mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-30 15:38:06 +01:00
6b6ac9438f
package does have BXA export approval, but the licensing strings on the dnssafe code are a bit unpleasant. The crypto is easy to restore and bind will run without it - just without full dnssec support. Obtained from: The Internet Software Consortium (www.isc.org)
457 lines
14 KiB
Plaintext
457 lines
14 KiB
Plaintext
/*
|
|
* This is a worthless, nonrunnable example of a named.conf file that has
|
|
* every conceivable syntax element in use. We use it to test the parser.
|
|
* It could also be used as a conceptual template for users of new features.
|
|
*/
|
|
|
|
/*
|
|
* C-style comments are OK
|
|
*/
|
|
|
|
// So are C++-style comments
|
|
|
|
# So are shell-style comments
|
|
|
|
// watch out for ";" -- it's important!
|
|
|
|
options {
|
|
directory "."; // use current directory
|
|
named-xfer "/usr/libexec/named-xfer"; // _PATH_XFER
|
|
dump-file "named_dump.db"; // _PATH_DUMPFILE
|
|
pid-file "/var/run/named.pid"; // _PATH_PIDFILE
|
|
statistics-file "named.stats"; // _PATH_STATS
|
|
memstatistics-file "named.memstats"; // _PATH_MEMSTATS
|
|
check-names master fail;
|
|
check-names slave warn;
|
|
check-names response ignore;
|
|
host-statistics no;
|
|
deallocate-on-exit no; // Painstakingly deallocate all
|
|
// objects when exiting instead of
|
|
// letting the OS clean up for us.
|
|
// Useful a memory leak is suspected.
|
|
// Final statistics are written to the
|
|
// memstatistics-file.
|
|
datasize default;
|
|
stacksize default;
|
|
coresize default;
|
|
files unlimited;
|
|
recursion yes;
|
|
fetch-glue yes;
|
|
fake-iquery no;
|
|
notify yes; // send NOTIFY messages. You can set
|
|
// notify on a zone-by-zone
|
|
// basis in the "zone" statement
|
|
// see (below)
|
|
max-serial-queries 4; // number of parallel SOA queries
|
|
// we can have outstanding for master
|
|
// zone change testing purposes
|
|
auth-nxdomain yes; // always set AA on NXDOMAIN.
|
|
// don't set this to 'no' unless
|
|
// you know what you're doing -- older
|
|
// servers won't like it.
|
|
multiple-cnames no; // if yes, then a name my have more
|
|
// than one CNAME RR. This use
|
|
// is non-standard and is not
|
|
// recommended, but it is available
|
|
// because previous releases supported
|
|
// it and it was used by large sites
|
|
// for load balancing.
|
|
allow-query { any; };
|
|
allow-transfer { any; };
|
|
transfers-in 10; // DEFAULT_XFERS_RUNNING, cannot be
|
|
// set > than MAX_XFERS_RUNNING (20)
|
|
transfers-per-ns 2; // DEFAULT_XFERS_PER_NS
|
|
transfers-out 0; // not implemented
|
|
max-transfer-time-in 120; // MAX_XFER_TIME; the default number
|
|
// of minutes an inbound zone transfer
|
|
// may run. May be set on a per-zone
|
|
// basis.
|
|
/*
|
|
* The "transfer-format" option specifies the way outbound zone
|
|
* transfers (i.e. from us to them) are formatted. Two values are
|
|
* allowed:
|
|
*
|
|
* one-answer Each RR gets its own DNS message.
|
|
* This format is not very efficient,
|
|
* but is widely understood. All
|
|
* versions of BIND prior to 8.1 generate
|
|
* this format for outbound zone
|
|
* and require it on inbound transfers.
|
|
*
|
|
* many-answers As many RRs as will fit are put into
|
|
* each DNS message. This format is
|
|
* the most efficient, but is only known
|
|
* to work with BIND 8. Patches to
|
|
* BIND 4.9.5 named-xfer that enable it
|
|
* to understand 'many-answers' will be
|
|
* available.
|
|
*
|
|
* If you are going to be doing zone transfers to older servers, you
|
|
* shouldn't use 'many-answers'. 'transfer-format' may also be set
|
|
* on a host-by-host basis using the 'server' statement (see below).
|
|
*/
|
|
transfer-format one-answer;
|
|
query-source address * port *;
|
|
/*
|
|
* The "forward" option is only meaningful if you've defined
|
|
* forwarders. "first" gives the normal BIND
|
|
* forwarding behavior, i.e. ask the forwarders first, and if that
|
|
* doesn't work then do the full lookup. You can also say
|
|
* "forward only;" which is what used to be specified with
|
|
* "slave" or "options forward-only". "only" will never attempt
|
|
* a full lookup; only the forwarders will be used.
|
|
*/
|
|
forward first;
|
|
forwarders { }; // default is no forwarders
|
|
/*
|
|
* Here's a forwarders example that isn't trivial
|
|
*/
|
|
/*
|
|
forwarders {
|
|
1.2.3.4;
|
|
5.6.7.8;
|
|
};
|
|
*/
|
|
topology { localhost; localnets; }; // prefer local nameservers
|
|
/*
|
|
* Here's a more complicated topology example; it's commented out
|
|
* because only one topology block is allowed.
|
|
*
|
|
topology {
|
|
10/8; // prefer network 10.0.0.0
|
|
// netmask 255.0.0.0 most
|
|
!1.2.3/24; // don't like 1.2.3.0 netmask
|
|
// 255.255.255.0 at all
|
|
{ 1.2/16; 3/8; }; // like 1.2.0.0 netmask 255.255.0.0
|
|
// and 3.0.0.0 netmask 255.0.0.0
|
|
// equally well, but less than 10/8
|
|
};
|
|
*/
|
|
|
|
listen-on port 53 { any; }; // listen for queries on port 53 on
|
|
// any interface on the system
|
|
// (i.e. all interfaces). The
|
|
// "port 53" is optional; if you
|
|
// don't specify a port, port 53
|
|
// is assumed.
|
|
/*
|
|
* Multiple listen-on statements are allowed. Here's a more
|
|
* complicated example:
|
|
*/
|
|
/*
|
|
listen-on { 5.6.7.8; }; // listen on port 53 on interface
|
|
// 5.6.7.8
|
|
listen-on port 1234 { // listen on port 1234 on any
|
|
!1.2.3.4; // interface on network 1.2.3
|
|
1.2.3/24; // netmask 255.255.255.0, except for
|
|
}; // interface 1.2.3.4.
|
|
*/
|
|
|
|
/*
|
|
* Interval Timers
|
|
*/
|
|
cleaning-interval 60; // clean the cache of expired RRs
|
|
// every 'cleaning-interval' minutes
|
|
interface-interval 60; // scan for new or deleted interfaces
|
|
// every 'interface-interval' minutes
|
|
statistics-interval 60; // log statistics every
|
|
// 'statistics-interval' minutes
|
|
/*
|
|
* IXFR options
|
|
*/
|
|
maintain-ixfr-base no; // If yes, keep transaction log file for IXFR
|
|
max-ixfr-log-size 20; // Not implemented, maximum size the
|
|
// IXFR transaction log file to grow
|
|
};
|
|
|
|
/*
|
|
* Control listeners, for "ndc". Every nameserver needs at least one.
|
|
*/
|
|
controls {
|
|
inet * port 52 allow { any; }; // a bad idea
|
|
unix "/var/run/ndc" perm 0600 owner 0 group 0; // the default
|
|
};
|
|
|
|
zone "master.demo.zone" {
|
|
type master; // what used to be called "primary"
|
|
file "master.demo.zone";
|
|
check-names fail;
|
|
allow-update { none; };
|
|
allow-transfer { any; };
|
|
allow-query { any; };
|
|
// notify yes; // send NOTIFY messages for this
|
|
// zone? The global option is used
|
|
// if "notify" is not specified
|
|
// here.
|
|
also-notify { }; // don't notify any nameservers other
|
|
// than those on the NS list for this
|
|
// zone
|
|
};
|
|
|
|
zone "slave.demo.zone" {
|
|
type slave; // what used to be called "secondary"
|
|
file "slave.demo.zone";
|
|
ixfr-base "slave.demo.zone.ixfr"; // File name for IXFR transaction log file
|
|
masters {
|
|
1.2.3.4; // where to zone transfer from
|
|
5.6.7.8;
|
|
};
|
|
transfer-source 10.0.0.53; // fixes multihoming problems
|
|
check-names warn;
|
|
allow-update { none; };
|
|
allow-transfer { any; };
|
|
allow-query { any; };
|
|
max-transfer-time-in 120; // if not set, global option is used.
|
|
also-notify { }; // don't notify any nameservers other
|
|
// than those on the NS list for this
|
|
// zone
|
|
};
|
|
|
|
zone "stub.demo.zone" {
|
|
type stub; // stub zones are like slave zones,
|
|
// except that only the NS records
|
|
// are transferred.
|
|
file "stub.demo.zone";
|
|
masters {
|
|
1.2.3.4; // where to zone transfer from
|
|
5.6.7.8;
|
|
};
|
|
check-names warn;
|
|
allow-update { none; };
|
|
allow-transfer { any; };
|
|
allow-query { any; };
|
|
max-transfer-time-in 120; // if not set, global option is used.
|
|
};
|
|
|
|
zone "." {
|
|
type hint; // used to be specified w/ "cache"
|
|
file "cache.db";
|
|
pubkey 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
|
|
};
|
|
|
|
trusted-keys {
|
|
. 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
|
|
};
|
|
|
|
|
|
acl can_query { !1.2.3/24; any; }; // network 1.2.3.0 mask 255.255.255.0
|
|
// is disallowed; rest are OK
|
|
acl can_axfr { 1.2.3.4; can_query; }; // host 1.2.3.4 and any host allowed
|
|
// by can_query are OK
|
|
|
|
zone "non-default-acl.demo.zone" {
|
|
type master;
|
|
file "foo";
|
|
allow-query { can_query; };
|
|
allow-transfer { can_axfr; };
|
|
allow-update {
|
|
1.2.3.4;
|
|
5.6.7.8;
|
|
};
|
|
};
|
|
|
|
key sample_key { // for TSIG
|
|
algorithm hmac-md5; // hmac-md5 is the supported algorithm
|
|
secret "abcdefgh"; // base 64 encoded secret
|
|
};
|
|
|
|
key key2 {
|
|
algorithm hmac-md5;
|
|
secret "87654321";
|
|
};
|
|
|
|
acl key_acl { key sample_key; }; // a request signed with sample_key
|
|
|
|
server 1.2.3.4 {
|
|
bogus no; // if yes, we won't query or listen
|
|
// to this server
|
|
transfer-format one-answer; // set transfer format for this
|
|
// server (see the description of
|
|
// 'transfer-format' above)
|
|
// if not specified, the global option
|
|
// will be used
|
|
transfers 0; // not implemented
|
|
keys { sample_key; key2; }; // for TSIG; sign requests to this
|
|
// server with this key
|
|
support-ixfr yes; // for IXFR supported by server
|
|
// if yes, the listed server talks IXFR
|
|
};
|
|
|
|
logging {
|
|
/*
|
|
* All log output goes to one or more "channels"; you can make as
|
|
* many of them as you want.
|
|
*/
|
|
|
|
channel syslog_errors { // this channel will send errors or
|
|
syslog user; // or worse to syslog (user facility)
|
|
severity error;
|
|
};
|
|
|
|
/*
|
|
* Channels have a severity level. Messages at severity levels
|
|
* greater than or equal to the channel's level will be logged on
|
|
* the channel. In order of decreasing severity, the levels are:
|
|
*
|
|
* critical a fatal error
|
|
* error
|
|
* warning
|
|
* notice a normal, but significant event
|
|
* info an informational message
|
|
* debug 1 the least detailed debugging info
|
|
* ...
|
|
* debug 99 the most detailed debugging info
|
|
*/
|
|
|
|
/*
|
|
* Here are the built-in channels:
|
|
*
|
|
* channel default_syslog {
|
|
* syslog daemon;
|
|
* severity info;
|
|
* };
|
|
*
|
|
* channel default_debug {
|
|
* file "named.run"; // note: stderr is used instead
|
|
* // of "named.run" if the server
|
|
* // is started with the "-f"
|
|
* // option.
|
|
* severity dynamic; // this means log debugging
|
|
* // at whatever debugging level
|
|
* // the server is at, and don't
|
|
* // log anything if not
|
|
* // debugging.
|
|
* };
|
|
*
|
|
* channel null { // this is the bit bucket;
|
|
* file "/dev/null"; // any logging to this channel
|
|
* // is discarded.
|
|
* };
|
|
*
|
|
* channel default_stderr { // writes to stderr
|
|
* file "<stderr>"; // this is illustrative only;
|
|
* // there's currently no way
|
|
* // of saying "stderr" in the
|
|
* // configuration language.
|
|
* // i.e. don't try this at home.
|
|
* severity info;
|
|
* };
|
|
*
|
|
* default_stderr only works before the server daemonizes (i.e.
|
|
* during initial startup) or when it is running in foreground
|
|
* mode (-f command line option).
|
|
*/
|
|
|
|
/*
|
|
* There are many categories, so you can send the logs
|
|
* you want to see wherever you want, without seeing logs you
|
|
* don't want. Right now the categories are
|
|
*
|
|
* default the catch-all. many things still
|
|
* aren't classified into categories, and
|
|
* they all end up here. also, if you
|
|
* don't specify any channels for a
|
|
* category, the default category is used
|
|
* instead.
|
|
* config high-level configuration file
|
|
* processing
|
|
* parser low-level configuration file processing
|
|
* queries what used to be called "query logging"
|
|
* lame-servers messages like "Lame server on ..."
|
|
* statistics
|
|
* panic if the server has to shut itself
|
|
* down due to an internal problem, it
|
|
* logs the problem here (as well as
|
|
* in the problem's native category)
|
|
* update dynamic update
|
|
* ncache negative caching
|
|
* xfer-in zone transfers we're receiving
|
|
* xfer-out zone transfers we're sending
|
|
* db all database operations
|
|
* eventlib debugging info from the event system
|
|
* (see below)
|
|
* packet dumps of packets received and sent
|
|
* (see below)
|
|
* notify the NOTIFY protocol
|
|
* cname messages like "XX points to a CNAME"
|
|
* security approved/unapproved requests
|
|
* os operating system problems
|
|
* insist consistency check failures
|
|
* maintenance periodic maintenance
|
|
* load zone loading
|
|
* response-checks messages like
|
|
* "Malformed response ..."
|
|
* "wrong ans. name ..."
|
|
* "unrelated additional info ..."
|
|
* "invalid RR type ..."
|
|
* "bad referral ..."
|
|
*/
|
|
|
|
category parser {
|
|
syslog_errors; // you can log to as many channels
|
|
default_syslog; // as you want
|
|
};
|
|
|
|
category lame-servers { null; }; // don't log these at all
|
|
|
|
channel moderate_debug {
|
|
severity debug 3; // level 3 debugging to file
|
|
file "foo"; // foo
|
|
print-time yes; // timestamp log entries
|
|
print-category yes; // print category name
|
|
print-severity yes; // print severity level
|
|
/*
|
|
* Note that debugging must have been turned on either
|
|
* on the command line or with a signal to get debugging
|
|
* output (non-debugging output will still be written to
|
|
* this channel).
|
|
*/
|
|
};
|
|
|
|
/*
|
|
* If you don't want to see "zone XXXX loaded" messages but do
|
|
* want to see any problems, you could do the following.
|
|
*/
|
|
channel no_info_messages {
|
|
syslog;
|
|
severity notice;
|
|
};
|
|
|
|
category load { no_info_messages; };
|
|
|
|
/*
|
|
* You can also define category "default"; it gets used when no
|
|
* "category" statement has been given for a category.
|
|
*/
|
|
category default {
|
|
default_syslog;
|
|
moderate_debug;
|
|
};
|
|
|
|
/*
|
|
* If you don't define category default yourself, the default
|
|
* default category will be used. It is
|
|
*
|
|
* category default { default_syslog; default_debug; };
|
|
*/
|
|
|
|
/*
|
|
* If you don't define category panic yourself, the default
|
|
* panic category will be used. It is
|
|
*
|
|
* category panic { default_syslog; default_stderr; };
|
|
*/
|
|
|
|
/*
|
|
* Two categories, 'packet' and 'eventlib', are special. Only one
|
|
* channel may be assigned to each of them, and it must be a
|
|
* file channel. If you don't define them yourself, they default to
|
|
*
|
|
* category eventlib { default_debug; };
|
|
*
|
|
* category packet { default_debug; };
|
|
*/
|
|
};
|
|
|
|
include "filename"; // can't do within a statement
|