• IPAM
  • DNS
  • DHCP
  • Resources
  • About

BIND 9.20 Configuration Options

BIND configuration options as of BIND 9.20.11 are listed below and each option's applicability to the name server configuration (named.conf - options column) view statements or zone statements by zone type. This is intended as a quick reference listing each option in alphabetical order by option name. Option support varies by BIND release so check the options file within the doc/misc directory of your BIND installation to compare those supported in your release with this table.

The following conventions are used in the table:

  • A value of yes in the table indicates that the option specified in the corresponding row is supported within the statement block identified by the corresponding column for BIND 9.20. A blank value means it does not. A value of 'N/A' means that the option may be specified but is either ignored or not implemented as discussed in the corresponding description column for the table entry. Text in narrow font indicates that a value of the type so indicated must be specified. The table includes the following:
    • address_match_list - a name corresponding to a defined address match list within the configuration file
    • algorithm - one of a pre-defined set of valid hash algorithms
    • bytes - an integer quantity indicating a number of bytes
    • domain - a domain-formatted text string e.g. www.ipamworldwide.com.
    • IP_address - an IPv4 or IPv6 formatted address value
    • minutes - an integer value indicating the number of minutes
    • number - an integer quantity
    • pathname - a text string indicating a directory path on the server
    • port - an integer indicating a UDP or TCP port number
    • port_list - a list of integer port numbers
    • size - a size measure expressed as an integer and unit e.g. 10g for 10 gigabytes; if no unit is provided the default is bytes
    • string - a text string
    • zone_name - the name of a zone in domain format
  • Keywords are parameters though non-italicized. Examples are yes no first ignore.
  • ( a | b | c ) - parentheses denote a number of parameters one of which can be selected; the pipe character represents 'or.' Thus this expression indicates that a value of either a, b or c can be specified.

Option name and syntax Option description options view zone primary zone secondary zone stub zone static-stub zone forward zone hintzone redirect
allow-new-zones { yes | no };Configures whether zones can be added to the server at runtime using rndc addzone or deleted using rndc delzone. The default is no.yes







allow-notify { address_match_list };Accept Notify messages from hosts identified by the address match list in addition to corresponding zone primaries. The default is to allow Notify messages from the configured zone primary server(s) as configured in the primaries statement of a given zone declaration.yesyes
yes




allow-proxy { address_match_list };Experimental. Defines the scope from which the server will accept DNS message with PROXYv2 headers, which help identify the original client IP information. Default = none.yesyes
yes




allow-proxy-on { address_match_list };Experimental. Defines an address_match_list for the interface addresses allowed to accept PROXYv2 headers. The option is mostly intended for multi-homed configurations. Default= any.yesyes
yes




allow-query { address_match_list };Defines an ACL regarding who can query this server based on the address match list definition. The default is any.yesyesyesyesyesyes

yes
allow-query-cache { address_match_list };Specifies which hosts based on the address match list may receive query answers from the server's cache. If not specified this option defaults to the address match list specified in the allow-recursion option; if this is not set then that set in the allow-query option is used; otherwise this option defaults to {localnets; localhosts;}.yesyes






allow-query-cache-on { address_match_list };Specifies on which name server interface(s) queries will be accepted that may receive answers from the server's cache. For example this option could be configured to allow cache queries on the interface(s) facing the internal network.yesyes






allow-query-on { address_match_list };Specifies on which name server interface(s) queries will be accepted. For example this option could be configured to allow queries on the interface(s) facing the internal network.yesyesyesyesyes


yes
allow-recursion { address_match_list };Defines an ACL on who can issue recursive queries to this server based on the address match list definition. If not specified this option defaults to the address match list specified in the allow-query-cache option; if this is not set then that set in the allow-query option is used; otherwise this option defaults to {localnets; localhosts;}.yesyes






allow-recursion-on { address_match_list };Specifies on which name server interface(s) recursive queries will be accepted. For example this option could be configured to allow recursive queries on the interface(s) facing the internal network. The default is to accept recursive queries on all server interfaces.yesyes






allow-transfer { address_match_list };Specifies an ACL on who can receive a zone transfer from this server. The default is any.yesyesyesyes




allow-update { address_match_list };Defines an ACL on who can perform a dynamic DNS update based on the address match list definition. The default is none. If the more granular update-policy option is specified within options view or zone blocks allow-update must not also be specified within the corresponding statement block.yesyesyes





allow-update-forwarding { address_match_list };Specifies an ACL defining from whom dynamic updates will be accepted for secondary zones which will in turn be forwarded to the zone's primary server. The default is none. ISC recommends using either any or none the default. This pushes the enforcement of update acceptance from this secondary server to the primary server.yesyes
yes




also-notify [ port integer ] [ source ( ipv4_address | * ) ] [ source-v6 ( ipv6_address | * ) ] { ( server-list | IP_address [ port integer ] ) [ key keyname ] [ tls string ] ; ... };

Defines a set of IP addresses with or without corresponding port numbers to which to send Notify messages when a zone is updated (default = empty i.e. none). This option specifies additional Notify recipients to those specified in the zone's NS records.

yesyesyesyes




answer-cookie (yes | no);Specifies whether the server will include the COOKIE EDNS options in responses. The default is yes and it is suggested this be set to no only to rectify operational problemsyes







attach-cache cache-name;By default each view has its own cache database; this option enables sharing of a common cache database across some or all views. When set in the options directive all views will use the cache-name cache. Particular views may use their own cache by specifying a different cache-name within the view statement block. Cache sharing among views requires each view to support common cache-impacting parameters: check-names cleaning-interval dnssec-accept-expired dnssec-validation max-cache-ttl max-ncache-ttl max-cache-size and zero-no-soa-ttl.yesyes






auth-nxdomain (yes | no);Allows the server to always claim that a negative answer from its cache is actually authoritative even if it isn't; the default is no do not always claim authoritative answers.yesyes






automatic-interface-scan { yes | no };Configures named to recan network interfaces on the server when interface addresses are added or removed. The default is yes.yes







avoid-v4-udp-ports { port_list };Deprecated. Specifies which port numbers to avoid as system-assigned source UDP ports over IPv4 typically to avoid firewall-blocked port numbersyes







avoid-v6-udp-ports { port_list };Deprecated. Specifies which port numbers to avoid as system-assigned source UDP ports over IPv6 typically to avoid firewall-blocked port numbersyes







bindkeys-file pathname;Specifies the pathname on the server for the trusted keys for use in DNSSEC Lookaside Validation. The default is /etc/bind.keys.yes







blackhole { address_match_list };Defines an ACL defined by the address match list from which this server will not accept queries nor use to resolve a query. The default is none.yes







catalog-zones { specifications }; This option defines a catalog zone to facilitate zone updates for slave servers. Please refer to the catalog zones section for specification details.yesyes




check-dup-records (fail | warn | ignore);Configures the server to check its primary zones for resource records that are treated differently by DNSSEC but are semantically equal in plain DNS. The default is warn.yesyesyes





check-integrity (yes | no);When set to yes configures the server to perform zone integrity checks after loading of primary zones; the integrity check consists of assuring MX and SRV records refer to hosts which have corresponding A or AAAA records (intra-zone checks only) and that glue records exist for delegated zones. The default is yes.yesyesyes





check-mx (warn | fail | ignore);Performs checking on MX records and will fail warn (default) or ignore based on whether the RDATA contains an IP address.yesyesyes





check-mx-cname (warn | fail | ignore);Configures the server to verify that MX records do not refer to CNAME records; applies when check-integrity yes is configured. The default is warn.yesyes






check-names (primary | secondary | response) (warn | fail | ignore);Configures the server to validate owner names of A AAAA and MX records as well as RDATA names in NS SOA and MX records and also PTR records resolved based on queries for owners within ip6.arpa or in-addr.arpa zones. When defined within the options or view statement but not within zone declarations checking can be focused to primary zones (default = fail), secondary zones (default = warn), or responses received from other servers (response default = ignore).yesyesyesyesyes

yes
check-sibling (yes | no);Configures the server to verify that glue records exist for sibling zones i.e. other zones delegated by this server (as a common parent). For example the Rdata field of an NS record for a delegated zone may refer to a name server in a sibling zone:

a.ipamworldwide.com. IN NS ns.b.ipamworldwide.com

In such a case setting this option to yes causes the server to verify that a glue (A/AAAA) record exists for ns.b.ipamworldwide.com. This option only applies when check-integrity yes is configured. The default value is yes.

yesyes






check-spf (warn | ignore);If check-integrity is set this option dictates whether to check for the presence of a TXT record if an SPF record is found. Sender Policy Framework (SPF) RRTypes have been deprecated given the embedded deployments of SPF using the TXT record instead. The default value is warn.

yesyes






check-srv-cname (warn | fail | ignore);Configures the server to verify that SRV records do not refer to CNAME records; applies when check-integrity yes is configured. The default is warn.yesyes






check-svcb boolean ;Configures the server to check that SVCB (Service Binding) records that start with a _dns label prefixed by an optional _ label (e.g., _443._dns.ns1.example) have an alpn parameter, and that the dohpath parameter exists when the alpn indicates that it should be present. The default is yes.yesyes






check-wildcard (yes | no);Instructs the server to issue a warning upon detecting a non-fully resolvable wildcard (*) in its primary zones if set to yes. The default is yes.yesyesyes





clients-per-query number;Defines the minimum initial number of simultaneous outstanding recursive queries for a given name (i.e. of the same qname qtype qclass). In this context the server issuing such queries is the ""client"" referred to by the option name. (default = 10)yesyes






cookie-algorithm (aes | siphash24);Defines the algorithm to be used when generating the server cookie, which serves as a lightweight DNS message authentication mechanism. The default is aes if supported by the server, otherwise siphash24.yes





cookie-secret secret_string;Specifies the shared secret used for generating and verifying EDNS COOKIE options within an anycast cluster. The shared secret is encoded as a hex string and needs to be 128 bits for AES128, 160 bits for SHA1 and 256 bits for SHA256. If not set, the system will generate a random secret at startup.yes





deny-answer-addresses { address_match_list; } [except-from { name-list; Configures the server to filter out (drop) address (A or AAAA) query responses from external DNS servers where the address(es) contained in the answer section fall within the address_match_list definition to mitigate rebinding attacks. However all address answers where the query name matches the except-from name-list will be accepted. For example a server configured with deny-answer-addresses {192.0.2.0/24;} except-from {"ipamworldwide.com";}; will drop A records in the answer section containing an address within the 192.0.2.0/24 space except where the query name falls within the ipamworldwide.com domain or subdomain.yesyes






deny-answer-aliases { alias-list; } [except-from { name-list; Configures the server to filter out (drop) alias (CNAME or DNAME) query responses from external DNS servers where the alias(es) contained in the answer section fall within the alias-list definition to mitigate rebinding attacks. However all alias answers where the query name matches the except-from name-list will be accepted. For example a server configured with deny-answer-aliases {"ipamworldwide.com";} except-from {"biz.worldwide.com";}; will drop CNAME or DNAME records within the answer section of the response containing an answer within the ipamworldwide.com domain or subdomains except where the query name falls within the biz.ipamworldwide.com domain or subdomains.yesyes






dialup (yes | no | notify | refresh | passive | notify-passive );Deprecated. Concentrates all communications between servers to the time when a dialup connection is made based on timing set in the heartbeat-interval option overriding the refresh timer to send out SOA (refresh) queries and NOTIFYs only at this interval. More granular control is available using:
  • notify parameter which directs the server to send only NOTIFYs during the connection with normal refresh processing
  • notify-passive parameter which indicates the server will send NOTIFYs during the heartbeat interval while suspending normal refresh processing
  • refresh suspends NOTIFYs during heartbeat intervals but sends refresh queries during the heartbeat interval
  • passive disables normal refresh processing
  • notify-passive sends NOTIFYs during the heartbeat and suppresses refresh processing
yesyesyesyesyes



directory pathname;"Specifies the location of current working directory on the server. Any relative (non-absolute) pathnames are interpreted as relative to this directory. If not specified the default is "".""."yes







disable-algorithms domain { algorithm; [ algorithm;] };Disables the specified DNSSEC algorithm(s) when processing queries for the specified domain and its subdomains. Multiple occurrences of this statement are permitted.yesyes






disable-ds-digests domain { digest_type; [ digest_type; ] };Disables specified DS/DLV digest types at and below the specified domain. Multiple statements are permitted.yesyes






disable-empty-zone zone_name;Disables an individual empty zone identified by zone_name. Multiple statements are permitted.yesyes






dns64 IPv6_prefix {
[clients {address_match_list };]
[mapped {address_match_list };]
[exclude {address_match_list };]
[suffix IPv6_addr;]
[recursive-only (yes|no);]
[break-dnssec (yes|no);] };

Supports the DNS64 IPv4-IPv6 co-existence strategy by allowing an IPv6 host to connect to an IPv4 destination via a NAT64 gateway whose IP address is a concatenation of the specified IPv6 prefix and a IPv4 address returned via A record queries (when no native AAAA record answers are provided). The DNS64 service provides this mapping function.

This option configures the recursive server to return mapped IPv4 addresses to AAAA queries when A but no AAAA answers are received from the authoritative server . The resolver receiving such an answer shall connect to a NAT64 device at this address; the NAT64 device links the incoming IPv6 connection from the resolver client to the corresponding mapped IPv4 address encoded in the IPv6 destination address based on the AAAA response provided by the DNS64 service.

The clients parameter indicates an address match list of clients for whom the service is provided; the default is any. The mapped parameter indicates which IPv4 addresses within the A resource record set shall be mapped to corresponding AAAA answers. The exclude parameter defines which queried IPv6 networks will return DNS64-translated AAAA records (based on A records returned) will be returned not native AAAA records; normally native AAAA records are returned obviating the need to return DNS64 fabricated AAAA records. The suffix can be used to specify addiitional bits to include in the mapped response following the IPv4 address (default is ::). The recursive-only parameter indicates whether to apply DNS64 mapping to recursive queries only and the break-dnssec will not add or remove records from the authoritative server response if no and will do so if yes.

yesyes






dns64-contact name ;Supports the DNS64 IPv4-IPv6 co-existence strategy as discussed above. This option defines the administrative contact name that will appear in the SOA record for the ipv6.arpa zone corresponding to the mapped AAAA records created by appending the IPv4 address to the IPv6 prefix during a DNS64 transaction.yesyes






dns64-server name ;Supports the DNS64 IPv4-IPv6 co-existence strategy as described above. This option defines the DNS server name that will appear in the SOA record for the ipv6.arpa zone corresponding to the mapped AAAA records created by appending the IPv4 address to the IPv6 prefix during a DNS64 transaction.yesyes






dnskey-sig-validity days ;Defines the number of days in the future when DNSSEC signatures that are automatically generated for DNSKEY RRsets as a result of dynamic updates will expire. This option is disabled if set to 0; otherwise it overrides the sig-validity-interval option for DNSKEY records. The maximum value is 3660 (10 years).yesyes






dnsrps-enable (yes | no) ;Enables or disables the DNS Response Policy Service (RPS) API, which enables use of an external response policy provider as an alternative to response policy zones.yesyes






dnsrps-library pathname ;This option specifies the path to the DNSRPS (DNS Response Policy Service) provider library. Typically this library is detected when building with configure --enable-dnsrps and does not need to be specified in named.conf; the option exists to override the default library for testing purposes.yesyes






dnsrps-options { text };Configures the DNS Response Policy Service (RPS) provider library, librpz; the text is passed to the library, concatenated with settings derived from the response policy statement.yesyes






dnssec-accept-expired (yes | no);Instructs the server to accept expired signatures for DNSSEC validation. The default is no.yesyes






dnssec-dnskey-kskonly (yes | no);This option is a parameter for BIND's automated DNSSEC key and signature management features. When set to yes and update-check-ksk is set to yes only KSKs will be used to sign the DNSKEY RRset at the zone apex; otherwise ZSKs may be used to sign the DNSKEY RRset. When update-check-ksk is set to no this option is ignored.yesyesyesyes




dnssec-loadkeys-interval minutes;Specifies the interval between checks for new keys or changes in key timing metadata when auto-dnssec maintain; is configured. The default is 60 (minutes) the minimum value is 1 and the maximum value is 1440.yesyesyesyes




dnssec-must-be-secure domain (yes | no);Specifies a domain (including subdomains) that must provide secure resolution as validated by trusted-key configuration or DLV when set to yes. When set to no secure resolution is not required for this domain.yesyes






dnssec-policy specifications ;Defines a DNSSEC key and signing policy (KASP) for zones.yesyesyes





dnssec-secure-to-insecure (yes | no);When set to yes this allows the DNSKEY record(s) to be deleted in the zone(s) via BIND's automated DNSSEC key and signature management features introduced in BIND 9.7.0. Deleting these records effectively transitions the zone(s) from secure to insecure.yesyesyes





dnssec-update-mode (maintain | no-resign); Configures automated signing of new or changed resource records and automated resigning of RRSets when nearing signature expiration when set to maintain. When set to no-resign new or changed resource records will be signed but automated resigning of RRSets when nearing signature expiration will be disabled.yesyes






dnssec-validation (yes | no | auto);Turns on DNSSEC validation processing when set to yes. dnssec-enable must also be set to yes. The default is yes.yesyes






dnstap { message_type; ... };Defines message types to be logged under the dnstap query logging feature. Message type can be client, auth, resolver, forwarder, or all.yesyes






dnstap-identity ( string | hostname | none );Defines an identity to include in dnstap messages. The default is hostname, i.e., the server's hostname.yes







dnstap-output ( file | unix ) path_name;dnstap logging destination including specification of destination as a file or a UNIX domain socket followed by the path of the file or socket.yes







dnstap-version ( string | none );Specifies a version string to inclue in dnstap messages.yes







dual-stack-servers [port port] [dscp ip_dscp ] { (domainname [port port] [dscp ip_dscp ] |IP_address [port port] [dscp ip_dscp ] ); ... };Specifies external name server IP addresses or hostnames that have access to both IPv4 and IPv6 transport. This option has no effect if the server on which this option is configured is itself dual-stacked.yesyes






dump-file pathname;Specifies the file pathname to place the dump file when told to dump its database via rndc dumpdb; the default is named_dump.dbyes







edns-udp-size bytes;Defines the advertised EDNS UDP buffer size in bytes ranging from 512 to 4096 (default)yesyes






empty-contact name;Specifies the zone contact that will appear in the SOA record created in empty zones. If not specified "." is used.yesyes






empty-server name;Specifies the server name that will appear in the SOA record created in empty zones. If not specified the empty zone's name will be used.yesyes






empty-zones-enable (yes | no);Enables (yes) or disables (no) creation of empty zones on the server. Empty zones are enabled by default.yesyes






fetch-quota-params number low high discount;Defines parameters for the dynamic resizing of the fetches-per-server option in response to detected congestion. The number parameter indicates how often the moving average ratio of timeouts to responses should be calculated based on the number of queries received (default = 100 queries). The remaining arguments define the low ratio threshold (default 0.1), the high threshold (default 0.3) and the discount parameter (default 0.7) respectively where a higher discount weighs more recent events higher than earlier events. This option requires BIND to be built with configure -enable-fetchlimit.yesyes






fetches-per-server number [(drop | fail)];Defines the maximum number of simultaneous iterative queries that may be sent to a single name server. The default is 0 which indicates no limit. This quota is dynamically adjusted based on the setting of the fetch-quota-params option. The optional drop or fail keyword indicates whether the server shall drop those queries exceeding the quota with no response or respond with a SERVFAIL. The default is fail.yesyes






fetches-per-zone number [(drop | fail)];Defines the maximum number of simultaneous iterative queries that may be sent for a given domain. The default is 0 which indicates no limit. This quota is dynamically adjusted based on the setting of the fetch-quota-params option. The optional drop or fail keyword indicates whether the server shall drop those queries exceeding the quota with no response or respond with a SERVFAIL. The default is fail.yesyes






flush-zones-on-shutdown (yes | no);When signaled to exit via the SIGTERM signal the server will discard any pending zone writes from journal files; the default is no indicating zone writes should first be performedyes







forward (only | first);Configures the server to either:
  • use only those servers configured in the forwarders statement to resolve queries (forward only) or
  • to first query a server listed in the forwarders statement and upon receiving no resolution answer query another server (e.g. based on cached information or hints file configuration) (forward first).
yesyesyesyesyes
yes

forwarders [ port port ] [ tls profile ] { [IP_address [ port port ] [tls profile]; ... };Specifies the IP address(es) of servers to query when using forwarding. The default is an empty list i.e. no forwarding but when the empty list is used within a zone statement while forwarders are configured within the server options statement then thosev forwarders are enabled on the server but not for the zone with the empty forwarders list (i.e. acts as negation).yesyesyesyesyes
yes

fstrm-set-buffer-hint number ;Configures the threshold number of bytes to accumulate in the output buffer before forcing a buffer flush in the high speed framing library, libfstrm used by dnstap. The minimum is 1024, the maximum is 65536, and the default is 8192.yes







fstrm-set-flush-timeout number ;Defines the number of seconds to allow unflushed data to remain in the output buffer in the high speed framing library, libfstrm used by dnstap. The minimum (and default) is 1 second, the maximum is 600 seconds (10 minutes).yes







fstrm-set-input-queue-size number ;Specifies the number of queue entries to allocate for each input queue for the high speed framing library, libfstrm used by dnstap. This value must be a power of 2. The minimum is 2, the maximum is 16384, and the default is 512.yes







fstrm-set-output-notify-threshold number ;The number of outstanding queue entries to allow on an input queue before waking the I/O thread for the high speed framing library, libfstrm used by dnstap. The minimum is 1 and the default is 32.yes







fstrm-set-output-queue-model ( mpsc | spsc ) ;Controls the queuing semantics to use for queue objects for the high speed framing library, libfstrm used by dnstap. The default is mpsc (multiple producer, single consumer); the other option is spsc (single producer, single consumer). yes







fstrm-set-output-queue-size number ;Defines the number of queue entries to allocate for each output queue for the high speed framing library, libfstrm used by dnstap. The minimum is 2, the maximum is system-dependent, and the default is 64.yes







fstrm-set-reopen-interval number ;Defines the number of seconds to wait between attempts to reopen a closed output stream for the high speed framing library, libfstrm used by dnstap. The default is 5 seconds, the minimum is 1 second, and the maximum is 600 seconds (10 minutes).yes







geoip-directory pathname;Defines the directory containing the GeoIP .dat database files for GeoIP initialization. By default this option is not configured and the libGeoIP built-in directory is used for GeoIP features.yesyes






heartbeat-interval minutes;Deprecated. Defines the heartbeat interval governing frequency of tasks for zones defined with the dialup option set to a value other than no (default = 60 [minutes]).yes







hostname ( hostname_string | none );Defines a host name to be provided in response to a TXT query of class CHAOS for owner hostname.bind. The default is the hostname of the server on which named is running as determined by a gethostname() call. Setting hostname_string to none disables processing of these queries.yes







http-listener-clients integer;Defines the maximum number of active concurrent http connections (default = 300, 0 = disabled).yes







http-port integer;Specifies the TCP port number used by the server to send and receive unencrypted DNS traffic via HTTP.yes







http-streams-per-connection integer;Defines the maximum number of active concurrent HTTP/2 streams on a per connection basis. (default = 100, 0 = disabled)yes







https-port integer;Specifies the TCP port number used by the server to send and receive encrypted DNS-over-HTTPS traffic (default = 443).yes







inline-signing boolean;If enabled (default), a DNSSEC-signed version of the zone is maintained.

yesyes




interface-interval minutes;Defines the interval governing the frequency of scans for new or removed network interfaces on the server to begin listening on new interfaces and stop listening on deleted interfaces as permitted with corresponding listen-on settings. The default is 60 [minutes].yes







ipv4only-contact string;Specifies the SOA contact for the ipv4only.arpa zone created if a dns64 statement is configured.yesyes






ipv4only-enable boolean;Enables or disables the automated creation of ipv4only.arpa zones if a dns64 statement is configured.yesyes






ipv4only-server string;Specifies the name of the server for the ipv4only.arpa zone created if a dns64 statement is configured.yesyes






ixfr-from-differences ((yes | no) | primary | secondary);When set to yes the server will compute the differences between a new version of a zone (upon reload as a primary or zone transfer receipt as a secondary) and use the differences between these for IXFR processing. The parameters primary and secondary may be defined at the view and zone statements to apply this processing to primary zones or secondary zones respectively within the view or zone.yesyesyesyes




keep-response-order { address_match_list };Specifies the set of addresses with the address match list to which the server will send responses to TCP queries in the same order in which they were received. The default is none.

yes




key-directory pathname;The full directory pathname in which public and private key files are stored on the server for processing of dynamic updates of DNSSEC secure zones. If not specified the current working directory is used.yesyesyesyes




lame-ttl seconds;Defines the number of seconds the server will cache a lame server designation; i.e. a given server is not authoritative for a zone that's delegated to it (default = 600 [seconds]).yesyes






listen-on [port port] [proxy profile] [tls profile] [http profile] { address_match_list };Specifies the network interface the server listens for queries; the default is to listen on port 53 on all interfaces. Multiple listen-on statements may be defined.yes







listen-on-v6 [port port] [proxy profile] [tls profile] [http profile] { address_match_list };Specifies the network interface parameters on which the server will listen for queries using IPv6 transport. If this option is not specified the server will not listen on any of the server's IPv6 addresses unless BIND was invoked with the -6 option when it will listen on all IPv6 interfaces.
yes







lmdb-mapsize size;Sets the maximum size for the memory map of the new-zone database (NZD) in Lightning Memory-Mapped Database (LMDB) format when BIND is built with liblmdb. The LMDB stores zone configuration information when using rndc addzone. The default is 32MB.yes







managed-keys-directory directory;The directory in which files used to track managed keys are located. By default this is the named working directory.yes








masterfile-format ( text | raw );Specifies the format of zone files on the server. The default is text. Setting to raw will omit some name checking features and setting to map uses an image of a BIND 9 in-memory zone database but is very server architecture specific.yesyesyesyesyes


yes
masterfile-style ( relative | full ) ;When masterfile-format is set to text, this option specifies whether a dump of the zone files is formatted in multi-line format with owner names expressed relative to a shared origin when set to relative which may be easier for human consumption or with fully qualified owner names when set to full which may be easier for script processing.yes







yes
match-mapped-addresses (yes | no);Specifies that the server should map IPv4 addresses associated with an IPv4-mapped IPv6 address against defined address match lists for processing. This option is intended solely for use as a work around for a Linux kernel quirk for IPv6-enabled Linux servers.yes







max-cache-size ( default | unlimited | size | percentage );Sets the maximum memory size to be used for the server's cache. If using DNS views the specified size applies to the cache size for each view. When the amount of data in the cache approaches the limit the server will prematurely expire records to remain within the bound. The default is 90% of physical memory for views with recursion enabled or 2MB for recursion disabled. yesyes






max-cache-ttl number;Defines the maximum retention time for cached [positive] information. The default is 7 days.yesyes






max-clients-per-query number;Defines the maximum number of simultaneous outstanding recursive queries for a given name (i.e. of the same qname qtype qclass) before dropping additional clients. In this context the server issuing such queries is the "client" referred to by the option name (default = 100).yesyes






max-ixfr-ratio ( unlimited | percentage );Sets the threshold expressed as a percentage of pending ixfr size to the full zone size above which an AXFR will be used instead of an IXFR for a zone transfer request. The default, unlimited, disables ratio checking.The minimum percentage value is 1%.yesyesyesyes




max-journal-size ( default | unlimited | size );Specifies the maximum size for each journal file, expressed in bytes or, if followed by an optional unit suffix (‘k’, ‘m’, or ‘g’), in kilobytes, megabytes, or gigabytes. When the journal file approaches the specified size, some of the oldest transactions in the journal are automatically removed. The largest permitted value is 2 gigabytes. Very small values are rounded up to 4096 bytes. It is possible to specify unlimited, which also means 2 gigabytes. If the limit is set to default or left unset, the journal is allowed to grow up to twice as large as the zone.yesyesyesyes




max-ncache-ttl seconds;Defines the maximum number of seconds the server will cache negative answers. The default is 10800 [seconds] or 3 days and the maximum value is 7 days.yesyes






max-query-count integer;Defines the maximum number of iterative queries that may be sent by a resolver while looking up a single name. If more queries than this need to be sent before an answer is reached, then recursion is terminated and a SERVFAIL response is returned to the client. The default is 200.yesyes






max-query-restarts seconds;Defines the maximum number of successive CNAME targets to follow when resolving a client query, before terminating the query to avoid a CNAME loop. Valid values are 1 to 255, and the default is 11.yesyes






max-records integerSpecfies the maximum number of records permitted in a zone. The default is 0 which means unlimited.yesyesyesyes
yes		yes

yes
max-records-per-type integerSets the maximum number of resource records that can be stored in an RRset in a database. When configured in options or view, it controls the cache database; it also sets the default value for zone databases, which can be overridden by setting it at the zone level. If set to a positive value, any attempt to cache, or to add to a zone an RRset with more than the specified number of records, will result in a failure. If set to 0, there is no cap on RRset size. The default is 100.yesyesyesyes
yes		yes

yes
max-recursion-depth number;Defines the maximum number of resolution redirections permitted for a given query. A redirection occurs when resolving a domain name requires the resolution of another name. The default is 7.yesyes






max-recursion-queries number;Defines the maximum number of iterative queries that may be sent for a given recursive query. The root and TLD iterative queries are not counted against this max and the default is 75.yesyes






max-refresh-time seconds;Defines the maximum refresh interval for SOA refresh attempts to the primary.yesyesyesyesyes



max-retry-time seconds;Defines the maximum retry time at which the server should retry a failed zone transfer.yesyesyesyesyes



max-rsa-exponent-size number ;Defines the maximum RSA exponent size that will be accepted when validating DNSSEC responses (in bits). Valid values are 0 (default, equivalent to 4096), 35 to 4096.yes



max-stale-ttl number ;If the stale answers feature is enabled (via option stale-answer-enable yes or rndc serve-stale on), this option sets the maximum time beyond the TTL expiry of a record to retain it in cache. The default is one week.yes



max-transfer-idle-in minutes;Specifies a limit on the duration of idle time during an inbound zone transfer (default = 60 [minutes]). Once exceeded the zone transfer will be terminated.yesyes
yesyes



max-transfer-idle-out minutes;Specifies a limit on the duration of idle time during an outbound zone transfer (default = 60 [minutes]). Once exceeded the zone transfer will be terminated.yesyesyesyes




max-transfer-time-in minutes;Specifies a limit on the duration of an inbound zone transfer (default = 120 [minutes]). Once exceeded the zone transfer will be terminated.yesyes
yesyes



max-transfer-time-out minutes;Specifies a limit on the duration of an outbound zone transfer (default = 120 [minutes]). Once exceeded the zone transfer will be terminated.yesyesyesyes




max-types-per-name integerDefines the maximum number of resource record types that can be stored for a single owner name in a database. When configured in options or view, it controls the cache database and sets the default value for zone databases, which can be overridden by setting it at the zone level.When set to 0, there is no limit on the number of RR types. The default is 100.yesyesyesyes
yes		yes

yes
max-udp-size bytesDefines the maximum EDNS UDP packet size the server will send in bytes ranging from 512 to 4096 (default)yesyes






max-validation-failures-per-fetch integerExperimental. Definess the maximum number of DNSSEC validation failures that can happen in a single resolver fetch. The default is 1.yesyes






max-validations-per-fetch integerExperimental. Defines the maximum number of DNSSEC validations that can happen in a single resolver fetch. The default is 16.yesyes






max-zone-ttl (unlimited | sec)Deprecated. Defines the maximum permissible TTL value for all zones or a particular zone on the server. This is useful when rolling DNSSEC keys to to enable the to-be-rolled key to remain available until corresponding RRSIG records have expired from cahces.yesyesyes




yes
memstatistics (yes | no);Turns on (yes) or off (no) writing of memory statistics to the file specified in the memstatistics-file option. The default is no unless named was started with the "-m record" switch.yes







memstatistics-file pathname;This specifies the pathname of the file to which the server will write memory usage statistics. The default is named.memstats.yes







message-compression (yes | no) ;Configures the server to use DNS name compression for regular queries (compression is always used for incremental or absolute zone transfers)yes







min-cache-ttl seconds;Defines the minimum time the server will cache affirmative answers. Valid values range from 0 to 90s.yesyes



min-ncache-ttl seconds;Defines the minimum time the server will cache negative answers. Valid values range from 0 to 90s.yesyes



min-refresh-time seconds;Defines the minimum SOA refresh time to query the primary.yesyesyesyesyes



min-retry-time seconds;Defines the minimum retry time at which the server should retry a failed zone transfer.yesyesyesyesyes



min-transfer-rate-in integer integer;Inbound zone transfers running slower than the given amount of bytes in the given amount of minutes are terminated. This option takes two non-zero integer values. A check is performed periodically every time the configured time interval passes. The default value is 10240 5, i.e. 10240 bytes in 5 minutes. The maximum time value is 28 days (40320 minutes).yesyes
yesyes



minimal-any (yes | no);This option governs responses to ANY queries, i.e., RRType of "*" for a given qname. If set to yes, only one RRType (and associated DNSSEC signatures) for the queried name will be provided in the response instead of all RRTypes for the queried name if set to no (default).yes







minimal-responses ( yes | no | no-auth | no-auth-recursive );When set to yes this option instructs the server to only add records to the authority and additional sections of the response when required e.g. for negative responses or delegations. When set to no-auth, the server will only add records to the authority section if required but may add records to the additional section. When set to no-auth-recursive, limiting of authority and additional section resource records applies to recursive queries. The default is no.yesyes






multi-master (yes | no);When set to yes the server will not log when its serial number is greater than that on another primaryyesyes
yesyes



new-zones-directory pathname;Specifies the directory in which to store configuration parameters added via rndc addzone.yes
yes






no-case-compress {addr_match_list };Responses to queriers within the scope of the address match list will include non-compression of case-sensitive answers. With case compression (default), example.com and example.COM are the same and hence compressed; with no-case-compression, both versions of the answer are included in the response.
yesyes





nocookie-udp-size number ;Defines the maximum size in bytes of UDP responses to queries without a valid server cookie. The default is 4096 but the max-udp-size option may further limit the response size.
yesyes





notify (yes | no | explicit | master-only | primary-only);This option governs the sending of NOTIFY messages:
  • yes - NOTIFY messages are sent to all servers with NS records for the zone except the zone master (primary) identified by the MNAME field of the zone's SOA record; NOTIFY messages are also sent to those defined in the also-notify option
  • explicit - NOTIFY messages are sent only to those servers identified in the also-notify option.
  • master-only - NOTIFY messages are sent only for master/primary zones
  • no - no NOTIFY messages are sent
yesyesyesyes




notify-defer seconds;This option defines the delay, in seconds, to wait before sending a set of NOTIFY messages for a zone. Whenever a NOTIFY message is ready to be sent, sending will be deferred for this duration. This can be useful, for example, when for some operation needs a catalog zone is updated with new member zones before these member zones are actually ready to be tranferred. The delay can be tuned for the catalog zone to an amount of time after which the member zones are usually known to become ready. The default is 0 seconds.yesyesyesyes




notify-delay seconds;This option defines the number of seconds to wait between sending sets of Notify messages. The default is 0.yesyesyesyes




notify-rate number;This option defines the rate of notify requests per second. The default is 20.yes







notify-source ( IPv4_address | * );Defines the server's network interface (IPv4 address) and optionally source UDP port for sending Notify messages.yesyesyesyes




notify-source-v6 ( IPv6_address | * );Defines the server's network interface (IPv6 address) and optionally source UDP port for sending Notify messages.yesyesyesyes




notify-to-soa (yes | no);Facilitates hidden primary configurations when set to yes by instructing the server to send a Notify message as appropriate to the server listed in the SOA record MNAME field. In hidden master configurations MNAME may be configured with the name of a secondary server. If set to no a Notify will not be sent to the server listed in the MNAME field.yesyesyesyes




nsec3-test-zone boolean ;This option is for internal testing only.yes







nta-lifetime duration ;This parameter configures the default time that a negative trust anchor (nta) is ignored when added via rndc nta. An nta disables DNSSEC validation for zones known to be failing validation due to misconfiguration. The duration may be entered using TTL-style formats for seconds, minutes or hours. The default is one hour.yesyesyesyes




nta-recheck duration ;Negative trust anchor (nta) configuration enables you to disable DNSSEC validation for a given domain due to know misconfiguration issues. Named will periodically issue a query to each nta domain to determine if it has been repaired, i.e., whether DNSSEC validation is accurate. This option sets the duration of the periodicity of these checks. These checks can be disabled by setting the valude to 0; the default is 5s.yes







nxdomain-redirect string ;Defines a redirect namespace to replace an NXDOMAIN received from an authoritative server with the original query name plus the specified string. If a relevant zone of type redirect is defined, it shall override the setting of this option.yes







parental-agents [ port integer] [ source ( IPv4_address | * ] | [ source-v6 IPv6_address | * ) ] { ( server_list [ port integer ] | ipv6_adress [ port integer] ) [key keyname] [tls string]; ... };

This specifies a list of one or more IP addresses of parental agents that are used to query the zone’s DS records during a KSK rollover.



yesyes




parental-source ( IPv4 address | * ) ;Specifies the source IPv4 address (and optionally port) the server uses to query the server of a parent zone to verify publication of an updated Delegation Signer (DS) record based on this server's zone's KSK rollover. If the DS has been updated to reflect the rolled key, the old KSK can be safely removed.yesyesyesyes




parental-source-v6 ( IPv6 address | * ) ;Specifies the source IPv6 address (and optionally port) the server uses to query the server of a parent zone to verify publication of an updated Delegation Signer (DS) record based on this server's zone's KSK rollover. If the DS has been updated to reflect the rolled key, the old KSK can be safely removed.yesyesyes




pid-file (pathname | none);Specifies the pathname of the file to which the server writes its process ID. The default is /var/run/named.pid (pre BIND 9.6) or /var/run/named/named.pid (BIND 9.6+). If the pathname parameter is specified as none no pid file will be written.yes







plugin ( query ) string [ { text } ];Plugins are new for 9.18 and are a work in progress. Zero or more plugin statements may be specified. The only plugin currently included in BIND is filter-aaaa.so, which replaces the filter-aaaa feature that previously existed.yesyes






port port;Specifies the UDP/TCP port number used by the server for sending and receiving DNS messages. This option is intended primarily for server testing purposes as setting the value to other than 53 the default will inhibit communications with the global DNSyes







preferred-glue (A | AAAA | NONE ) ;Specifies the preferred resource record type that will be specified first in the additional section of a query response for an NS record. The default is NONE no preference.yesyes






prefetch number [ number ] ;Specifies whether the server should refresh its cache for soon-to-expire cached data ensuring the cache always has an answer. The number parameter defines the trigger TTL at which prefetch will take place when a cached record with a lower TTL is encountered durign query processing. The default value is 0 which disables prefetch and other valid values are 1-10. The second optional parameter defines the eligibility TTL, or the smallest original TTL value that will be accepted for eligibility for prefetch. The default value is 9 and the value must be at least six seconds greater than the trigger TTL value.yesyes






provide-ixfr (yes | no);Used in options or server statements to configure a server configured as primary for its zones to honor IXFR requests from secondaries or not.yesyes






qname-minimization (strict | relaxed | disabled | off);Qname minimization calls for servers to convey the queryname (Qname) in queries in the context of the authoritative server being queried. For example, the server would include only the TLD in teh Qname when querying the root servers. This reduces the number of queries on the Internet with the fully qualified query intact to reduce exposure. Setting to strict follows this process as defined in RFC 7816 while relaxed (default value) supports this as well with a fallback to non-minimized qnames upon receipt of an NXDOMAIN or other error response. Disabled and off disables qname minimization on queries.yesyes



query-source [ address ] ( IPv4_address | * | none );Defines the local network interface (IPv4 address) and source port for UDP-based queries issued to other servers to obtain a query answer TCP-based queries always use a random source port and it's recommended that UDP also do so to reduce the risk of cache poisoning. Therefore the port parameter should generally not be specified.yesyes






query-source-v6 [ address ] ( IPv6_address | * | none ); Defines the local network interface (IPv6 address) and source port for UDP-based queries issued to other servers to obtain a query answer TCP-based queries always use a random source port and it's recommended that UDP also do so to reduce the risk of cache poisoning. Therefore the port parameter should generally not be specified.yesyes






querylog ( yes | no );When set to yes logging of queries is enabled upon named startup; query logging is otherwise determined by the queries logging category setting.yes







rate-limit {
[responses-per-second number ;]
[referrals-per-second number ;]
[nodata-per-second number ;]
[nxdomains-per-second number ; ]
[errors-per-second number ; ]
[all-per-second number ; ]
[window number ; ]
[log-only (yes | no) ; ]
[qps-scale number ; ]
[ipv4-prefix-length number ; ]
[ipv6-prefix-length number ; ]
[slip number ; ]
[exempt-clients {addr_match_list} ; ]
[max-table-size number ; ]
[min-table-size number ; ] };		Enables specification of parameters designed to minimize the use of this server in amplifying reflection denial of service attacks which inundate a spoofed (target) IP address. The server will limit nearly identical answers for a given IP address (or addresses within a block if ipv4-prefix-number (default = 24) or ipv6-prefix-number (default = 56) are specified and/or for a given namespace is a domain is specified.

Responses by type (responses, referrals, nodata, nxdomains or errors) or all can be limited based on the quantity of responses already provided as specified in the respective "per-second" parameter.

The qps-scale parameter dampens the responses/errors/nxdomains or all per second values to tighten defenses during an attack based on the overall query rate. For example if qps-scale is set to 250 and responses-per-second is 20, then a total query rate of 1000 qps changes the effective responses-per-second to (250/1000)*20 = 5. The optional parameters on responses-per-second control initiation of rate limiting to response or amplification factors to minimum sizes. Size applies to the minimum response size that will trigger this parameter; ratio indicates the policy applies for responses where the response size/request size ratio exceeds this value.

yesyes






recursing-file pathname;Specifies the pathname to the file in which named dumps the set of currently recursing queries when so instructed via the rndc recursing command. The default is named.recursing.yes







recursion (yes | no);Turn recursion on or off. If set to yes the server will perform recursion to obtain the answer for the client; if no the server will attempt to give an authoritative answer cached information or a referral to another name server.yesyes






recursive-clients number;Defines the maximum number of simultaneous recursive lookups the server will perform on behalf of clients (default = 1000).yes







request-expire (yes | no);;Configures the server to request the EDNS EXPIRE value from its primary server. This value indicates the time remaining until the zone expires if not refreshed. The use case for this option applies when a server, configured as a secondary, requests zone transfers from another secondary. The default is yes.yes

yes




request-ixfr (yes | no);Used in options or server statement to configure a secondary to request IXFRs of its primary or not.yesyes
yes





request-nsid (yes | no);When set to yes, an empty EDNS0 Name Server Identifier (NSID) option is sent with all queries to authoritative name servers during iterative name resolution. Returned NSID values are logged in the resolver logging category at level info. Default = no.yes







require-server-cookie (yes | no);Configures the server to require a valid server cookie within a query from a cookie aware client before sending a full response in reply. The BADCOOKIE error is sent if the cookie is absent or invalid.yes







resolver-query-timeout seconds;Enables specification of the number of seconds the server should await a response to a query before failing (SERVFAIL). The default is 10 and the maximum is 30.yes







resolver-use-dns64 (yes | no);Configures the server to use the IPv4-to-IPv6 address transformations specified by the dns64 option are applied to IPv4 server addresses to which recursive queries are sent. This allows a server to perform lookups via a NAT64 connection. Default = no.;yesyes






response-padding { address_match_element; ... } block-size blocksize;Enables padding of responses using the EDNS Padding option to maintain consistent packet sizes to improve confidentiality of DNS queries transmitted over encrypted channels. The response will be padded up to blocksize bytes if and only if the query a)contains an EDNS Padding option, b) includes a valid server cookie or uses TCP, c) is not signed using TSIG or SIG(0), and d) is from a client falling within the specified address_match_element.yes







response-policy { specifications } ;Also known as "DNS Firewall," this option enables specification of modified responses to queries for the specified zone in accordance with the response policy zone initiative where domain registrars may share valid (e.g. non-spammers) domain names to enable resolution while not resolving others modifying or otherwise processing responses for "invalid" domain names as identified via backlist/whitelist queries. Please consult our DNS firewall section for specification details.yesyes






responselog ( yes | no );Specifies whether response logging should be enabled when the server starts. Response logging complements query logging by logging the response code of previous queries along with the query name, type and class.yes







reuseport (yes | no);Enables or disables kernel load-balancing of sockets.yes






root-key-sentinel (yes | no);Enables the server to respond to DNS root key sentinal queries to enable the querier to deduce the trusted root zone key configured on the server. These queries are useful for administrators and Internet researchers to verify key configurations, e.g., prior to a key rollover.yes







rrset-order { order-stmt ; [ order-stmt; ]};

where:

order-stmt =
[ type rrtype]
[name domainname] order ordertype

Enables specification of ordering of resource records when multiple records apply to the query.

The rrtype parameter refers to a resource record type (e.g. MX) and domainname a given domain name (e.g. ipamworldwide.com).

Ordering (ordertype) may be:

  • fixed (the order they are defined in the zone)
  • random or
  • cyclic (round-robin).

Note: the fixed ordertype has been deprecated.

yesyes






secroots-file pathname; Specifies the pathname of the file to which rndc secroots command dumps security roots. (default = named.secroots).yes







send-cookie (yes | no);Configures the server to send an EDNS COOKIE with each query to provide identification to the queried server to avoid potential rate limiting treatment.yes







serial-query-rate number_per_second;Specifies the maximum number of serial number queries per second to be sent to the primary (across all zones) (default = 20).yes







serial-update-method (increment | unixtime | date );Configures the server with the zone serial number format in its SOA record. Setting to increment sets the format to a monotontically increasing integer. The unixtime format indicates the number of seconds since the UNIX epoch unless the serial number is already greater than this value, in whihc case it is incremented by 1. The date method defines the serial number format as YYYYMMDDXX where XX is an incremented value from 00 to 99.yes
yes





server-id ( server-id_string | none | hostname );Specifies the ID that the server should provide in response to a name server identifier (NSID) query or a query for owner ID.SERVER of type TXT in class CHAOS.

This information can be helpful in identifying the responding server in an anycast deployment. Defining the server-id_string as none (the default) disables responses to such queries and setting it to hostname returns the configured hostname (per gethostbyname() sockets call).

yes







servfail-ttl number;Defines the number of seconds to cache a SERVFAIL response due to DNSSEC validation or other server failure. This cache is ignored for queries with the Checking Disabled (CD) bit set to enable querying without validation if desired. The default is 1s, a value of 0 disables such caching and the maximum value is 30s.yes







session-keyalg algorithm;When BIND's pre-defined update-policy local; is configured named automatically creates a TSIG key to sign local dynamic updates. By default the key generation algorithm is HMAC-SHA256 but this option enables overriding this default. Valid values of algorithm are: hmac-sha1 hmac-sha224 hmac-sha256 hmac-sha384 and hmac-md5.yes







session-keyfile pathname ;When BIND's pre-defined update-policy local; is configured named automatically creates a TSIG key to sign local dynamic updates. By default the file is /var/run/named/session.key though an alternative pathname may be defined using this option.yes







session-keyname keyname;When BIND's pre-defined update-policy local; is configured named automatically creates a TSIG key to sign local dynamic updates. By default the keyname is local-ddns though this option may be specified to define a different keyname.








sig-signing-nodes integer;Specifies the maximum number of "nodes" (unique RRSet owners) that are examined during a zone re-signing evaluation to determine if re-signature is required or not for each. The default is 100.yesyesyesyes




sig-signing-signatures number;Specifies the maximum number of RRSets that will be re-signed during an automatic re-signing process. This option bounds the number of signatures performed during a re-sign. The default is 10.yesyesyesyes




sig-signing-type integer;Specifies the RData Type to be used when generating key signing records. The default is 65535.yesyesyesyes




sig-validity-interval days [re-sign];Obsolete. Defines the expiration date as the number of days in the future for DNSSEC signatures automatically generated for dynamic updates to a secure zone. The default is 30 days and the maximum value is 10 years. The re-sign parameter defines the remaining time on RRSet signatures within which the server should re-sign the RRSet. If days is < 7 then re-sign is defined in units of hours; otherwise it is in days. If re-sign is not specified days/4 will be used as the assumed re-sign value. This option can be overidden for DNSKEY records via the dnskey-sig-validity option.yesyesyesyes




sig0checks-quota integer;Experimental. Defines the maximum number of simultaneous SIG(0)-signed messages that the server accepts. If the quota isreached, then named answers with a status code of REFUSED. The value of 0 disables the quota. The default is 1.yes







sig0checks-quota-exempt { address_match_element; ...} ;DNS clients can be exempted from the SIG(0) signature checking quota with the sig0checks-quota-exempt clause, using their IP and/or network addresses. The default value is an empty list.yes







sig0key-checks-limit integer;Specifies the maximum number of keys to consider for a SIG(0)-signed message when trying to verify it. named will parse the candidate keys and check whether their key tag and algorithm matches with the expected one before trying to verify the signature. If the limit is reached the message verification fails. The value of 0 disables the limitation. The default is 16.yes







sig0message-checks-limit integer;Defines the maximum number of keys which (when correctly parsed and matched against the expected key tag and algorithm) named uses to verify a SIG(0)-signed message. If the limit is reached the message verification fails. The value of 0 disables the limitation, and the default is 2.yes







sortlist { address_match_list };Deprecated. Enables specification of the order of query responses based on source of query respond with preferred list of responses. Here are the details on the syntax and interpretation of the sortlist option.yesyes






stale-answer-client-timeout ( disabled | off | duration );Defines the duration the server will wait before attempting to answer the query with a stale resource record from cache; if an answer is resolved in the meantime, the server will answer and refresh its cache wtih the resolved value. The minimum value is 0 (immediately return stale records) and the maximum is the value of resolver-query-timeout minus one second. The default is off (which is equivalent to disabled) and this option is ignored if stale-answer-enable is set to no.yesyes






stale-answer-enable (yes | no);Enables the server to respond with cached resource records whose TTL has expired when an authoritative server cannot be reached. The default is no. When set to yes, stale-cache-enable should also be set to yes.yesyes






stale-answer-ttl integer;Defines the TTL to be transmitted on stale resource records (records retained in cache whose TTL has expired). The default is 1s.yesyes






stale-cache-enable (yes | no);Enables the server to cache rather than expire state resource records, i.e., those whose TTL has expired when an authoritative server cannot be reached. The default is yes.yesyes






stale-refresh-time duration;If authoritative name servers for a queried zone are not answering queries, the recursive server will reply to its clients' queries with stale resource records without attempting to query the authoritative servers for the specified duration. The default is 30s and a value of 0 disables this feature, enabling full resolution attempts for every query regardless of authoritative servers status.yesyes






startup-notify-rate number;Defines the rate of Notify requests sent when the name server is first starting up or when zones have been newly added. The default rate is 20 per second.yes







statistics-file pathname;Specifies this pathname of the file to which the server appends statistics when the rndc stats command is executed. The default is named.stats.yes







synth-from-dnssec (yes | no);Setting to yes (default) could improve DNSSEC resolution performance by enabling synthesized validated responses based on cached NSEC (NSEC3 support not yet implemented) records and other RRsets that have been previously validated.yes
yes






tcp-advertised-timeout integer;Sets the timeout value the server will send in reponses containing the EDNS TCP Keepalive option specified in units of 100ms. Valid values range from 0 (close TCP connections immediately) to 65535, and the default is 300 (30s).yes
yes






tcp-clients number;Limits number of concurrent TCP connections (default = 100).yes







tcp-idle-timeout integer;Defines the length of time the server waits on an idle TCP connection before closing it when the client is not using the EDNS TCP Keepalive option. This timeout is specified in units of 100ms. Valid values range from 1 (0.1s) to 1200 (2m), and the default is 300 (30s).yes
yes






tcp-initial-timeout integer;Defines the length of time the server waits on a new TCP connection for the first message from the client before closing the connection. This timeout is specified in units of 100ms. Valid values range from 1 (0.1s) to 65535, and the default is 300 (30s).yes
yes






tcp-keepalive-timeout integer;Specifies the length of time the server waits on an idle TCP connection before closing it when the client is using the EDNS TCP Keepalive option. This timeout is specified in units of 100ms. Valid values range from 1 (0.1s) to 1200 (2m), and the default is 300 (30s).yes
yes






tcp-listen-queue number;Specifies the queue depth for listening for TCP connections (default and minimum = 3).yes







tcp-receive-buffer integer;Sets the operating system's receive buffer size for TCP sockets.yes







tcp-send-buffer integer;Sets the operating system's send buffer size for TCP sockets.yes







tkey-domain domainname;This option specifies the domainname that should be appended to the names of all shared keys generated during a TKEY exchange. In most cases the domainname should be the server's domain name.yes







tkey-gssapi-credential principal;This option configures the credential to be used to authenticate keys for use with the GSS-TSIG protocol e.g. when performing secure updates to Microsoft Windows DNS. Currently a Kerberos principal is supportedyes







tkey-gssapi-keytab pathname;Defines the pathname to the key file used to authenticate Kerberos 5 credentials. If not set the typical system key file is /etc/krb5.keytab.yes







tls-port integer;Specifies the TCP port number the server uses to receive and send DNS-over-TLS protocol traffic.yes







transfer-format (many-answers | one-answer) ;Specifies on a primary server which format to employ for zone transfers: one-answer means one resource record per message while many-answers (the default) means multiple records as many as will fit within the message size are placed within each transfer message.yesyes






transfer-message-size number;Intended primarily for testing, this option defines a soft upper bound on uncompressed zone transfer messages over TCP. If the message size exceeds this bound, multiple messages will be sent unless the Rdata of a single resource record exceeds the bound it will be sent regardless. Valid values range from 512 to 65535 and the default is 20480.yesyes






transfer-source ( IPv4_address | * );Defines the server's network interface (IPv4 address and optionally port number) on which incoming zone transfers will be bound. This option also specifies the source IP address and optionally source UDP port for SOA query messages and forwarded dynamic updates.yesyes
yesyes



transfer-source-v6 ( IPv6_address | * );Defines the server's network interface (IPv6 address and optionally port number) on which inbound zone transfers will be bound. This option also specifies the source IPv6 address and optionally source UDP port for SOA query messages and forwarded dynamic updates.yesyes
yesyes



transfers-in number;Specifies a limit to the total number of concurrently running inbound zone transfers (default = 10).yes







transfers-out number;Specifies a limit to the total number of concurrently running outbound zone transfers (default = 10).yes







transfers-per-ns number;Specifies a limit on the number of concurrently running inbound zone transfers from any given server (default = 2)yes







trust-anchor-telemetry boolean;Experimental. Instructs named to send specially formed queries encoding the zone's trusted key once per day to domains for which trust anchors have been configured. This enables signed zone operators to see which resolvers have been updated to trust a new key.yesyes






try-tcp-refresh (yes | no);If a zone refresh query via UDP fails this option when set to yes configures the server to reattempt using TCP. The default is yes.yesyes
yes




udp-receive-buffer integer;Sets the operating system's receive buffer size for UDP sockets.yes







udp-send-buffer integer;Sets the operating system's send buffer size for UDP sockets.yes







update-check-ksk (yes | no);Configures the server to use KSK(s) (KSK flag on the corresponding DNSKEY resource record is set) to sign the DNSKEY RRset only (if set to yes) or to ignore the KSK flag and use all zone keys to sign the zone (if set to no). The default of yes effectively requires the use of separate zone KSKs and ZSKs while a setting of no enables use of one key per zone.yesyesyesyes




update-policy { grant|deny identity ruletype name [types] };Enables specification of increased granularity of dynamic updates over and in lieu of allow-update. Please refer to the update-policy page for details.

yes





update-quota integer ;Specifies the maximum number of concurrent DNS UPDATE messages that can be processed by the server.yes






use-v4-udp-ports { port list; };Deprecated. Enables specification of a range or pool of port numbers from which a randomly selected value will be used to set the source port for outbound IPv4 queries. Values set in the avoid-v4-udp-ports option will be excluded from this port list for port number generation. The default range is 1024 65535.

Note: Make sure your port range coincides with those permitted by the operating system on which named is running for named; otherwise queries using these port numbers will fail.

yes







use-v6-udp-ports { port list; };Deprecated. Enables specification of a range or pool of port numbers from which a randomly selected value will be used to set the source port for outbound IPv6 queries. Values set in the avoid-v6-udp-ports option will be excluded from this port list for port number generation. The default range is 1024 65535.

Note: Make sure your port range coincides with those permitted by the operating system on which named is running for named; otherwise queries using these port numbers will fail.

yes







v6-bias milliseconds;Indicates the number of milliseconds of preference to give to IPv6 name servers.

yesyes






validate-except { domain; ... };This option disables DNSSEC validation for specified domains and respective subdomains. While negative trust anchors enable this functionality on a temporary basis, this option enables permanent disabling of validation for these domains, such as unsigned local-use domains for example.yesyes






version version_string;This option specifies the string the server should provide in response to give to a TXT query of class CHAOS for name version.bind. Setting version_string to "none" disables responding to these queries.yes







zero-no-soa-ttl (yes | no);Instructs the server to set the TTL to zero when returning an authoritative negative response to an SOA query (default = yes).yesyesyesyes




zero-no-soa-ttl-cache (yes | no);Instructs the server when caching a negative response to an SOA query to set the TTL to zero (default = no).yesyes






zone-statistics (full | terse | none);Instructs the server to collect statistical data on all zones (or per zone control/override in zone statement). These statistics can be accessed via the rndc stats command which appends them to the file identified in the statistics-file option.yesyesyesyesyesyes

yes