xref: /netbsd-src/external/mpl/bind/dist/fuzz/isc_lex_getmastertoken.in/named.conf (revision 345cf9fb81bd0411c53e25d62cd93bdcaa865312)
1/*
2 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
7 *
8 * See the COPYRIGHT file distributed with this work for additional
9 * information regarding copyright ownership.
10 */
11
12/*
13 * This is a worthless, nonrunnable example of a named.conf file that has
14 * every conceivable syntax element in use.  We use it to test the parser.
15 * It could also be used as a conceptual template for users of new features, but its values (ports, ACLs, keys) exist to exercise syntax and are not recommended settings.
16 */
17
18/*
19 * C-style comments are OK
20 */
21
22// So are C++-style comments
23
24#So are shell - style comments
25
26// watch out for ";" -- it's important!
27
28options {
29	additional - from - auth true;
30	additional - from - cache false;
31
32	version "my version string";
33	random - device "/dev/random";
34	directory "/tmp";
35
36	port 666;
37
38	sig - validity - interval 33;
39
40#Obsolete
41	named - xfer "/usr/libexec/named-xfer"; // _PATH_XFER
42
43	dump - file "named_dump.db";	       // _PATH_DUMPFILE
44	pid - file "/var/run/named.pid";       // _PATH_PIDFILE
45	statistics - file "named.stats";       // _PATH_STATS
46	memstatistics - file "named.memstats"; // _PATH_MEMSTATS
47
48	max - cache - ttl 999;
49	min - cache - ttl 66;
50	auth - nxdomain yes; // always set AA on NXDOMAIN.
51			     // don't set this to 'no' unless
52			     // you know what you're doing -- older
53			     // servers won't like it.
54
55#Obsolete
56	deallocate - on - exit no;
57
58	dialup yes;
59
60#Obsolete
61	fake - iquery no;
62
63	fetch - glue yes;
64	has - old - clients yes;
65	host - statistics no;
66
67#Obsolete
68	multiple - cnames no; // if yes, then a name may have more
69			      // than one CNAME RR.  This use
70			      // is non-standard and is not
71			      // recommended, but it is available
72			      // because previous releases supported
73			      // it and it was used by large sites
74			      // for load balancing.
75
76	notify yes; // send NOTIFY messages.  You can set
77		    // notify on a zone-by-zone
78		    // basis in the "zone" statement
79		    // (see below)
80	recursion yes;
81	rfc2308 - type1 no;
82
83#Obsolete
84	use - id - pool yes;
85
86#Obsolete
87	treat - cr - as - space yes;
88
89	also - notify { 10.0.2.3; };
90
91	// The "forward" option is only meaningful if you've defined
92	// forwarders.  "first" gives the normal BIND
93	// forwarding behavior, i.e. ask the forwarders first, and if that
94	// doesn't work then do the full lookup.  You can also say
95	// "forward only;" which is what used to be specified with
96	// "slave" or "options forward-only".  "only" will never attempt
97	// a full lookup; only the forwarders will be used.
98	forward first;
99	forwarders {
100		1.2.3.4;
101		5.6.7.8;
102	};
103
104	check - names master fail;
105	check - names slave warn;
106	check - names response ignore;
107
108	allow - query { any; };
109	allow - transfer { any; };
110	allow - recursion { !any; };
111	blackhole { 45 / 24; };
112	keep - response - order { 46 / 24; };
113
114	listen - on {
115		10 / 24;
116		10.0.0.3;
117	};
118
119	listen - on port 53 { any; };
120
121	listen - on { 5.6.7.8; };
122
123	listen - on port 1234 {
124		!1.2.3.4;
125		1.2.3 / 24;
126	};
127
128	listen - on - v6 { 1 : 1 : 1 : 1 : 1 : 1 : 1 : 1; };
129
130	listen - on - v6 port 777 { 2 : 2 : 2 : 2 : 2 : 2 : 2 : 2; };
131
132	query - source - v6 address 8 : 7 : 6 : 5 : 4 : 3 : 2 : 1 port *;
133	query - source port *address 10.0.0.54;
134
135	lame - ttl 444;
136
137	max - transfer - time - in 300;
138	max - transfer - time - out 10;
139	max - transfer - idle - in 100;
140	max - transfer - idle - out 11;
141
142	max - retry - time 1234;
143	min - retry - time 1111;
144	max - refresh - time 888;
145	min - refresh - time 777;
146
147	max - ncache - ttl 333;
148	min - ncache - ttl 22;
149	min - roots 15;
150	serial - queries 34;
151
152	transfer - format one - answer;
153
154	transfers - in 10;
155	transfers - per - ns 2;
156	transfers - out 0;
157
158	transfer - source 10.0.0.5;
159	transfer - source - v6 4 : 3 : 2 : 1 : 5 : 6 : 7 : 8;
160
161	request - ixfr yes;
162	provide - ixfr yes;
163
164#Now called 'provide-ixfr'
165#maintain - ixfr - base no; // If yes, keep transaction log file for IXFR
166
167	max - ixfr - log - size 20m;
168	coresize 100;
169	datasize 101;
170	files 230;
171	max - cache - size 1m;
172	stacksize 231;
173	heartbeat - interval 1001;
174	interface - interval 1002;
175	statistics - interval 1003;
176
177	topology {
178		10 / 8;
179
180		!1.2.3 / 24;
181
182		{
183			1.2 / 16;
184			3 / 8;
185		};
186	};
187
188	sortlist {
189		10 / 8;
190		11 / 8;
191	};
192
193	tkey - domain "foo.com";
194	tkey - dhkey "xyz" 666;
195
196	rrset - order {
197		class IN type A name "foo" order random;
198		order cyclic;
199	};
200};
201
202/*
203 * Control listeners, for "ndc".  Every nameserver needs at least one.
204 */
205controls {
206	// An 'inet' line without a 'port' defaults to 'port 953'
207	// 'keys' must be used and the list must have at least one entry
208	inet *port 52 allow { any; } // NOTE(review): '*' with allow { any; } leaves the key list below as the only restriction shown here
209	keys { "key2"; }; // key2 is defined later in this file with algorithm hmac-md5
210	unix "/var/run/ndc" perm 0600 owner 0 group 0; // ignored by named.
211	inet 10.0.0.1 allow {
212		any;
213		key foo;
214	}
215	keys { "key4"; };
216	inet 10.0.0.2 allow { none; }
217	keys {
218		"key-1";
219		"key-2";
220	};
221	inet 10.0.0.2 allow { none; }; // NOTE(review): no 'keys' clause here, unlike the rule stated above; presumably deliberate parser coverage
222};
223
224zone "master.demo.zone" {
225	type master; // what used to be called "primary"
226	database "somedb -option1 -option2 arg1 arg2 arg3";
227	file "master.demo.zone";
228	check - names fail;
229	allow - update { none; };
230	allow - update - forwarding {
231		10.0.0.5;
232		!any;
233	};
234	allow - transfer { any; };
235	allow - query { any; };
236	sig - validity - interval 990;
237	notify explicit;
238	also - notify {
239		1.0.0.1;
240	}; // don't notify any nameservers other
241	   // than those on the NS list for this
242	   // zone
243	forward first;
244	forwarders {
245		10.0.0.3;
246		1 : 2 : 3 : 4 : 5 : 6 : 7 : 8;
247	};
248};
249
250zone "slave.demo.zone" {
251	type slave; // what used to be called "secondary"
252	file "slave.demo.zone";
253	ixfr - base "slave.demo.zone.ixfr"; // File name for IXFR transaction
254					    // log file
255	masters {
256		1.2.3.4 port 10 key "foo"; // where to zone transfer from
257		5.6.7.8;
258		6.7.8.9 key "zippo";
259	};
260	transfer - source 10.0.0.53; // fixes multihoming problems
261	check - names warn;
262	allow - update { none; };
263	allow - transfer { any; };
264	allow - update - forwarding { any; };
265	allow - query { any; };
266	max - transfer - time - in 120; // if not set, global option is used.
267	max - transfer - time - out 1;	// if not set, global option is used.
268	max - transfer - idle - in 2;	// if not set, global option is used.
269	max - transfer - idle - out 3;	// if not set, global option is used.
270	also - notify { 1.0.0.2; };
271	forward only;
272	forwarders {
273		10.45.45.45;
274		10.0.0.3;
275		1 : 2 : 3 : 4 : 5 : 6 : 7 : 8;
276	};
277};
278
279key "non-viewkey" {
280	secret "YWFh"; // base64 of "aaa": a placeholder, not a usable secret
281	algorithm "zzz"; // NOTE(review): not an HMAC algorithm name; appears to be syntax filler
282};
283
284view "test-view" in {
285	key "viewkey" {
286		algorithm "xxx";
287		secret "eXl5";
288	};
289	also - notify { 10.2.2.3; };
290	managed - keys { foo.com.static 4 3 2 "abdefghijklmnopqrstuvwxyz"; };
291	sig - validity - interval 45;
292	max - cache - size 100000;
293	allow - query { 10.0.0.30; };
294	additional - from - cache false;
295	additional - from - auth no;
296	match - clients { 10.0.0.1; };
297	check - names master warn;
298	check - names slave ignore;
299	check - names response fail;
300	auth - nxdomain false;
301	recursion true;
302	provide - ixfr false;
303	request - ixfr true;
304	fetch - glue true;
305	notify false;
306	rfc2308 - type1 false;
307	transfer - source 10.0.0.55;
308	transfer - source - v6 4 : 3 : 8 : 1 : 5 : 6 : 7 : 8;
309	query - source port *address 10.0.0.54;
310	query - source - v6 address 6 : 6 : 6 : 6 : 6 : 6 : 6 : 6 port *;
311	max - transfer - time - out 45;
312	max - transfer - idle - out 55;
313	min - roots 3;
314	lame - ttl 477;
315	max - ncache - ttl 333;
316	max - cache - ttl 777;
317	transfer - format many - answers;
318	max - retry - time 7;
319	min - retry - time 4;
320	max - refresh - time 999;
321	min - refresh - time 111;
322
323	zone "view-zone.com" {
324		type master;
325		allow - update - forwarding { 10.0.0.34; };
326		file "view-zone-master";
327	};
328
329	server 5.6.7.8 { keys "viewkey"; };
330
331	server 10.9.8.7 { keys "non-viewkey"; };
332	dialup yes;
333};
334
335zone "stub.demo.zone" {
336	type stub; // stub zones are like slave zones,
337		   // except that only the NS records
338		   // are transferred.
339	dialup yes;
340	file "stub.demo.zone";
341	masters {
342		1.2.3.4; // where to zone transfer from
343		5.6.7.8 port 999;
344	};
345	check - names warn;
346	allow - update { none; };
347	allow - transfer { any; };
348	allow - query { any; };
349
350	max - retry - time 10;
351	min - retry - time 11;
352	max - refresh - time 12;
353	min - refresh - time 13;
354
355	max - transfer - time - in 120; // if not set, global option is used.
356	pubkey 257 255 1 "a useless key";
357	pubkey 257 255 1 "another useless key";
358};
359
360zone "." {
361	type hint; // used to be specified w/ "cache"
362	file "cache.db";
363	//	pubkey 257 255 1
364	//"AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
365};
366
367managed - keys {
368	"." static 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/"
369			     "KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP"
370			     "/rick6gvEer5VcDEkLR5Q==";
371};
372
373acl can_query {
374	!1.2.3 / 24;
375	any;
376}; // network 1.2.3.0 mask 255.255.255.0
377   // is disallowed; rest are OK
378acl can_axfr {
379	1.2.3.4;
380	can_query;
381}; // host 1.2.3.4 and any host allowed
382   // by can_query are OK
383
384zone "disabled-zone.com" {
385	type master;
386	file "bar";
387
388	max - retry - time 100;
389	min - retry - time 110;
390	max - refresh - time 120;
391	min - refresh - time 130;
392};
393
394zone "non-default-acl.demo.zone" {
395	type master;
396	file "foo";
397	allow - query { can_query; };
398	allow - transfer { can_axfr; };
399	allow - update {
400		1.2.3.4;
401		5.6.7.8;
402	};
403	pubkey 666 665 664 "key of the beast";
404	// Errors trapped by parser:
405	//	identity or name not absolute
406	//	'wildcard' match type and no wildcard character in name
407	//
408	// issues:
409	//	- certain rdatatype values (such as "key") are config file
410	// keywords and
411	// 	  must be quoted or a syntax error will occur.
412	//
413
414	update - policy {
415		grant root.domain.subdomain host.domain.A MX CNAME;
416		grant sub.root.domain.wildcard *.host.domain.A;
417		grant root.domain.name host.domain.a ns md mf cname soa mb mg mr
418			"null" wks ptr hinfo minfo mx txt rp afsdb x25 isdn rt
419				nsap sig "key" px gpos aaaa loc nxt srv naptr kx
420					cert a6 dname opt unspec uri tkey tsig;
421		grant foo.bar.com.self foo.bar.com.a;
422	};
423};
424
425key sample_key {			   // for TSIG; supported by parser
426	algorithm hmac - md5;		   // but not yet implemented in the
427	secret "eW91ciBzZWNyZXQgaGVyZQ=="; // rest of the server
428}; // the secret is base64 of "your secret here" (placeholder); hmac-md5 is a legacy TSIG algorithm, prefer an HMAC-SHA-2 one such as hmac-sha256 outside fixtures
429
430key key2 { // referenced by the first 'inet' entry in the controls statement
431	algorithm hmac - md5; // legacy TSIG algorithm; fixture value
432	secret "ZXJlaCB0ZXJjZXMgcm91eQ=="; // base64 of "ereh terces ruoy" (placeholder text, reversed)
433};
434
435acl key_acl { key sample_key; }; // a request signed with sample_key
436
437server 1.2.3.4 {
438	request - ixfr no;
439	provide - ixfr no;
440	bogus no;			// if yes, we won't query or listen
441					// to this server
442	transfer - format one - answer; // set transfer format for this
443					// server (see the description of
444					// 'transfer-format' above)
445					// if not specified, the global option
446					// will be used
447	transfers 0;			// not implemented
448	keys{ "sample_key" };		// for TSIG; supported by the parser
449					// but not yet implemented in the
450					// rest of the server
451#Now called 'request-ixfr'
452#support - ixfr yes; // for IXFR supported by server
453		     // if yes, the listed server talks IXFR
454};
455
456logging {
457	/*
458	 * All log output goes to one or more "channels"; you can make as
459	 * many of them as you want.
460	 */
461
462	channel syslog_errors { // this channel will send errors
463		syslog user;	// or worse to syslog (user facility)
464		severity error;
465	};
466
467	channel stderr_errors { stderr; };
468
469	/*
470	 * Channels have a severity level.  Messages at severity levels
471	 * greater than or equal to the channel's level will be logged on
472	 * the channel.  In order of decreasing severity, the levels are:
473	 *
474	 * 	critical		a fatal error
475	 *	error
476	 *	warning
477	 *	notice			a normal, but significant event
478	 *	info			an informational message
479	 *	debug 1			the least detailed debugging info
480	 *	...
481	 *	debug 99		the most detailed debugging info
482	 */
483
484	/*
485	 * Here are the built-in channels:
486	 *
487	 * 	channel default_syslog {
488	 *		syslog daemon;
489	 *		severity info;
490	 *	};
491	 *
492	 *	channel default_debug {
493	 *		file "named.run";	// note: stderr is used instead
494	 *					// of "named.run" if the server
495	 *					// is started with the "-f"
496	 *					// option.
497	 *		severity dynamic;	// this means log debugging
498	 *					// at whatever debugging level
499	 *					// the server is at, and don't
500	 *					// log anything if not
501	 *					// debugging.
502	 *	};
503	 *
504	 *	channel null {			// this is the bit bucket;
505	 *		file "/dev/null";	// any logging to this channel
506	 *					// is discarded.
507	 *	};
508	 *
509	 *	channel default_stderr {	// writes to stderr
510	 *		file "<stderr>";	// this is illustrative only;
511	 *					// there's currently no way
512	 *					// of saying "stderr" in the
513	 *					// configuration language.
514	 *					// i.e. don't try this at home.
515	 *		severity info;
516	 *	};
517	 *
518	 *	default_stderr only works before the server daemonizes (i.e.
519	 *	during initial startup) or when it is running in foreground
520	 *	mode (-f command line option).
521	 */
522
523	/*
524	 * There are many categories, so you can send the logs
525	 * you want to see wherever you want, without seeing logs you
526	 * don't want.  Right now the categories are
527	 *
528	 *	default			the catch-all.  many things still
529	 *				aren't classified into categories, and
530	 *				they all end up here.  also, if you
531	 *				don't specify any channels for a
532	 *				category, the default category is used
533	 *				instead.
534	 *	config			high-level configuration file
535	 *				processing
536	 *	parser			low-level configuration file processing
537	 *	queries			what used to be called "query logging"
538	 *	lame-servers		messages like "Lame server on ..."
539	 *	statistics
540	 *	panic			if the server has to shut itself
541	 *				down due to an internal problem, it
542	 *				logs the problem here (as well as
543	 *				in the problem's native category)
544	 *	update			dynamic update
545	 *	ncache			negative caching
546	 *	xfer-in			zone transfers we're receiving
547	 *	xfer-out		zone transfers we're sending
548	 *	db			all database operations
549	 *	eventlib		debugging info from the event system
550	 *				(see below)
551	 *	packet			dumps of packets received and sent
552	 *				(see below)
553	 *	notify			the NOTIFY protocol
554	 *	cname			messages like "XX points to a CNAME"
555	 *	security		approved/unapproved requests
556	 *	os			operating system problems
557	 *	insist			consistency check failures
558	 *	maintenance		periodic maintenance
559	 *	load			zone loading
560	 *	response-checks		messages like
561	 *				"Malformed response ..."
562	 *				"wrong ans. name ..."
563	 *				"unrelated additional info ..."
564	 *				"invalid RR type ..."
565	 *				"bad referral ..."
566	 */
567
568	category parser {
569		syslog_errors;	// you can log to as many channels
570		default_syslog; // as you want
571	};
572
573	category lame - servers { null; }; // don't log these at all
574
575	channel moderate_debug {
576		file "foo";	      // foo
577		severity debug 3;     // level 3 debugging to file
578		print - time yes;     // timestamp log entries
579		print - category yes; // print category name
580		print - severity yes; // print severity level
581				      /*
582				       * Note that debugging must have been turned on either
583				       * on the command line or with a signal to get debugging
584				       * output (non-debugging output will still be written to
585				       * this channel).
586				       */
587	};
588
589	channel another {
590		file "bar" versions 99 size 10M;
591		severity info;
592	};
593
594	channel third {
595		file "bar" size 100000 versions unlimited;
596		severity debug; // use default debug level
597	};
598
599	/*
600	 * If you don't want to see "zone XXXX loaded" messages but do
601	 * want to see any problems, you could do the following.
602	 */
603	channel no_info_messages {
604		syslog;
605		severity notice;
606	};
607
608	category load { no_info_messages; };
609
610	/*
611	 * You can also define category "default"; it gets used when no
612	 * "category" statement has been given for a category.
613	 */
614	category default {
615		default_syslog;
616		moderate_debug;
617	};
618
619	/*
620	 * If you don't define category default yourself, the default
621	 * default category will be used.  It is
622	 *
623	 * 	category default { default_syslog; default_debug; };
624	 */
625
626	/*
627	 * If you don't define category panic yourself, the default
628	 * panic category will be used.  It is
629	 *
630	 * 	category panic { default_syslog; default_stderr; };
631	 */
632
633	/*
634	 * Two categories, 'packet' and 'eventlib', are special.  Only one
635	 * channel may be assigned to each of them, and it must be a
636	 * file channel.  If you don't define them  yourself, they default to
637	 *
638	 *	category eventlib { default_debug; };
639	 *
640	 *	category packet { default_debug; };
641	 */
642};
643
644#include "filename"; // can't do within a statement
645