BIND 9.8.0 Configuration Options

BIND configuration options as of BIND 9.8.0 are listed below, together with each option's applicability to the name server configuration: the options statement of named.conf, view statements, or zone statements by zone type. This is intended as a quick reference, listing each option in alphabetical order by option name. Option support varies by BIND release, so check the options file within the doc/misc directory of your BIND installation to compare the options supported in your release with this list.

The following conventions are used in the table:

  • For each option, the statement blocks in which it is supported for BIND 9.8.0 are listed: options, view, and the zone types master, slave, stub, static-stub, forward and hint. A block marked N/A means that the option may be specified there but is either ignored or not implemented, as discussed in the corresponding description. Text in narrow font indicates that a value of the type so indicated must be specified. The value types are the following:
    • address_match_list - a name corresponding to a defined address match list within the configuration file
    • algorithm - one of a pre-defined set of valid hash algorithms
    • bytes - an integer quantity indicating a number of bytes
    • domain - a domain-formatted text string e.g. www.ipamworldwide.com.
    • IP_address - an IPv4 or IPv6 formatted address value
    • minutes - an integer value indicating the number of minutes
    • number - an integer quantity
    • pathname - a text string indicating a directory path on the server
    • port - an integer indicating a UDP or TCP port number
    • port_list - a list of integer port numbers
    • size - a size measure expressed as an integer and unit e.g. 10g for 10 gigabytes; if no unit is provided the default is bytes
    • string - a text string
    • zone_name - the name of a zone in domain format
  • Keywords are parameters shown non-italicized, for example yes, no, first and ignore.
  • ( a | b | c ): parentheses denote a set of parameters from which one is selected; the pipe character represents 'or'. Thus this expression indicates that a value of a, b or c can be specified.

Each entry below gives the option name and syntax, the option description, and the statement blocks in which the option is supported: options, view, master zone, slave zone, stub zone, static-stub zone, forward zone, hint zone.
acache-cleaning-interval minutes;
Defines the interval at which the server will analyze the additional section cache (acache) to remove records with expired TTLs. The default is 60 [minutes]. Setting this option to 0 disables acache cleaning.
Supported in: options, view

acache-enable (yes | no);
Enables the additional section cache (acache), an internal BIND caching mechanism that provides a "shortcut" to the additional section content of each answer resource record. Enabling acache can improve query performance, especially for authoritative zones with several delegations and many glue records (which are placed in the additional section of a query response). Disabling acache can reduce the risk of cache poisoning.
Supported in: options, view

additional-from-auth (yes | no);
When set to yes, this option specifies that the server will add records to the additional data section of its response to a query from a resolver or another server. The additional section records would include any authoritative information related to the query, e.g., A records for an MX query, or CNAME- and DNAME-referenced records in other zones for which the server is authoritative. The default is yes.
Supported in: options, view

additional-from-cache (yes | no);
When set to yes, this option specifies that the server will add to the additional data section of its query response any cached information related to the query, e.g., CNAME- and DNAME-referenced records for which the server has cached data. When set to no, this option disables the use of the cache not only for additional data but for query answers as well. The default is yes.
Supported in: options, view

allow-new-zones (yes | no);
Configures whether zones can be added to the server at runtime using rndc addzone or deleted using rndc delzone. The default is no.
Supported in: options

allow-notify { address_match_list };
Accepts NOTIFY messages from hosts identified by the address match list, in addition to the corresponding zone masters. The default is to allow NOTIFY messages from the configured zone master server(s), as listed in the masters statement of a given zone declaration.
Supported in: options, view, slave zone

allow-query { address_match_list };
Defines an ACL governing who can query this server, based on the address match list definition. The default is any.
Supported in: options, view, master zone, slave zone, stub zone, static-stub zone

allow-query-cache { address_match_list };
Specifies which hosts, based on the address match list, may receive query answers from the server's cache. If not specified, this option defaults to the address match list specified in the allow-recursion option; if that is not set, the allow-query setting is used; otherwise this option defaults to {localnets; localhost;}.
Supported in: options, view

allow-query-cache-on { address_match_list };
Specifies on which name server interface(s) queries will be accepted that may receive answers from the server's cache. For example, this option could be configured to allow cache queries on the interface(s) facing the internal network. (New option in BIND 9.5.0.)
Supported in: options, view

allow-query-on { address_match_list };
Specifies on which name server interface(s) queries will be accepted. For example, this option could be configured to allow queries on the interface(s) facing the internal network. (BIND 9.5.0+)
Supported in: options, view, master zone, slave zone, stub zone

allow-recursion { address_match_list };
Defines an ACL governing who can issue recursive queries to this server, based on the address match list definition. If not specified, this option defaults to the address match list specified in the allow-query-cache option; if that is not set, the allow-query setting is used; otherwise this option defaults to {localnets; localhost;}.
Supported in: options, view

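The fallback chain just described (allow-query-cache and allow-recursion each defaulting to the other, then to allow-query, then to {localnets; localhost;}) is easy to get wrong: setting only allow-query { any; } on a resolver makes it recurse for anyone. The following Python is an added example, not BIND code and not from this page. It models first-match address_match_list evaluation and the documented defaults so that the effective recursion ACL of a configuration can be checked before deployment. The built-in localhost and localnets lists, the sample configurations and the probe address are constructed for the example; nested user-defined ACLs and key-based list elements are not modelled.

```python
"""Added example (not BIND's own code): a model of address_match_list
matching and of the documented default chain for allow-query-cache and
allow-recursion, used to spot an open resolver in a configuration."""
import ipaddress

# Built-in ACL names. localhost/localnets are constructed stand-ins for the
# interface-derived lists that named builds at startup.
BUILTIN_ACLS = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "localhost": ["127.0.0.1/32", "::1/128"],
    "localnets": ["192.0.2.0/24", "2001:db8:1::/64"],  # constructed
}

DEFAULT_ACL = "localnets; localhost;"  # the documented last-resort default


def parse_acl(text):
    """Turn '!192.0.2.99; 192.0.2.0/24;' into ordered (negated, network)
    pairs, expanding built-in names. Nested user-defined ACLs and key
    elements are not modelled."""
    elements = []
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        name = item.lstrip("!").strip()
        for net in BUILTIN_ACLS.get(name, [name]):
            elements.append((negated, ipaddress.ip_network(net, strict=False)))
    return elements


def acl_allows(elements, address):
    """First-match semantics: the first element containing the address
    decides, a '!' element denies; an address matching nothing is denied."""
    addr = ipaddress.ip_address(address)
    for negated, net in elements:
        if addr.version == net.version and addr in net:
            return not negated
    return False


def effective_acls(options):
    """Apply the documented fallbacks. `options` maps option name to the
    address_match_list text as written in named.conf."""
    q = options.get("allow-query")
    qc = options.get("allow-query-cache")
    rec = options.get("allow-recursion")

    def first_set(*candidates):
        return next((c for c in candidates if c is not None), DEFAULT_ACL)

    return {
        "allow-query-cache": first_set(qc, rec, q),
        "allow-recursion": first_set(rec, qc, q),
    }


def is_open_resolver(options, probe="198.51.100.7"):
    """True when an arbitrary Internet address (constructed probe) would be
    allowed to recurse through this server."""
    effective = effective_acls(options)
    return acl_allows(parse_acl(effective["allow-recursion"]), probe)


# Constructed configurations: the weak one only opens allow-query, which the
# fallback chain silently turns into allow-recursion { any; }.
WEAK_OPTIONS = {"allow-query": "any;"}
HARDENED_OPTIONS = {"allow-query": "any;",
                    "allow-recursion": "localnets; localhost;"}

if __name__ == "__main__":
    for label, opts in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(label, effective_acls(opts), "open resolver:", is_open_resolver(opts))
```

Run as a script it prints both effective ACL sets; the weak configuration recurses for the probe address, the hardened one does not. The model only covers options written in one block; on a real server the merged options and view settings would need to be read first.
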
allow-recursion-on { address_match_list };
Specifies on which name server interface(s) recursive queries will be accepted. For example, this option could be configured to allow recursive queries on the interface(s) facing the internal network. The default is to accept recursive queries on all server interfaces. (New option in BIND 9.5.0.)
Supported in: options, view

allow-transfer { address_match_list };
Specifies an ACL governing who can receive a zone transfer from this server. The default is any.
Supported in: options, view, master zone, slave zone

allow-update { address_match_list };
Defines an ACL governing who can perform a dynamic DNS update, based on the address match list definition. The default is none. If the more granular update-policy option is specified within an options, view or zone block, allow-update must not also be specified within the same statement block.
Supported in: options, view, master zone

allow-update-forwarding { address_match_list };
Specifies an ACL defining from whom dynamic updates will be accepted for slave zones, to be forwarded in turn to the zone's master server. The default is none. ISC recommends using either any or none (the default); this leaves the enforcement of update acceptance to the master server rather than this slave server.
Supported in: options, view, slave zone

allow-v6-synthesis { address_match_list };
BIND ignores this option; it was devised to provide a transition from AAAA to A6 records, which are now deprecated.
Supported in: options, view

also-notify { IP_address [port port]; [IP_address [port port]; ] };
Defines a set of IP addresses, with or without corresponding port numbers, to which NOTIFY messages are sent when a zone is updated (default = empty, i.e., none). This option specifies additional NOTIFY recipients beyond those named in the zone's NS records.

Note that prior to BIND 9.5 an optional outbound port parameter could be set before the curly brackets; this has been removed in order to leverage port randomization for added security.
Supported in: options, view, master zone, slave zone

alt-transfer-source (IPv4_address | *) [port port];
Specifies an alternate transfer source IPv4 address, and optionally port, for performing inbound zone transfers or for issuing SOA queries or forwarded dynamic updates when the transaction failed using the transfer-source parameters. Note that use-alt-transfer-source yes must be set.
Supported in: options, view, slave zone, stub zone

alt-transfer-source-v6 (IPv6_address | *) [port port];
Specifies an alternate transfer source IPv6 address, and optionally port, for performing inbound zone transfers or for issuing SOA queries or forwarded dynamic updates when the transaction failed using the transfer-source-v6 parameters. Note that use-alt-transfer-source yes must be set.
Supported in: options, view, slave zone, stub zone

attach-cache cache-name;
By default, each view has its own cache database; this option enables sharing of a common cache database across some or all views. When set in the options statement, all views will use the cache named cache-name. Particular views may use their own cache by specifying a different cache-name within the view statement block. Cache sharing among views requires each view to have the same settings for the cache-affecting parameters check-names, cleaning-interval, dnssec-accept-expired, dnssec-validation, max-cache-ttl, max-ncache-ttl, max-cache-size and zero-no-soa-ttl.
Supported in: options, view

auth-nxdomain (yes | no);
Allows the server to always claim that a negative answer from its cache is authoritative even if it isn't; the default is no, i.e., do not always claim authoritative answers.
Supported in: options, view

auto-dnssec (allow | maintain | create | off);
This option defines the degree of automation for BIND's automated DNSSEC key and signature management features introduced in BIND 9.7.0.
  • The allow setting enables key updates and zone re-signing when the user initiates the rndc sign zone command for this zone.
  • maintain includes the allow capability and adds the automation of key activation, revocation, retirement and deletion according to each key's timing metadata, as specified using the dnssec-keygen utility.
  • create adds to the maintain functionality the ability to automatically create new keys when needed. (Note: this has not yet been implemented as of BIND 9.7.0.)
The off setting (default) disables automated DNSSEC management.
Supported in: master zone

avoid-v4-udp-ports { port_list };
Specifies which port numbers to avoid as system-assigned source UDP ports over IPv4, typically to avoid firewall-blocked port numbers.
Supported in: options

avoid-v6-udp-ports { port_list };
Specifies which port numbers to avoid as system-assigned source UDP ports over IPv6, typically to avoid firewall-blocked port numbers.
Supported in: options

bindkeys-file pathname;
Specifies the pathname on the server of the trusted keys used for DNSSEC Lookaside Validation. The default is /etc/bind.keys.
Supported in: options

blackhole { address_match_list };
Defines an ACL, by address match list, of hosts from which this server will not accept queries and which it will not use to resolve a query. The default is none.
Supported in: options

cache-file pathname;
Specifies the pathname on the server of the cache file; this option is used only for testing and should not be used in production.
Supported in: options, view

check-dup-records (fail | warn | ignore);
Configures the server to check its master zones for resource records that are treated differently by DNSSEC but are semantically equal in plain DNS. The default is warn.
Supported in: options, view, master zone

check-integrity (yes | no);
When set to yes, configures the server to perform zone integrity checks after loading master zones; the integrity check consists of assuring that MX and SRV records refer to hosts which have corresponding A or AAAA records (intra-zone checks only) and that glue records exist for delegated zones. The default is yes.
Supported in: options, view, master zone

check-mx (warn | fail | ignore);
Checks MX records for RDATA that contains an IP address rather than a host name, and will fail, warn (default) or ignore accordingly.
Supported in: options, view, master zone

check-mx-cname (warn | fail | ignore);
Configures the server to verify that MX records do not refer to CNAME records; applies when check-integrity yes is configured. The default is warn.
Supported in: options, view

check-names (master | slave | response) (warn | fail | ignore);
Configures the server to validate owner names of A, AAAA and MX records, RDATA names in NS, SOA and MX records, and PTR records resolved for owners within ip6.arpa or in-addr.arpa zones. When defined within the options or view statement (but not within zone declarations), checking can be focused on master zones (default = fail), slave zones (default = warn), or responses received from other servers (response, default = ignore).
Supported in: options, view, master zone, slave zone, stub zone

check-sibling (yes | no);
Configures the server to verify that glue records exist for sibling zones, i.e., other zones delegated by this server (as a common parent). For example, the RDATA field of an NS record for a delegated zone may refer to a name server in a sibling zone:

a.ipamworldwide.com. IN NS ns.b.ipamworldwide.com

In such a case, setting this option to yes causes the server to verify that a glue (A/AAAA) record exists for ns.b.ipamworldwide.com. This option only applies when check-integrity yes is configured. The default value is yes.
Supported in: options, view

check-srv-cname (warn | fail | ignore);
Configures the server to verify that SRV records do not refer to CNAME records; applies when check-integrity yes is configured. The default is warn.
Supported in: options, view

check-wildcard (yes | no);
Instructs the server to issue a warning upon detecting a non-fully-resolvable wildcard (*) in its master zones when set to yes. The default is yes.
Supported in: options, view, master zone

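To make the load-time integrity checks concrete, here is an added Python example (not BIND's own checker and not from this page) that runs a simplified version of the check-integrity, check-mx-cname, check-srv-cname and check-sibling rules over a constructed zone for ipamworldwide.com. The zone data, the finding messages and the glue rule applied to delegations are assumptions made for the example; BIND's real checks also inspect details this model leaves out.

```python
"""Added example (not BIND's own code): a simplified model of the load-time
checks described by check-integrity, check-mx-cname, check-srv-cname and
check-sibling, run over a constructed master zone for ipamworldwide.com.
Only the target name of MX and SRV rdata is kept, since that is all these
checks look at."""

ORIGIN = "ipamworldwide.com."

# Constructed zone data: (owner, rrtype, rdata target or address).
ZONE = [
    ("ipamworldwide.com.", "MX", "mail.ipamworldwide.com."),
    ("mail.ipamworldwide.com.", "A", "192.0.2.25"),
    ("ipamworldwide.com.", "MX", "alias.ipamworldwide.com."),          # MX -> CNAME
    ("alias.ipamworldwide.com.", "CNAME", "mail.ipamworldwide.com."),
    ("_sip._tcp.ipamworldwide.com.", "SRV", "sip.ipamworldwide.com."),  # target has no address
    ("a.ipamworldwide.com.", "NS", "ns.b.ipamworldwide.com."),         # sibling zone, glue present
    ("a.ipamworldwide.com.", "NS", "ns.c.ipamworldwide.com."),         # sibling zone, glue missing
    ("b.ipamworldwide.com.", "NS", "ns.b.ipamworldwide.com."),
    ("ns.b.ipamworldwide.com.", "A", "192.0.2.53"),
    ("c.ipamworldwide.com.", "NS", "ns.c.ipamworldwide.com."),         # own delegation, glue missing
    ("mail.ipamworldwide.com.", "MX", "relay.example.net."),           # out of zone: not checked
]


def under(name, parent):
    """True if name is parent or lies below it."""
    return name == parent or name.endswith("." + parent)


def types_at(zone, name):
    return {rrtype for owner, rrtype, _ in zone if owner == name}


def has_address(zone, name):
    return bool(types_at(zone, name) & {"A", "AAAA"})


def check_zone(zone, check_integrity=True, check_mx_cname="warn",
               check_srv_cname="warn", check_sibling=True):
    """Return (severity, message) findings. Severity follows the per-check
    warn/fail/ignore setting; nothing is checked when check-integrity is no."""
    findings = []
    if not check_integrity:
        return findings
    delegations = {owner for owner, rrtype, _ in zone if rrtype == "NS" and owner != ORIGIN}
    for owner, rrtype, target in zone:
        if not under(target, ORIGIN):
            continue  # intra-zone checks only
        if rrtype in ("MX", "SRV"):
            mode = check_mx_cname if rrtype == "MX" else check_srv_cname
            if "CNAME" in types_at(zone, target):
                if mode != "ignore":
                    findings.append((mode, f"{owner} {rrtype} {target} refers to a CNAME"))
            elif not has_address(zone, target):
                findings.append(("warn", f"{owner} {rrtype} {target} has no A/AAAA record"))
        elif rrtype == "NS" and owner in delegations:
            in_own = under(target, owner)
            in_sibling = not in_own and any(under(target, d) for d in delegations if d != owner)
            if in_sibling and not check_sibling:
                continue  # check-sibling no: glue in sibling zones is not verified
            if not has_address(zone, target):
                findings.append(("warn", f"{owner} NS {target} has no glue A/AAAA record"))
    return findings


def zone_loads(zone, **settings):
    """The zone loads unless some finding carries severity 'fail'."""
    return all(severity != "fail" for severity, _ in check_zone(zone, **settings))


if __name__ == "__main__":
    for severity, message in check_zone(ZONE):
        print(severity, message)
    print("loads with check-mx-cname fail:", zone_loads(ZONE, check_mx_cname="fail"))
```

With the defaults the constructed zone produces four findings (an MX pointing at a CNAME, an SRV target without an address, and two delegations without glue); check-sibling no removes the sibling-glue finding, and check-mx-cname fail turns the first one into a load failure.
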
cleaning-interval minutes;
Defines the interval at which the server will analyze the cache to remove records with expired TTLs (default = 60 [minutes]).
Supported in: options, view

clients-per-query number;
Defines the minimum initial number of simultaneous outstanding recursive queries for a given name (i.e., of the same qname, qtype and qclass). In this context, the server issuing such queries is the "client" referred to by the option name. (default = 10)
Supported in: options, view

coresize size;
Defines the maximum size of a core dump file. The default is default, which is the default core dump file size permitted by the operating system.
Supported in: options

database string;
Specifies the type of database used for storing zone data. The string argument is interpreted as a whitespace-delimited string, with the first entry naming the database driver linked into the server and the remaining entries passed to the database as arguments. The default type is rbt, BIND 9's in-memory red-black-tree database (which does not take additional arguments).
Supported in: view, master zone, slave zone, stub zone

datasize size;
Defines the maximum amount of memory the server may use. The default is default, which is the amount of memory allocated by the operating system by default; this option is useful for specifying a size greater than the operating system default when that amount is too small.
Supported in: options

deallocate-on-exit (yes | no);
BIND 8 provided this option to enable deallocation of memory upon exit to check for memory leaks; BIND 9 always performs this task and therefore ignores this option.
Supported in: options (N/A)

delegation-only (yes | no);
Specifies whether the associated stub or hint zone should be treated as a delegation-only zone.
Supported in: stub zone, forward zone, hint zone

deny-answer-addresses { address_match_list; } [except-from { name-list; }];
Configures the server to filter out (drop) address (A or AAAA) query responses from external DNS servers where the address(es) contained in the answer section fall within the address_match_list definition, to mitigate rebinding attacks. However, all address answers where the query name matches the except-from name-list will be accepted. For example, a server configured with deny-answer-addresses { 192.0.2.0/24; } except-from { "ipamworldwide.com"; }; will drop A records in the answer section containing an address within the 192.0.2.0/24 space, except where the query name falls within the ipamworldwide.com domain or a subdomain.
Supported in: options, view

deny-answer-aliases { alias-list; } [except-from { name-list; }];
Configures the server to filter out (drop) alias (CNAME or DNAME) query responses from external DNS servers where the alias(es) contained in the answer section fall within the alias-list definition, to mitigate rebinding attacks. However, all alias answers where the query name matches the except-from name-list will be accepted. For example, a server configured with deny-answer-aliases { "ipamworldwide.com"; } except-from { "biz.ipamworldwide.com"; }; will drop CNAME or DNAME records within the answer section of the response whose alias target falls within the ipamworldwide.com domain or its subdomains, except where the query name falls within the biz.ipamworldwide.com domain or its subdomains.
Supported in: options, view

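The two filters just described are the rebinding defence for a recursive server: an outside name must not be allowed to answer with an internal address or with an alias into an internal domain. The following Python is an added example, not BIND code and not from this page; it applies the deny-answer-addresses and deny-answer-aliases rules, including the except-from carve-outs, to constructed responses under the policy used in the two examples above. The sample query names, records and addresses are constructed.

```python
"""Added example (not BIND's own code): the response filtering described for
deny-answer-addresses and deny-answer-aliases, applied to constructed
responses. A name-list entry covers that domain and all of its subdomains."""
import ipaddress


def name_under(name, domain):
    """True if name equals domain or is a subdomain of it (case-insensitive)."""
    n, d = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return n == d or n.endswith("." + d)


def name_in_list(name, name_list):
    return any(name_under(name, d) for d in name_list)


def addr_in_list(address, networks):
    addr = ipaddress.ip_address(address)
    return any(addr.version == net.version and addr in net for net in networks)


def filter_answers(qname, answers, deny_addresses=(), address_except=(),
                   deny_aliases=(), alias_except=()):
    """answers: (owner, rrtype, rdata) records received from an external server.
    Returns (kept, dropped); dropped lists (rule, record) for each filtered record."""
    networks = [ipaddress.ip_network(n, strict=False) for n in deny_addresses]
    kept, dropped = [], []
    for record in answers:
        _owner, rrtype, rdata = record
        # deny-answer-addresses: an internal address answered for a non-exempt name
        if rrtype in ("A", "AAAA") and not name_in_list(qname, address_except):
            if addr_in_list(rdata, networks):
                dropped.append(("deny-answer-addresses", record))
                continue
        # deny-answer-aliases: an alias pointing into a protected domain
        if rrtype in ("CNAME", "DNAME") and not name_in_list(qname, alias_except):
            if name_in_list(rdata, deny_aliases):
                dropped.append(("deny-answer-aliases", record))
                continue
        kept.append(record)
    return kept, dropped


# Constructed policy mirroring the examples in the two descriptions above.
POLICY = dict(deny_addresses=["192.0.2.0/24"], address_except=["ipamworldwide.com"],
              deny_aliases=["ipamworldwide.com"], alias_except=["biz.ipamworldwide.com"])

# Constructed responses: an outside name answering with an internal address
# (the rebinding pattern), the same address under the exempt domain, an alias
# into the protected domain from outside and from the exempt subdomain, and
# an outside name with an ordinary public address.
SAMPLES = [
    ("outside.example.", [("outside.example.", "A", "192.0.2.10")]),
    ("www.ipamworldwide.com.", [("www.ipamworldwide.com.", "A", "192.0.2.10")]),
    ("outside.example.", [("outside.example.", "CNAME", "intranet.ipamworldwide.com.")]),
    ("portal.biz.ipamworldwide.com.",
     [("portal.biz.ipamworldwide.com.", "CNAME", "intranet.ipamworldwide.com.")]),
    ("outside.example.", [("outside.example.", "A", "203.0.113.5")]),
]


def dropped_per_sample():
    """Number of records dropped for each constructed sample, in order."""
    return [len(filter_answers(qname, answers, **POLICY)[1]) for qname, answers in SAMPLES]


if __name__ == "__main__":
    for (qname, answers), count in zip(SAMPLES, dropped_per_sample()):
        print(qname, answers[0][1], "dropped" if count else "kept")
```

The first and third samples are dropped, the others kept: the except-from list is matched against the query name, not against the answer, which is why the same internal address is accepted under www.ipamworldwide.com but not under an outside name.
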
dialup (yes | no | notify | refresh | passive | notify-passive);
Concentrates all communications between servers to the time when a dialup connection is made, based on the timing set in the heartbeat-interval option, overriding the refresh timer so that SOA (refresh) queries and NOTIFYs are sent only at this interval. More granular control is available using:
  • notify, which directs the server to send only NOTIFYs during the connection, with normal refresh processing
  • notify-passive, which sends NOTIFYs during the heartbeat interval while suspending normal refresh processing
  • refresh, which suspends NOTIFYs but sends refresh queries during the heartbeat interval
  • passive, which disables normal refresh processing
Supported in: options, view, master zone, slave zone, stub zone

directory pathname;
Specifies the location of the server's current working directory. Any relative (non-absolute) pathnames are interpreted as relative to this directory. If not specified, the default is ".".
Supported in: options

disable-algorithms domain { algorithm; [ algorithm; ] };
Disables the specified DNSSEC algorithm(s) when processing queries for the specified domain and its subdomains. Multiple occurrences of this statement are permitted.
Supported in: options, view

disable-empty-zone zone_name;
Disables an individual empty zone identified by zone_name. Multiple statements are permitted.
Supported in: options, view

dns64 IPv6_prefix { [clients { address_match_list };] [mapped { address_match_list };] [exclude { address_match_list };] [suffix IPv6_addr;] [recursive-only (yes | no);] [break-dnssec (yes | no);] };
Supports the DNS64 IPv4-IPv6 co-existence strategy, which allows an IPv6 host to connect to an IPv4 destination via a NAT64 gateway whose IP address is a concatenation of the specified IPv6 prefix and an IPv4 address returned via A record queries (when no native AAAA record answers are provided). The DNS64 service provides this mapping function.

This option configures the recursive server to return mapped IPv4 addresses to AAAA queries when A but no AAAA answers are received from the authoritative server. The resolver receiving such an answer connects to a NAT64 device at this address; the NAT64 device links the incoming IPv6 connection from the resolver client to the corresponding mapped IPv4 address encoded in the IPv6 destination address, based on the AAAA response provided by the DNS64 service.

The clients parameter is an address match list of clients for whom the service is provided; the default is any. The mapped parameter indicates which IPv4 addresses within the A resource record set shall be mapped to corresponding AAAA answers. The exclude parameter defines the IPv6 networks for which DNS64-translated AAAA records (based on returned A records) are returned instead of native AAAA records; normally, native AAAA records are returned, obviating the need to return DNS64-fabricated AAAA records. The suffix can be used to specify additional bits to include in the mapped response following the IPv4 address (default is ::). The recursive-only parameter indicates whether to apply DNS64 mapping to recursive queries only, and break-dnssec controls whether DNS64 will add or remove records in the authoritative server's response: it will not when set to no and will when set to yes.
Supported in: options, view

dns64-contact name;
Supports the DNS64 IPv4-IPv6 co-existence strategy as discussed above. This option defines the administrative contact name that will appear in the SOA record for the ip6.arpa zone corresponding to the mapped AAAA records created by appending the IPv4 address to the IPv6 prefix during a DNS64 transaction.
Supported in: options, view

dns64-server name;
Supports the DNS64 IPv4-IPv6 co-existence strategy as described above. This option defines the DNS server name that will appear in the SOA record for the ip6.arpa zone corresponding to the mapped AAAA records created by appending the IPv4 address to the IPv6 prefix during a DNS64 transaction.
Supported in: options, view

dnssec-accept-expired (yes | no);
Instructs the server to accept expired signatures for DNSSEC validation. The default is no.
Supported in: options, view

dnssec-dnskey-kskonly (yes | no);
This option is a parameter for BIND's automated DNSSEC key and signature management features introduced in BIND 9.7.0. When set to yes and update-check-ksk is set to yes, only KSKs will be used to sign the DNSKEY RRset at the zone apex; otherwise ZSKs may also be used to sign the DNSKEY RRset. When update-check-ksk is set to no, this option is ignored.
Supported in: options, view, master zone

dnssec-enable (yes | no);
Turns on DNSSEC processing on the server when set to yes. The default is yes.
Supported in: options, view

dnssec-lookaside (auto | domain trust-anchor DLV_domain);
Specifies parameters for DNSSEC Lookaside Validation (DLV).

The DLV_domain serves as a domain escalation point for DNSSEC signature validation where a signed zone's parent is not signed.

If the query being resolved falls within the specified domain or its subdomains, the associated public KSK is retrieved from the DLV_domain server and compared with the trusted-keys configured on this server to authenticate the resolution.

The auto parameter initializes a managed key for the dlv.isc.org registry.
Supported in: options, view

dnssec-must-be-secure domain (yes | no);
Specifies a domain (including subdomains) that must provide secure resolution, as validated by trusted-key configuration or DLV, when set to yes. When set to no, secure resolution is not required for this domain.
Supported in: options, view

dnssec-secure-to-insecure (yes | no);
When set to yes, this allows the DNSKEY record(s) to be deleted from the zone(s) via BIND's automated DNSSEC key and signature management features introduced in BIND 9.7.0. Deleting these records effectively transitions the zone(s) from secure to insecure.
Supported in: options, view, master zone

dnssec-validation (yes | no);
Turns on DNSSEC validation processing when set to yes. dnssec-enable must also be set to yes. The default is no.
Supported in: options, view

dual-stack-servers [port port] { ( domainname [port port] | IP_address [port port] ); ... };
Specifies external name server IP addresses or hostnames that have access to both IPv4 and IPv6 transport. This option has no effect if the server on which it is configured is itself dual-stacked.
Supported in: options, view

dump-file pathname;
Specifies the file pathname in which to place the dump file when the server is told to dump its database via rndc dumpdb; the default is named_dump.db.
Supported in: options

edns-udp-size bytes;
Defines the advertised EDNS UDP buffer size in bytes, ranging from 512 to 4096 (default).
Supported in: options, view

empty-contact name;
Specifies the zone contact that will appear in the SOA record created in empty zones. If not specified, "." is used.
Supported in: options, view

empty-server name;
Specifies the server name that will appear in the SOA record created in empty zones. If not specified, the empty zone's name will be used.
Supported in: options, view

empty-zones-enable (yes | no);
Enables (yes) or disables (no) creation of empty zones on the server. Empty zones are enabled by default.
Supported in: options, view

fake-iquery (yes | no);
Obsolete; indicated that the server should emulate the deprecated DNS query type IQUERY. BIND 9 never simulates IQUERYs.
Supported in: options (N/A)

fetch-glue (yes | no);
Obsolete; when set to no, stopped the server from fetching glue records to include in the additional section of the query response. BIND 9 never fetches glue records.
Supported in: options (N/A), view (N/A)

file filename;
Identifies the zone file name for the specified zone.
Supported in: master zone, slave zone, stub zone, hint zone

files number;
Defines the maximum number of files the DNS service may have open concurrently. The default is unlimited.
Supported in: options

filter-aaaa { address_match_list };
Defines the address match list of clients to which the filter-aaaa-on-v4 option is applied, as described below. Multiple filter-aaaa options may be defined. The default is any.
Supported in: options

filter-aaaa-on-v4 (yes | no | break-dnssec);
Defines whether the server will return AAAA records to certain clients. For example, clients that do not have IPv6 network access can be excluded. Such clients are defined by the address match list parameter of the filter-aaaa option. BIND must be compiled with the --enable-filter-aaaa option on the configure command line.

If this option is set to yes, AAAA records are not included in the response if the client falls within the filter-aaaa address match list and no DNSSEC signatures are included. If set to no, such filtering is not performed and AAAA records are returned. If set to break-dnssec, the AAAA records are not included even if DNSSEC signatures exist.
Supported in: options

flush-zones-on-shutdown (yes | no);
When signaled to exit via the SIGTERM signal, the server will discard any pending zone writes from journal files if this is set to yes; the default is no, indicating that pending zone writes should first be performed.
Supported in: options

forward (only | first);
Configures the server to either:
  • use only those servers configured in the forwarders statement to resolve queries (forward only), or
  • first query a server listed in the forwarders statement and, upon receiving no resolution answer, query another server (e.g., based on cached information or hints file configuration) (forward first).
Supported in: options, view, master zone, slave zone, stub zone, forward zone

forwarders { [IP_address [port port]; ] };
Specifies the IP address(es) of servers to query when using forwarding. The default is an empty list, i.e., no forwarding. When an empty list is used within a zone statement while forwarders are configured within the options statement, those forwarders remain enabled on the server but not for the zone with the empty forwarders list (i.e., the empty list acts as a negation).
Supported in: options, view, master zone, slave zone, stub zone, forward zone

has-old-clients (yes | no);
Ignored in BIND 9, but its effect can be achieved using auth-nxdomain yes; and rfc2308-type1 no;.
Supported in: options

heartbeat-interval minutes;
Defines the heartbeat interval governing the frequency of tasks for zones defined with the dialup option set to a value other than no (default = 60 [minutes]).
Supported in: options

host-statistics (yes | no);
Not implemented in BIND 9; enabled statistics tracking for each host interacting with the server.
Supported in: options (N/A)

host-statistics-max number;
Not implemented in BIND 9; specified the maximum number of host statistics entries permitted in BIND 8.
Supported in: options (N/A)

hostname hostname_string;
Defines a host name to be provided in response to a TXT query of class CHAOS for the owner hostname.bind. The default is the hostname of the server on which named is running, as determined by a gethostname() call. Setting hostname_string to none disables processing of these queries.
Supported in: options

interface-interval minutes;
Defines the interval governing the frequency of scans for new or removed network interfaces on the server, so as to begin listening on new interfaces and stop listening on deleted interfaces as permitted by the corresponding listen-on settings. The default is 60 [minutes].
Supported in: options

ixfr-from-differences ((yes | no) | master | slave);
When set to yes, the server will compute the differences between the old and new versions of a zone (upon reload as a master, or upon zone transfer receipt as a slave) and use these differences for IXFR processing. The parameters master and slave may be specified at the view and zone statements to apply this processing to master zones or slave zones, respectively, within the view or zone.
Supported in: options, view, master zone, slave zone

ixfr-tmp-file pathname;
Specifies the file pathname of a temporary file for IXFRs.
Supported in: master zone, slave zone

journal pathname;
Specifies the pathname of the journal file.
Supported in: master zone, slave zone

key-directory pathname;
The full directory pathname in which public and private key files are stored on the server for processing dynamic updates of DNSSEC-secured zones. If not specified, the current working directory is used.
Supported in: options, view, master zone

lame-ttl seconds;
Defines the number of seconds the server will cache a lame server designation, i.e., that a given server is not authoritative for a zone delegated to it (default = 600 [seconds]).
Supported in: options, view

listen-on [port port] { address_match_list };
Specifies the network interface(s) on which the server listens for queries; the default is to listen on port 53 on all interfaces. Multiple listen-on statements may be defined.
Supported in: options

listen-on-v6 [port port] { address_match_list };
Specifies the network interface parameters on which the server will listen for queries using IPv6 transport. If this option is not specified, the server will not listen on any of the server's IPv6 addresses unless BIND was invoked with the -6 option, in which case it will listen on all IPv6 interfaces.
Supported in: options

maintain-ixfr-base (yes | no);
Obsolete; indicated that the server should keep a transaction log for IXFRs. Such logging is enabled in BIND 9.
Supported in: options (N/A), view (N/A), master zone (N/A), slave zone (N/A)

managed-keys-directory directory;
The directory in which the files used to track managed keys are located. By default this is the named working directory.
Supported in: options

masterfile-format (text | raw);
Specifies the format of zone files on the server. The default is text; setting raw will omit some name checking features.
Supported in: options, view, master zone, slave zone, stub zone

masters [port port] { ( masters_list | ip_address [port port] [key key] ); [...] };
Identifies the master name servers for the given zone, including specification of the outgoing port number for SOA queries and zone transfers (port specification before the curly brackets). This statement also specifies the zone master server's name or IP address, port and the TSIG key used to authenticate zone transfers.
Supported in: slave zone, stub zone

match-mapped-addresses (yes | no);
Specifies that the server should match the IPv4 addresses embedded in IPv4-mapped IPv6 addresses against the defined address match lists for processing. This option is intended solely as a workaround for a Linux kernel quirk on IPv6-enabled Linux servers.
Supported in: options

max-acache-size size;
Sets the maximum memory size, in bytes, to be used for the server's additional section cache (acache). When the amount of data in the cache approaches the limit, the server will prematurely expire records to remain within the bound. The default is unlimited.
Supported in: options, view

max-cache-size size;
Sets the maximum memory size to be used for the server's cache. If using DNS views, the specified size applies to the cache of each view. When the amount of data in the cache approaches the limit, the server will prematurely expire records to remain within the bound (default = 32M prior to BIND 9.6, and 0 as of BIND 9.6, which means that records are purged from the cache only when their TTLs expire).
Supported in: options, view

max-cache-ttl number;
Defines the maximum retention time for cached [positive] information. The default is 7 days.
Supported in: options, view

max-clients-per-query number;
Defines the maximum number of simultaneous outstanding recursive queries for a given name (i.e., of the same qname, qtype and qclass) before additional clients are dropped. In this context, the server issuing such queries is the "client" referred to by the option name (default = 100).
Supported in: options, view

max-ixfr-log-size number;
Obsolete in BIND 9 and ignored. The max-journal-size option performs a similar function in managing the size of update logs.
Supported in: options, view, master zone, slave zone

max-journal-size size;
Specifies the maximum size of each journal file. The default is unlimited.
Supported in: options, view, master zone, slave zone

max-ncache-ttl seconds;
Defines the maximum number of seconds the server will cache negative answers. The default is 10800 [seconds] or 3 days, and the maximum value is 7 days.
Supported in: options, view

max-refresh-time seconds;
Defines the maximum refresh interval for SOA refresh attempts to the master.
Supported in: options, view, master zone, slave zone, stub zone

max-retry-time seconds;
Defines the maximum retry interval at which the server will retry a failed zone transfer.
Supported in: options, view, master zone, slave zone, stub zone

max-transfer-idle-in minutes;
Specifies a limit on the idle time during an inbound zone transfer (default = 60 [minutes]). Once exceeded, the zone transfer will be terminated.
Supported in: options, view, slave zone, stub zone

max-transfer-idle-out minutes;
Specifies a limit on the idle time during an outbound zone transfer (default = 60 [minutes]). Once exceeded, the zone transfer will be terminated.
Supported in: options, view, master zone, slave zone

max-transfer-time-in minutes;
Specifies a limit on the duration of an inbound zone transfer (default = 120 [minutes]). Once exceeded, the zone transfer will be terminated.
Supported in: options, view, slave zone, stub zone

max-transfer-time-out minutes;
Specifies a limit on the duration of an outbound zone transfer (default = 120 [minutes]). Once exceeded, the zone transfer will be terminated.
Supported in: options, view, master zone, slave zone

max-udp-size bytesDefines the maximum EDNS UDP packet size the server will send in bytes, ranging from 512 to 4096 (default)yesyes





memstatistics (yes | no);
  Turns on (yes) or off (no) the writing of memory statistics to the file specified in the memstatistics-file option. The default is no unless named was started with the '-m record' switch.
  yes

memstatistics-file pathname;
  Specifies the pathname of the file to which the server will write memory usage statistics. The default is named.memstats.
  yes

min-refresh-time seconds;
  Defines the minimum SOA refresh time to query the master.
  yes | yes | yes | yes | yes

min-retry-time seconds;
  Defines the minimum retry time at which the server should retry a failed zone transfer.
  yes | yes | yes | yes | yes

min-roots number;
  Not implemented in BIND 9. This option defines the minimum number of root servers configured within the hints file in order for the server to answer any queries regarding the root servers. This defines a minimum 'credibility threshold' for the server's ability to respond to such queries. The default is 2.
  N/A | N/A

minimal-responses (yes | no);
  When set to yes, this option instructs the server to add records to the authority and additional sections of the response only when required, e.g., for negative responses or delegations. The default is no.
  yes | yes

multi-master (yes | no);
  When set to yes, the server will not log when its serial number is greater than that on another master.
  yes
  yes | yes

multiple-cnames (yes | no);
  Ignored in BIND 9, which disallows multiple CNAME records with the same owner name; in BIND 8, this option allows multiple CNAME records for a single name.
  N/A

named-xfer pathname;
  This option is not used in BIND 9, but it previously specified the directory path for the named-xfer program (used by a slave server for inbound zone transfers).
  N/A

notify (yes | no | explicit | master-only);
  This option governs the sending of NOTIFY messages:
  • yes - NOTIFY messages are sent to all servers with NS records for the zone except the zone master identified by the MNAME field of the zone's SOA record; NOTIFY messages are also sent to those defined in the also-notify option
  • explicit - NOTIFY messages are sent only to those servers identified in the also-notify option
  • master-only - NOTIFY messages are sent only for master zones
  • no - no NOTIFY messages are sent
  yes | yes | yes | yes

notify-delay seconds;
  This option defines the number of seconds to wait between sending sets of NOTIFY messages. The default is 0. (New in BIND 9.5.0)
  yes | yes | yes | yes

notify-source (IPv4_address | *) [port port];
  Defines the server's network interface (IPv4 address) and optionally the source UDP port for sending NOTIFY messages.
  yes | yes | yes | yes

notify-source-v6 (IPv6_address | *) [port port];
  Defines the server's network interface (IPv6 address) and optionally the source UDP port for sending NOTIFY messages.
  yes | yes | yes | yes

notify-to-soa (yes | no);
  Facilitates hidden master configurations when set to yes by instructing the server to send a NOTIFY message, as appropriate, to the server listed in the SOA record master name (MNAME) field. In hidden master configurations, MNAME may be configured with the name of a slave server. If set to no, a NOTIFY will not be sent to the server listed in the MNAME field.
  yes | yes | yes | yes

nsec3-test-zone (yes | no);
  Option for testing NSEC3 records for DNSSEC.
  yes | yes

pid-file (pathname | none);
  Specifies the pathname of the file to which the server writes its process ID. The default is /var/run/named.pid (pre BIND 9.6) or /var/run/named/named.pid (BIND 9.6+). If the pathname parameter is specified as none, no pid file will be written.
  yes

port port;
  Specifies the UDP/TCP port number used by the server for sending and receiving DNS messages. This option is intended primarily for server testing purposes, as setting the value to other than 53, the default, will inhibit communications with the global DNS.
  yes

preferred-glue (A | AAAA | NONE);
  Specifies the preferred resource record type that will be placed first in the additional section of a query response for an NS record. The default is NONE, i.e., no preference.
  yes | yes

provide-ixfr (yes | no);
  Used in options or server statements to configure whether a server that is master for its zones honors IXFR requests from slaves.
  yes | yes

pubkey flags protocol algorithm publickey;
  Ignored in BIND 9 - specifies a public key (with subfields similar to a DNSKEY resource record) for the associated zone.
  N/A | N/A | N/A

query-source (IPv4_address | *) [port (port | *)] | [address (IPv4_address | *)] [port (port | *)];
  Defines the local network interface (IPv4 address) and source port for UDP-based queries issued to other servers to obtain a query answer. TCP-based queries always use a random source port, and it is recommended that UDP queries do so as well to reduce the risk of cache poisoning; therefore, the port parameter should generally not be specified.
  yes | yes

query-source-v6 (IPv6_address | *) [port (port | *)] | [address (IPv6_address | *)] [port (port | *)];
  Defines the local network interface (IPv6 address) and source port for UDP-based queries issued to other servers to obtain a query answer. TCP-based queries always use a random source port, and it is recommended that UDP queries do so as well to reduce the risk of cache poisoning; therefore, the port parameter should generally not be specified.
  yes | yes

querylog (yes | no);
  When set to yes, logging of queries is enabled upon named startup; query logging is otherwise determined by the queries logging category setting.
  yes

queryport-pool-ports number;
  Obsolete. Specifies the number of candidate ports randomly generated for use in setting the IP port on outgoing queries. The default is 8 port numbers. (New in BIND 9.5.0, though obsoleted by the port randomization feature of BIND 9.5.0-P2 and other P2 releases.)
  N/A | N/A

queryport-pool-updateinterval minutes;
  Obsolete. Specifies the number of minutes between refreshes of the query port pool. When minutes has elapsed, the query port pool is regenerated. The default is 15 minutes. (New in BIND 9.5.0, though obsoleted by the port randomization feature of BIND 9.5.0-P2 and other P2 releases.)
  N/A | N/A

random-device pathname;
  Specifies the device or file used as a source of entropy or random data, primarily for DNSSEC operations such as key generation for dynamic updates of secure zones.
  yes

recursing-file pathname;
  Specifies the pathname of the file to which named dumps the set of currently recursing queries when so instructed via the rndc recursing command. The default is named.recursing. (New in BIND 9.5.0)
  yes

recursion (yes | no);
  Turns recursion on or off. If set to yes, the server will perform recursion to obtain the answer for the client; if no, the server will attempt to give an authoritative answer, cached information, or a referral to another name server.
  yes | yes

recursive-clients number;
  Defines the maximum number of simultaneous recursive lookups the server will perform on behalf of clients (default = 1000).
  yes

request-ixfr (yes | no);
  Used in options or server statements to configure whether a slave requests IXFRs from its master.
  yes | yes
  yes

request-nsid (yes | no);
  Configures the server to request the name server identifier (NSID) in queries to other servers during the resolution process.
  yes | yes

reserved-sockets number;
  Specifies the number of file descriptors supported by the operating system, so that named stays within this constraint (default = 512).
  yes

resolver-query-timeout seconds;
  Specifies the number of seconds the server should await a response to a query before failing (SERVFAIL). The default is 10 and the maximum is 30.
  yes

response-policy { zone [ policy (given | no-op | nxdomain | nodata | cname domain) ]; };
  Enables modified responses to queries for the specified zone in accordance with the response policy zone initiative, whereby domain registrars may share valid (e.g., non-spammer) domain names to enable their resolution while not resolving, modifying or otherwise processing responses for "invalid" domain names as identified via blacklist/whitelist queries.
  yes | yes

rfc2308-type1 (yes | no);
  Not yet implemented. Specifies that the server should send the zone's NS records along with the SOA in negative responses for the zone.
  N/A | N/A

root-delegation-only [ exclude { namelist } ];
  Enables enforcement of delegation-only processing in the root and TLDs, except for those domains listed within the namelist after the exclude keyword.
  yes | yes

rrset-order { order-stmt; [ order-stmt; ] };

  where:

  order-stmt = [ type rrtype ] [ name domainname ] order ordertype

  Enables specification of the ordering of resource records when multiple records apply to the query. The rrtype parameter refers to a resource record type (e.g., MX) and domainname to a given domain name (e.g., ipamworldwide.com).

  Ordering (ordertype) may be:
  • fixed (the order in which they are defined in the zone)
  • random, or
  • cyclic (round-robin).

  Note: the fixed ordertype has not yet been fully implemented in BIND 9.
  yes | yes

secroots-file pathname;
  Specifies the pathname of the file to which the rndc secroots command dumps security roots (default = named.secroots).
  yes

serial-queries number;
  Ignored in BIND 9 and superseded by the serial-query-rate option. This option had specified the maximum number of outstanding serial number queries.
  N/A

serial-query-rate number_per_second;
  Specifies the maximum number of serial number queries per second to be sent to the master (across all zones) (default = 20).
  yes

server-addresses { [ IP_address; ... ] };
  Configures the name server IP addresses (IPv4 and/or IPv6) for this static-stub zone.
  yes

server-id server-id_string;
  Specifies the ID that the server should provide in response to a name server identifier (NSID) query or a query for the owner ID.SERVER of type TXT in class CHAOS. This information can be helpful in identifying the responding server in an anycast deployment. Defining the server-id_string as none (the default) disables responses to such queries, and setting it to hostname returns the configured hostname (per the gethostbyname() sockets call).
  yes

server-names { [ namelist ] };
  Configures the name server host domain names (NS rdata fields) for this static-stub zone.
  yes

session-keyalg algorithm;
  When BIND's pre-defined update-policy local; is configured, named automatically creates a TSIG key to sign local dynamic updates. By default, the key generation algorithm is HMAC-SHA256, but this option enables overriding that default. Valid values of algorithm are: hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-md5.
  yes

session-keyfile (pathname | none);
  When BIND's pre-defined update-policy local; is configured, named automatically creates a TSIG key to sign local dynamic updates. By default, the key file is /var/run/named/session.key, though an alternative pathname may be defined using this option.
  yes

session-keyname keyname;
  When BIND's pre-defined update-policy local; is configured, named automatically creates a TSIG key to sign local dynamic updates. By default, the keyname is local-ddns, though this option may be specified to define a different keyname.

sig-signing-nodes integer;
  Specifies the maximum number of 'nodes' (unique RRSet owners) that are examined during a zone re-signing evaluation to determine whether re-signing is required for each. The default is 100.
  yes | yes | yes

sig-signing-signatures number;
  Specifies the maximum number of RRSets that will be re-signed during an automatic re-signing process. This option bounds the number of signatures performed during a re-sign. The default is 10.
  yes | yes | yes

sig-signing-type integer;
  Specifies the RData type to be used when generating key signing records. The default is 65535.
  yes | yes | yes

sig-validity-interval days [re-sign];
  Defines the expiration date, as the number of days in the future, for DNSSEC signatures automatically generated for dynamic updates to a secure zone. The default is 30 days and the maximum value is 10 years. The re-sign parameter defines the remaining time on RRSet signatures within which the server should re-sign the RRSet. If days is < 7, then re-sign is defined in units of hours; otherwise it is in days. If re-sign is not specified, days/4 will be used as the assumed re-sign value.
  yes | yes | yes

sortlist { address_match_list };
  Enables ordering of query responses based on the source of the query, responding with a preferred list of responses. The syntax and interpretation of the sortlist option are described separately.
  yes | yes

stacksize size;
  Defines the maximum size of stack memory the server may use. The default is default, which is the amount of stack memory allocated by the operating system by default.
  yes

statistics-file pathname;
  Specifies the pathname of the file to which the server appends statistics when the rndc stats command is executed. The default is named.stats.
  yes

statistics-interval minutes;
  Defines the interval at which server statistics are logged. The default is 60 [minutes]. This option has not yet been implemented in BIND.
  N/A

suppress-initial-notify (yes | no);
  This option has not yet been implemented in BIND.
  N/A | N/A

tcp-clients number;
  Limits the number of concurrent TCP connections (default = 100).
  yes

tcp-listen-queue number;
  Specifies the queue depth for listening for TCP connections (default and minimum = 3).
  yes

tkey-dhkey key_name key_tag;
  This option specifies the Diffie-Hellman key to use to generate shared keys with clients when using the Diffie-Hellman mode of TKEY. In most cases, the key name should be the server's hostname.
  yes

tkey-domain domainname;
  This option specifies the domainname that should be appended to the names of all shared keys generated during a TKEY exchange. In most cases, the domainname should be the server's domain name.
  yes

tkey-gssapi-credential principal;
  New in BIND 9.5.0, this option configures the credential to be used to authenticate keys for use with the GSS-TSIG protocol, e.g., when performing secure updates to Microsoft Windows DNS. Currently a Kerberos principal is supported.
  yes

tkey-gssapi-keytab pathname;
  Defines the pathname of the key file used to authenticate Kerberos 5 credentials. If not set, the typical system key file is /etc/krb5.keytab.
  yes

topology { address_match_list };
  Defines a preferential listing of networks, defined within an address match list, on which name servers will be queried. The interpretation of the topology option is described separately, though this option has not yet been implemented in BIND.
  N/A | N/A

transfer-format (many-answers | one-answer);
  Specifies, on a master server, which format to employ for zone transfers: one-answer means one resource record per message, while many-answers (the default) means multiple records, as many as will fit within the message size, are placed within each transfer message.
  yes | yes

transfer-source (IPv4_address | *) [port port];
  Defines the server's network interface (IPv4 address and optionally port number) to which incoming zone transfers will be bound. This option also specifies the source IP address and optionally the source UDP port for SOA query messages and forwarded dynamic updates.
  yes | yes
  yes | yes

transfer-source-v6 (IPv6_address | *) [port port];
  Defines the server's network interface (IPv6 address and optionally port number) to which inbound zone transfers will be bound. This option also specifies the source IPv6 address and optionally the source UDP port for SOA query messages and forwarded dynamic updates.
  yes | yes
  yes | yes

transfers-in number;
  Specifies a limit on the total number of concurrently running inbound zone transfers (default = 10).
  yes

transfers-out number;
  Specifies a limit on the total number of concurrently running outbound zone transfers (default = 10).
  yes

transfers-per-ns number;
  Specifies a limit on the number of concurrently running inbound zone transfers from any given server (default = 2).
  yes

treat-cr-as-space (yes | no);
  Treats CR+NL at the end of a line as simply NL, so that files created on Windows systems (CR+NL) can be loaded on a Unix/Linux server. This option is ignored in BIND 9, as both NL and CR+NL forms are accepted.
  N/A

try-tcp-refresh (yes | no);
  If a zone refresh query via UDP fails, this option, when set to yes, configures the server to retry using TCP. The default is yes. (New option in BIND 9.5.0)
  yes | yes
  yes

update-check-ksk (yes | no);
  Configures the server to use KSK(s) (DNSKEY resource records with the KSK flag set) to sign the DNSKEY RRset only (if set to yes), or to ignore the KSK flag and use all zone keys to sign the zone (if set to no). The default of yes effectively requires the use of separate KSKs and ZSKs per zone, while a setting of no enables the use of one key per zone.
  yes | yes | yes

update-policy { grant|deny identity nametype name [types] };
  Enables finer-grained control of dynamic updates over and in lieu of allow-update. Please refer to the update-policy page for details.
  yes

use-alt-transfer-source (yes | no);
  Controls the use of the alternative transfer source options for IPv4 and IPv6 (alt-transfer-source and alt-transfer-source-v6 respectively).
  yes | yes
  yes | yes

use-id-pool (yes | no);
  Obsolete - BIND 9 always uses random DNS message IDs in queries to prevent response spoofing, without this option having to be set to yes.
  N/A

use-ixfr (yes | no);
  Obsolete - BIND 9 always uses IXFR by default, though use of IXFR can be controlled via the provide-ixfr and request-ixfr statements in the options block or within a server statement block.
  N/A

use-queryport-pool (yes | no);
  Obsolete. Configures the server to randomize the source IP port in queries to other servers. This option is overridden if the query-source or query-source-v6 option is configured. (New in BIND 9.5.0, though obsoleted by the port randomization feature of BIND 9.5.0-P2 and other P2 releases.)
  N/A | N/A

use-v4-udp-ports { port_list; };
  Specifies a range or pool of port numbers from which a randomly selected value will be used as the source port for outbound IPv4 queries. Values set in the avoid-v4-udp-ports option will be excluded from this port list during port number generation. The default range is 1024 to 65535.
  Note: Make sure your port range coincides with the ports permitted for named by the operating system on which it is running; otherwise, queries using these port numbers will fail.
  yes

use-v6-udp-ports { port_list; };
  Specifies a range or pool of port numbers from which a randomly selected value will be used as the source port for outbound IPv6 queries. Values set in the avoid-v6-udp-ports option will be excluded from this port list during port number generation. The default range is 1024 to 65535.
  Note: Make sure your port range coincides with the ports permitted for named by the operating system on which it is running; otherwise, queries using these port numbers will fail.
  yes

version version_string;
  This option specifies the string the server should provide in response to a TXT query of class CHAOS for the name version.bind. Setting version_string to 'none' disables responding to these queries.
  yes

zero-no-soa-ttl (yes | no);
  Instructs the server to set the TTL to zero when returning an authoritative negative response to an SOA query (default = yes).
  yes | yes | yes | yes

zero-no-soa-ttl-cache (yes | no);
  Instructs the server, when caching a negative response to an SOA query, to set the TTL to zero (default = no).
  yes | yes

zone-statistics (yes | no);
  Instructs the server to collect statistical data on all zones (or, per zone, to control/override this in the zone statement). These statistics can be accessed via the rndc stats command, which appends them to the file identified in the statistics-file option.
  yes | yes | yes | yes | yes | yes