }; // may occur multiple times 543 disable-empty-zone <string>; // may occur multiple times 544 dlz <string> { 545 database <string>; 546 search <boolean>; 547 }; // may occur multiple times 548 dns64 <netprefix> { 549 break-dnssec <boolean>; 550 clients { <address_match_element>; ... }; 551 exclude { <address_match_element>; ... }; 552 mapped { <address_match_element>; ... }; 553 recursive-only <boolean>; 554 suffix <ipv6_address>; 555 }; // may occur multiple times 556 dns64-contact <string>; 557 dns64-server <string>; 558 dnskey-sig-validity <integer>; 559 dnsrps-enable <boolean>; // not configured 560 dnsrps-options { <unspecified-text> }; // not configured 561 dnssec-accept-expired <boolean>; 562 dnssec-dnskey-kskonly <boolean>; 563 dnssec-enable <boolean>; // obsolete 564 dnssec-loadkeys-interval <integer>; 565 dnssec-lookaside ( <string> 566 trust-anchor <string> | 567 auto | no ); // obsolete, may occur multiple times 568 dnssec-must-be-secure <string> <boolean>; // may occur multiple times 569 dnssec-policy <string>; 570 dnssec-secure-to-insecure <boolean>; 571 dnssec-update-mode ( maintain | no-resign ); 572 dnssec-validation ( yes | no | auto ); 573 dnstap { ( all | auth | client | forwarder | resolver | update ) [ 574 ( query | response ) ]; ... }; 575 dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port 576 <integer> ] [ dscp <integer> ] | <ipv4_address> [ port 577 <integer> ] [ dscp <integer> ] | <ipv6_address> [ port 578 <integer> ] [ dscp <integer> ] ); ... }; 579 dyndb <string> <quoted_string> { 580 <unspecified-text> }; // may occur multiple times 581 edns-udp-size <integer>; 582 empty-contact <string>; 583 empty-server <string>; 584 empty-zones-enable <boolean>; 585 fetch-glue <boolean>; // ancient 586 fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>; 587 fetches-per-server <integer> [ ( drop | fail ) ]; 588 fetches-per-zone <integer> [ ( drop | fail ) ]; 589 filter-aaaa { <address_match_element>; ... }; // obsolete 590 filter-aaaa-on-v4 <boolean>; // obsolete 591 filter-aaaa-on-v6 <boolean>; // obsolete 592 forward ( first | only ); 593 forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> 594 | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; 595 glue-cache <boolean>; 596 ixfr-from-differences ( primary | master | secondary | slave | 597 <boolean> ); 598 key <string> { 599 algorithm <string>; 600 secret <string>; 601 }; // may occur multiple times 602 key-directory <quoted_string>; 603 lame-ttl <duration>; 604 lmdb-mapsize <sizeval>; 605 maintain-ixfr-base <boolean>; // ancient 606 managed-keys { <string> ( 607 static-key | initial-key 608 | static-ds | initial-ds 609 ) <integer> <integer> 610 <integer> 611 <quoted_string>; ... }; // may occur multiple times, deprecated 612 masterfile-format ( map | raw | text ); 613 masterfile-style ( full | relative ); 614 match-clients { <address_match_element>; ... }; 615 match-destinations { <address_match_element>; ... }; 616 match-recursive-only <boolean>; 617 max-acache-size ( unlimited | <sizeval> ); // obsolete 618 max-cache-size ( default | unlimited | <sizeval> | <percentage> ); 619 max-cache-ttl <duration>; 620 max-clients-per-query <integer>; 621 max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient 622 max-ixfr-ratio ( unlimited | <percentage> ); 623 max-journal-size ( default | unlimited | <sizeval> ); 624 max-ncache-ttl <duration>; 625 max-records <integer>; 626 max-recursion-depth <integer>; 627 max-recursion-queries <integer>; 628 max-refresh-time <integer>; 629 max-retry-time <integer>; 630 max-stale-ttl <duration>; 631 max-transfer-idle-in <integer>; 632 max-transfer-idle-out <integer>; 633 max-transfer-time-in <integer>; 634 max-transfer-time-out <integer>; 635 max-udp-size <integer>; 636 max-zone-ttl ( unlimited | <duration> ); 637 message-compression <boolean>; 638 min-cache-ttl <duration>; 639 min-ncache-ttl <duration>; 640 min-refresh-time <integer>; 641 min-retry-time <integer>; 642 min-roots <integer>; // ancient 643 minimal-any <boolean>; 644 minimal-responses ( no-auth | no-auth-recursive | <boolean> ); 645 multi-master <boolean>; 646 new-zones-directory <quoted_string>; 647 no-case-compress { <address_match_element>; ... }; 648 nocookie-udp-size <integer>; 649 nosit-udp-size <integer>; // obsolete 650 notify ( explicit | master-only | primary-only | <boolean> ); 651 notify-delay <integer>; 652 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 653 dscp <integer> ]; 654 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 655 [ dscp <integer> ]; 656 notify-to-soa <boolean>; 657 nsec3-test-zone <boolean>; // test only 658 nta-lifetime <duration>; 659 nta-recheck <duration>; 660 nxdomain-redirect <string>; 661 parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 662 dscp <integer> ]; 663 parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 664 ] [ dscp <integer> ]; 665 plugin ( query ) <string> [ { 666 <unspecified-text> } ]; // may occur multiple times 667 preferred-glue <string>; 668 prefetch <integer> [ <integer> ]; 669 provide-ixfr <boolean>; 670 qname-minimization ( strict | relaxed | disabled | off ); 671 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( 672 <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] 673 port ( <integer> | * ) ) ) [ dscp <integer> ]; 674 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( 675 <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] 676 port ( <integer> | * ) ) ) [ dscp <integer> ]; 677 queryport-pool-ports <integer>; // obsolete 678 queryport-pool-updateinterval <integer>; // obsolete 679 rate-limit { 680 all-per-second <integer>; 681 errors-per-second <integer>; 682 exempt-clients { <address_match_element>; ... }; 683 ipv4-prefix-length <integer>; 684 ipv6-prefix-length <integer>; 685 log-only <boolean>; 686 max-table-size <integer>; 687 min-table-size <integer>; 688 nodata-per-second <integer>; 689 nxdomains-per-second <integer>; 690 qps-scale <integer>; 691 referrals-per-second <integer>; 692 responses-per-second <integer>; 693 slip <integer>; 694 window <integer>; 695 }; 696 recursion <boolean>; 697 request-expire <boolean>; 698 request-ixfr <boolean>; 699 request-nsid <boolean>; 700 request-sit <boolean>; // obsolete 701 require-server-cookie <boolean>; 702 resolver-nonbackoff-tries <integer>; 703 resolver-query-timeout <integer>; 704 resolver-retry-interval <integer>; 705 response-padding { <address_match_element>; ... } block-size 706 <integer>; 707 response-policy { zone <string> [ add-soa <boolean> ] [ log 708 <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval 709 <duration> ] [ policy ( cname | disabled | drop | given | no-op 710 | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ 711 recursive-only <boolean> ] [ nsip-enable <boolean> ] [ 712 nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ 713 break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ 714 min-update-interval <duration> ] [ min-ns-dots <integer> ] [ 715 nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] 716 [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ 717 nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ 718 dnsrps-options { <unspecified-text> } ]; 719 rfc2308-type1 <boolean>; // ancient 720 root-delegation-only [ exclude { <string>; ... } ]; 721 root-key-sentinel <boolean>; 722 rrset-order { [ class <string> ] [ type <string> ] [ name 723 <quoted_string> ] <string> <string>; ... }; 724 send-cookie <boolean>; 725 serial-update-method ( date | increment | unixtime ); 726 server <netprefix> { 727 bogus <boolean>; 728 edns <boolean>; 729 edns-udp-size <integer>; 730 edns-version <integer>; 731 keys <server_key>; 732 max-udp-size <integer>; 733 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * 734 ) ] [ dscp <integer> ]; 735 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> 736 | * ) ] [ dscp <integer> ]; 737 padding <integer>; 738 provide-ixfr <boolean>; 739 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port 740 ( <integer> | * ) ] ) | ( [ [ address ] ( 741 <ipv4_address> | * ) ] port ( <integer> | * ) ) ) [ 742 dscp <integer> ]; 743 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ 744 port ( <integer> | * ) ] ) | ( [ [ address ] ( 745 <ipv6_address> | * ) ] port ( <integer> | * ) ) ) [ 746 dscp <integer> ]; 747 request-expire <boolean>; 748 request-ixfr <boolean>; 749 request-nsid <boolean>; 750 request-sit <boolean>; // obsolete 751 send-cookie <boolean>; 752 support-ixfr <boolean>; // obsolete 753 tcp-keepalive <boolean>; 754 tcp-only <boolean>; 755 transfer-format ( many-answers | one-answer ); 756 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | 757 * ) ] [ dscp <integer> ]; 758 transfer-source-v6 ( <ipv6_address> | * ) [ port ( 759 <integer> | * ) ] [ dscp <integer> ]; 760 transfers <integer>; 761 }; // may occur multiple times 762 servfail-ttl <duration>; 763 sig-signing-nodes <integer>; 764 sig-signing-signatures <integer>; 765 sig-signing-type <integer>; 766 sig-validity-interval <integer> [ <integer> ]; 767 sortlist { <address_match_element>; ... }; 768 stale-answer-client-timeout ( disabled | off | <integer> ); 769 stale-answer-enable <boolean>; 770 stale-answer-ttl <duration>; 771 stale-cache-enable <boolean>; 772 stale-refresh-time <duration>; 773 suppress-initial-notify <boolean>; // not yet implemented 774 synth-from-dnssec <boolean>; 775 topology { <address_match_element>; ... }; // ancient 776 transfer-format ( many-answers | one-answer ); 777 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 778 dscp <integer> ]; 779 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 780 ] [ dscp <integer> ]; 781 trust-anchor-telemetry <boolean>; // experimental 782 trust-anchors { <string> ( static-key | 783 initial-key | static-ds | initial-ds 784 ) <integer> <integer> <integer> 785 <quoted_string>; ... }; // may occur multiple times 786 trusted-keys { <string> 787 <integer> <integer> 788 <integer> 789 <quoted_string>; ... }; // may occur multiple times, deprecated 790 try-tcp-refresh <boolean>; 791 update-check-ksk <boolean>; 792 use-alt-transfer-source <boolean>; 793 use-queryport-pool <boolean>; // obsolete 794 v6-bias <integer>; 795 validate-except { <string>; ... }; 796 zero-no-soa-ttl <boolean>; 797 zero-no-soa-ttl-cache <boolean>; 798 zone <string> [ <class> ] { 799 allow-notify { <address_match_element>; ... }; 800 allow-query { <address_match_element>; ... }; 801 allow-query-on { <address_match_element>; ... }; 802 allow-transfer { <address_match_element>; ... }; 803 allow-update { <address_match_element>; ... }; 804 allow-update-forwarding { <address_match_element>; ... }; 805 also-notify [ port <integer> ] [ dscp <integer> ] { ( 806 <remote-servers> | <ipv4_address> [ port <integer> ] | 807 <ipv6_address> [ port <integer> ] ) [ key <string> ]; 808 ... }; 809 alt-transfer-source ( <ipv4_address> | * ) [ port ( 810 <integer> | * ) ] [ dscp <integer> ]; 811 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( 812 <integer> | * ) ] [ dscp <integer> ]; 813 auto-dnssec ( allow | maintain | off ); // deprecated 814 check-dup-records ( fail | warn | ignore ); 815 check-integrity <boolean>; 816 check-mx ( fail | warn | ignore ); 817 check-mx-cname ( fail | warn | ignore ); 818 check-names ( fail | warn | ignore ); 819 check-sibling <boolean>; 820 check-spf ( warn | ignore ); 821 check-srv-cname ( fail | warn | ignore ); 822 check-wildcard <boolean>; 823 database <string>; 824 delegation-only <boolean>; 825 dialup ( notify | notify-passive | passive | refresh | 826 <boolean> ); 827 dlz <string>; 828 dnskey-sig-validity <integer>; 829 dnssec-dnskey-kskonly <boolean>; 830 dnssec-loadkeys-interval <integer>; 831 dnssec-policy <string>; 832 dnssec-secure-to-insecure <boolean>; 833 dnssec-update-mode ( maintain | no-resign ); 834 file <quoted_string>; 835 forward ( first | only ); 836 forwarders [ port <integer> ] [ dscp <integer> ] { ( 837 <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ 838 dscp <integer> ]; ... }; 839 in-view <string>; 840 inline-signing <boolean>; 841 ixfr-base <quoted_string>; // ancient 842 ixfr-from-differences <boolean>; 843 ixfr-tmp-file <quoted_string>; // ancient 844 journal <quoted_string>; 845 key-directory <quoted_string>; 846 maintain-ixfr-base <boolean>; // ancient 847 masterfile-format ( map | raw | text ); 848 masterfile-style ( full | relative ); 849 masters [ port <integer> ] [ dscp <integer> ] { ( 850 <remote-servers> | <ipv4_address> [ port <integer> ] | 851 <ipv6_address> [ port <integer> ] ) [ key <string> ]; 852 ... }; 853 max-ixfr-log-size ( default | unlimited | 854 <sizeval> ); // ancient 855 max-ixfr-ratio ( unlimited | <percentage> ); 856 max-journal-size ( default | unlimited | <sizeval> ); 857 max-records <integer>; 858 max-refresh-time <integer>; 859 max-retry-time <integer>; 860 max-transfer-idle-in <integer>; 861 max-transfer-idle-out <integer>; 862 max-transfer-time-in <integer>; 863 max-transfer-time-out <integer>; 864 max-zone-ttl ( unlimited | <duration> ); 865 min-refresh-time <integer>; 866 min-retry-time <integer>; 867 multi-master <boolean>; 868 notify ( explicit | master-only | primary-only | <boolean> ); 869 notify-delay <integer>; 870 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * 871 ) ] [ dscp <integer> ]; 872 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> 873 | * ) ] [ dscp <integer> ]; 874 notify-to-soa <boolean>; 875 nsec3-test-zone <boolean>; // test only 876 parental-agents [ port <integer> ] [ dscp <integer> ] { ( 877 <remote-servers> | <ipv4_address> [ port <integer> ] | 878 <ipv6_address> [ port <integer> ] ) [ key <string> ]; 879 ... }; 880 parental-source ( <ipv4_address> | * ) [ port ( <integer> | 881 * ) ] [ dscp <integer> ]; 882 parental-source-v6 ( <ipv6_address> | * ) [ port ( 883 <integer> | * ) ] [ dscp <integer> ]; 884 primaries [ port <integer> ] [ dscp <integer> ] { ( 885 <remote-servers> | <ipv4_address> [ port <integer> ] | 886 <ipv6_address> [ port <integer> ] ) [ key <string> ]; 887 ... }; 888 pubkey <integer> <integer> <integer> 889 <quoted_string>; // ancient 890 request-expire <boolean>; 891 request-ixfr <boolean>; 892 serial-update-method ( date | increment | unixtime ); 893 server-addresses { ( <ipv4_address> | <ipv6_address> ); ... }; 894 server-names { <string>; ... }; 895 sig-signing-nodes <integer>; 896 sig-signing-signatures <integer>; 897 sig-signing-type <integer>; 898 sig-validity-interval <integer> [ <integer> ]; 899 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | 900 * ) ] [ dscp <integer> ]; 901 transfer-source-v6 ( <ipv6_address> | * ) [ port ( 902 <integer> | * ) ] [ dscp <integer> ]; 903 try-tcp-refresh <boolean>; 904 type ( primary | master | secondary | slave | mirror | 905 delegation-only | forward | hint | redirect | 906 static-stub | stub ); 907 update-check-ksk <boolean>; 908 update-policy ( local | { ( deny | grant ) <string> ( 909 6to4-self | external | krb5-self | krb5-selfsub | 910 krb5-subdomain | ms-self | ms-selfsub | ms-subdomain | 911 name | self | selfsub | selfwild | subdomain | tcp-self 912 | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... } ); 913 use-alt-transfer-source <boolean>; 914 zero-no-soa-ttl <boolean>; 915 zone-statistics ( full | terse | none | <boolean> ); 916 }; // may occur multiple times 917 zone-statistics ( full | terse | none | <boolean> ); 918}; // may occur multiple times 919 920zone <string> [ <class> ] { 921 allow-notify { <address_match_element>; ... }; 922 allow-query { <address_match_element>; ... }; 923 allow-query-on { <address_match_element>; ... }; 924 allow-transfer { <address_match_element>; ... }; 925 allow-update { <address_match_element>; ... }; 926 allow-update-forwarding { <address_match_element>; ... }; 927 also-notify [ port <integer> ] [ dscp <integer> ] { ( 928 <remote-servers> | <ipv4_address> [ port <integer> ] | 929 <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; 930 alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) 931 ] [ dscp <integer> ]; 932 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | 933 * ) ] [ dscp <integer> ]; 934 auto-dnssec ( allow | maintain | off ); // deprecated 935 check-dup-records ( fail | warn | ignore ); 936 check-integrity <boolean>; 937 check-mx ( fail | warn | ignore ); 938 check-mx-cname ( fail | warn | ignore ); 939 check-names ( fail | warn | ignore ); 940 check-sibling <boolean>; 941 check-spf ( warn | ignore ); 942 check-srv-cname ( fail | warn | ignore ); 943 check-wildcard <boolean>; 944 database <string>; 945 delegation-only <boolean>; 946 dialup ( notify | notify-passive | passive | refresh | <boolean> ); 947 dlz <string>; 948 dnskey-sig-validity <integer>; 949 dnssec-dnskey-kskonly <boolean>; 950 dnssec-loadkeys-interval <integer>; 951 dnssec-policy <string>; 952 dnssec-secure-to-insecure <boolean>; 953 dnssec-update-mode ( maintain | no-resign ); 954 file <quoted_string>; 955 forward ( first | only ); 956 forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> 957 | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; 958 in-view <string>; 959 inline-signing <boolean>; 960 ixfr-base <quoted_string>; // ancient 961 ixfr-from-differences <boolean>; 962 ixfr-tmp-file <quoted_string>; // ancient 963 journal <quoted_string>; 964 key-directory <quoted_string>; 965 maintain-ixfr-base <boolean>; // ancient 966 masterfile-format ( map | raw | text ); 967 masterfile-style ( full | relative ); 968 masters [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> 969 | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port 970 <integer> ] ) [ key <string> ]; ... }; 971 max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient 972 max-ixfr-ratio ( unlimited | <percentage> ); 973 max-journal-size ( default | unlimited | <sizeval> ); 974 max-records <integer>; 975 max-refresh-time <integer>; 976 max-retry-time <integer>; 977 max-transfer-idle-in <integer>; 978 max-transfer-idle-out <integer>; 979 max-transfer-time-in <integer>; 980 max-transfer-time-out <integer>; 981 max-zone-ttl ( unlimited | <duration> ); 982 min-refresh-time <integer>; 983 min-retry-time <integer>; 984 multi-master <boolean>; 985 notify ( explicit | master-only | primary-only | <boolean> ); 986 notify-delay <integer>; 987 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 988 dscp <integer> ]; 989 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 990 [ dscp <integer> ]; 991 notify-to-soa <boolean>; 992 nsec3-test-zone <boolean>; // test only 993 parental-agents [ port <integer> ] [ dscp <integer> ] { ( 994 <remote-servers> | <ipv4_address> [ port <integer> ] | 995 <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; 996 parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 997 dscp <integer> ]; 998 parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 999 ] [ dscp <integer> ]; 1000 primaries [ port <integer> ] [ dscp <integer> ] { ( 1001 <remote-servers> | <ipv4_address> [ port <integer> ] | 1002 <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; 1003 pubkey <integer> <integer> <integer> <quoted_string>; // ancient 1004 request-expire <boolean>; 1005 request-ixfr <boolean>; 1006 serial-update-method ( date | increment | unixtime ); 1007 server-addresses { ( <ipv4_address> | <ipv6_address> ); ... }; 1008 server-names { <string>; ... }; 1009 sig-signing-nodes <integer>; 1010 sig-signing-signatures <integer>; 1011 sig-signing-type <integer>; 1012 sig-validity-interval <integer> [ <integer> ]; 1013 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 1014 dscp <integer> ]; 1015 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 1016 ] [ dscp <integer> ]; 1017 try-tcp-refresh <boolean>; 1018 type ( primary | master | secondary | slave | mirror | 1019 delegation-only | forward | hint | redirect | static-stub | 1020 stub ); 1021 update-check-ksk <boolean>; 1022 update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | 1023 external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self 1024 | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild 1025 | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] 1026 <rrtypelist>; ... } ); 1027 use-alt-transfer-source <boolean>; 1028 zero-no-soa-ttl <boolean>; 1029 zone-statistics ( full | terse | none | <boolean> ); 1030}; // may occur multiple times 1031 1032