Grammar: statistics-file <quoted_string>;
Blocks: options
│ │ │ │ -Tags: logging, server
│ │ │ │ +Tags: server, logging
│ │ │ │Specifies the pathname of the file where the server appends statistics, when using rndc stats.
This is the pathname of the file the server appends statistics to, when
│ │ │ │ instructed to do so using rndc stats. If not specified, the
│ │ │ │ default is named.stats in the server’s current directory. The
│ │ │ │ format of the file is described in The Statistics File.
Grammar: zone-statistics ( full | terse | none | <boolean> );
Blocks: options, view, zone (mirror, primary, redirect, secondary, static-stub, stub)
│ │ │ │ -Tags: logging, zone
│ │ │ │ +Tags: zone, logging
│ │ │ │Controls the level of statistics gathered for all zones.
│ │ │ │ │ │ │ │If full, the server collects statistical data on all zones,
│ │ │ │ unless specifically turned off on a per-zone basis by specifying
│ │ │ │ zone-statistics terse or zone-statistics none in the zone
│ │ │ │ statement. The statistical data includes, for example, DNSSEC signing
│ │ │ │ operations and the number of authoritative answers per query type. The
│ │ │ │ @@ -2871,15 +2871,15 @@
│ │ │ │
Grammar: allow-new-zones <boolean>;
Blocks: options, view
│ │ │ │ -Tags: server, zone
│ │ │ │ +Tags: zone, server
│ │ │ │Controls the ability to add zones at runtime via rndc addzone.
If yes, then zones can be added at runtime via rndc addzone.
│ │ │ │ The default is no.
Newly added zones’ configuration parameters are stored so that they
│ │ │ │ can persist after the server is restarted. The configuration
│ │ │ │ information is saved in a file called viewname.nzf (or, if
│ │ │ │ @@ -2908,15 +2908,15 @@
│ │ │ │
Grammar: memstatistics <boolean>;
Blocks: options
│ │ │ │ -Tags: server, logging
│ │ │ │ +Tags: logging, server
│ │ │ │Controls whether memory statistics are written to the file specified by memstatistics-file at exit.
This writes memory statistics to the file specified by
│ │ │ │ memstatistics-file at exit. The default is no unless -m
│ │ │ │ record is specified on the command line, in which case it is yes.
Grammar: request-expire <boolean>;
Blocks: options, server, view, zone (mirror, secondary), view.server
│ │ │ │ -Tags: transfer, query
│ │ │ │ +Tags: query, transfer
│ │ │ │Specifies whether the local server requests the EDNS EXPIRE value, when acting as a secondary.
│ │ │ │ │ │ │ │The request-expire statement determines whether the local server, when
│ │ │ │ acting as a secondary, requests the EDNS EXPIRE value. The EDNS EXPIRE
│ │ │ │ value indicates the remaining time before the zone data expires and
│ │ │ │ needs to be refreshed. This is used when a secondary server transfers
│ │ │ │ a zone from another secondary server; when transferring from the
│ │ │ │ @@ -3705,15 +3705,15 @@
│ │ │ │
Grammar: querylog <boolean>;
Blocks: options
│ │ │ │ -Tags: logging, server
│ │ │ │ +Tags: server, logging
│ │ │ │Specifies whether query logging should be active when named first starts.
Query logging provides a complete log of all incoming queries and all query │ │ │ │ errors. This provides more insight into the server’s activity, but with a │ │ │ │ cost to performance which may be significant on heavily loaded servers.
│ │ │ │The querylog option specifies whether query logging should be active when
│ │ │ │ named first starts. If querylog is not specified, then query logging
│ │ │ │ @@ -3860,28 +3860,28 @@
│ │ │ │
Grammar: zero-no-soa-ttl <boolean>;
Blocks: options, view, zone (mirror, primary, secondary)
│ │ │ │ -Tags: server, zone, query
│ │ │ │ +Tags: zone, server, query
│ │ │ │Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries.
│ │ │ │ │ │ │ │If yes, when returning authoritative negative responses to SOA queries, set
│ │ │ │ the TTL of the SOA record returned in the authority section to zero.
│ │ │ │ The default is yes.
Grammar: zero-no-soa-ttl-cache <boolean>;
Blocks: options, view
│ │ │ │ -Tags: server, zone, query
│ │ │ │ +Tags: zone, server, query
│ │ │ │Sets the time to live (TTL) to zero when caching a negative response to an SOA query.
│ │ │ │ │ │ │ │If yes, when caching a negative response to an SOA query set the TTL to zero.
│ │ │ │ The default is no.
Grammar: notify-rate <integer>;
Blocks: options
│ │ │ │ -Tags: transfer, zone
│ │ │ │ +Tags: zone, transfer
│ │ │ │Specifies the rate at which NOTIFY requests are sent during normal zone maintenance operations.
│ │ │ │ │ │ │ │This specifies the rate at which NOTIFY requests are sent during normal zone │ │ │ │ maintenance operations. (NOTIFY requests due to initial zone loading │ │ │ │ are subject to a separate rate limit; see below.) The default is 20 │ │ │ │ per second. The lowest possible rate is one per second; when set to │ │ │ │ zero, it is silently raised to one.
│ │ │ │Grammar: startup-notify-rate <integer>;
Blocks: options
│ │ │ │ -Tags: transfer, zone
│ │ │ │ +Tags: zone, transfer
│ │ │ │Specifies the rate at which NOTIFY requests are sent when the name server is first starting, or when new zones have been added.
│ │ │ │ │ │ │ │This is the rate at which NOTIFY requests are sent when the name server │ │ │ │ is first starting up, or when zones have been newly added to the │ │ │ │ name server. The default is 20 per second. The lowest possible rate is │ │ │ │ one per second; when set to zero, it is silently raised to one.
│ │ │ │Grammar: max-records <integer>;
Blocks: options, view, zone (mirror, primary, redirect, secondary, static-stub, stub)
│ │ │ │ -Tags: server, zone
│ │ │ │ +Tags: zone, server
│ │ │ │Sets the maximum number of records permitted in a zone.
│ │ │ │ │ │ │ │This sets the maximum number of records permitted in a zone. The default is │ │ │ │ zero, which means the maximum is unlimited.
│ │ │ │Grammar: masterfile-format ( raw | text );
Blocks: options, view, zone (mirror, primary, redirect, secondary, stub)
│ │ │ │ -Tags: server, zone
│ │ │ │ +Tags: zone, server
│ │ │ │Specifies the file format of zone files.
│ │ │ │ │ │ │ │This specifies the file format of zone files (see Additional File Formats
│ │ │ │ for details). The default value is text, which is the standard
│ │ │ │ textual representation, except for secondary zones, in which the default
│ │ │ │ value is raw. Files in formats other than text are typically
│ │ │ │ expected to be generated by the named-compilezone tool, or dumped by
│ │ │ │ @@ -6237,15 +6237,15 @@
│ │ │ │
Grammar: notify-delay <integer>;
Blocks: options, view, zone (mirror, primary, secondary)
│ │ │ │ -Tags: transfer, zone
│ │ │ │ +Tags: zone, transfer
│ │ │ │Sets the delay (in seconds) between sending sets of NOTIFY messages for a zone.
│ │ │ │ │ │ │ │This sets the delay, in seconds, between sending sets of NOTIFY messages │ │ │ │ for a zone. Whenever a NOTIFY message is sent for a zone, a timer will │ │ │ │ be set for this duration. If the zone is updated again before the timer │ │ │ │ expires, the NOTIFY for that update will be postponed. The default is 5 │ │ │ │ seconds.
│ │ │ │ @@ -6570,50 +6570,50 @@ │ │ │ │ to deeper in the tree. │ │ │ │ │ │ │ │Grammar: empty-server <string>;
Blocks: options, view
│ │ │ │ -Tags: server, zone
│ │ │ │ +Tags: zone, server
│ │ │ │Specifies the server name in the returned SOA record for empty zones.
│ │ │ │ │ │ │ │This specifies the server name that appears in the returned SOA record for │ │ │ │ empty zones. If none is specified, the zone’s name is used.
│ │ │ │Grammar: empty-contact <string>;
Blocks: options, view
│ │ │ │ -Tags: server, zone
│ │ │ │ +Tags: zone, server
│ │ │ │Specifies the contact name in the returned SOA record for empty zones.
│ │ │ │ │ │ │ │This specifies the contact name that appears in the returned SOA record for │ │ │ │ empty zones. If none is specified, “.” is used.
│ │ │ │Grammar: empty-zones-enable <boolean>;
Blocks: options, view
│ │ │ │ -Tags: server, zone
│ │ │ │ +Tags: zone, server
│ │ │ │Enables or disables all empty zones.
│ │ │ │ │ │ │ │This enables or disables all empty zones. By default, they are enabled.
│ │ │ │Grammar: disable-empty-zone <string>; // may occur multiple times
Blocks: options, view
│ │ │ │ -Tags: server, zone
│ │ │ │ +Tags: zone, server
│ │ │ │Disables individual empty zones.
│ │ │ │ │ │ │ │This disables individual empty zones. By default, none are disabled. This │ │ │ │ option can be specified multiple times.
│ │ │ │Grammar: response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
Blocks: options, view
│ │ │ │ -Tags: server, security, zone, query
│ │ │ │ +Tags: zone, server, query, security
│ │ │ │Specifies response policy zones for the view or among global options.
│ │ │ │ │ │ │ │Response policy zones are named in the response-policy option for
│ │ │ │ the view, or among the global options if there is no response-policy
│ │ │ │ option for the view. Response policy zones are ordinary DNS zones
│ │ │ │ containing RRsets that can be queried normally if allowed. It is usually
│ │ │ │ best to restrict those queries with something like
│ │ │ │ @@ -9846,15 +9846,15 @@
│ │ │ │ in-view <string>;
│ │ │ │ };
│ │ │ │
│ │ │ │
│ │ │ │
Grammar zone (in-view): in-view <string>;
Blocks: zone, zone (in-view), view.zone
│ │ │ │ -Tags: view, zone
│ │ │ │ +Tags: zone, view
│ │ │ │Specifies the view in which a given zone is defined.
│ │ │ │ │ │ │ │When using multiple views, a type primary or type secondary zone configured
│ │ │ │ in one view can be referenced in a subsequent view. This allows both views
│ │ │ │ to use the same zone without the overhead of loading it more than once. This
│ │ │ │ is configured using a zone statement, with an in-view option
│ │ │ │ specifying the view in which the zone is defined. A zone statement
│ │ │ │ @@ -10462,15 +10462,15 @@
│ │ │ │
Limits UDP responses of all kinds.
│ │ │ │query
Controls the ability to add zones at runtime via rndc addzone.
server, zone
zone, server
Defines an address_match_list that is allowed to send NOTIFY messages for the zone, in addition to addresses defined in the primaries option for the zone.
transfer
Disables DS digest types from a specified zone.
│ │ │ │zone, dnssec
Disables individual empty zones.
│ │ │ │server, zone
zone, server
Configures a Dynamically Loadable Zone (DLZ) database in named.conf.
zone
Sets the maximum EDNS VERSION that is sent to the server(s) by the resolver.
│ │ │ │server
Specifies the contact name in the returned SOA record for empty zones.
│ │ │ │server, zone
zone, server
Specifies the server name in the returned SOA record for empty zones.
│ │ │ │server, zone
zone, server
Enables or disables all empty zones.
│ │ │ │server, zone
zone, server
Specifies a list of HTTP query paths on which to listen.
│ │ │ │server, query
Specifies the TCP port number the server uses to receive and send DNS-over-HTTPS protocol traffic.
│ │ │ │server, query
Specifies the view in which a given zone is defined.
│ │ │ │view, zone
zone, view
Specifies a TCP socket as a control channel.
│ │ │ │server
Specifies an access control list (ACL) of IPv4 addresses that are to be mapped to the corresponding A RRset in dns64.
query
Specifies the file format of zone files.
│ │ │ │server, zone
zone, server
Specifies the format of zone files during a dump, when the masterfile-format is text.
server
Specifies the maximum retention time (in seconds) for storage of negative answers in the server's cache.
│ │ │ │server
Sets the maximum number of records permitted in a zone.
│ │ │ │server, zone
zone, server
Sets the maximum number of records that can be stored in an RRset
│ │ │ │server
Specifies a maximum permissible time-to-live (TTL) value, in seconds.
│ │ │ │zone, query
Controls whether memory statistics are written to the file specified by memstatistics-file at exit.
server, logging
logging, server
Sets the pathname of the file where the server writes memory usage statistics on exit.
│ │ │ │logging
Controls whether NOTIFY messages are sent on zone changes.
transfer
Sets the delay (in seconds) between sending sets of NOTIFY messages for a zone.
│ │ │ │transfer, zone
zone, transfer
Specifies the rate at which NOTIFY requests are sent during normal zone maintenance operations.
│ │ │ │transfer, zone
zone, transfer
Defines the IPv4 address (and optional port) to be used for outgoing NOTIFY messages.
transfer
Controls the IPv6 address from which queries are issued.
│ │ │ │query
Specifies whether query logging should be active when named first starts.
logging, server
server, logging
Controls excessive UDP responses, to prevent BIND 9 from being used to amplify reflection denial-of-service (DoS) attacks.
│ │ │ │query
Specifies the expected hostname in the TLS certificate of the remote server.
│ │ │ │security
Specifies whether the local server requests the EDNS EXPIRE value, when acting as a secondary.
│ │ │ │transfer, query
query, transfer
Controls whether a secondary requests an incremental zone transfer (IXFR) or a full zone transfer (AXFR).
│ │ │ │transfer
Adds an EDNS Padding option to encrypted messages, to reduce the chance of guessing the contents based on size.
│ │ │ │query
Specifies response policy zones for the view or among global options.
│ │ │ │server, security, zone, query
zone, server, query, security
Limits the number of non-empty responses for a valid domain name and record type.
│ │ │ │query
Sets the time window for the return of "stale" cached answers before the next attempt to contact, if the name servers for a given zone are not responding.
│ │ │ │server, query
Specifies the rate at which NOTIFY requests are sent when the name server is first starting, or when new zones have been added.
│ │ │ │transfer, zone
zone, transfer
Specifies the communication channels to be used by system administrators to access statistics information on the name server.
│ │ │ │logging
Specifies the pathname of the file where the server appends statistics, when using rndc stats.
logging, server
server, logging
Directs the logging channel output to the server's standard error stream.
│ │ │ │logging
Specifies the length of time during which responses are tracked.
│ │ │ │query
Specifies whether to set the time to live (TTL) of the SOA record to zero, when returning authoritative negative responses to SOA queries.
│ │ │ │server, zone, query
zone, server, query
Sets the time to live (TTL) to zero when caching a negative response to an SOA query.
│ │ │ │server, zone, query
zone, server, query
Specifies the zone in a BIND 9 configuration.
│ │ │ │zone
Sets the propagation delay from the time a zone is first updated to when the new version of the zone is served by all secondary servers.
│ │ │ │zone, dnssec
Controls the level of statistics gathered for all zones.
│ │ │ │logging, zone
zone, logging
These tables group the various statements permissible in named.conf by
│ │ │ │ ├── html2text {}
│ │ │ │ │ @@ -2414,1274 +2414,1232 @@
│ │ │ │ │ Zone_Tag_Statements relate to or control zone behavior, and typically only
│ │ │ │ │ appear in a zone block.
│ │ │ │ │ Deprecated_Tag_Statements are those that are now deprecated, but are included
│ │ │ │ │ here for historical reference.
│ │ │ │ │ The following table lists all statements permissible in named.conf, with their
│ │ │ │ │ associated tags; the next section groups the statements by tag. Please note
│ │ │ │ │ that these sections are a work in progress.
│ │ │ │ │ -Statement Description Tags
│ │ │ │ │ -acl Assigns a symbolic name to server
│ │ │ │ │ - an address match list.
│ │ │ │ │ -algorithm Defines the algorithm to be security
│ │ │ │ │ - used in a key clause.
│ │ │ │ │ -all-per-second Limits UDP responses of all query
│ │ │ │ │ - kinds.
│ │ │ │ │ - Controls the ability to add
│ │ │ │ │ -allow-new-zones zones at runtime via rndc server, zone
│ │ │ │ │ - addzone.
│ │ │ │ │ - Defines an
│ │ │ │ │ - address_match_list that is
│ │ │ │ │ - allowed to send NOTIFY
│ │ │ │ │ -allow-notify messages for the zone, in transfer
│ │ │ │ │ - addition to addresses
│ │ │ │ │ - defined in the primaries
│ │ │ │ │ - option for the zone.
│ │ │ │ │ - Specifies which hosts (an
│ │ │ │ │ -allow-query IP address list) are query
│ │ │ │ │ - allowed to send queries to
│ │ │ │ │ - this resolver.
│ │ │ │ │ - Specifies which hosts (an
│ │ │ │ │ - IP address list) can access
│ │ │ │ │ -allow-query-cache this server's cache and query
│ │ │ │ │ - thus effectively controls
│ │ │ │ │ - recursion.
│ │ │ │ │ - Specifies which hosts (an
│ │ │ │ │ - IP address list) can access
│ │ │ │ │ -allow-query-cache-on this server's cache. Used query
│ │ │ │ │ - on servers with multiple
│ │ │ │ │ - interfaces.
│ │ │ │ │ - Specifies which local
│ │ │ │ │ - addresses (an IP address
│ │ │ │ │ -allow-query-on list) are allowed to send query
│ │ │ │ │ - queries to this resolver.
│ │ │ │ │ - Used in multi-homed
│ │ │ │ │ - configurations.
│ │ │ │ │ - Defines an
│ │ │ │ │ -allow-recursion address_match_list of query
│ │ │ │ │ - clients that are allowed to
│ │ │ │ │ - perform recursive queries.
│ │ │ │ │ - Specifies which local
│ │ │ │ │ -allow-recursion-on addresses can accept server, query
│ │ │ │ │ - recursive queries.
│ │ │ │ │ - Defines an
│ │ │ │ │ - address_match_list of hosts
│ │ │ │ │ -allow-transfer that are allowed to transfer
│ │ │ │ │ - transfer the zone
│ │ │ │ │ - information from this
│ │ │ │ │ - server.
│ │ │ │ │ - Defines an
│ │ │ │ │ - address_match_list of hosts
│ │ │ │ │ -allow-update that are allowed to submit transfer
│ │ │ │ │ - dynamic updates for primary
│ │ │ │ │ - zones.
│ │ │ │ │ - Defines an
│ │ │ │ │ - address_match_list of hosts
│ │ │ │ │ -allow-update-forwarding that are allowed to submit transfer
│ │ │ │ │ - dynamic updates to a
│ │ │ │ │ - secondary server for
│ │ │ │ │ - transmission to a primary.
│ │ │ │ │ - Defines one or more hosts
│ │ │ │ │ -also-notify that are sent NOTIFY transfer
│ │ │ │ │ - messages when zone changes
│ │ │ │ │ - occur.
│ │ │ │ │ - Defines alternate local
│ │ │ │ │ - IPv4 address(es) to be used
│ │ │ │ │ - by the server for inbound
│ │ │ │ │ -alt-transfer-source zone transfers, if the deprecated
│ │ │ │ │ - address(es) defined by
│ │ │ │ │ - transfer-source fail and
│ │ │ │ │ - use-alt-transfer-source is
│ │ │ │ │ - enabled.
│ │ │ │ │ - Defines alternate local
│ │ │ │ │ -alt-transfer-source-v6 IPv6 address(es) to be used deprecated
│ │ │ │ │ - by the server for inbound
│ │ │ │ │ - zone transfers.
│ │ │ │ │ - Controls whether COOKIE
│ │ │ │ │ -answer-cookie EDNS replies are sent in query
│ │ │ │ │ - response to client queries.
│ │ │ │ │ - Allows multiple views to
│ │ │ │ │ -attach-cache share a single cache view
│ │ │ │ │ - database.
│ │ │ │ │ - Controls whether BIND,
│ │ │ │ │ - acting as a resolver,
│ │ │ │ │ -auth-nxdomain provides authoritative query
│ │ │ │ │ - NXDOMAIN (domain does not
│ │ │ │ │ - exist) answers.
│ │ │ │ │ - Permits varying levels of
│ │ │ │ │ -auto-dnssec automatic DNSSEC key dnssec
│ │ │ │ │ - management.
│ │ │ │ │ - Controls the automatic
│ │ │ │ │ -automatic-interface-scan rescanning of network server
│ │ │ │ │ - interfaces when addresses
│ │ │ │ │ - are added or removed.
│ │ │ │ │ - Specifies the range(s) of
│ │ │ │ │ -avoid-v4-udp-ports ports to be excluded from deprecated
│ │ │ │ │ - use as sources for UDP/IPv4
│ │ │ │ │ - messages.
│ │ │ │ │ - Specifies the range(s) of
│ │ │ │ │ -avoid-v6-udp-ports ports to be excluded from deprecated
│ │ │ │ │ - use as sources for UDP/IPv6
│ │ │ │ │ - messages.
│ │ │ │ │ - Specifies the pathname of a
│ │ │ │ │ -bindkeys-file file to override the built- dnssec
│ │ │ │ │ - in trusted keys provided by
│ │ │ │ │ - named.
│ │ │ │ │ - Defines an
│ │ │ │ │ - address_match_list of hosts
│ │ │ │ │ -blackhole to ignore. The server will query
│ │ │ │ │ - neither respond to queries
│ │ │ │ │ - from nor send queries to
│ │ │ │ │ - these addresses.
│ │ │ │ │ -bogus Allows a remote server to server
│ │ │ │ │ - be ignored.
│ │ │ │ │ - Enables dns64 synthesis
│ │ │ │ │ -break-dnssec even if the validated query
│ │ │ │ │ - result would cause a DNSSEC
│ │ │ │ │ - validation failure.
│ │ │ │ │ -buffered Controls flushing of log logging
│ │ │ │ │ - messages.
│ │ │ │ │ - Specifies the path to a
│ │ │ │ │ - file containing TLS
│ │ │ │ │ -ca-file certificates for trusted CA server, security
│ │ │ │ │ - authorities, used to verify
│ │ │ │ │ - remote peer certificates.
│ │ │ │ │ -catalog-zones Configures catalog zones in zone
│ │ │ │ │ - named.conf.
│ │ │ │ │ - Specifies the type of data
│ │ │ │ │ -category logged to a particular logging
│ │ │ │ │ - channel.
│ │ │ │ │ - Specifies the path to a
│ │ │ │ │ -cert-file file containing the TLS server, security
│ │ │ │ │ - certificate for a
│ │ │ │ │ - connection.
│ │ │ │ │ - Defines a stream of data
│ │ │ │ │ -channel that can be independently logging
│ │ │ │ │ - logged.
│ │ │ │ │ - Checks primary zones for
│ │ │ │ │ - records that are treated as
│ │ │ │ │ -check-dup-records different by DNSSEC but are dnssec, query
│ │ │ │ │ - semantically equal in plain
│ │ │ │ │ - DNS.
│ │ │ │ │ - Performs post-load zone
│ │ │ │ │ -check-integrity integrity checks on primary zone
│ │ │ │ │ - zones.
│ │ │ │ │ - Checks whether an MX record
│ │ │ │ │ -check-mx appears to refer to an IP zone
│ │ │ │ │ - address.
│ │ │ │ │ - Sets the response to MX
│ │ │ │ │ -check-mx-cname records that refer to zone
│ │ │ │ │ - CNAMEs.
│ │ │ │ │ - Restricts the character set
│ │ │ │ │ - and syntax of certain
│ │ │ │ │ -check-names domain names in primary server, query
│ │ │ │ │ - files and/or DNS responses
│ │ │ │ │ - received from the network.
│ │ │ │ │ - Specifies whether to check
│ │ │ │ │ -check-sibling for sibling glue when zone
│ │ │ │ │ - performing integrity
│ │ │ │ │ - checks.
│ │ │ │ │ - Specifies whether to check
│ │ │ │ │ -check-spf for a TXT Sender Policy zone
│ │ │ │ │ - Framework record, if an SPF
│ │ │ │ │ - record is present.
│ │ │ │ │ - Sets the response to SRV
│ │ │ │ │ -check-srv-cname records that refer to zone
│ │ │ │ │ - CNAMEs.
│ │ │ │ │ -check-wildcard Checks for non-terminal zone
│ │ │ │ │ - wildcards.
│ │ │ │ │ -ciphers Specifies a list of allowed security
│ │ │ │ │ - ciphers.
│ │ │ │ │ - Specifies an access control
│ │ │ │ │ -clients list (ACL) of clients that query
│ │ │ │ │ - are affected by a given
│ │ │ │ │ - dns64 directive.
│ │ │ │ │ - Sets the initial minimum
│ │ │ │ │ - number of simultaneous
│ │ │ │ │ -clients-per-query recursive clients accepted server
│ │ │ │ │ - by the server for any given
│ │ │ │ │ - query before the server
│ │ │ │ │ - drops additional clients.
│ │ │ │ │ - Specifies control channels
│ │ │ │ │ -controls to be used to manage the server
│ │ │ │ │ - name server.
│ │ │ │ │ - Sets the algorithm to be
│ │ │ │ │ -cookie-algorithm used when generating a server
│ │ │ │ │ - server cookie.
│ │ │ │ │ - Specifies a shared secret
│ │ │ │ │ - used for generating and
│ │ │ │ │ -cookie-secret verifying EDNS COOKIE server
│ │ │ │ │ - options within an anycast
│ │ │ │ │ - cluster.
│ │ │ │ │ -coresize Sets the maximum size of a deprecated
│ │ │ │ │ - core dump.
│ │ │ │ │ - Specifies the type of
│ │ │ │ │ -database database to be used to zone
│ │ │ │ │ - store zone data.
│ │ │ │ │ - Sets the maximum amount of
│ │ │ │ │ -datasize data memory that can be deprecated
│ │ │ │ │ - used by the server.
│ │ │ │ │ - Indicates that a forward,
│ │ │ │ │ -delegation-only hint, or stub zone is to be deprecated
│ │ │ │ │ - treated as a delegation-
│ │ │ │ │ - only type zone.
│ │ │ │ │ - Rejects A or AAAA records
│ │ │ │ │ -deny-answer-addresses if the corresponding IPv4 query
│ │ │ │ │ - or IPv6 addresses match a
│ │ │ │ │ - given address_match_list.
│ │ │ │ │ - Rejects CNAME or DNAME
│ │ │ │ │ -deny-answer-aliases records if the "alias" name query
│ │ │ │ │ - matches a given list of
│ │ │ │ │ - domain_name elements.
│ │ │ │ │ - Specifies the path to a
│ │ │ │ │ -dhparam-file file containing Diffie- server, security
│ │ │ │ │ - Hellman parameters, for
│ │ │ │ │ - enabling cipher suites.
│ │ │ │ │ - Concentrates zone
│ │ │ │ │ - maintenance so that all
│ │ │ │ │ -dialup transfers take place once deprecated
│ │ │ │ │ - every heartbeat-interval,
│ │ │ │ │ - ideally during a single
│ │ │ │ │ - call.
│ │ │ │ │ -directory Sets the server's working server
│ │ │ │ │ - directory.
│ │ │ │ │ -disable-algorithms Disables DNSSEC algorithms dnssec
│ │ │ │ │ - from a specified zone.
│ │ │ │ │ -disable-ds-digests Disables DS digest types zone, dnssec
│ │ │ │ │ - from a specified zone.
│ │ │ │ │ -disable-empty-zone Disables individual empty server, zone
│ │ │ │ │ - zones.
│ │ │ │ │ - Configures a Dynamically
│ │ │ │ │ -dlz Loadable Zone (DLZ) zone
│ │ │ │ │ - database in named.conf.
│ │ │ │ │ - Instructs named to return
│ │ │ │ │ -dns64 mapped IPv4 addresses to query
│ │ │ │ │ - AAAA queries when there are
│ │ │ │ │ - no AAAA records.
│ │ │ │ │ -dns64-contact Specifies the name of the server
│ │ │ │ │ - contact for dns64 zones.
│ │ │ │ │ -dns64-server Specifies the name of the server
│ │ │ │ │ - server for dns64 zones.
│ │ │ │ │ - Specifies the number of
│ │ │ │ │ -dnskey-sig-validity days in the future when dnssec
│ │ │ │ │ - automatically generated
│ │ │ │ │ - DNSSEC signatures expire.
│ │ │ │ │ - Specifies the time to live
│ │ │ │ │ -dnskey-ttl (TTL) for DNSKEY resource dnssec
│ │ │ │ │ - records.
│ │ │ │ │ - Turns on the DNS Response
│ │ │ │ │ -dnsrps-enable Policy Service (DNSRPS) server, security
│ │ │ │ │ - interface.
│ │ │ │ │ - Provides additional RPZ
│ │ │ │ │ - configuration settings,
│ │ │ │ │ -dnsrps-options which are passed to the DNS server, security
│ │ │ │ │ - Response Policy Service
│ │ │ │ │ - (DNSRPS) provider library.
│ │ │ │ │ - Instructs BIND 9 to accept
│ │ │ │ │ -dnssec-accept-expired expired DNSSEC signatures dnssec
│ │ │ │ │ - when validating.
│ │ │ │ │ - Specifies that only key-
│ │ │ │ │ - signing keys are used to
│ │ │ │ │ -dnssec-dnskey-kskonly sign the DNSKEY, CDNSKEY, dnssec
│ │ │ │ │ - and CDS RRsets at a zone's
│ │ │ │ │ - apex.
│ │ │ │ │ - Sets the frequency of
│ │ │ │ │ -dnssec-loadkeys-interval automatic checks of the dnssec
│ │ │ │ │ - DNSSEC key repository.
│ │ │ │ │ - Defines hierarchies that
│ │ │ │ │ -dnssec-must-be-secure must or may not be secure deprecated
│ │ │ │ │ - (signed and validated).
│ │ │ │ │ -dnssec-policy Defines a key and signing dnssec
│ │ │ │ │ - policy (KASP) for zones.
│ │ │ │ │ - Allows a dynamic zone to
│ │ │ │ │ -dnssec-secure-to-insecure transition from secure to dnssec
│ │ │ │ │ - insecure by deleting all
│ │ │ │ │ - DNSKEY records.
│ │ │ │ │ - Controls the scheduled
│ │ │ │ │ -dnssec-update-mode maintenance of DNSSEC dnssec
│ │ │ │ │ - signatures.
│ │ │ │ │ -dnssec-validation Enables DNSSEC validation dnssec
│ │ │ │ │ - in named.
│ │ │ │ │ -dnstap Enables logging of dnstap logging
│ │ │ │ │ - messages.
│ │ │ │ │ - Specifies an identity
│ │ │ │ │ -dnstap-identity string to send in dnstap logging
│ │ │ │ │ - messages.
│ │ │ │ │ - Configures the path to
│ │ │ │ │ -dnstap-output which the dnstap frame logging
│ │ │ │ │ - stream is sent.
│ │ │ │ │ -dnstap-version Specifies a version string logging
│ │ │ │ │ - to send in dnstap messages.
│ │ │ │ │ - Sets the Differentiated
│ │ │ │ │ -dscp Services Code Point (DSCP) server, query
│ │ │ │ │ - value (obsolete).
│ │ │ │ │ - Specifies host names or
│ │ │ │ │ -dual-stack-servers addresses of machines with server
│ │ │ │ │ - access to both IPv4 and
│ │ │ │ │ - IPv6 transports.
│ │ │ │ │ - Indicates the pathname of
│ │ │ │ │ -dump-file the file where the server logging
│ │ │ │ │ - dumps the database after
│ │ │ │ │ - rndc_dumpdb.
│ │ │ │ │ -dyndb Configures a DynDB database zone
│ │ │ │ │ - in named.conf.
│ │ │ │ │ -edns Controls the use of the server
│ │ │ │ │ - EDNS0 (RFC_2671) feature.
│ │ │ │ │ - Sets the maximum advertised
│ │ │ │ │ - EDNS UDP buffer size to
│ │ │ │ │ -edns-udp-size control the size of packets query
│ │ │ │ │ - received from authoritative
│ │ │ │ │ - servers in response to
│ │ │ │ │ - recursive queries.
│ │ │ │ │ - Sets the maximum EDNS
│ │ │ │ │ -edns-version VERSION that is sent to the server
│ │ │ │ │ - server(s) by the resolver.
│ │ │ │ │ - Specifies the contact name
│ │ │ │ │ -empty-contact in the returned SOA record server, zone
│ │ │ │ │ - for empty zones.
│ │ │ │ │ - Specifies the server name
│ │ │ │ │ -empty-server in the returned SOA record server, zone
│ │ │ │ │ - for empty zones.
│ │ │ │ │ -empty-zones-enable Enables or disables all server, zone
│ │ │ │ │ - empty zones.
│ │ │ │ │ - Specifies a list of HTTP
│ │ │ │ │ -endpoints query paths on which to server, query
│ │ │ │ │ - listen.
│ │ │ │ │ - Limits the number of errors
│ │ │ │ │ -errors-per-second for a valid domain name and server
│ │ │ │ │ - record type.
│ │ │ │ │ - Allows a list of IPv6
│ │ │ │ │ - addresses to be ignored if
│ │ │ │ │ -exclude they appear in a domain query
│ │ │ │ │ - name's AAAA records in
│ │ │ │ │ - dns64.
│ │ │ │ │ - Exempts specific clients or
│ │ │ │ │ -exempt-clients client groups from rate query
│ │ │ │ │ - limiting.
│ │ │ │ │ - Sets the parameters for
│ │ │ │ │ - dynamic resizing of the
│ │ │ │ │ -fetch-quota-params fetches-per-server quota in server, query
│ │ │ │ │ - response to detected
│ │ │ │ │ - congestion.
│ │ │ │ │ - Sets the maximum number of
│ │ │ │ │ - simultaneous iterative
│ │ │ │ │ - queries allowed to be sent
│ │ │ │ │ -fetches-per-server by a server to an upstream server, query
│ │ │ │ │ - name server before the
│ │ │ │ │ - server blocks additional
│ │ │ │ │ - queries.
│ │ │ │ │ - Sets the maximum number of
│ │ │ │ │ - simultaneous iterative
│ │ │ │ │ -fetches-per-zone queries allowed to any one server, query
│ │ │ │ │ - domain before the server
│ │ │ │ │ - blocks new queries for data
│ │ │ │ │ - in or beneath that zone.
│ │ │ │ │ -file Specifies the zone's zone
│ │ │ │ │ - filename.
│ │ │ │ │ - Sets the maximum number of
│ │ │ │ │ -files files the server may have deprecated
│ │ │ │ │ - open concurrently.
│ │ │ │ │ - Controls whether pending
│ │ │ │ │ -flush-zones-on-shutdown zone writes are flushed zone
│ │ │ │ │ - when the name server exits.
│ │ │ │ │ - Allows or disallows
│ │ │ │ │ - fallback to recursion if
│ │ │ │ │ -forward forwarding has failed; it query
│ │ │ │ │ - is always used in
│ │ │ │ │ - conjunction with the
│ │ │ │ │ - forwarders statement.
│ │ │ │ │ - Defines one or more hosts
│ │ │ │ │ -forwarders to which queries are query
│ │ │ │ │ - forwarded.
│ │ │ │ │ - Sets the number of
│ │ │ │ │ -fstrm-set-buffer-hint accumulated bytes in the logging
│ │ │ │ │ - output buffer before
│ │ │ │ │ - forcing a buffer flush.
│ │ │ │ │ - Sets the number of seconds
│ │ │ │ │ -fstrm-set-flush-timeout that unflushed data remains logging
│ │ │ │ │ - in the output buffer.
│ │ │ │ │ - Sets the number of queue
│ │ │ │ │ -fstrm-set-input-queue-size entries to allocate for logging
│ │ │ │ │ - each input queue.
│ │ │ │ │ - Sets the number of
│ │ │ │ │ -fstrm-set-output-notify- outstanding queue entries
│ │ │ │ │ -threshold allowed on an input queue logging
│ │ │ │ │ - before waking the I/
│ │ │ │ │ - O thread.
│ │ │ │ │ -fstrm-set-output-queue- Sets the queuing semantics logging
│ │ │ │ │ -model to use for queue objects.
│ │ │ │ │ - Sets the number of queue
│ │ │ │ │ -fstrm-set-output-queue-size entries allocated for each logging
│ │ │ │ │ - output queue.
│ │ │ │ │ - Sets the number of seconds
│ │ │ │ │ -fstrm-set-reopen-interval to wait between attempts to logging
│ │ │ │ │ - reopen a closed output
│ │ │ │ │ - stream.
│ │ │ │ │ - Specifies the directory
│ │ │ │ │ -geoip-directory containing GeoIP database server
│ │ │ │ │ - files.
│ │ │ │ │ -glue-cache Deprecated. deprecated
│ │ │ │ │ - Sets the interval at which
│ │ │ │ │ -heartbeat-interval the server performs zone deprecated
│ │ │ │ │ - maintenance tasks for all
│ │ │ │ │ - zones marked as dialup.
│ │ │ │ │ - Specifies the hostname of
│ │ │ │ │ -hostname the server to return in server
│ │ │ │ │ - response to a hostname.bind
│ │ │ │ │ - query.
│ │ │ │ │ - Configures HTTP endpoints
│ │ │ │ │ -http on which to listen for DNS- server, query
│ │ │ │ │ - over-HTTPS (DoH) queries.
│ │ │ │ │ - Limits the number of active
│ │ │ │ │ -http-listener-clients concurrent connections on a server
│ │ │ │ │ - per-listener basis.
│ │ │ │ │ - Specifies the TCP port
│ │ │ │ │ - number the server uses to
│ │ │ │ │ -http-port receive and send server, query
│ │ │ │ │ - unencrypted DNS traffic via
│ │ │ │ │ - HTTP.
│ │ │ │ │ - Limits the number of active
│ │ │ │ │ -http-streams-per-connection concurrent HTTP/2 streams server
│ │ │ │ │ - on a per-connection basis.
│ │ │ │ │ - Specifies the TCP port
│ │ │ │ │ -https-port number the server uses to server, query
│ │ │ │ │ - receive and send DNS-over-
│ │ │ │ │ - HTTPS protocol traffic.
│ │ │ │ │ -in-view Specifies the view in which view, zone
│ │ │ │ │ - a given zone is defined.
│ │ │ │ │ -inet Specifies a TCP socket as a server
│ │ │ │ │ - control channel.
│ │ │ │ │ - Specifies whether BIND 9
│ │ │ │ │ -inline-signing maintains a separate signed zone, dnssec
│ │ │ │ │ - version of a zone.
│ │ │ │ │ - Sets the interval at which
│ │ │ │ │ -interface-interval the server scans the server
│ │ │ │ │ - network interface list.
│ │ │ │ │ - Specifies the prefix
│ │ │ │ │ -ipv4-prefix-length lengths of IPv4 address server
│ │ │ │ │ - blocks.
│ │ │ │ │ - Specifies the contact for
│ │ │ │ │ -ipv4only-contact the IPV4ONLY.ARPA zone server
│ │ │ │ │ - created by dns64.
│ │ │ │ │ - Enables automatic IPv4
│ │ │ │ │ -ipv4only-enable zones if a dns64 block is query
│ │ │ │ │ - configured.
│ │ │ │ │ - Specifies the name of the
│ │ │ │ │ -ipv4only-server server for the server, query
│ │ │ │ │ - IPV4ONLY.ARPA zone created
│ │ │ │ │ - by dns64.
│ │ │ │ │ - Specifies the prefix
│ │ │ │ │ -ipv6-prefix-length lengths of IPv6 address server
│ │ │ │ │ - blocks.
│ │ │ │ │ -ixfr-from-differences Controls how IXFR transfers transfer
│ │ │ │ │ - are calculated.
│ │ │ │ │ - Allows the default
│ │ │ │ │ -journal journal's filename to be zone
│ │ │ │ │ - overridden.
│ │ │ │ │ - Defines an
│ │ │ │ │ - address_match_list of
│ │ │ │ │ -keep-response-order addresses which do not server
│ │ │ │ │ - accept reordered answers
│ │ │ │ │ - within a single TCP stream.
│ │ │ │ │ - Defines a shared secret key
│ │ │ │ │ -key for use with TSIG or the security
│ │ │ │ │ - command channel.
│ │ │ │ │ - Indicates the directory
│ │ │ │ │ -key-directory where public and private dnssec
│ │ │ │ │ - DNSSEC key files are found.
│ │ │ │ │ - Specifies the path to a
│ │ │ │ │ -key-file file containing the private server, security
│ │ │ │ │ - TLS key for a connection.
│ │ │ │ │ - Specifies one or more
│ │ │ │ │ -keys server_key s to be used server, security
│ │ │ │ │ - with a remote server.
│ │ │ │ │ -lame-ttl Sets the resolver's lame server
│ │ │ │ │ - cache.
│ │ │ │ │ - Specifies the IPv4
│ │ │ │ │ -listen-on addresses on which a server server
│ │ │ │ │ - listens for DNS queries.
│ │ │ │ │ - Specifies the IPv6
│ │ │ │ │ -listen-on-v6 addresses on which a server server
│ │ │ │ │ - listens for DNS queries.
│ │ │ │ │ - Specifies a per-listener
│ │ │ │ │ -listener-clients quota for active server, query
│ │ │ │ │ - connections.
│ │ │ │ │ - Sets a maximum size for the
│ │ │ │ │ -lmdb-mapsize memory map of the new-zone server
│ │ │ │ │ - database in LMDB database
│ │ │ │ │ - format.
│ │ │ │ │ - Sets the pathname of the
│ │ │ │ │ - file on which named
│ │ │ │ │ -lock-file attempts to acquire a file server
│ │ │ │ │ - lock when starting for the
│ │ │ │ │ - first time.
│ │ │ │ │ - Tests rate-limiting
│ │ │ │ │ -log-only parameters without actually logging, query
│ │ │ │ │ - dropping any requests.
│ │ │ │ │ -logging Configures logging options logging
│ │ │ │ │ - for the name server.
│ │ │ │ │ -managed-keys Deprecated, use trust- deprecated
│ │ │ │ │ - anchors.
│ │ │ │ │ - Specifies the directory in
│ │ │ │ │ -managed-keys-directory which to store the files dnssec
│ │ │ │ │ - that track managed DNSSEC
│ │ │ │ │ - keys.
│ │ │ │ │ - Specifies an access control
│ │ │ │ │ - list (ACL) of IPv4
│ │ │ │ │ -mapped addresses that are to be query
│ │ │ │ │ - mapped to the corresponding
│ │ │ │ │ - A RRset in dns64.
│ │ │ │ │ -masterfile-format Specifies the file format server, zone
│ │ │ │ │ - of zone files.
│ │ │ │ │ - Specifies the format of
│ │ │ │ │ -masterfile-style zone files during a dump, server
│ │ │ │ │ - when the masterfile-format
│ │ │ │ │ - is text.
│ │ │ │ │ - Specifies a view of DNS
│ │ │ │ │ -match-clients namespace for a given view
│ │ │ │ │ - subset of client IP
│ │ │ │ │ - addresses.
│ │ │ │ │ - Specifies a view of DNS
│ │ │ │ │ -match-destinations namespace for a given view
│ │ │ │ │ - subset of destination IP
│ │ │ │ │ - addresses.
│ │ │ │ │ - Allows IPv4-mapped IPv6
│ │ │ │ │ - addresses to match address-
│ │ │ │ │ -match-mapped-addresses match list entries for server
│ │ │ │ │ - corresponding IPv4
│ │ │ │ │ - addresses.
│ │ │ │ │ - Specifies that only
│ │ │ │ │ -match-recursive-only recursive requests can view
│ │ │ │ │ - match this view of the DNS
│ │ │ │ │ - namespace.
│ │ │ │ │ - Sets the maximum amount of
│ │ │ │ │ - memory to use for an
│ │ │ │ │ -max-cache-size individual cache database server
│ │ │ │ │ - and its associated
│ │ │ │ │ - metadata.
│ │ │ │ │ - Specifies the maximum time
│ │ │ │ │ -max-cache-ttl (in seconds) that the server
│ │ │ │ │ - server caches ordinary
│ │ │ │ │ - (positive) answers.
│ │ │ │ │ - Sets the maximum number of
│ │ │ │ │ - simultaneous recursive
│ │ │ │ │ -max-clients-per-query clients accepted by the server
│ │ │ │ │ - server for any given query
│ │ │ │ │ - before the server drops
│ │ │ │ │ - additional clients.
│ │ │ │ │ - Sets the maximum size for
│ │ │ │ │ -max-ixfr-ratio IXFR responses to zone transfer
│ │ │ │ │ - transfer requests.
│ │ │ │ │ -max-journal-size Controls the size of transfer
│ │ │ │ │ - journal files.
│ │ │ │ │ - Specifies the maximum
│ │ │ │ │ - retention time (in seconds)
│ │ │ │ │ -max-ncache-ttl for storage of negative server
│ │ │ │ │ - answers in the server's
│ │ │ │ │ - cache.
│ │ │ │ │ - Sets the maximum number of
│ │ │ │ │ -max-records records permitted in a server, zone
│ │ │ │ │ - zone.
│ │ │ │ │ - Sets the maximum number of
│ │ │ │ │ -max-records-per-type records that can be stored server
│ │ │ │ │ - in an RRset
│ │ │ │ │ - Sets the maximum number of
│ │ │ │ │ - levels of recursion
│ │ │ │ │ -max-recursion-depth permitted at any one time server
│ │ │ │ │ - while servicing a recursive
│ │ │ │ │ - query.
│ │ │ │ │ - Sets the maximum number of
│ │ │ │ │ -max-recursion-queries iterative queries while server, query
│ │ │ │ │ - servicing a recursive
│ │ │ │ │ - query.
│ │ │ │ │ - Limits the zone refresh
│ │ │ │ │ -max-refresh-time interval to no less often transfer
│ │ │ │ │ - than the specified value,
│ │ │ │ │ - in seconds.
│ │ │ │ │ - Limits the zone refresh
│ │ │ │ │ -max-retry-time retry interval to no less transfer
│ │ │ │ │ - often than the specified
│ │ │ │ │ - value, in seconds.
│ │ │ │ │ - Sets the maximum RSA
│ │ │ │ │ -max-rsa-exponent-size exponent size (in bits) dnssec, query
│ │ │ │ │ - when validating.
│ │ │ │ │ - Specifies the maximum time
│ │ │ │ │ - that the server retains
│ │ │ │ │ -max-stale-ttl records past their normal server
│ │ │ │ │ - expiry, to return them as
│ │ │ │ │ - stale records.
│ │ │ │ │ - Sets the maximum size of
│ │ │ │ │ -max-table-size the table used to track server
│ │ │ │ │ - requests and rate-limit
│ │ │ │ │ - responses.
│ │ │ │ │ - Specifies the number of
│ │ │ │ │ -max-transfer-idle-in minutes after which inbound transfer
│ │ │ │ │ - zone transfers making no
│ │ │ │ │ - progress are terminated.
│ │ │ │ │ - Specifies the number of
│ │ │ │ │ - minutes after which
│ │ │ │ │ -max-transfer-idle-out outbound zone transfers transfer
│ │ │ │ │ - making no progress are
│ │ │ │ │ - terminated.
│ │ │ │ │ - Specifies the number of
│ │ │ │ │ -max-transfer-time-in minutes after which inbound transfer
│ │ │ │ │ - zone transfers are
│ │ │ │ │ - terminated.
│ │ │ │ │ - Specifies the number of
│ │ │ │ │ -max-transfer-time-out minutes after which transfer
│ │ │ │ │ - outbound zone transfers are
│ │ │ │ │ - terminated.
│ │ │ │ │ - Sets the maximum number of
│ │ │ │ │ -max-types-per-name RR types that can be stored server
│ │ │ │ │ - for an owner name
│ │ │ │ │ -max-udp-size Sets the maximum EDNS UDP query
│ │ │ │ │ - message size sent by named.
│ │ │ │ │ - Specifies a maximum
│ │ │ │ │ -max-zone-ttl permissible time-to-live zone, query
│ │ │ │ │ - (TTL) value, in seconds.
│ │ │ │ │ - Controls whether memory
│ │ │ │ │ -memstatistics statistics are written to server, logging
│ │ │ │ │ - the file specified by
│ │ │ │ │ - memstatistics-file at exit.
│ │ │ │ │ - Sets the pathname of the
│ │ │ │ │ -memstatistics-file file where the server logging
│ │ │ │ │ - writes memory usage
│ │ │ │ │ - statistics on exit.
│ │ │ │ │ - Controls whether DNS name
│ │ │ │ │ -message-compression compression is used in query
│ │ │ │ │ - responses to regular
│ │ │ │ │ - queries.
│ │ │ │ │ - Specifies the minimum time
│ │ │ │ │ -min-cache-ttl (in seconds) that the server
│ │ │ │ │ - server caches ordinary
│ │ │ │ │ - (positive) answers.
│ │ │ │ │ - Specifies the minimum
│ │ │ │ │ - retention time (in seconds)
│ │ │ │ │ -min-ncache-ttl for storage of negative server
│ │ │ │ │ - answers in the server's
│ │ │ │ │ - cache.
│ │ │ │ │ - Limits the zone refresh
│ │ │ │ │ -min-refresh-time interval to no more often transfer
│ │ │ │ │ - than the specified value,
│ │ │ │ │ - in seconds.
│ │ │ │ │ - Limits the zone refresh
│ │ │ │ │ -min-retry-time retry interval to no more transfer
│ │ │ │ │ - often than the specified
│ │ │ │ │ - value, in seconds.
│ │ │ │ │ - Sets the minimum size of
│ │ │ │ │ -min-table-size the table used to track query
│ │ │ │ │ - requests and rate-limit
│ │ │ │ │ - responses.
│ │ │ │ │ - Controls whether the server
│ │ │ │ │ - replies with only one of
│ │ │ │ │ -minimal-any the RRsets for a query query
│ │ │ │ │ - name, when generating a
│ │ │ │ │ - positive response to a
│ │ │ │ │ - query of type ANY over UDP.
│ │ │ │ │ - Controls whether the server
│ │ │ │ │ - only adds records to the
│ │ │ │ │ - authority and additional
│ │ │ │ │ -minimal-responses data sections when they are query
│ │ │ │ │ - required (e.g. delegations,
│ │ │ │ │ - negative responses). This
│ │ │ │ │ - improves server
│ │ │ │ │ - performance.
│ │ │ │ │ - Controls whether serial
│ │ │ │ │ -multi-master number mismatch errors are transfer
│ │ │ │ │ - logged.
│ │ │ │ │ - Specifies the directory
│ │ │ │ │ - where configuration
│ │ │ │ │ -new-zones-directory parameters are stored for zone
│ │ │ │ │ - zones added by rndc
│ │ │ │ │ - addzone.
│ │ │ │ │ - Specifies a list of
│ │ │ │ │ -no-case-compress addresses that require server
│ │ │ │ │ - case-insensitive
│ │ │ │ │ - compression in responses.
│ │ │ │ │ - Sets the maximum size of
│ │ │ │ │ -nocookie-udp-size UDP responses that are sent query
│ │ │ │ │ - to queries without a valid
│ │ │ │ │ - server COOKIE.
│ │ │ │ │ - Limits the number of empty
│ │ │ │ │ -nodata-per-second (NODATA) responses for a query
│ │ │ │ │ - valid domain name.
│ │ │ │ │ - Controls whether NOTIFY
│ │ │ │ │ -notify messages are sent on zone transfer
│ │ │ │ │ - changes.
│ │ │ │ │ - Sets the delay (in seconds)
│ │ │ │ │ -notify-delay between sending sets of transfer, zone
│ │ │ │ │ - NOTIFY messages for a zone.
│ │ │ │ │ - Specifies the rate at which
│ │ │ │ │ -notify-rate NOTIFY requests are sent transfer, zone
│ │ │ │ │ - during normal zone
│ │ │ │ │ - maintenance operations.
│ │ │ │ │ - Defines the IPv4 address
│ │ │ │ │ -notify-source (and optional port) to be transfer
│ │ │ │ │ - used for outgoing NOTIFY
│ │ │ │ │ - messages.
│ │ │ │ │ - Defines the IPv6 address
│ │ │ │ │ -notify-source-v6 (and optional port) to be transfer
│ │ │ │ │ - used for outgoing NOTIFY
│ │ │ │ │ - messages.
│ │ │ │ │ - Controls whether the name
│ │ │ │ │ -notify-to-soa servers in the NS RRset are transfer
│ │ │ │ │ - checked against the SOA
│ │ │ │ │ - MNAME.
│ │ │ │ │ - Specifies the use of NSEC3
│ │ │ │ │ -nsec3param instead of NSEC, and sets dnssec
│ │ │ │ │ - NSEC3 parameters.
│ │ │ │ │ - Specifies the lifetime, in
│ │ │ │ │ -nta-lifetime seconds, for negative trust dnssec
│ │ │ │ │ - anchors added via rndc_nta.
│ │ │ │ │ - Specifies the time interval
│ │ │ │ │ - for checking whether
│ │ │ │ │ -nta-recheck negative trust anchors dnssec
│ │ │ │ │ - added via rndc_nta are
│ │ │ │ │ - still necessary.
│ │ │ │ │ - Causes all messages sent to
│ │ │ │ │ -null the logging channel to be logging
│ │ │ │ │ - discarded.
│ │ │ │ │ - Appends the specified
│ │ │ │ │ - suffix to the original
│ │ │ │ │ -nxdomain-redirect query name, when replacing query
│ │ │ │ │ - an NXDOMAIN with a redirect
│ │ │ │ │ - namespace.
│ │ │ │ │ - Limits the number of
│ │ │ │ │ -nxdomains-per-second undefined subdomains for a query
│ │ │ │ │ - valid domain name.
│ │ │ │ │ -options Defines global options to server
│ │ │ │ │ - be used by BIND 9.
│ │ │ │ │ - Adds EDNS Padding options
│ │ │ │ │ -padding to outgoing messages to server
│ │ │ │ │ - increase the packet size.
│ │ │ │ │ - Sets the time to live (TTL)
│ │ │ │ │ -parent-ds-ttl of the DS RRset used by the dnssec
│ │ │ │ │ - parent zone.
│ │ │ │ │ - Sets the propagation delay
│ │ │ │ │ - from the time the parent
│ │ │ │ │ -parent-propagation-delay zone is updated to when the zone, dnssec
│ │ │ │ │ - new version is served by
│ │ │ │ │ - all of the parent zone's
│ │ │ │ │ - name servers.
│ │ │ │ │ - Defines a list of
│ │ │ │ │ -parental-agents delegation agents to be zone
│ │ │ │ │ - used by primary and
│ │ │ │ │ - secondary zones.
│ │ │ │ │ - Specifies which local IPv4
│ │ │ │ │ -parental-source source address is used to dnssec
│ │ │ │ │ - send parental DS queries.
│ │ │ │ │ - Specifies which local IPv6
│ │ │ │ │ -parental-source-v6 source address is used to dnssec
│ │ │ │ │ - send parental DS queries.
│ │ │ │ │ - Specifies the pathname of
│ │ │ │ │ -pid-file the file where the server server
│ │ │ │ │ - writes its process ID.
│ │ │ │ │ -plugin Configures plugins in server
│ │ │ │ │ - named.conf.
│ │ │ │ │ - Specifies the UDP/TCP port
│ │ │ │ │ -port number the server uses to server, query
│ │ │ │ │ - receive and send DNS
│ │ │ │ │ - protocol traffic.
│ │ │ │ │ - Specifies that server
│ │ │ │ │ -prefer-server-ciphers ciphers should be preferred server, security
│ │ │ │ │ - over client ones.
│ │ │ │ │ - Controls the order of glue
│ │ │ │ │ -preferred-glue records in an A or AAAA query
│ │ │ │ │ - response.
│ │ │ │ │ - Specifies the "trigger"
│ │ │ │ │ -prefetch time-to-live (TTL) value at query
│ │ │ │ │ - which prefetch of the
│ │ │ │ │ - current query takes place.
│ │ │ │ │ -primaries Defines one or more primary zone
│ │ │ │ │ - servers for a zone.
│ │ │ │ │ -print-category Includes the category in logging
│ │ │ │ │ - log messages.
│ │ │ │ │ -print-severity Includes the severity in logging
│ │ │ │ │ - log messages.
│ │ │ │ │ -print-time Specifies the time format logging
│ │ │ │ │ - for log messages.
│ │ │ │ │ - Specifies the allowed
│ │ │ │ │ -protocols versions of the TLS security
│ │ │ │ │ - protocol.
│ │ │ │ │ - Controls whether a primary
│ │ │ │ │ - responds to an incremental
│ │ │ │ │ -provide-ixfr zone request (IXFR) or only transfer
│ │ │ │ │ - responds with a full zone
│ │ │ │ │ - transfer (AXFR).
│ │ │ │ │ - Increases the amount of
│ │ │ │ │ - time between when keys are
│ │ │ │ │ -publish-safety published and when they dnssec
│ │ │ │ │ - become active, to allow for
│ │ │ │ │ - unforeseen events.
│ │ │ │ │ - Specifies the amount of
│ │ │ │ │ - time after which DNSSEC
│ │ │ │ │ -purge-keys keys that have been deleted dnssec
│ │ │ │ │ - from the zone can be
│ │ │ │ │ - removed from disk.
│ │ │ │ │ - Controls QNAME minimization
│ │ │ │ │ -qname-minimization behavior in the BIND 9 query
│ │ │ │ │ - resolver.
│ │ │ │ │ - Tightens defenses during
│ │ │ │ │ -qps-scale DNS attacks by scaling back query
│ │ │ │ │ - the ratio of the current
│ │ │ │ │ - query-per-second rate.
│ │ │ │ │ - Controls the IPv4 address
│ │ │ │ │ -query-source from which queries are query
│ │ │ │ │ - issued.
│ │ │ │ │ - Controls the IPv6 address
│ │ │ │ │ -query-source-v6 from which queries are query
│ │ │ │ │ - issued.
│ │ │ │ │ - Specifies whether query
│ │ │ │ │ -querylog logging should be active logging, server
│ │ │ │ │ - when named first starts.
│ │ │ │ │ - Controls excessive UDP
│ │ │ │ │ - responses, to prevent BIND
│ │ │ │ │ -rate-limit 9 from being used to query
│ │ │ │ │ - amplify reflection denial-
│ │ │ │ │ - of-service (DoS) attacks.
│ │ │ │ │ - Specifies the pathname of
│ │ │ │ │ - the file where the server
│ │ │ │ │ -recursing-file dumps queries that are server
│ │ │ │ │ - currently recursing via
│ │ │ │ │ - rndc_recursing.
│ │ │ │ │ -recursion Defines whether recursion query
│ │ │ │ │ - and caching are allowed.
│ │ │ │ │ - Specifies the maximum
│ │ │ │ │ -recursive-clients number of concurrent query
│ │ │ │ │ - recursive queries the
│ │ │ │ │ - server can perform.
│ │ │ │ │ - Toggles whether dns64
│ │ │ │ │ -recursive-only synthesis occurs only for query
│ │ │ │ │ - recursive queries.
│ │ │ │ │ - Limits the number of
│ │ │ │ │ -referrals-per-second referrals or delegations to query
│ │ │ │ │ - a server for a given
│ │ │ │ │ - domain.
│ │ │ │ │ - Specifies the expected
│ │ │ │ │ -remote-hostname hostname in the TLS security
│ │ │ │ │ - certificate of the remote
│ │ │ │ │ - server.
│ │ │ │ │ - Specifies whether the local
│ │ │ │ │ -request-expire server requests the EDNS transfer, query
│ │ │ │ │ - EXPIRE value, when acting
│ │ │ │ │ - as a secondary.
│ │ │ │ │ - Controls whether a
│ │ │ │ │ - secondary requests an
│ │ │ │ │ -request-ixfr incremental zone transfer transfer
│ │ │ │ │ - (IXFR) or a full zone
│ │ │ │ │ - transfer (AXFR).
│ │ │ │ │ - Controls whether an empty
│ │ │ │ │ - EDNS(0) NSID (Name Server
│ │ │ │ │ - Identifier) option is sent
│ │ │ │ │ -request-nsid with all queries to query
│ │ │ │ │ - authoritative name servers
│ │ │ │ │ - during iterative
│ │ │ │ │ - resolution.
│ │ │ │ │ - Controls whether a valid
│ │ │ │ │ -require-server-cookie server cookie is required query
│ │ │ │ │ - before sending a full
│ │ │ │ │ - response to a UDP request.
│ │ │ │ │ -reserved-sockets Deprecated. deprecated
│ │ │ │ │ - Specifies the number of
│ │ │ │ │ -resolver-nonbackoff-tries retries before exponential deprecated.
│ │ │ │ │ - backoff.
│ │ │ │ │ - Specifies the length of
│ │ │ │ │ - time, in milliseconds, that
│ │ │ │ │ -resolver-query-timeout a resolver attempts to query
│ │ │ │ │ - resolve a recursive query
│ │ │ │ │ - before failing.
│ │ │ │ │ -resolver-retry-interval Sets the base retry deprecated
│ │ │ │ │ - interval (in milliseconds).
│ │ │ │ │ - Adds an EDNS Padding option
│ │ │ │ │ - to encrypted messages, to
│ │ │ │ │ -response-padding reduce the chance of query
│ │ │ │ │ - guessing the contents based
│ │ │ │ │ - on size.
│ │ │ │ │ - Specifies response policy server, security, zone,
│ │ │ │ │ -response-policy zones for the view or among query
│ │ │ │ │ - global options.
│ │ │ │ │ - Limits the number of non-
│ │ │ │ │ -responses-per-second empty responses for a valid query
│ │ │ │ │ - domain name and record
│ │ │ │ │ - type.
│ │ │ │ │ - Increases the amount of
│ │ │ │ │ - time a key remains
│ │ │ │ │ -retire-safety published after it is no dnssec
│ │ │ │ │ - longer active, to allow for
│ │ │ │ │ - unforeseen events.
│ │ │ │ │ -reuseport Enables kernel load- server
│ │ │ │ │ - balancing of sockets.
│ │ │ │ │ - Turns on enforcement of
│ │ │ │ │ - delegation-only in top-
│ │ │ │ │ -root-delegation-only level domains (TLDs) and deprecated
│ │ │ │ │ - root zones with an optional
│ │ │ │ │ - exclude list.
│ │ │ │ │ - Controls whether BIND 9
│ │ │ │ │ -root-key-sentinel responds to root key server
│ │ │ │ │ - sentinel probes.
│ │ │ │ │ - Defines the order in which
│ │ │ │ │ -rrset-order equal RRs (RRsets) are query
│ │ │ │ │ - returned.
│ │ │ │ │ - Specifies whether a
│ │ │ │ │ -search Dynamically Loadable Zone query
│ │ │ │ │ - (DLZ) module is queried for
│ │ │ │ │ - an answer to a query name.
│ │ │ │ │ - Defines a Base64-encoded
│ │ │ │ │ -secret string to be used as the security
│ │ │ │ │ - secret by the algorithm.
│ │ │ │ │ - Specifies the pathname of
│ │ │ │ │ -secroots-file the file where the server dnssec
│ │ │ │ │ - dumps security roots, when
│ │ │ │ │ - using rndc_secroots.
│ │ │ │ │ - Controls whether a COOKIE
│ │ │ │ │ -send-cookie EDNS option is sent along query
│ │ │ │ │ - with a query.
│ │ │ │ │ - Defines an upper limit on
│ │ │ │ │ - the number of queries per
│ │ │ │ │ -serial-query-rate second issued by the transfer
│ │ │ │ │ - server, when querying the
│ │ │ │ │ - SOA RRs used for zone
│ │ │ │ │ - transfers.
│ │ │ │ │ - Specifies the update method
│ │ │ │ │ -serial-update-method to be used for the zone zone
│ │ │ │ │ - serial number in the SOA
│ │ │ │ │ - record.
│ │ │ │ │ - Defines characteristics to
│ │ │ │ │ -server be associated with a remote server
│ │ │ │ │ - name server.
│ │ │ │ │ - Specifies a list of IP
│ │ │ │ │ - addresses to which queries
│ │ │ │ │ -server-addresses should be sent in recursive zone, query
│ │ │ │ │ - resolution for a static-
│ │ │ │ │ - stub zone.
│ │ │ │ │ - Specifies the ID of the
│ │ │ │ │ -server-id server to return in server
│ │ │ │ │ - response to a ID.SERVER
│ │ │ │ │ - query.
│ │ │ │ │ - Specifies a list of domain
│ │ │ │ │ - names of name servers that
│ │ │ │ │ -server-names act as authoritative zone
│ │ │ │ │ - servers of a static-stub
│ │ │ │ │ - zone.
│ │ │ │ │ - Sets the length of time (in
│ │ │ │ │ -servfail-ttl seconds) that a SERVFAIL server
│ │ │ │ │ - response is cached.
│ │ │ │ │ - Specifies the algorithm to
│ │ │ │ │ -session-keyalg use for the TSIG session security
│ │ │ │ │ - key.
│ │ │ │ │ - Specifies the pathname of
│ │ │ │ │ - the file where a TSIG
│ │ │ │ │ -session-keyfile session key is written, security
│ │ │ │ │ - when generated by named for
│ │ │ │ │ - use by nsupdate -l.
│ │ │ │ │ -session-keyname Specifies the key name for security
│ │ │ │ │ - the TSIG session key.
│ │ │ │ │ - Enables or disables session
│ │ │ │ │ -session-tickets resumption through TLS security
│ │ │ │ │ - session tickets.
│ │ │ │ │ -severity Defines the priority level logging
│ │ │ │ │ - of log messages.
│ │ │ │ │ - Specifies the maximum
│ │ │ │ │ - number of nodes to be
│ │ │ │ │ -sig-signing-nodes examined in each quantum, dnssec
│ │ │ │ │ - when signing a zone with a
│ │ │ │ │ - new DNSKEY.
│ │ │ │ │ - Specifies the threshold for
│ │ │ │ │ - the number of signatures
│ │ │ │ │ -sig-signing-signatures that terminates processing dnssec
│ │ │ │ │ - a quantum, when signing a
│ │ │ │ │ - zone with a new DNSKEY.
│ │ │ │ │ - Specifies a private RDATA
│ │ │ │ │ -sig-signing-type type to use when generating dnssec
│ │ │ │ │ - signing-state records.
│ │ │ │ │ - Specifies the maximum
│ │ │ │ │ -sig-validity-interval number of days that RRSIGs dnssec
│ │ │ │ │ - generated by named are
│ │ │ │ │ - valid.
│ │ │ │ │ -signatures-jitter Specifies a range for dnssec
│ │ │ │ │ - signatures expirations.
│ │ │ │ │ -signatures-refresh Specifies how frequently an dnssec
│ │ │ │ │ - RRSIG record is refreshed.
│ │ │ │ │ -signatures-validity Indicates the validity dnssec
│ │ │ │ │ - period of an RRSIG record.
│ │ │ │ │ -signatures-validity-dnskey Indicates the validity dnssec
│ │ │ │ │ - period of DNSKEY records.
│ │ │ │ │ - Sets the number of
│ │ │ │ │ - "slipped" responses to
│ │ │ │ │ -slip minimize the use of forged query
│ │ │ │ │ - source addresses for an
│ │ │ │ │ - attack.
│ │ │ │ │ - Controls the ordering of
│ │ │ │ │ -sortlist RRs returned to the client, query
│ │ │ │ │ - based on the client's IP
│ │ │ │ │ - address.
│ │ │ │ │ - Sets the maximum amount of
│ │ │ │ │ -stacksize stack memory that can be deprecated
│ │ │ │ │ - used by the server.
│ │ │ │ │ - Defines the amount of time
│ │ │ │ │ - (in milliseconds) that
│ │ │ │ │ -stale-answer-client-timeout named waits before server, query
│ │ │ │ │ - attempting to answer a
│ │ │ │ │ - query with a stale RRset
│ │ │ │ │ - from cache.
│ │ │ │ │ - Enables the returning of
│ │ │ │ │ -stale-answer-enable "stale" cached answers when server, query
│ │ │ │ │ - the name servers for a zone
│ │ │ │ │ - are not answering.
│ │ │ │ │ - Specifies the time to live
│ │ │ │ │ -stale-answer-ttl (TTL) to be returned on query
│ │ │ │ │ - stale answers, in seconds.
│ │ │ │ │ -stale-cache-enable Enables the retention of server, query
│ │ │ │ │ - "stale" cached answers.
│ │ │ │ │ - Sets the time window for
│ │ │ │ │ - the return of "stale"
│ │ │ │ │ - cached answers before the
│ │ │ │ │ -stale-refresh-time next attempt to contact, if server, query
│ │ │ │ │ - the name servers for a
│ │ │ │ │ - given zone are not
│ │ │ │ │ - responding.
│ │ │ │ │ - Specifies the rate at which
│ │ │ │ │ - NOTIFY requests are sent
│ │ │ │ │ -startup-notify-rate when the name server is transfer, zone
│ │ │ │ │ - first starting, or when new
│ │ │ │ │ - zones have been added.
│ │ │ │ │ - Specifies the communication
│ │ │ │ │ - channels to be used by
│ │ │ │ │ -statistics-channels system administrators to logging
│ │ │ │ │ - access statistics
│ │ │ │ │ - information on the name
│ │ │ │ │ - server.
│ │ │ │ │ - Specifies the pathname of
│ │ │ │ │ -statistics-file the file where the server logging, server
│ │ │ │ │ - appends statistics, when
│ │ │ │ │ - using rndc_stats.
│ │ │ │ │ - Directs the logging channel
│ │ │ │ │ -stderr output to the server's logging
│ │ │ │ │ - standard error stream.
│ │ │ │ │ - Specifies the maximum
│ │ │ │ │ -streams-per-connection number of concurrent HTTP/ server, query
│ │ │ │ │ - 2 streams over an HTTP/
│ │ │ │ │ - 2 connection.
│ │ │ │ │ - Defines trailing bits for
│ │ │ │ │ -suffix mapped IPv4 address bits in query
│ │ │ │ │ - dns64.
│ │ │ │ │ - Enables support for RFC
│ │ │ │ │ -synth-from-dnssec 8198, Aggressive Use of dnssec
│ │ │ │ │ - DNSSEC-Validated Cache.
│ │ │ │ │ -syslog Directs the logging channel logging
│ │ │ │ │ - to the system log.
│ │ │ │ │ - Sets the timeout value (in
│ │ │ │ │ - milliseconds) that the
│ │ │ │ │ -tcp-advertised-timeout server sends in responses query
│ │ │ │ │ - containing the EDNS TCP
│ │ │ │ │ - keepalive option.
│ │ │ │ │ - Specifies the maximum
│ │ │ │ │ -tcp-clients number of simultaneous server
│ │ │ │ │ - client TCP connections
│ │ │ │ │ - accepted by the server.
│ │ │ │ │ - Sets the amount of time (in
│ │ │ │ │ - milliseconds) that the
│ │ │ │ │ - server waits on an idle TCP
│ │ │ │ │ -tcp-idle-timeout connection before closing query
│ │ │ │ │ - it, if the EDNS TCP
│ │ │ │ │ - keepalive option is not in
│ │ │ │ │ - use.
│ │ │ │ │ - Sets the amount of time (in
│ │ │ │ │ - milliseconds) that the
│ │ │ │ │ -tcp-initial-timeout server waits on a new TCP server, query
│ │ │ │ │ - connection for the first
│ │ │ │ │ - message from the client.
│ │ │ │ │ -tcp-keepalive Adds EDNS TCP keepalive to server
│ │ │ │ │ - messages sent over TCP.
│ │ │ │ │ - Sets the amount of time (in
│ │ │ │ │ - milliseconds) that the
│ │ │ │ │ -tcp-keepalive-timeout server waits on an idle TCP query
│ │ │ │ │ - connection before closing
│ │ │ │ │ - it, if the EDNS TCP
│ │ │ │ │ - keepalive option is in use.
│ │ │ │ │ -tcp-listen-queue Sets the listen-queue server
│ │ │ │ │ - depth.
│ │ │ │ │ -tcp-only Sets the transport protocol server
│ │ │ │ │ - to TCP.
│ │ │ │ │ - Sets the operating system's
│ │ │ │ │ -tcp-receive-buffer receive buffer size for TCP server
│ │ │ │ │ - sockets.
│ │ │ │ │ - Sets the operating system's
│ │ │ │ │ -tcp-send-buffer send buffer size for TCP server
│ │ │ │ │ - sockets.
│ │ │ │ │ - Sets the Diffie-Hellman key
│ │ │ │ │ -tkey-dhkey used by the server to deprecated
│ │ │ │ │ - generate shared keys.
│ │ │ │ │ - Sets the domain appended to
│ │ │ │ │ -tkey-domain the names of all shared security
│ │ │ │ │ - keys generated with TKEY.
│ │ │ │ │ - Sets the security
│ │ │ │ │ - credential for
│ │ │ │ │ -tkey-gssapi-credential authentication keys security
│ │ │ │ │ - requested by the GSS-TSIG
│ │ │ │ │ - protocol.
│ │ │ │ │ - Sets the KRB5 keytab file
│ │ │ │ │ -tkey-gssapi-keytab to use for GSS-TSIG security
│ │ │ │ │ - updates.
│ │ │ │ │ -tls Configures a TLS security
│ │ │ │ │ - connection.
│ │ │ │ │ - Specifies the TCP port
│ │ │ │ │ -tls-port number the server uses to server, query
│ │ │ │ │ - receive and send DNS-over-
│ │ │ │ │ - TLS protocol traffic.
│ │ │ │ │ - Controls whether multiple
│ │ │ │ │ -transfer-format records can be packed into transfer
│ │ │ │ │ - a message during zone
│ │ │ │ │ - transfers.
│ │ │ │ │ - Limits the uncompressed
│ │ │ │ │ -transfer-message-size size of DNS messages used transfer
│ │ │ │ │ - in zone transfers over TCP.
│ │ │ │ │ - Defines which local IPv4
│ │ │ │ │ - address(es) are bound to
│ │ │ │ │ -transfer-source TCP connections used to transfer
│ │ │ │ │ - fetch zones transferred
│ │ │ │ │ - inbound by the server.
│ │ │ │ │ - Defines which local IPv6
│ │ │ │ │ - address(es) are bound to
│ │ │ │ │ -transfer-source-v6 TCP connections used to transfer
│ │ │ │ │ - fetch zones transferred
│ │ │ │ │ - inbound by the server.
│ │ │ │ │ - Limits the number of
│ │ │ │ │ -transfers concurrent inbound zone server
│ │ │ │ │ - transfers from a server.
│ │ │ │ │ - Limits the number of
│ │ │ │ │ -transfers-in concurrent inbound zone transfer
│ │ │ │ │ - transfers.
│ │ │ │ │ - Limits the number of
│ │ │ │ │ -transfers-out concurrent outbound zone transfer
│ │ │ │ │ - transfers.
│ │ │ │ │ - Limits the number of
│ │ │ │ │ -transfers-per-ns concurrent inbound zone transfer
│ │ │ │ │ - transfers from a remote
│ │ │ │ │ - server.
│ │ │ │ │ - Instructs named to send
│ │ │ │ │ - specially formed queries
│ │ │ │ │ -trust-anchor-telemetry once per day to domains for dnssec
│ │ │ │ │ - which trust anchors have
│ │ │ │ │ - been configured.
│ │ │ │ │ -trust-anchors Defines DNSSEC trust dnssec
│ │ │ │ │ - anchors.
│ │ │ │ │ -trusted-keys Deprecated, use trust- deprecated
│ │ │ │ │ - anchors.
│ │ │ │ │ - Specifies that BIND 9
│ │ │ │ │ -try-tcp-refresh should attempt to refresh a transfer
│ │ │ │ │ - zone using TCP if UDP
│ │ │ │ │ - queries fail.
│ │ │ │ │ -type Specifies the kind of zone zone
│ │ │ │ │ - in a given configuration.
│ │ │ │ │ - Enforces the delegation-
│ │ │ │ │ -type_delegation-only only status of deprecated
│ │ │ │ │ - infrastructure zones (COM,
│ │ │ │ │ - NET, ORG, etc.).
│ │ │ │ │ - Contains forwarding
│ │ │ │ │ -type_forward statements that apply to zone
│ │ │ │ │ - queries within a given
│ │ │ │ │ - domain.
│ │ │ │ │ - Contains the initial set of
│ │ │ │ │ -type_hint root name servers to be zone
│ │ │ │ │ - used at BIND 9 startup.
│ │ │ │ │ - Contains a DNSSEC-validated
│ │ │ │ │ -type_mirror duplicate of the main data zone
│ │ │ │ │ - for a zone.
│ │ │ │ │ -type_primary Contains the main copy of zone
│ │ │ │ │ - the data for a zone.
│ │ │ │ │ - Contains information to
│ │ │ │ │ -type_redirect answer queries when normal zone
│ │ │ │ │ - resolution would return
│ │ │ │ │ - NXDOMAIN.
│ │ │ │ │ - Contains a duplicate of the
│ │ │ │ │ -type_secondary data for a zone that has zone
│ │ │ │ │ - been transferred from a
│ │ │ │ │ - primary server.
│ │ │ │ │ - Contains a duplicate of the
│ │ │ │ │ - NS records of a primary
│ │ │ │ │ -type_static-stub zone, but statically zone
│ │ │ │ │ - configured rather than
│ │ │ │ │ - transferred from a primary
│ │ │ │ │ - server.
│ │ │ │ │ - Contains a duplicate of the
│ │ │ │ │ -type_stub NS records of a primary zone
│ │ │ │ │ - zone.
│ │ │ │ │ - Sets the operating system's
│ │ │ │ │ -udp-receive-buffer receive buffer size for UDP server
│ │ │ │ │ - sockets.
│ │ │ │ │ - Sets the operating system's
│ │ │ │ │ -udp-send-buffer send buffer size for UDP server
│ │ │ │ │ - sockets.
│ │ │ │ │ - Specifies a Unix domain
│ │ │ │ │ -unix socket as a control server
│ │ │ │ │ - channel.
│ │ │ │ │ - Specifies whether to check
│ │ │ │ │ - the KSK bit to determine
│ │ │ │ │ -update-check-ksk how a key should be used, zone, dnssec
│ │ │ │ │ - when generating RRSIGs for
│ │ │ │ │ - a secure zone.
│ │ │ │ │ - Sets fine-grained rules to
│ │ │ │ │ - allow or deny dynamic
│ │ │ │ │ -update-policy updates (DDNS), based on transfer
│ │ │ │ │ - requester identity, updated
│ │ │ │ │ - content, etc.
│ │ │ │ │ - Specifies the maximum
│ │ │ │ │ -update-quota number of concurrent DNS server
│ │ │ │ │ - UPDATE messages that can be
│ │ │ │ │ - processed by the server.
│ │ │ │ │ - Indicates whether alt-
│ │ │ │ │ -use-alt-transfer-source transfer-source and alt- deprecated
│ │ │ │ │ - transfer-source-v6 can be
│ │ │ │ │ - used.
│ │ │ │ │ - Specifies a list of ports
│ │ │ │ │ -use-v4-udp-ports that are valid sources for deprecated
│ │ │ │ │ - UDP/IPv4 messages.
│ │ │ │ │ - Specifies a list of ports
│ │ │ │ │ -use-v6-udp-ports that are valid sources for deprecated
│ │ │ │ │ - UDP/IPv6 messages.
│ │ │ │ │ - Indicates the number of
│ │ │ │ │ -v6-bias milliseconds of preference server, query
│ │ │ │ │ - to give to IPv6 name
│ │ │ │ │ - servers.
│ │ │ │ │ - Specifies a list of domain
│ │ │ │ │ -validate-except names at and beneath which dnssec
│ │ │ │ │ - DNSSEC validation should
│ │ │ │ │ - not be performed.
│ │ │ │ │ - Specifies the version
│ │ │ │ │ -version number of the server to server
│ │ │ │ │ - return in response to a
│ │ │ │ │ - version.bind query.
│ │ │ │ │ - Allows a name server to
│ │ │ │ │ -view answer a DNS query view
│ │ │ │ │ - differently depending on
│ │ │ │ │ - who is asking.
│ │ │ │ │ - Specifies the length of
│ │ │ │ │ -window time during which responses query
│ │ │ │ │ - are tracked.
│ │ │ │ │ - Specifies whether to set
│ │ │ │ │ - the time to live (TTL) of
│ │ │ │ │ -zero-no-soa-ttl the SOA record to zero, server, zone, query
│ │ │ │ │ - when returning
│ │ │ │ │ - authoritative negative
│ │ │ │ │ - responses to SOA queries.
│ │ │ │ │ - Sets the time to live (TTL)
│ │ │ │ │ -zero-no-soa-ttl-cache to zero when caching a server, zone, query
│ │ │ │ │ - negative response to an SOA
│ │ │ │ │ - query.
│ │ │ │ │ -zone Specifies the zone in a zone
│ │ │ │ │ - BIND 9 configuration.
│ │ │ │ │ - Sets the propagation delay
│ │ │ │ │ - from the time a zone is
│ │ │ │ │ -zone-propagation-delay first updated to when the zone, dnssec
│ │ │ │ │ - new version of the zone is
│ │ │ │ │ - served by all secondary
│ │ │ │ │ - servers.
│ │ │ │ │ - Controls the level of
│ │ │ │ │ -zone-statistics statistics gathered for all logging, zone
│ │ │ │ │ - zones.
│ │ │ │ │ +Statement Description Tags
│ │ │ │ │ +acl Assigns a symbolic name to server
│ │ │ │ │ + an address match list.
│ │ │ │ │ +algorithm Defines the algorithm to be security
│ │ │ │ │ + used in a key clause.
│ │ │ │ │ +all-per-second Limits UDP responses of all query
│ │ │ │ │ + kinds.
│ │ │ │ │ + Controls the ability to add
│ │ │ │ │ +allow-new-zones zones at runtime via rndc zone, server
│ │ │ │ │ + addzone.
│ │ │ │ │ + Defines an
│ │ │ │ │ + address_match_list that is
│ │ │ │ │ + allowed to send NOTIFY
│ │ │ │ │ +allow-notify messages for the zone, in transfer
│ │ │ │ │ + addition to addresses
│ │ │ │ │ + defined in the primaries
│ │ │ │ │ + option for the zone.
│ │ │ │ │ + Specifies which hosts (an IP
│ │ │ │ │ +allow-query address list) are allowed to query
│ │ │ │ │ + send queries to this
│ │ │ │ │ + resolver.
│ │ │ │ │ + Specifies which hosts (an IP
│ │ │ │ │ + address list) can access
│ │ │ │ │ +allow-query-cache this server's cache and thus query
│ │ │ │ │ + effectively controls
│ │ │ │ │ + recursion.
│ │ │ │ │ + Specifies which hosts (an IP
│ │ │ │ │ + address list) can access
│ │ │ │ │ +allow-query-cache-on this server's cache. Used on query
│ │ │ │ │ + servers with multiple
│ │ │ │ │ + interfaces.
│ │ │ │ │ + Specifies which local
│ │ │ │ │ + addresses (an IP address
│ │ │ │ │ +allow-query-on list) are allowed to send query
│ │ │ │ │ + queries to this resolver.
│ │ │ │ │ + Used in multi-homed
│ │ │ │ │ + configurations.
│ │ │ │ │ + Defines an
│ │ │ │ │ +allow-recursion address_match_list of query
│ │ │ │ │ + clients that are allowed to
│ │ │ │ │ + perform recursive queries.
│ │ │ │ │ + Specifies which local
│ │ │ │ │ +allow-recursion-on addresses can accept server, query
│ │ │ │ │ + recursive queries.
│ │ │ │ │ + Defines an
│ │ │ │ │ + address_match_list of hosts
│ │ │ │ │ +allow-transfer that are allowed to transfer transfer
│ │ │ │ │ + the zone information from
│ │ │ │ │ + this server.
│ │ │ │ │ + Defines an
│ │ │ │ │ + address_match_list of hosts
│ │ │ │ │ +allow-update that are allowed to submit transfer
│ │ │ │ │ + dynamic updates for primary
│ │ │ │ │ + zones.
│ │ │ │ │ + Defines an
│ │ │ │ │ + address_match_list of hosts
│ │ │ │ │ +allow-update-forwarding that are allowed to submit transfer
│ │ │ │ │ + dynamic updates to a
│ │ │ │ │ + secondary server for
│ │ │ │ │ + transmission to a primary.
│ │ │ │ │ + Defines one or more hosts
│ │ │ │ │ +also-notify that are sent NOTIFY transfer
│ │ │ │ │ + messages when zone changes
│ │ │ │ │ + occur.
│ │ │ │ │ + Defines alternate local IPv4
│ │ │ │ │ + address(es) to be used by
│ │ │ │ │ + the server for inbound zone
│ │ │ │ │ +alt-transfer-source transfers, if the address deprecated
│ │ │ │ │ + (es) defined by transfer-
│ │ │ │ │ + source fail and use-alt-
│ │ │ │ │ + transfer-source is enabled.
│ │ │ │ │ + Defines alternate local IPv6
│ │ │ │ │ +alt-transfer-source-v6 address(es) to be used by deprecated
│ │ │ │ │ + the server for inbound zone
│ │ │ │ │ + transfers.
│ │ │ │ │ + Controls whether COOKIE EDNS
│ │ │ │ │ +answer-cookie replies are sent in response query
│ │ │ │ │ + to client queries.
│ │ │ │ │ + Allows multiple views to
│ │ │ │ │ +attach-cache share a single cache view
│ │ │ │ │ + database.
│ │ │ │ │ + Controls whether BIND,
│ │ │ │ │ + acting as a resolver,
│ │ │ │ │ +auth-nxdomain provides authoritative query
│ │ │ │ │ + NXDOMAIN (domain does not
│ │ │ │ │ + exist) answers.
│ │ │ │ │ + Permits varying levels of
│ │ │ │ │ +auto-dnssec automatic DNSSEC key dnssec
│ │ │ │ │ + management.
│ │ │ │ │ + Controls the automatic
│ │ │ │ │ +automatic-interface-scan rescanning of network server
│ │ │ │ │ + interfaces when addresses
│ │ │ │ │ + are added or removed.
│ │ │ │ │ + Specifies the range(s) of
│ │ │ │ │ +avoid-v4-udp-ports ports to be excluded from deprecated
│ │ │ │ │ + use as sources for UDP/IPv4
│ │ │ │ │ + messages.
│ │ │ │ │ + Specifies the range(s) of
│ │ │ │ │ +avoid-v6-udp-ports ports to be excluded from deprecated
│ │ │ │ │ + use as sources for UDP/IPv6
│ │ │ │ │ + messages.
│ │ │ │ │ + Specifies the pathname of a
│ │ │ │ │ +bindkeys-file file to override the built- dnssec
│ │ │ │ │ + in trusted keys provided by
│ │ │ │ │ + named.
│ │ │ │ │ + Defines an
│ │ │ │ │ + address_match_list of hosts
│ │ │ │ │ +blackhole to ignore. The server will query
│ │ │ │ │ + neither respond to queries
│ │ │ │ │ + from nor send queries to
│ │ │ │ │ + these addresses.
│ │ │ │ │ +bogus Allows a remote server to be server
│ │ │ │ │ + ignored.
│ │ │ │ │ + Enables dns64 synthesis even
│ │ │ │ │ +break-dnssec if the validated result query
│ │ │ │ │ + would cause a DNSSEC
│ │ │ │ │ + validation failure.
│ │ │ │ │ +buffered Controls flushing of log logging
│ │ │ │ │ + messages.
│ │ │ │ │ + Specifies the path to a file
│ │ │ │ │ + containing TLS certificates
│ │ │ │ │ +ca-file for trusted CA authorities, server, security
│ │ │ │ │ + used to verify remote peer
│ │ │ │ │ + certificates.
│ │ │ │ │ +catalog-zones Configures catalog zones in zone
│ │ │ │ │ + named.conf.
│ │ │ │ │ + Specifies the type of data
│ │ │ │ │ +category logged to a particular logging
│ │ │ │ │ + channel.
│ │ │ │ │ + Specifies the path to a file
│ │ │ │ │ +cert-file containing the TLS server, security
│ │ │ │ │ + certificate for a
│ │ │ │ │ + connection.
│ │ │ │ │ + Defines a stream of data
│ │ │ │ │ +channel that can be independently logging
│ │ │ │ │ + logged.
│ │ │ │ │ + Checks primary zones for
│ │ │ │ │ + records that are treated as
│ │ │ │ │ +check-dup-records different by DNSSEC but are dnssec, query
│ │ │ │ │ + semantically equal in plain
│ │ │ │ │ + DNS.
│ │ │ │ │ + Performs post-load zone
│ │ │ │ │ +check-integrity integrity checks on primary zone
│ │ │ │ │ + zones.
│ │ │ │ │ + Checks whether an MX record
│ │ │ │ │ +check-mx appears to refer to an IP zone
│ │ │ │ │ + address.
│ │ │ │ │ + Sets the response to MX
│ │ │ │ │ +check-mx-cname records that refer to zone
│ │ │ │ │ + CNAMEs.
│ │ │ │ │ + Restricts the character set
│ │ │ │ │ + and syntax of certain domain
│ │ │ │ │ +check-names names in primary files and/ server, query
│ │ │ │ │ + or DNS responses received
│ │ │ │ │ + from the network.
│ │ │ │ │ + Specifies whether to check
│ │ │ │ │ +check-sibling for sibling glue when zone
│ │ │ │ │ + performing integrity checks.
│ │ │ │ │ + Specifies whether to check
│ │ │ │ │ +check-spf for a TXT Sender Policy zone
│ │ │ │ │ + Framework record, if an SPF
│ │ │ │ │ + record is present.
│ │ │ │ │ + Sets the response to SRV
│ │ │ │ │ +check-srv-cname records that refer to zone
│ │ │ │ │ + CNAMEs.
│ │ │ │ │ +check-wildcard Checks for non-terminal zone
│ │ │ │ │ + wildcards.
│ │ │ │ │ +ciphers Specifies a list of allowed security
│ │ │ │ │ + ciphers.
│ │ │ │ │ + Specifies an access control
│ │ │ │ │ +clients list (ACL) of clients that query
│ │ │ │ │ + are affected by a given
│ │ │ │ │ + dns64 directive.
│ │ │ │ │ + Sets the initial minimum
│ │ │ │ │ + number of simultaneous
│ │ │ │ │ +clients-per-query recursive clients accepted server
│ │ │ │ │ + by the server for any given
│ │ │ │ │ + query before the server
│ │ │ │ │ + drops additional clients.
│ │ │ │ │ + Specifies control channels
│ │ │ │ │ +controls to be used to manage the server
│ │ │ │ │ + name server.
│ │ │ │ │ + Sets the algorithm to be
│ │ │ │ │ +cookie-algorithm used when generating a server
│ │ │ │ │ + server cookie.
│ │ │ │ │ + Specifies a shared secret
│ │ │ │ │ + used for generating and
│ │ │ │ │ +cookie-secret verifying EDNS COOKIE server
│ │ │ │ │ + options within an anycast
│ │ │ │ │ + cluster.
│ │ │ │ │ +coresize Sets the maximum size of a deprecated
│ │ │ │ │ + core dump.
│ │ │ │ │ + Specifies the type of
│ │ │ │ │ +database database to be used to store zone
│ │ │ │ │ + zone data.
│ │ │ │ │ + Sets the maximum amount of
│ │ │ │ │ +datasize data memory that can be used deprecated
│ │ │ │ │ + by the server.
│ │ │ │ │ + Indicates that a forward,
│ │ │ │ │ +delegation-only hint, or stub zone is to be deprecated
│ │ │ │ │ + treated as a delegation-only
│ │ │ │ │ + type zone.
│ │ │ │ │ + Rejects A or AAAA records if
│ │ │ │ │ +deny-answer-addresses the corresponding IPv4 or query
│ │ │ │ │ + IPv6 addresses match a given
│ │ │ │ │ + address_match_list.
│ │ │ │ │ + Rejects CNAME or DNAME
│ │ │ │ │ +deny-answer-aliases records if the "alias" name query
│ │ │ │ │ + matches a given list of
│ │ │ │ │ + domain_name elements.
│ │ │ │ │ + Specifies the path to a file
│ │ │ │ │ +dhparam-file containing Diffie-Hellman server, security
│ │ │ │ │ + parameters, for enabling
│ │ │ │ │ + cipher suites.
│ │ │ │ │ + Concentrates zone
│ │ │ │ │ + maintenance so that all
│ │ │ │ │ +dialup transfers take place once deprecated
│ │ │ │ │ + every heartbeat-interval,
│ │ │ │ │ + ideally during a single
│ │ │ │ │ + call.
│ │ │ │ │ +directory Sets the server's working server
│ │ │ │ │ + directory.
│ │ │ │ │ +disable-algorithms Disables DNSSEC algorithms dnssec
│ │ │ │ │ + from a specified zone.
│ │ │ │ │ +disable-ds-digests Disables DS digest types zone, dnssec
│ │ │ │ │ + from a specified zone.
│ │ │ │ │ +disable-empty-zone Disables individual empty zone, server
│ │ │ │ │ + zones.
│ │ │ │ │ + Configures a Dynamically
│ │ │ │ │ +dlz Loadable Zone (DLZ) database zone
│ │ │ │ │ + in named.conf.
│ │ │ │ │ + Instructs named to return
│ │ │ │ │ +dns64 mapped IPv4 addresses to query
│ │ │ │ │ + AAAA queries when there are
│ │ │ │ │ + no AAAA records.
│ │ │ │ │ +dns64-contact Specifies the name of the server
│ │ │ │ │ + contact for dns64 zones.
│ │ │ │ │ +dns64-server Specifies the name of the server
│ │ │ │ │ + server for dns64 zones.
│ │ │ │ │ + Specifies the number of days
│ │ │ │ │ +dnskey-sig-validity in the future when dnssec
│ │ │ │ │ + automatically generated
│ │ │ │ │ + DNSSEC signatures expire.
│ │ │ │ │ + Specifies the time to live
│ │ │ │ │ +dnskey-ttl (TTL) for DNSKEY resource dnssec
│ │ │ │ │ + records.
│ │ │ │ │ + Turns on the DNS Response
│ │ │ │ │ +dnsrps-enable Policy Service (DNSRPS) server, security
│ │ │ │ │ + interface.
│ │ │ │ │ + Provides additional RPZ
│ │ │ │ │ + configuration settings,
│ │ │ │ │ +dnsrps-options which are passed to the DNS server, security
│ │ │ │ │ + Response Policy Service
│ │ │ │ │ + (DNSRPS) provider library.
│ │ │ │ │ + Instructs BIND 9 to accept
│ │ │ │ │ +dnssec-accept-expired expired DNSSEC signatures dnssec
│ │ │ │ │ + when validating.
│ │ │ │ │ + Specifies that only key-
│ │ │ │ │ + signing keys are used to
│ │ │ │ │ +dnssec-dnskey-kskonly sign the DNSKEY, CDNSKEY, dnssec
│ │ │ │ │ + and CDS RRsets at a zone's
│ │ │ │ │ + apex.
│ │ │ │ │ + Sets the frequency of
│ │ │ │ │ +dnssec-loadkeys-interval automatic checks of the dnssec
│ │ │ │ │ + DNSSEC key repository.
│ │ │ │ │ + Defines hierarchies that
│ │ │ │ │ +dnssec-must-be-secure must or may not be secure deprecated
│ │ │ │ │ + (signed and validated).
│ │ │ │ │ +dnssec-policy Defines a key and signing dnssec
│ │ │ │ │ + policy (KASP) for zones.
│ │ │ │ │ + Allows a dynamic zone to
│ │ │ │ │ +dnssec-secure-to-insecure transition from secure to dnssec
│ │ │ │ │ + insecure by deleting all
│ │ │ │ │ + DNSKEY records.
│ │ │ │ │ + Controls the scheduled
│ │ │ │ │ +dnssec-update-mode maintenance of DNSSEC dnssec
│ │ │ │ │ + signatures.
│ │ │ │ │ +dnssec-validation Enables DNSSEC validation in dnssec
│ │ │ │ │ + named.
│ │ │ │ │ +dnstap Enables logging of dnstap logging
│ │ │ │ │ + messages.
│ │ │ │ │ +dnstap-identity Specifies an identity string logging
│ │ │ │ │ + to send in dnstap messages.
│ │ │ │ │ + Configures the path to which
│ │ │ │ │ +dnstap-output the dnstap frame stream is logging
│ │ │ │ │ + sent.
│ │ │ │ │ +dnstap-version Specifies a version string logging
│ │ │ │ │ + to send in dnstap messages.
│ │ │ │ │ + Sets the Differentiated
│ │ │ │ │ +dscp Services Code Point (DSCP) server, query
│ │ │ │ │ + value (obsolete).
│ │ │ │ │ + Specifies host names or
│ │ │ │ │ +dual-stack-servers addresses of machines with server
│ │ │ │ │ + access to both IPv4 and IPv6
│ │ │ │ │ + transports.
│ │ │ │ │ + Indicates the pathname of
│ │ │ │ │ +dump-file the file where the server logging
│ │ │ │ │ + dumps the database after
│ │ │ │ │ + rndc_dumpdb.
│ │ │ │ │ +dyndb Configures a DynDB database zone
│ │ │ │ │ + in named.conf.
│ │ │ │ │ +edns Controls the use of the server
│ │ │ │ │ + EDNS0 (RFC_2671) feature.
│ │ │ │ │ + Sets the maximum advertised
│ │ │ │ │ + EDNS UDP buffer size to
│ │ │ │ │ +edns-udp-size control the size of packets query
│ │ │ │ │ + received from authoritative
│ │ │ │ │ + servers in response to
│ │ │ │ │ + recursive queries.
│ │ │ │ │ + Sets the maximum EDNS
│ │ │ │ │ +edns-version VERSION that is sent to the server
│ │ │ │ │ + server(s) by the resolver.
│ │ │ │ │ + Specifies the contact name
│ │ │ │ │ +empty-contact in the returned SOA record zone, server
│ │ │ │ │ + for empty zones.
│ │ │ │ │ + Specifies the server name in
│ │ │ │ │ +empty-server the returned SOA record for zone, server
│ │ │ │ │ + empty zones.
│ │ │ │ │ +empty-zones-enable Enables or disables all zone, server
│ │ │ │ │ + empty zones.
│ │ │ │ │ + Specifies a list of HTTP
│ │ │ │ │ +endpoints query paths on which to server, query
│ │ │ │ │ + listen.
│ │ │ │ │ + Limits the number of errors
│ │ │ │ │ +errors-per-second for a valid domain name and server
│ │ │ │ │ + record type.
│ │ │ │ │ + Allows a list of IPv6
│ │ │ │ │ + addresses to be ignored if
│ │ │ │ │ +exclude they appear in a domain query
│ │ │ │ │ + name's AAAA records in
│ │ │ │ │ + dns64.
│ │ │ │ │ + Exempts specific clients or
│ │ │ │ │ +exempt-clients client groups from rate query
│ │ │ │ │ + limiting.
│ │ │ │ │ + Sets the parameters for
│ │ │ │ │ + dynamic resizing of the
│ │ │ │ │ +fetch-quota-params fetches-per-server quota in server, query
│ │ │ │ │ + response to detected
│ │ │ │ │ + congestion.
│ │ │ │ │ + Sets the maximum number of
│ │ │ │ │ + simultaneous iterative
│ │ │ │ │ + queries allowed to be sent
│ │ │ │ │ +fetches-per-server by a server to an upstream server, query
│ │ │ │ │ + name server before the
│ │ │ │ │ + server blocks additional
│ │ │ │ │ + queries.
│ │ │ │ │ + Sets the maximum number of
│ │ │ │ │ + simultaneous iterative
│ │ │ │ │ +fetches-per-zone queries allowed to any one server, query
│ │ │ │ │ + domain before the server
│ │ │ │ │ + blocks new queries for data
│ │ │ │ │ + in or beneath that zone.
│ │ │ │ │ +file Specifies the zone's zone
│ │ │ │ │ + filename.
│ │ │ │ │ + Sets the maximum number of
│ │ │ │ │ +files files the server may have deprecated
│ │ │ │ │ + open concurrently.
│ │ │ │ │ + Controls whether pending
│ │ │ │ │ +flush-zones-on-shutdown zone writes are flushed when zone
│ │ │ │ │ + the name server exits.
│ │ │ │ │ + Allows or disallows fallback
│ │ │ │ │ + to recursion if forwarding
│ │ │ │ │ +forward has failed; it is always query
│ │ │ │ │ + used in conjunction with the
│ │ │ │ │ + forwarders statement.
│ │ │ │ │ +forwarders Defines one or more hosts to query
│ │ │ │ │ + which queries are forwarded.
│ │ │ │ │ + Sets the number of
│ │ │ │ │ +fstrm-set-buffer-hint accumulated bytes in the logging
│ │ │ │ │ + output buffer before forcing
│ │ │ │ │ + a buffer flush.
│ │ │ │ │ + Sets the number of seconds
│ │ │ │ │ +fstrm-set-flush-timeout that unflushed data remains logging
│ │ │ │ │ + in the output buffer.
│ │ │ │ │ + Sets the number of queue
│ │ │ │ │ +fstrm-set-input-queue-size entries to allocate for each logging
│ │ │ │ │ + input queue.
│ │ │ │ │ + Sets the number of
│ │ │ │ │ +fstrm-set-output-notify- outstanding queue entries
│ │ │ │ │ +threshold allowed on an input queue logging
│ │ │ │ │ + before waking the I/
│ │ │ │ │ + O thread.
│ │ │ │ │ +fstrm-set-output-queue-model Sets the queuing semantics logging
│ │ │ │ │ + to use for queue objects.
│ │ │ │ │ + Sets the number of queue
│ │ │ │ │ +fstrm-set-output-queue-size entries allocated for each logging
│ │ │ │ │ + output queue.
│ │ │ │ │ + Sets the number of seconds
│ │ │ │ │ +fstrm-set-reopen-interval to wait between attempts to logging
│ │ │ │ │ + reopen a closed output
│ │ │ │ │ + stream.
│ │ │ │ │ + Specifies the directory
│ │ │ │ │ +geoip-directory containing GeoIP database server
│ │ │ │ │ + files.
│ │ │ │ │ +glue-cache Deprecated. deprecated
│ │ │ │ │ + Sets the interval at which
│ │ │ │ │ +heartbeat-interval the server performs zone deprecated
│ │ │ │ │ + maintenance tasks for all
│ │ │ │ │ + zones marked as dialup.
│ │ │ │ │ + Specifies the hostname of
│ │ │ │ │ +hostname the server to return in server
│ │ │ │ │ + response to a hostname.bind
│ │ │ │ │ + query.
│ │ │ │ │ + Configures HTTP endpoints on
│ │ │ │ │ +http which to listen for DNS- server, query
│ │ │ │ │ + over-HTTPS (DoH) queries.
│ │ │ │ │ + Limits the number of active
│ │ │ │ │ +http-listener-clients concurrent connections on a server
│ │ │ │ │ + per-listener basis.
│ │ │ │ │ + Specifies the TCP port
│ │ │ │ │ +http-port number the server uses to server, query
│ │ │ │ │ + receive and send unencrypted
│ │ │ │ │ + DNS traffic via HTTP.
│ │ │ │ │ + Limits the number of active
│ │ │ │ │ +http-streams-per-connection concurrent HTTP/2 streams on server
│ │ │ │ │ + a per-connection basis.
│ │ │ │ │ + Specifies the TCP port
│ │ │ │ │ +https-port number the server uses to server, query
│ │ │ │ │ + receive and send DNS-over-
│ │ │ │ │ + HTTPS protocol traffic.
│ │ │ │ │ +in-view Specifies the view in which zone, view
│ │ │ │ │ + a given zone is defined.
│ │ │ │ │ +inet Specifies a TCP socket as a server
│ │ │ │ │ + control channel.
│ │ │ │ │ + Specifies whether BIND 9
│ │ │ │ │ +inline-signing maintains a separate signed zone, dnssec
│ │ │ │ │ + version of a zone.
│ │ │ │ │ + Sets the interval at which
│ │ │ │ │ +interface-interval the server scans the network server
│ │ │ │ │ + interface list.
│ │ │ │ │ +ipv4-prefix-length Specifies the prefix lengths server
│ │ │ │ │ + of IPv4 address blocks.
│ │ │ │ │ + Specifies the contact for
│ │ │ │ │ +ipv4only-contact the IPV4ONLY.ARPA zone server
│ │ │ │ │ + created by dns64.
│ │ │ │ │ + Enables automatic IPv4 zones
│ │ │ │ │ +ipv4only-enable if a dns64 block is query
│ │ │ │ │ + configured.
│ │ │ │ │ + Specifies the name of the
│ │ │ │ │ +ipv4only-server server for the IPV4ONLY.ARPA server, query
│ │ │ │ │ + zone created by dns64.
│ │ │ │ │ +ipv6-prefix-length Specifies the prefix lengths server
│ │ │ │ │ + of IPv6 address blocks.
│ │ │ │ │ +ixfr-from-differences Controls how IXFR transfers transfer
│ │ │ │ │ + are calculated.
│ │ │ │ │ +journal Allows the default journal's zone
│ │ │ │ │ + filename to be overridden.
│ │ │ │ │ + Defines an
│ │ │ │ │ + address_match_list of
│ │ │ │ │ +keep-response-order addresses which do not server
│ │ │ │ │ + accept reordered answers
│ │ │ │ │ + within a single TCP stream.
│ │ │ │ │ + Defines a shared secret key
│ │ │ │ │ +key for use with TSIG or the security
│ │ │ │ │ + command channel.
│ │ │ │ │ + Indicates the directory
│ │ │ │ │ +key-directory where public and private dnssec
│ │ │ │ │ + DNSSEC key files are found.
│ │ │ │ │ + Specifies the path to a file
│ │ │ │ │ +key-file containing the private TLS server, security
│ │ │ │ │ + key for a connection.
│ │ │ │ │ + Specifies one or more
│ │ │ │ │ +keys server_key s to be used with server, security
│ │ │ │ │ + a remote server.
│ │ │ │ │ +lame-ttl Sets the resolver's lame server
│ │ │ │ │ + cache.
│ │ │ │ │ + Specifies the IPv4 addresses
│ │ │ │ │ +listen-on on which a server listens server
│ │ │ │ │ + for DNS queries.
│ │ │ │ │ + Specifies the IPv6 addresses
│ │ │ │ │ +listen-on-v6 on which a server listens server
│ │ │ │ │ + for DNS queries.
│ │ │ │ │ + Specifies a per-listener
│ │ │ │ │ +listener-clients quota for active server, query
│ │ │ │ │ + connections.
│ │ │ │ │ + Sets a maximum size for the
│ │ │ │ │ +lmdb-mapsize memory map of the new-zone server
│ │ │ │ │ + database in LMDB database
│ │ │ │ │ + format.
│ │ │ │ │ + Sets the pathname of the
│ │ │ │ │ +lock-file file on which named attempts server
│ │ │ │ │ + to acquire a file lock when
│ │ │ │ │ + starting for the first time.
│ │ │ │ │ + Tests rate-limiting
│ │ │ │ │ +log-only parameters without actually logging, query
│ │ │ │ │ + dropping any requests.
│ │ │ │ │ +logging Configures logging options logging
│ │ │ │ │ + for the name server.
│ │ │ │ │ +managed-keys Deprecated, use trust- deprecated
│ │ │ │ │ + anchors.
│ │ │ │ │ + Specifies the directory in
│ │ │ │ │ +managed-keys-directory which to store the files dnssec
│ │ │ │ │ + that track managed DNSSEC
│ │ │ │ │ + keys.
│ │ │ │ │ + Specifies an access control
│ │ │ │ │ + list (ACL) of IPv4 addresses
│ │ │ │ │ +mapped that are to be mapped to the query
│ │ │ │ │ + corresponding A RRset in
│ │ │ │ │ + dns64.
│ │ │ │ │ +masterfile-format Specifies the file format of zone, server
│ │ │ │ │ + zone files.
│ │ │ │ │ + Specifies the format of zone
│ │ │ │ │ +masterfile-style files during a dump, when server
│ │ │ │ │ + the masterfile-format is
│ │ │ │ │ + text.
│ │ │ │ │ + Specifies a view of DNS
│ │ │ │ │ +match-clients namespace for a given subset view
│ │ │ │ │ + of client IP addresses.
│ │ │ │ │ + Specifies a view of DNS
│ │ │ │ │ +match-destinations namespace for a given subset view
│ │ │ │ │ + of destination IP addresses.
│ │ │ │ │ + Allows IPv4-mapped IPv6
│ │ │ │ │ + addresses to match address-
│ │ │ │ │ +match-mapped-addresses match list entries for server
│ │ │ │ │ + corresponding IPv4
│ │ │ │ │ + addresses.
│ │ │ │ │ + Specifies that only
│ │ │ │ │ +match-recursive-only recursive requests can match view
│ │ │ │ │ + this view of the DNS
│ │ │ │ │ + namespace.
│ │ │ │ │ + Sets the maximum amount of
│ │ │ │ │ +max-cache-size memory to use for an server
│ │ │ │ │ + individual cache database
│ │ │ │ │ + and its associated metadata.
│ │ │ │ │ + Specifies the maximum time
│ │ │ │ │ +max-cache-ttl (in seconds) that the server server
│ │ │ │ │ + caches ordinary (positive)
│ │ │ │ │ + answers.
│ │ │ │ │ + Sets the maximum number of
│ │ │ │ │ + simultaneous recursive
│ │ │ │ │ +max-clients-per-query clients accepted by the server
│ │ │ │ │ + server for any given query
│ │ │ │ │ + before the server drops
│ │ │ │ │ + additional clients.
│ │ │ │ │ + Sets the maximum size for
│ │ │ │ │ +max-ixfr-ratio IXFR responses to zone transfer
│ │ │ │ │ + transfer requests.
│ │ │ │ │ +max-journal-size Controls the size of journal transfer
│ │ │ │ │ + files.
│ │ │ │ │ + Specifies the maximum
│ │ │ │ │ + retention time (in seconds)
│ │ │ │ │ +max-ncache-ttl for storage of negative server
│ │ │ │ │ + answers in the server's
│ │ │ │ │ + cache.
│ │ │ │ │ +max-records Sets the maximum number of zone, server
│ │ │ │ │ + records permitted in a zone.
│ │ │ │ │ + Sets the maximum number of
│ │ │ │ │ +max-records-per-type records that can be stored server
│ │ │ │ │ + in an RRset
│ │ │ │ │ + Sets the maximum number of
│ │ │ │ │ + levels of recursion
│ │ │ │ │ +max-recursion-depth permitted at any one time server
│ │ │ │ │ + while servicing a recursive
│ │ │ │ │ + query.
│ │ │ │ │ + Sets the maximum number of
│ │ │ │ │ +max-recursion-queries iterative queries while server, query
│ │ │ │ │ + servicing a recursive query.
│ │ │ │ │ + Limits the zone refresh
│ │ │ │ │ +max-refresh-time interval to no less often transfer
│ │ │ │ │ + than the specified value, in
│ │ │ │ │ + seconds.
│ │ │ │ │ + Limits the zone refresh
│ │ │ │ │ +max-retry-time retry interval to no less transfer
│ │ │ │ │ + often than the specified
│ │ │ │ │ + value, in seconds.
│ │ │ │ │ + Sets the maximum RSA
│ │ │ │ │ +max-rsa-exponent-size exponent size (in bits) when dnssec, query
│ │ │ │ │ + validating.
│ │ │ │ │ + Specifies the maximum time
│ │ │ │ │ + that the server retains
│ │ │ │ │ +max-stale-ttl records past their normal server
│ │ │ │ │ + expiry, to return them as
│ │ │ │ │ + stale records.
│ │ │ │ │ + Sets the maximum size of the
│ │ │ │ │ +max-table-size table used to track requests server
│ │ │ │ │ + and rate-limit responses.
│ │ │ │ │ + Specifies the number of
│ │ │ │ │ +max-transfer-idle-in minutes after which inbound transfer
│ │ │ │ │ + zone transfers making no
│ │ │ │ │ + progress are terminated.
│ │ │ │ │ + Specifies the number of
│ │ │ │ │ +max-transfer-idle-out minutes after which outbound transfer
│ │ │ │ │ + zone transfers making no
│ │ │ │ │ + progress are terminated.
│ │ │ │ │ + Specifies the number of
│ │ │ │ │ +max-transfer-time-in minutes after which inbound transfer
│ │ │ │ │ + zone transfers are
│ │ │ │ │ + terminated.
│ │ │ │ │ + Specifies the number of
│ │ │ │ │ +max-transfer-time-out minutes after which outbound transfer
│ │ │ │ │ + zone transfers are
│ │ │ │ │ + terminated.
│ │ │ │ │ + Sets the maximum number of
│ │ │ │ │ +max-types-per-name RR types that can be stored server
│ │ │ │ │ + for an owner name
│ │ │ │ │ +max-udp-size Sets the maximum EDNS UDP query
│ │ │ │ │ + message size sent by named.
│ │ │ │ │ + Specifies a maximum
│ │ │ │ │ +max-zone-ttl permissible time-to-live zone, query
│ │ │ │ │ + (TTL) value, in seconds.
│ │ │ │ │ + Controls whether memory
│ │ │ │ │ +memstatistics statistics are written to logging, server
│ │ │ │ │ + the file specified by
│ │ │ │ │ + memstatistics-file at exit.
│ │ │ │ │ + Sets the pathname of the
│ │ │ │ │ +memstatistics-file file where the server writes logging
│ │ │ │ │ + memory usage statistics on
│ │ │ │ │ + exit.
│ │ │ │ │ + Controls whether DNS name
│ │ │ │ │ +message-compression compression is used in query
│ │ │ │ │ + responses to regular
│ │ │ │ │ + queries.
│ │ │ │ │ + Specifies the minimum time
│ │ │ │ │ +min-cache-ttl (in seconds) that the server server
│ │ │ │ │ + caches ordinary (positive)
│ │ │ │ │ + answers.
│ │ │ │ │ + Specifies the minimum
│ │ │ │ │ + retention time (in seconds)
│ │ │ │ │ +min-ncache-ttl for storage of negative server
│ │ │ │ │ + answers in the server's
│ │ │ │ │ + cache.
│ │ │ │ │ + Limits the zone refresh
│ │ │ │ │ +min-refresh-time interval to no more often transfer
│ │ │ │ │ + than the specified value, in
│ │ │ │ │ + seconds.
│ │ │ │ │ + Limits the zone refresh
│ │ │ │ │ +min-retry-time retry interval to no more transfer
│ │ │ │ │ + often than the specified
│ │ │ │ │ + value, in seconds.
│ │ │ │ │ + Sets the minimum size of the
│ │ │ │ │ +min-table-size table used to track requests query
│ │ │ │ │ + and rate-limit responses.
│ │ │ │ │ + Controls whether the server
│ │ │ │ │ + replies with only one of the
│ │ │ │ │ +minimal-any RRsets for a query name, query
│ │ │ │ │ + when generating a positive
│ │ │ │ │ + response to a query of type
│ │ │ │ │ + ANY over UDP.
│ │ │ │ │ + Controls whether the server
│ │ │ │ │ + only adds records to the
│ │ │ │ │ + authority and additional
│ │ │ │ │ +minimal-responses data sections when they are query
│ │ │ │ │ + required (e.g. delegations,
│ │ │ │ │ + negative responses). This
│ │ │ │ │ + improves server performance.
│ │ │ │ │ + Controls whether serial
│ │ │ │ │ +multi-master number mismatch errors are transfer
│ │ │ │ │ + logged.
│ │ │ │ │ + Specifies the directory
│ │ │ │ │ +new-zones-directory where configuration zone
│ │ │ │ │ + parameters are stored for
│ │ │ │ │ + zones added by rndc_addzone.
│ │ │ │ │ + Specifies a list of
│ │ │ │ │ +no-case-compress addresses that require case- server
│ │ │ │ │ + insensitive compression in
│ │ │ │ │ + responses.
│ │ │ │ │ + Sets the maximum size of UDP
│ │ │ │ │ +nocookie-udp-size responses that are sent to query
│ │ │ │ │ + queries without a valid
│ │ │ │ │ + server COOKIE.
│ │ │ │ │ + Limits the number of empty
│ │ │ │ │ +nodata-per-second (NODATA) responses for a query
│ │ │ │ │ + valid domain name.
│ │ │ │ │ + Controls whether NOTIFY
│ │ │ │ │ +notify messages are sent on zone transfer
│ │ │ │ │ + changes.
│ │ │ │ │ + Sets the delay (in seconds)
│ │ │ │ │ +notify-delay between sending sets of zone, transfer
│ │ │ │ │ + NOTIFY messages for a zone.
│ │ │ │ │ + Specifies the rate at which
│ │ │ │ │ +notify-rate NOTIFY requests are sent zone, transfer
│ │ │ │ │ + during normal zone
│ │ │ │ │ + maintenance operations.
│ │ │ │ │ + Defines the IPv4 address
│ │ │ │ │ +notify-source (and optional port) to be transfer
│ │ │ │ │ + used for outgoing NOTIFY
│ │ │ │ │ + messages.
│ │ │ │ │ + Defines the IPv6 address
│ │ │ │ │ +notify-source-v6 (and optional port) to be transfer
│ │ │ │ │ + used for outgoing NOTIFY
│ │ │ │ │ + messages.
│ │ │ │ │ + Controls whether the name
│ │ │ │ │ +notify-to-soa servers in the NS RRset are transfer
│ │ │ │ │ + checked against the SOA
│ │ │ │ │ + MNAME.
│ │ │ │ │ + Specifies the use of NSEC3
│ │ │ │ │ +nsec3param instead of NSEC, and sets dnssec
│ │ │ │ │ + NSEC3 parameters.
│ │ │ │ │ + Specifies the lifetime, in
│ │ │ │ │ +nta-lifetime seconds, for negative trust dnssec
│ │ │ │ │ + anchors added via rndc_nta.
│ │ │ │ │ + Specifies the time interval
│ │ │ │ │ + for checking whether
│ │ │ │ │ +nta-recheck negative trust anchors added dnssec
│ │ │ │ │ + via rndc_nta are still
│ │ │ │ │ + necessary.
│ │ │ │ │ + Causes all messages sent to
│ │ │ │ │ +null the logging channel to be logging
│ │ │ │ │ + discarded.
│ │ │ │ │ + Appends the specified suffix
│ │ │ │ │ +nxdomain-redirect to the original query name, query
│ │ │ │ │ + when replacing an NXDOMAIN
│ │ │ │ │ + with a redirect namespace.
│ │ │ │ │ + Limits the number of
│ │ │ │ │ +nxdomains-per-second undefined subdomains for a query
│ │ │ │ │ + valid domain name.
│ │ │ │ │ +options Defines global options to be server
│ │ │ │ │ + used by BIND 9.
│ │ │ │ │ + Adds EDNS Padding options to
│ │ │ │ │ +padding outgoing messages to server
│ │ │ │ │ + increase the packet size.
│ │ │ │ │ + Sets the time to live (TTL)
│ │ │ │ │ +parent-ds-ttl of the DS RRset used by the dnssec
│ │ │ │ │ + parent zone.
│ │ │ │ │ + Sets the propagation delay
│ │ │ │ │ + from the time the parent
│ │ │ │ │ +parent-propagation-delay zone is updated to when the zone, dnssec
│ │ │ │ │ + new version is served by all
│ │ │ │ │ + of the parent zone's name
│ │ │ │ │ + servers.
│ │ │ │ │ + Defines a list of delegation
│ │ │ │ │ +parental-agents agents to be used by primary zone
│ │ │ │ │ + and secondary zones.
│ │ │ │ │ + Specifies which local IPv4
│ │ │ │ │ +parental-source source address is used to dnssec
│ │ │ │ │ + send parental DS queries.
│ │ │ │ │ + Specifies which local IPv6
│ │ │ │ │ +parental-source-v6 source address is used to dnssec
│ │ │ │ │ + send parental DS queries.
│ │ │ │ │ + Specifies the pathname of
│ │ │ │ │ +pid-file the file where the server server
│ │ │ │ │ + writes its process ID.
│ │ │ │ │ +plugin Configures plugins in server
│ │ │ │ │ + named.conf.
│ │ │ │ │ + Specifies the UDP/TCP port
│ │ │ │ │ +port number the server uses to server, query
│ │ │ │ │ + receive and send DNS
│ │ │ │ │ + protocol traffic.
│ │ │ │ │ + Specifies that server
│ │ │ │ │ +prefer-server-ciphers ciphers should be preferred server, security
│ │ │ │ │ + over client ones.
│ │ │ │ │ + Controls the order of glue
│ │ │ │ │ +preferred-glue records in an A or AAAA query
│ │ │ │ │ + response.
│ │ │ │ │ + Specifies the "trigger"
│ │ │ │ │ +prefetch time-to-live (TTL) value at query
│ │ │ │ │ + which prefetch of the
│ │ │ │ │ + current query takes place.
│ │ │ │ │ +primaries Defines one or more primary zone
│ │ │ │ │ + servers for a zone.
│ │ │ │ │ +print-category Includes the category in log logging
│ │ │ │ │ + messages.
│ │ │ │ │ +print-severity Includes the severity in log logging
│ │ │ │ │ + messages.
│ │ │ │ │ +print-time Specifies the time format logging
│ │ │ │ │ + for log messages.
│ │ │ │ │ + Specifies the allowed
│ │ │ │ │ +protocols versions of the TLS security
│ │ │ │ │ + protocol.
│ │ │ │ │ + Controls whether a primary
│ │ │ │ │ + responds to an incremental
│ │ │ │ │ +provide-ixfr zone request (IXFR) or only transfer
│ │ │ │ │ + responds with a full zone
│ │ │ │ │ + transfer (AXFR).
│ │ │ │ │ + Increases the amount of time
│ │ │ │ │ + between when keys are
│ │ │ │ │ +publish-safety published and when they dnssec
│ │ │ │ │ + become active, to allow for
│ │ │ │ │ + unforeseen events.
│ │ │ │ │ + Specifies the amount of time
│ │ │ │ │ + after which DNSSEC keys that
│ │ │ │ │ +purge-keys have been deleted from the dnssec
│ │ │ │ │ + zone can be removed from
│ │ │ │ │ + disk.
│ │ │ │ │ + Controls QNAME minimization
│ │ │ │ │ +qname-minimization behavior in the BIND 9 query
│ │ │ │ │ + resolver.
│ │ │ │ │ + Tightens defenses during DNS
│ │ │ │ │ +qps-scale attacks by scaling back the query
│ │ │ │ │ + ratio of the current query-
│ │ │ │ │ + per-second rate.
│ │ │ │ │ + Controls the IPv4 address
│ │ │ │ │ +query-source from which queries are query
│ │ │ │ │ + issued.
│ │ │ │ │ + Controls the IPv6 address
│ │ │ │ │ +query-source-v6 from which queries are query
│ │ │ │ │ + issued.
│ │ │ │ │ + Specifies whether query
│ │ │ │ │ +querylog logging should be active server, logging
│ │ │ │ │ + when named first starts.
│ │ │ │ │ + Controls excessive UDP
│ │ │ │ │ + responses, to prevent BIND 9
│ │ │ │ │ +rate-limit from being used to amplify query
│ │ │ │ │ + reflection denial-of-service
│ │ │ │ │ + (DoS) attacks.
│ │ │ │ │ + Specifies the pathname of
│ │ │ │ │ + the file where the server
│ │ │ │ │ +recursing-file dumps queries that are server
│ │ │ │ │ + currently recursing via rndc
│ │ │ │ │ + recursing.
│ │ │ │ │ +recursion Defines whether recursion query
│ │ │ │ │ + and caching are allowed.
│ │ │ │ │ + Specifies the maximum number
│ │ │ │ │ +recursive-clients of concurrent recursive query
│ │ │ │ │ + queries the server can
│ │ │ │ │ + perform.
│ │ │ │ │ + Toggles whether dns64
│ │ │ │ │ +recursive-only synthesis occurs only for query
│ │ │ │ │ + recursive queries.
│ │ │ │ │ + Limits the number of
│ │ │ │ │ +referrals-per-second referrals or delegations to query
│ │ │ │ │ + a server for a given domain.
│ │ │ │ │ + Specifies the expected
│ │ │ │ │ +remote-hostname hostname in the TLS security
│ │ │ │ │ + certificate of the remote
│ │ │ │ │ + server.
│ │ │ │ │ + Specifies whether the local
│ │ │ │ │ +request-expire server requests the EDNS query, transfer
│ │ │ │ │ + EXPIRE value, when acting as
│ │ │ │ │ + a secondary.
│ │ │ │ │ + Controls whether a secondary
│ │ │ │ │ +request-ixfr requests an incremental zone transfer
│ │ │ │ │ + transfer (IXFR) or a full
│ │ │ │ │ + zone transfer (AXFR).
│ │ │ │ │ + Controls whether an empty
│ │ │ │ │ + EDNS(0) NSID (Name Server
│ │ │ │ │ +request-nsid Identifier) option is sent query
│ │ │ │ │ + with all queries to
│ │ │ │ │ + authoritative name servers
│ │ │ │ │ + during iterative resolution.
│ │ │ │ │ + Controls whether a valid
│ │ │ │ │ +require-server-cookie server cookie is required query
│ │ │ │ │ + before sending a full
│ │ │ │ │ + response to a UDP request.
│ │ │ │ │ +reserved-sockets Deprecated. deprecated
│ │ │ │ │ + Specifies the number of
│ │ │ │ │ +resolver-nonbackoff-tries retries before exponential deprecated.
│ │ │ │ │ + backoff.
│ │ │ │ │ + Specifies the length of
│ │ │ │ │ + time, in milliseconds, that
│ │ │ │ │ +resolver-query-timeout a resolver attempts to query
│ │ │ │ │ + resolve a recursive query
│ │ │ │ │ + before failing.
│ │ │ │ │ +resolver-retry-interval Sets the base retry interval deprecated
│ │ │ │ │ + (in milliseconds).
│ │ │ │ │ + Adds an EDNS Padding option
│ │ │ │ │ + to encrypted messages, to
│ │ │ │ │ +response-padding reduce the chance of query
│ │ │ │ │ + guessing the contents based
│ │ │ │ │ + on size.
│ │ │ │ │ + Specifies response policy zone, server, query,
│ │ │ │ │ +response-policy zones for the view or among security
│ │ │ │ │ + global options.
│ │ │ │ │ + Limits the number of non-
│ │ │ │ │ +responses-per-second empty responses for a valid query
│ │ │ │ │ + domain name and record type.
│ │ │ │ │ + Increases the amount of time
│ │ │ │ │ + a key remains published
│ │ │ │ │ +retire-safety after it is no longer dnssec
│ │ │ │ │ + active, to allow for
│ │ │ │ │ + unforeseen events.
│ │ │ │ │ +reuseport Enables kernel load- server
│ │ │ │ │ + balancing of sockets.
│ │ │ │ │ + Turns on enforcement of
│ │ │ │ │ + delegation-only in top-level
│ │ │ │ │ +root-delegation-only domains (TLDs) and root deprecated
│ │ │ │ │ + zones with an optional
│ │ │ │ │ + exclude list.
│ │ │ │ │ + Controls whether BIND 9
│ │ │ │ │ +root-key-sentinel responds to root key server
│ │ │ │ │ + sentinel probes.
│ │ │ │ │ + Defines the order in which
│ │ │ │ │ +rrset-order equal RRs (RRsets) are query
│ │ │ │ │ + returned.
│ │ │ │ │ + Specifies whether a
│ │ │ │ │ +search Dynamically Loadable Zone query
│ │ │ │ │ + (DLZ) module is queried for
│ │ │ │ │ + an answer to a query name.
│ │ │ │ │ + Defines a Base64-encoded
│ │ │ │ │ +secret string to be used as the security
│ │ │ │ │ + secret by the algorithm.
│ │ │ │ │ + Specifies the pathname of
│ │ │ │ │ +secroots-file the file where the server dnssec
│ │ │ │ │ + dumps security roots, when
│ │ │ │ │ + using rndc_secroots.
│ │ │ │ │ + Controls whether a COOKIE
│ │ │ │ │ +send-cookie EDNS option is sent along query
│ │ │ │ │ + with a query.
│ │ │ │ │ + Defines an upper limit on
│ │ │ │ │ + the number of queries per
│ │ │ │ │ +serial-query-rate second issued by the server, transfer
│ │ │ │ │ + when querying the SOA RRs
│ │ │ │ │ + used for zone transfers.
│ │ │ │ │ + Specifies the update method
│ │ │ │ │ +serial-update-method to be used for the zone zone
│ │ │ │ │ + serial number in the SOA
│ │ │ │ │ + record.
│ │ │ │ │ + Defines characteristics to
│ │ │ │ │ +server be associated with a remote server
│ │ │ │ │ + name server.
│ │ │ │ │ + Specifies a list of IP
│ │ │ │ │ + addresses to which queries
│ │ │ │ │ +server-addresses should be sent in recursive zone, query
│ │ │ │ │ + resolution for a static-stub
│ │ │ │ │ + zone.
│ │ │ │ │ + Specifies the ID of the
│ │ │ │ │ +server-id server to return in response server
│ │ │ │ │ + to a ID.SERVER query.
│ │ │ │ │ + Specifies a list of domain
│ │ │ │ │ +server-names names of name servers that zone
│ │ │ │ │ + act as authoritative servers
│ │ │ │ │ + of a static-stub zone.
│ │ │ │ │ + Sets the length of time (in
│ │ │ │ │ +servfail-ttl seconds) that a SERVFAIL server
│ │ │ │ │ + response is cached.
│ │ │ │ │ + Specifies the algorithm to
│ │ │ │ │ +session-keyalg use for the TSIG session security
│ │ │ │ │ + key.
│ │ │ │ │ + Specifies the pathname of
│ │ │ │ │ + the file where a TSIG
│ │ │ │ │ +session-keyfile session key is written, when security
│ │ │ │ │ + generated by named for use
│ │ │ │ │ + by nsupdate -l.
│ │ │ │ │ +session-keyname Specifies the key name for security
│ │ │ │ │ + the TSIG session key.
│ │ │ │ │ + Enables or disables session
│ │ │ │ │ +session-tickets resumption through TLS security
│ │ │ │ │ + session tickets.
│ │ │ │ │ +severity Defines the priority level logging
│ │ │ │ │ + of log messages.
│ │ │ │ │ + Specifies the maximum number
│ │ │ │ │ +sig-signing-nodes of nodes to be examined in dnssec
│ │ │ │ │ + each quantum, when signing a
│ │ │ │ │ + zone with a new DNSKEY.
│ │ │ │ │ + Specifies the threshold for
│ │ │ │ │ + the number of signatures
│ │ │ │ │ +sig-signing-signatures that terminates processing a dnssec
│ │ │ │ │ + quantum, when signing a zone
│ │ │ │ │ + with a new DNSKEY.
│ │ │ │ │ + Specifies a private RDATA
│ │ │ │ │ +sig-signing-type type to use when generating dnssec
│ │ │ │ │ + signing-state records.
│ │ │ │ │ + Specifies the maximum number
│ │ │ │ │ +sig-validity-interval of days that RRSIGs dnssec
│ │ │ │ │ + generated by named are
│ │ │ │ │ + valid.
│ │ │ │ │ +signatures-jitter Specifies a range for dnssec
│ │ │ │ │ + signatures expirations.
│ │ │ │ │ +signatures-refresh Specifies how frequently an dnssec
│ │ │ │ │ + RRSIG record is refreshed.
│ │ │ │ │ +signatures-validity Indicates the validity dnssec
│ │ │ │ │ + period of an RRSIG record.
│ │ │ │ │ +signatures-validity-dnskey Indicates the validity dnssec
│ │ │ │ │ + period of DNSKEY records.
│ │ │ │ │ + Sets the number of "slipped"
│ │ │ │ │ +slip responses to minimize the query
│ │ │ │ │ + use of forged source
│ │ │ │ │ + addresses for an attack.
│ │ │ │ │ + Controls the ordering of RRs
│ │ │ │ │ +sortlist returned to the client, query
│ │ │ │ │ + based on the client's IP
│ │ │ │ │ + address.
│ │ │ │ │ + Sets the maximum amount of
│ │ │ │ │ +stacksize stack memory that can be deprecated
│ │ │ │ │ + used by the server.
│ │ │ │ │ + Defines the amount of time
│ │ │ │ │ + (in milliseconds) that named
│ │ │ │ │ +stale-answer-client-timeout waits before attempting to server, query
│ │ │ │ │ + answer a query with a stale
│ │ │ │ │ + RRset from cache.
│ │ │ │ │ + Enables the returning of
│ │ │ │ │ +stale-answer-enable "stale" cached answers when server, query
│ │ │ │ │ + the name servers for a zone
│ │ │ │ │ + are not answering.
│ │ │ │ │ + Specifies the time to live
│ │ │ │ │ +stale-answer-ttl (TTL) to be returned on query
│ │ │ │ │ + stale answers, in seconds.
│ │ │ │ │ +stale-cache-enable Enables the retention of server, query
│ │ │ │ │ + "stale" cached answers.
│ │ │ │ │ + Sets the time window for the
│ │ │ │ │ + return of "stale" cached
│ │ │ │ │ +stale-refresh-time answers before the next server, query
│ │ │ │ │ + attempt to contact, if the
│ │ │ │ │ + name servers for a given
│ │ │ │ │ + zone are not responding.
│ │ │ │ │ + Specifies the rate at which
│ │ │ │ │ + NOTIFY requests are sent
│ │ │ │ │ +startup-notify-rate when the name server is zone, transfer
│ │ │ │ │ + first starting, or when new
│ │ │ │ │ + zones have been added.
│ │ │ │ │ + Specifies the communication
│ │ │ │ │ + channels to be used by
│ │ │ │ │ +statistics-channels system administrators to logging
│ │ │ │ │ + access statistics
│ │ │ │ │ + information on the name
│ │ │ │ │ + server.
│ │ │ │ │ + Specifies the pathname of
│ │ │ │ │ +statistics-file the file where the server server, logging
│ │ │ │ │ + appends statistics, when
│ │ │ │ │ + using rndc_stats.
│ │ │ │ │ + Directs the logging channel
│ │ │ │ │ +stderr output to the server's logging
│ │ │ │ │ + standard error stream.
│ │ │ │ │ + Specifies the maximum number
│ │ │ │ │ +streams-per-connection of concurrent HTTP/2 streams server, query
│ │ │ │ │ + over an HTTP/2 connection.
│ │ │ │ │ + Defines trailing bits for
│ │ │ │ │ +suffix mapped IPv4 address bits in query
│ │ │ │ │ + dns64.
│ │ │ │ │ + Enables support for RFC
│ │ │ │ │ +synth-from-dnssec 8198, Aggressive Use of dnssec
│ │ │ │ │ + DNSSEC-Validated Cache.
│ │ │ │ │ +syslog Directs the logging channel logging
│ │ │ │ │ + to the system log.
│ │ │ │ │ + Sets the timeout value (in
│ │ │ │ │ + milliseconds) that the
│ │ │ │ │ +tcp-advertised-timeout server sends in responses query
│ │ │ │ │ + containing the EDNS TCP
│ │ │ │ │ + keepalive option.
│ │ │ │ │ + Specifies the maximum number
│ │ │ │ │ +tcp-clients of simultaneous client TCP server
│ │ │ │ │ + connections accepted by the
│ │ │ │ │ + server.
│ │ │ │ │ + Sets the amount of time (in
│ │ │ │ │ + milliseconds) that the
│ │ │ │ │ + server waits on an idle TCP
│ │ │ │ │ +tcp-idle-timeout connection before closing query
│ │ │ │ │ + it, if the EDNS TCP
│ │ │ │ │ + keepalive option is not in
│ │ │ │ │ + use.
│ │ │ │ │ + Sets the amount of time (in
│ │ │ │ │ + milliseconds) that the
│ │ │ │ │ +tcp-initial-timeout server waits on a new TCP server, query
│ │ │ │ │ + connection for the first
│ │ │ │ │ + message from the client.
│ │ │ │ │ +tcp-keepalive Adds EDNS TCP keepalive to server
│ │ │ │ │ + messages sent over TCP.
│ │ │ │ │ + Sets the amount of time (in
│ │ │ │ │ + milliseconds) that the
│ │ │ │ │ +tcp-keepalive-timeout server waits on an idle TCP query
│ │ │ │ │ + connection before closing
│ │ │ │ │ + it, if the EDNS TCP
│ │ │ │ │ + keepalive option is in use.
│ │ │ │ │ +tcp-listen-queue Sets the listen-queue depth. server
│ │ │ │ │ +tcp-only Sets the transport protocol server
│ │ │ │ │ + to TCP.
│ │ │ │ │ + Sets the operating system's
│ │ │ │ │ +tcp-receive-buffer receive buffer size for TCP server
│ │ │ │ │ + sockets.
│ │ │ │ │ + Sets the operating system's
│ │ │ │ │ +tcp-send-buffer send buffer size for TCP server
│ │ │ │ │ + sockets.
│ │ │ │ │ + Sets the Diffie-Hellman key
│ │ │ │ │ +tkey-dhkey used by the server to deprecated
│ │ │ │ │ + generate shared keys.
│ │ │ │ │ + Sets the domain appended to
│ │ │ │ │ +tkey-domain the names of all shared keys security
│ │ │ │ │ + generated with TKEY.
│ │ │ │ │ + Sets the security credential
│ │ │ │ │ +tkey-gssapi-credential for authentication keys security
│ │ │ │ │ + requested by the GSS-TSIG
│ │ │ │ │ + protocol.
│ │ │ │ │ +tkey-gssapi-keytab Sets the KRB5 keytab file to security
│ │ │ │ │ + use for GSS-TSIG updates.
│ │ │ │ │ +tls Configures a TLS connection. security
│ │ │ │ │ + Specifies the TCP port
│ │ │ │ │ +tls-port number the server uses to server, query
│ │ │ │ │ + receive and send DNS-over-
│ │ │ │ │ + TLS protocol traffic.
│ │ │ │ │ + Controls whether multiple
│ │ │ │ │ +transfer-format records can be packed into a transfer
│ │ │ │ │ + message during zone
│ │ │ │ │ + transfers.
│ │ │ │ │ + Limits the uncompressed size
│ │ │ │ │ +transfer-message-size of DNS messages used in zone transfer
│ │ │ │ │ + transfers over TCP.
│ │ │ │ │ + Defines which local IPv4
│ │ │ │ │ + address(es) are bound to TCP
│ │ │ │ │ +transfer-source connections used to fetch transfer
│ │ │ │ │ + zones transferred inbound by
│ │ │ │ │ + the server.
│ │ │ │ │ + Defines which local IPv6
│ │ │ │ │ + address(es) are bound to TCP
│ │ │ │ │ +transfer-source-v6 connections used to fetch transfer
│ │ │ │ │ + zones transferred inbound by
│ │ │ │ │ + the server.
│ │ │ │ │ + Limits the number of
│ │ │ │ │ +transfers concurrent inbound zone server
│ │ │ │ │ + transfers from a server.
│ │ │ │ │ + Limits the number of
│ │ │ │ │ +transfers-in concurrent inbound zone transfer
│ │ │ │ │ + transfers.
│ │ │ │ │ + Limits the number of
│ │ │ │ │ +transfers-out concurrent outbound zone transfer
│ │ │ │ │ + transfers.
│ │ │ │ │ + Limits the number of
│ │ │ │ │ +transfers-per-ns concurrent inbound zone transfer
│ │ │ │ │ + transfers from a remote
│ │ │ │ │ + server.
│ │ │ │ │ + Instructs named to send
│ │ │ │ │ + specially formed queries
│ │ │ │ │ +trust-anchor-telemetry once per day to domains for dnssec
│ │ │ │ │ + which trust anchors have
│ │ │ │ │ + been configured.
│ │ │ │ │ +trust-anchors Defines DNSSEC trust dnssec
│ │ │ │ │ + anchors.
│ │ │ │ │ +trusted-keys Deprecated, use trust- deprecated
│ │ │ │ │ + anchors.
│ │ │ │ │ + Specifies that BIND 9 should
│ │ │ │ │ +try-tcp-refresh attempt to refresh a zone transfer
│ │ │ │ │ + using TCP if UDP queries
│ │ │ │ │ + fail.
│ │ │ │ │ +type Specifies the kind of zone zone
│ │ │ │ │ + in a given configuration.
│ │ │ │ │ + Enforces the delegation-only
│ │ │ │ │ +type_delegation-only status of infrastructure deprecated
│ │ │ │ │ + zones (COM, NET, ORG, etc.).
│ │ │ │ │ + Contains forwarding
│ │ │ │ │ +type_forward statements that apply to zone
│ │ │ │ │ + queries within a given
│ │ │ │ │ + domain.
│ │ │ │ │ + Contains the initial set of
│ │ │ │ │ +type_hint root name servers to be used zone
│ │ │ │ │ + at BIND 9 startup.
│ │ │ │ │ + Contains a DNSSEC-validated
│ │ │ │ │ +type_mirror duplicate of the main data zone
│ │ │ │ │ + for a zone.
│ │ │ │ │ +type_primary Contains the main copy of zone
│ │ │ │ │ + the data for a zone.
│ │ │ │ │ + Contains information to
│ │ │ │ │ +type_redirect answer queries when normal zone
│ │ │ │ │ + resolution would return
│ │ │ │ │ + NXDOMAIN.
│ │ │ │ │ + Contains a duplicate of the
│ │ │ │ │ +type_secondary data for a zone that has zone
│ │ │ │ │ + been transferred from a
│ │ │ │ │ + primary server.
│ │ │ │ │ + Contains a duplicate of the
│ │ │ │ │ + NS records of a primary
│ │ │ │ │ +type_static-stub zone, but statically zone
│ │ │ │ │ + configured rather than
│ │ │ │ │ + transferred from a primary
│ │ │ │ │ + server.
│ │ │ │ │ + Contains a duplicate of the
│ │ │ │ │ +type_stub NS records of a primary zone
│ │ │ │ │ + zone.
│ │ │ │ │ + Sets the operating system's
│ │ │ │ │ +udp-receive-buffer receive buffer size for UDP server
│ │ │ │ │ + sockets.
│ │ │ │ │ + Sets the operating system's
│ │ │ │ │ +udp-send-buffer send buffer size for UDP server
│ │ │ │ │ + sockets.
│ │ │ │ │ +unix Specifies a Unix domain server
│ │ │ │ │ + socket as a control channel.
│ │ │ │ │ + Specifies whether to check
│ │ │ │ │ + the KSK bit to determine how
│ │ │ │ │ +update-check-ksk a key should be used, when zone, dnssec
│ │ │ │ │ + generating RRSIGs for a
│ │ │ │ │ + secure zone.
│ │ │ │ │ + Sets fine-grained rules to
│ │ │ │ │ + allow or deny dynamic
│ │ │ │ │ +update-policy updates (DDNS), based on transfer
│ │ │ │ │ + requester identity, updated
│ │ │ │ │ + content, etc.
│ │ │ │ │ + Specifies the maximum number
│ │ │ │ │ +update-quota of concurrent DNS UPDATE server
│ │ │ │ │ + messages that can be
│ │ │ │ │ + processed by the server.
│ │ │ │ │ + Indicates whether alt-
│ │ │ │ │ +use-alt-transfer-source transfer-source and alt- deprecated
│ │ │ │ │ + transfer-source-v6 can be
│ │ │ │ │ + used.
│ │ │ │ │ + Specifies a list of ports
│ │ │ │ │ +use-v4-udp-ports that are valid sources for deprecated
│ │ │ │ │ + UDP/IPv4 messages.
│ │ │ │ │ + Specifies a list of ports
│ │ │ │ │ +use-v6-udp-ports that are valid sources for deprecated
│ │ │ │ │ + UDP/IPv6 messages.
│ │ │ │ │ + Indicates the number of
│ │ │ │ │ +v6-bias milliseconds of preference server, query
│ │ │ │ │ + to give to IPv6 name
│ │ │ │ │ + servers.
│ │ │ │ │ + Specifies a list of domain
│ │ │ │ │ +validate-except names at and beneath which dnssec
│ │ │ │ │ + DNSSEC validation should not
│ │ │ │ │ + be performed.
│ │ │ │ │ + Specifies the version number
│ │ │ │ │ +version of the server to return in server
│ │ │ │ │ + response to a version.bind
│ │ │ │ │ + query.
│ │ │ │ │ + Allows a name server to
│ │ │ │ │ +view answer a DNS query view
│ │ │ │ │ + differently depending on who
│ │ │ │ │ + is asking.
│ │ │ │ │ + Specifies the length of time
│ │ │ │ │ +window during which responses are query
│ │ │ │ │ + tracked.
│ │ │ │ │ + Specifies whether to set the
│ │ │ │ │ + time to live (TTL) of the
│ │ │ │ │ +zero-no-soa-ttl SOA record to zero, when zone, server, query
│ │ │ │ │ + returning authoritative
│ │ │ │ │ + negative responses to SOA
│ │ │ │ │ + queries.
│ │ │ │ │ + Sets the time to live (TTL)
│ │ │ │ │ +zero-no-soa-ttl-cache to zero when caching a zone, server, query
│ │ │ │ │ + negative response to an SOA
│ │ │ │ │ + query.
│ │ │ │ │ +zone Specifies the zone in a BIND zone
│ │ │ │ │ + 9 configuration.
│ │ │ │ │ + Sets the propagation delay
│ │ │ │ │ + from the time a zone is
│ │ │ │ │ +zone-propagation-delay first updated to when the zone, dnssec
│ │ │ │ │ + new version of the zone is
│ │ │ │ │ + served by all secondary
│ │ │ │ │ + servers.
│ │ │ │ │ + Controls the level of
│ │ │ │ │ +zone-statistics statistics gathered for all zone, logging
│ │ │ │ │ + zones.
│ │ │ │ │
│ │ │ │ │ ***** 8.4. Statements by Tagï *****
│ │ │ │ │ These tables group the various statements permissible in named.conf by their
│ │ │ │ │ corresponding tag.
│ │ │ │ │ **** 8.4.1. DNSSEC Tag Statementsï ****
│ │ │ │ │ Statement Description
│ │ │ │ │ auto-dnssec Permits varying levels of automatic DNSSEC key