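/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

/*
 * This is a worthless, nonrunnable example of a named.conf file that has
 * every conceivable syntax element in use.  We use it to test the parser.
 * It could also be used as a conceptual template for users of new features.
 *
 * NOTE(review): because the goal here is syntax coverage, the access
 * controls in this file are deliberately permissive -- allow-query and
 * allow-transfer { any; }, a control channel that allows { any; },
 * address-only allow-update lists, and TSIG secrets that are just base64
 * of placeholder text.  Treat them as parser fodder, not as values to
 * copy into a production configuration.
 *
 * Option names are hyphenated single tokens (e.g. "allow-transfer"),
 * IPv6 literals and prefix lengths contain no whitespace, and a "."
 * terminated name followed by a keyword ("foo.com. static") are two
 * separate tokens.  Breaking any of those apart is a syntax error.
 */

/*
 * C-style comments are OK
 */

// So are C++-style comments

# So are shell-style comments

// watch out for ";" -- it's important!

options {
	additional-from-auth true;
	additional-from-cache false;

	version "my version string";	// string returned for version
					// queries instead of the real
					// server version
	random-device "/dev/random";
	directory "/tmp";

	port 666;

	sig-validity-interval 33;

	# Obsolete
	named-xfer "/usr/libexec/named-xfer";	// _PATH_XFER

	dump-file "named_dump.db";		// _PATH_DUMPFILE
	pid-file "/var/run/named.pid";		// _PATH_PIDFILE
	statistics-file "named.stats";		// _PATH_STATS
	memstatistics-file "named.memstats";	// _PATH_MEMSTATS

	max-cache-ttl 999;
	min-cache-ttl 66;
	auth-nxdomain yes;		// always set AA on NXDOMAIN.
					// don't set this to 'no' unless
					// you know what you're doing -- older
					// servers won't like it.

	# Obsolete
	deallocate-on-exit no;

	dialup yes;

	# Obsolete
	fake-iquery no;

	fetch-glue yes;
	has-old-clients yes;
	host-statistics no;

	# Obsolete
	multiple-cnames no;		// if yes, then a name may have more
					// than one CNAME RR.  This use
					// is non-standard and is not
					// recommended, but it is available
					// because previous releases supported
					// it and it was used by large sites
					// for load balancing.

	notify yes;			// send NOTIFY messages.  You can set
					// notify on a zone-by-zone
					// basis in the "zone" statement
					// see (below)
	recursion yes;
	rfc2308-type1 no;

	# Obsolete
	use-id-pool yes;

	# Obsolete
	treat-cr-as-space yes;

	also-notify { 10.0.2.3; };

	// The "forward" option is only meaningful if you've defined
	// forwarders.  "first" gives the normal BIND
	// forwarding behavior, i.e. ask the forwarders first, and if that
	// doesn't work then do the full lookup.  You can also say
	// "forward only;" which is what used to be specified with
	// "secondary" or "options forward-only".  "only" will never attempt
	// a full lookup; only the forwarders will be used.
	forward first;
	forwarders {
		1.2.3.4;
		5.6.7.8;
	};

	check-names primary fail;
	check-names secondary warn;
	check-names response ignore;

	allow-query { any; };
	allow-transfer { any; };	// NOTE(review): wide open on purpose
					// (parser test).  A real server should
					// restrict AXFR/IXFR to its secondaries
					// and/or a TSIG key ACL.
	allow-recursion { !any; };	// recursion is enabled above, but this
					// ACL matches no client at all
	blackhole { 45/24; };
	keep-response-order { 46/24; };

	listen-on {
		10/24;
		10.0.0.3;
	};

	listen-on port 53 { any; };

	listen-on { 5.6.7.8; };

	listen-on port 1234 {
		!1.2.3.4;
		1.2.3/24;
	};

	listen-on-v6 { 1:1:1:1:1:1:1:1; };

	listen-on-v6 port 777 { 2:2:2:2:2:2:2:2; };

	query-source-v6 address 8:7:6:5:4:3:2:1 port *;
	query-source port * address 10.0.0.54;	// "port *" = let the OS
						// pick the source port
						// rather than pinning one

	lame-ttl 444;

	max-transfer-time-in 300;
	max-transfer-time-out 10;
	max-transfer-idle-in 100;
	max-transfer-idle-out 11;

	max-retry-time 1234;
	min-retry-time 1111;
	max-refresh-time 888;
	min-refresh-time 777;

	max-ncache-ttl 333;
	min-ncache-ttl 22;
	min-roots 15;
	serial-queries 34;

	transfer-format one-answer;

	transfers-in 10;
	transfers-per-ns 2;
	transfers-out 0;

	transfer-source 10.0.0.5;
	transfer-source-v6 4:3:2:1:5:6:7:8;

	request-ixfr yes;
	provide-ixfr yes;

	# Now called 'provide-ixfr'
	# maintain-ixfr-base no;	// If yes, keep transaction log file for IXFR

	max-ixfr-log-size 20m;
	coresize 100;
	datasize 101;
	files 230;
	max-cache-size 1m;
	stacksize 231;
	heartbeat-interval 1001;
	interface-interval 1002;
	statistics-interval 1003;

	topology {
		10/8;

		!1.2.3/24;

		{
			1.2/16;
			3/8;
		};
	};

	sortlist {
		10/8;
		11/8;
	};

	tkey-domain "foo.com";
	tkey-dhkey "xyz" 666;

	rrset-order {
		class IN type A name "foo" order random;
		order cyclic;
	};
};

/*
 * Control listeners, for "ndc".  Every nameserver needs at least one.
 */
controls {
	// 'inet' lines without a 'port' defaults to 'port 953'
	// 'keys' must be used and the list must have at least one entry
	inet * port 52 allow { any; }
		keys { "key2"; };	// NOTE(review): with allow { any; } the
					// key list is the only thing gating
					// this listener; the address ACL
					// rejects nobody.
	unix "/var/run/ndc" perm 0600 owner 0 group 0;	// ignored by named.
	inet 10.0.0.1 allow {
		any;
		key foo;
	}
		keys { "key4"; };
	inet 10.0.0.2 allow { none; }
		keys {
			"key-1";
			"key-2";
		};
	inet 10.0.0.2 allow { none; };	// no 'keys' clause: syntax coverage
					// only -- see the note above about
					// every real listener needing one
};

zone "primary.demo.zone" {
	type primary;
	database "somedb -option1 -option2 arg1 arg2 arg3";
	file "primary.demo.zone";
	check-names fail;
	allow-update { none; };
	allow-update-forwarding {
		10.0.0.5;
		!any;
	};
	allow-transfer { any; };
	allow-query { any; };
	sig-validity-interval 990;
	notify explicit;
	also-notify {
		1.0.0.1;
	};				// don't notify any nameservers other
					// than those on the NS list for this
					// zone
	forward first;
	forwarders {
		10.0.0.3;
		1:2:3:4:5:6:7:8;
	};
};

zone "secondary.demo.zone" {
	type secondary;
	file "secondary.demo.zone";
	ixfr-base "secondary.demo.zone.ixfr";	// File name for IXFR transaction
						// log file
	primaries {
		1.2.3.4 port 10 key "foo";	// where to zone transfer from
		5.6.7.8;
		6.7.8.9 key "zippo";
	};
	transfer-source 10.0.0.53;	// fixes multihoming problems
	check-names warn;
	allow-update { none; };
	allow-transfer { any; };
	allow-update-forwarding { any; };
	allow-query { any; };
	max-transfer-time-in 120;	// if not set, global option is used.
	max-transfer-time-out 1;	// if not set, global option is used.
	max-transfer-idle-in 2;		// if not set, global option is used.
	max-transfer-idle-out 3;	// if not set, global option is used.
	also-notify { 1.0.0.2; };
	forward only;
	forwarders {
		10.45.45.45;
		10.0.0.3;
		1:2:3:4:5:6:7:8;
	};
};

key "non-viewkey" {
	secret "YWFh";			// base64 of "aaa": placeholder only
	algorithm "zzz";		// not a real TSIG algorithm; exercises
					// the parser, nothing more
};

view "test-view" in {
	key "viewkey" {
		algorithm "xxx";	// placeholder algorithm, as above
		secret "eXl5";		// base64 of "yyy"
	};
	also-notify { 10.2.2.3; };
	managed-keys { foo.com. static 4 3 2 "abdefghijklmnopqrstuvwxyz"; };
	sig-validity-interval 45;
	max-cache-size 100000;
	allow-query { 10.0.0.30; };
	additional-from-cache false;
	additional-from-auth no;
	match-clients { 10.0.0.1; };	// NOTE(review): only 10.0.0.1 reaches
					// this view, and it is not in the
					// allow-query list above -- fine for a
					// parser test, nonsensical otherwise
	check-names primary warn;
	check-names secondary ignore;
	check-names response fail;
	auth-nxdomain false;
	recursion true;
	provide-ixfr false;
	request-ixfr true;
	fetch-glue true;
	notify false;
	rfc2308-type1 false;
	transfer-source 10.0.0.55;
	transfer-source-v6 4:3:8:1:5:6:7:8;
	query-source port * address 10.0.0.54;
	query-source-v6 address 6:6:6:6:6:6:6:6 port *;
	max-transfer-time-out 45;
	max-transfer-idle-out 55;
	min-roots 3;
	lame-ttl 477;
	max-ncache-ttl 333;
	max-cache-ttl 777;
	transfer-format many-answers;
	max-retry-time 7;
	min-retry-time 4;
	max-refresh-time 999;
	min-refresh-time 111;

	zone "view-zone.com" {
		type primary;
		allow-update-forwarding { 10.0.0.34; };
		file "view-zone-primary";
	};

	server 5.6.7.8 { keys "viewkey"; };

	server 10.9.8.7 { keys "non-viewkey"; };
	dialup yes;
};

zone "stub.demo.zone" {
	type stub;			// stub zones are like secondary zones,
					// except that only the NS records
					// are transferred.
	dialup yes;
	file "stub.demo.zone";
	primaries {
		1.2.3.4;		// where to zone transfer from
		5.6.7.8 port 999;
	};
	check-names warn;
	allow-update { none; };
	allow-transfer { any; };
	allow-query { any; };

	max-retry-time 10;
	min-retry-time 11;
	max-refresh-time 12;
	min-refresh-time 13;

	max-transfer-time-in 120;	// if not set, global option is used.
	pubkey 257 255 1 "a useless key";
	pubkey 257 255 1 "another useless key";
};

zone "." {
	type hint;			// used to be specified w/ "cache"
	file "cache.db";
	// pubkey 257 255 1
	//	"AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
};

managed-keys {
	// NOTE(review): syntax placeholder, not a real trust anchor --
	// never paste a key of unknown provenance into a managed-keys
	// or trust-anchors statement on a real resolver.
	"." static 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
};

acl can_query {
	!1.2.3/24;
	any;
};				// network 1.2.3.0 mask 255.255.255.0
				// is disallowed; rest are OK
acl can_axfr {
	1.2.3.4;
	can_query;
};				// host 1.2.3.4 and any host allowed
				// by can_query are OK

zone "disabled-zone.com" {
	type primary;
	file "bar";

	max-retry-time 100;
	min-retry-time 110;
	max-refresh-time 120;
	min-refresh-time 130;
};

zone "non-default-acl.demo.zone" {
	type primary;
	file "foo";
	allow-query { can_query; };
	allow-transfer { can_axfr; };
	allow-update {			// NOTE(review): address-only update
		1.2.3.4;		// ACLs can be satisfied by a spoofed
		5.6.7.8;		// UDP source; prefer key-based grants
	};				// (see 'key_acl' and update-policy)
	pubkey 666 665 664 "key of the beast";
	// Errors trapped by parser:
	//	identity or name not absolute
	//	'wildcard' match type and no wildcard character in name
	//
	// issues:
	//	- certain rdatatype values (such as "key") are config file
	//	  keywords and must be quoted or a syntax error will occur.
	//
	// NOTE(review): this zone carries both allow-update and update-policy;
	// that is here for syntax coverage -- a real zone should use one or
	// the other (confirm against named-checkconf before reusing).

	update-policy {
		grant root.domain. subdomain host.domain. A MX CNAME;
		grant sub.root.domain. wildcard *.host.domain. A;
		grant root.domain. name host.domain. a ns md mf cname soa mb mg mr
			"null" wks ptr hinfo minfo mx txt rp afsdb x25 isdn rt
			nsap sig "key" px gpos aaaa loc nxt srv naptr kx
			cert a6 dname opt unspec uri tkey tsig;
		grant foo.bar.com. self foo.bar.com. a;
	};
};

key sample_key {			// for TSIG; supported by parser
	algorithm hmac-md5;		// but not yet implemented in the
	secret "eW91ciBzZWNyZXQgaGVyZQ==";	// rest of the server
};					// NOTE(review): hmac-md5 and a secret
					// that decodes to placeholder text are
					// parser coverage only; real TSIG keys
					// should use an HMAC-SHA-2 algorithm
					// and a generated secret.

key key2 {
	algorithm hmac-md5;
	secret "ZXJlaCB0ZXJjZXMgcm91eQ==";	// placeholder, as above
};

acl key_acl { key sample_key; };	// a request signed with sample_key

server 1.2.3.4 {
	request-ixfr no;
	provide-ixfr no;
	bogus no;			// if yes, we won't query or listen
					// to this server
	transfer-format one-answer;	// set transfer format for this
					// server (see the description of
					// 'transfer-format' above)
					// if not specified, the global option
					// will be used
	transfers 0;			// not implemented
	keys { "sample_key" };		// for TSIG; supported by the parser
					// but not yet implemented in the
					// rest of the server
	# Now called 'request-ixfr'
	# support-ixfr yes;		// for IXFR supported by server
					// if yes, the listed server talks IXFR
};

logging {
	/*
	 * All log output goes to one or more "channels"; you can make as
	 * many of them as you want.
	 */

	channel syslog_errors {		// this channel will send errors or
		syslog user;		// or worse to syslog (user facility)
		severity error;
	};

	channel stderr_errors { stderr; };

	/*
	 * Channels have a severity level.  Messages at severity levels
	 * greater than or equal to the channel's level will be logged on
	 * the channel.  In order of decreasing severity, the levels are:
	 *
	 *	critical		a fatal error
	 *	error
	 *	warning
	 *	notice			a normal, but significant event
	 *	info			an informational message
	 *	debug 1			the least detailed debugging info
	 *	...
	 *	debug 99		the most detailed debugging info
	 */

	/*
	 * Here are the built-in channels:
	 *
	 *	channel default_syslog {
	 *		syslog daemon;
	 *		severity info;
	 *	};
	 *
	 *	channel default_debug {
	 *		file "named.run";	// note: stderr is used instead
	 *					// of "named.run" if the server
	 *					// is started with the "-f"
	 *					// option.
	 *		severity dynamic;	// this means log debugging
	 *					// at whatever debugging level
	 *					// the server is at, and don't
	 *					// log anything if not
	 *					// debugging.
	 *	};
	 *
	 *	channel null {			// this is the bit bucket;
	 *		file "/dev/null";	// any logging to this channel
	 *					// is discarded.
	 *	};
	 *
	 *	channel default_stderr {	// writes to stderr
	 *		file "<stderr>";	// this is illustrative only;
	 *					// there's currently no way
	 *					// of saying "stderr" in the
	 *					// configuration language.
	 *					// i.e. don't try this at home.
	 *		severity info;
	 *	};
	 *
	 *	default_stderr only works before the server daemonizes (i.e.
	 *	during initial startup) or when it is running in foreground
	 *	mode (-f command line option).
	 */

	/*
	 * There are many categories, so you can send the logs
	 * you want to see wherever you want, without seeing logs you
	 * don't want.  Right now the categories are
	 *
	 *	default			the catch-all.  many things still
	 *				aren't classified into categories, and
	 *				they all end up here.  also, if you
	 *				don't specify any channels for a
	 *				category, the default category is used
	 *				instead.
	 *	config			high-level configuration file
	 *				processing
	 *	parser			low-level configuration file processing
	 *	queries			what used to be called "query logging"
	 *	lame-servers		messages like "Lame server on ..."
	 *	statistics
	 *	panic			if the server has to shut itself
	 *				down due to an internal problem, it
	 *				logs the problem here (as well as
	 *				in the problem's native category)
	 *	update			dynamic update
	 *	ncache			negative caching
	 *	xfer-in			zone transfers we're receiving
	 *	xfer-out		zone transfers we're sending
	 *	db			all database operations
	 *	eventlib		debugging info from the event system
	 *				(see below)
	 *	packet			dumps of packets received and sent
	 *				(see below)
	 *	notify			the NOTIFY protocol
	 *	cname			messages like "XX points to a CNAME"
	 *	security		approved/unapproved requests
	 *	os			operating system problems
	 *	insist			consistency check failures
	 *	maintenance		periodic maintenance
	 *	load			zone loading
	 *	response-checks		messages like
	 *				"Malformed response ..."
	 *				"wrong ans. name ..."
	 *				"unrelated additional info ..."
	 *				"invalid RR type ..."
	 *				"bad referral ..."
	 */

	category parser {
		syslog_errors;		// you can log to as many channels
		default_syslog;		// as you want
	};

	category lame-servers { null; };	// don't log these at all

	channel moderate_debug {
		file "foo";		// foo
		severity debug 3;	// level 3 debugging to file
		print-time yes;		// timestamp log entries
		print-category yes;	// print category name
		print-severity yes;	// print severity level
		/*
		 * Note that debugging must have been turned on either
		 * on the command line or with a signal to get debugging
		 * output (non-debugging output will still be written to
		 * this channel).
		 */
	};

	channel another {
		file "bar" versions 99 size 10M;
		severity info;
	};

	channel third {
		file "bar" size 100000 versions unlimited;
		severity debug;		// use default debug level
	};

	/*
	 * If you don't want to see "zone XXXX loaded" messages but do
	 * want to see any problems, you could do the following.
	 */
	channel no_info_messages {
		syslog;
		severity notice;
	};

	category load { no_info_messages; };

	/*
	 * You can also define category "default"; it gets used when no
	 * "category" statement has been given for a category.
	 */
	category default {
		default_syslog;
		moderate_debug;
	};

	/*
	 * If you don't define category default yourself, the default
	 * default category will be used.  It is
	 *
	 *	category default { default_syslog; default_debug; };
	 */

	/*
	 * If you don't define category panic yourself, the default
	 * panic category will be used.  It is
	 *
	 *	category panic { default_syslog; default_stderr; };
	 */

	/*
	 * Two categories, 'packet' and 'eventlib', are special.  Only one
	 * channel may be assigned to each of them, and it must be a
	 * file channel.  If you don't define them yourself, they default to
	 *
	 *	category eventlib { default_debug; };
	 *
	 *	category packet { default_debug; };
	 */
};

#include "filename";		// can't do within a statement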