HardenedBSD/contrib/bind/bin/named/named.conf
Peter Wemm 6b6ac9438f Import bind v8.2.2.p5, minus the crypto for the time being. The bind
package does have BXA export approval, but the licensing strings on the
dnssafe code are a bit unpleasant.  The crypto is easy to restore and bind
will run without it - just without full dnssec support.

Obtained from:	The Internet Software Consortium (www.isc.org)
1999-11-30 02:43:11 +00:00

457 lines
14 KiB
Plaintext

/*
* This is a worthless, nonrunnable example of a named.conf file that has
* every conceivable syntax element in use. We use it to test the parser.
* It could also be used as a conceptual template for users of new features.
*/
/*
* C-style comments are OK
*/
// So are C++-style comments
# So are shell-style comments
// watch out for ";" -- it's important!
options {
directory "."; // use current directory
named-xfer "/usr/libexec/named-xfer"; // _PATH_XFER
dump-file "named_dump.db"; // _PATH_DUMPFILE
pid-file "/var/run/named.pid"; // _PATH_PIDFILE
statistics-file "named.stats"; // _PATH_STATS
memstatistics-file "named.memstats"; // _PATH_MEMSTATS
check-names master fail;
check-names slave warn;
check-names response ignore;
host-statistics no;
deallocate-on-exit no; // Painstakingly deallocate all
// objects when exiting instead of
// letting the OS clean up for us.
// Useful a memory leak is suspected.
// Final statistics are written to the
// memstatistics-file.
datasize default;
stacksize default;
coresize default;
files unlimited;
recursion yes;
fetch-glue yes;
fake-iquery no;
notify yes; // send NOTIFY messages. You can set
// notify on a zone-by-zone
// basis in the "zone" statement
// see (below)
max-serial-queries 4; // number of parallel SOA queries
// we can have outstanding for master
// zone change testing purposes
auth-nxdomain yes; // always set AA on NXDOMAIN.
// don't set this to 'no' unless
// you know what you're doing -- older
// servers won't like it.
multiple-cnames no; // if yes, then a name my have more
// than one CNAME RR. This use
// is non-standard and is not
// recommended, but it is available
// because previous releases supported
// it and it was used by large sites
// for load balancing.
allow-query { any; };
allow-transfer { any; };
transfers-in 10; // DEFAULT_XFERS_RUNNING, cannot be
// set > than MAX_XFERS_RUNNING (20)
transfers-per-ns 2; // DEFAULT_XFERS_PER_NS
transfers-out 0; // not implemented
max-transfer-time-in 120; // MAX_XFER_TIME; the default number
// of minutes an inbound zone transfer
// may run. May be set on a per-zone
// basis.
/*
* The "transfer-format" option specifies the way outbound zone
* transfers (i.e. from us to them) are formatted. Two values are
* allowed:
*
* one-answer Each RR gets its own DNS message.
* This format is not very efficient,
* but is widely understood. All
* versions of BIND prior to 8.1 generate
* this format for outbound zone
* and require it on inbound transfers.
*
* many-answers As many RRs as will fit are put into
* each DNS message. This format is
* the most efficient, but is only known
* to work with BIND 8. Patches to
* BIND 4.9.5 named-xfer that enable it
* to understand 'many-answers' will be
* available.
*
* If you are going to be doing zone transfers to older servers, you
* shouldn't use 'many-answers'. 'transfer-format' may also be set
* on a host-by-host basis using the 'server' statement (see below).
*/
transfer-format one-answer;
query-source address * port *;
/*
* The "forward" option is only meaningful if you've defined
* forwarders. "first" gives the normal BIND
* forwarding behavior, i.e. ask the forwarders first, and if that
* doesn't work then do the full lookup. You can also say
* "forward only;" which is what used to be specified with
* "slave" or "options forward-only". "only" will never attempt
* a full lookup; only the forwarders will be used.
*/
forward first;
forwarders { }; // default is no forwarders
/*
* Here's a forwarders example that isn't trivial
*/
/*
forwarders {
1.2.3.4;
5.6.7.8;
};
*/
topology { localhost; localnets; }; // prefer local nameservers
/*
* Here's a more complicated topology example; it's commented out
* because only one topology block is allowed.
*
topology {
10/8; // prefer network 10.0.0.0
// netmask 255.0.0.0 most
!1.2.3/24; // don't like 1.2.3.0 netmask
// 255.255.255.0 at all
{ 1.2/16; 3/8; }; // like 1.2.0.0 netmask 255.255.0.0
// and 3.0.0.0 netmask 255.0.0.0
// equally well, but less than 10/8
};
*/
listen-on port 53 { any; }; // listen for queries on port 53 on
// any interface on the system
// (i.e. all interfaces). The
// "port 53" is optional; if you
// don't specify a port, port 53
// is assumed.
/*
* Multiple listen-on statements are allowed. Here's a more
* complicated example:
*/
/*
listen-on { 5.6.7.8; }; // listen on port 53 on interface
// 5.6.7.8
listen-on port 1234 { // listen on port 1234 on any
!1.2.3.4; // interface on network 1.2.3
1.2.3/24; // netmask 255.255.255.0, except for
}; // interface 1.2.3.4.
*/
/*
* Interval Timers
*/
cleaning-interval 60; // clean the cache of expired RRs
// every 'cleaning-interval' minutes
interface-interval 60; // scan for new or deleted interfaces
// every 'interface-interval' minutes
statistics-interval 60; // log statistics every
// 'statistics-interval' minutes
/*
* IXFR options
*/
maintain-ixfr-base no; // If yes, keep transaction log file for IXFR
max-ixfr-log-size 20; // Not implemented, maximum size the
// IXFR transaction log file to grow
};
/*
* Control listeners, for "ndc". Every nameserver needs at least one.
*/
controls {
inet * port 52 allow { any; }; // a bad idea
unix "/var/run/ndc" perm 0600 owner 0 group 0; // the default
};
zone "master.demo.zone" {
type master; // what used to be called "primary"
file "master.demo.zone";
check-names fail;
allow-update { none; };
allow-transfer { any; };
allow-query { any; };
// notify yes; // send NOTIFY messages for this
// zone? The global option is used
// if "notify" is not specified
// here.
also-notify { }; // don't notify any nameservers other
// than those on the NS list for this
// zone
};
zone "slave.demo.zone" {
type slave; // what used to be called "secondary"
file "slave.demo.zone";
ixfr-base "slave.demo.zone.ixfr"; // File name for IXFR transaction log file
masters {
1.2.3.4; // where to zone transfer from
5.6.7.8;
};
transfer-source 10.0.0.53; // fixes multihoming problems
check-names warn;
allow-update { none; };
allow-transfer { any; };
allow-query { any; };
max-transfer-time-in 120; // if not set, global option is used.
also-notify { }; // don't notify any nameservers other
// than those on the NS list for this
// zone
};
zone "stub.demo.zone" {
type stub; // stub zones are like slave zones,
// except that only the NS records
// are transferred.
file "stub.demo.zone";
masters {
1.2.3.4; // where to zone transfer from
5.6.7.8;
};
check-names warn;
allow-update { none; };
allow-transfer { any; };
allow-query { any; };
max-transfer-time-in 120; // if not set, global option is used.
};
zone "." {
type hint; // used to be specified w/ "cache"
file "cache.db";
pubkey 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
};
trusted-keys {
. 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
};
acl can_query { !1.2.3/24; any; }; // network 1.2.3.0 mask 255.255.255.0
// is disallowed; rest are OK
acl can_axfr { 1.2.3.4; can_query; }; // host 1.2.3.4 and any host allowed
// by can_query are OK
zone "non-default-acl.demo.zone" {
type master;
file "foo";
allow-query { can_query; };
allow-transfer { can_axfr; };
allow-update {
1.2.3.4;
5.6.7.8;
};
};
key sample_key { // for TSIG
algorithm hmac-md5; // hmac-md5 is the supported algorithm
secret "abcdefgh"; // base 64 encoded secret
};
key key2 {
algorithm hmac-md5;
secret "87654321";
};
acl key_acl { key sample_key; }; // a request signed with sample_key
server 1.2.3.4 {
bogus no; // if yes, we won't query or listen
// to this server
transfer-format one-answer; // set transfer format for this
// server (see the description of
// 'transfer-format' above)
// if not specified, the global option
// will be used
transfers 0; // not implemented
keys { sample_key; key2; }; // for TSIG; sign requests to this
// server with this key
support-ixfr yes; // for IXFR supported by server
// if yes, the listed server talks IXFR
};
logging {
/*
* All log output goes to one or more "channels"; you can make as
* many of them as you want.
*/
channel syslog_errors { // this channel will send errors or
syslog user; // or worse to syslog (user facility)
severity error;
};
/*
* Channels have a severity level. Messages at severity levels
* greater than or equal to the channel's level will be logged on
* the channel. In order of decreasing severity, the levels are:
*
* critical a fatal error
* error
* warning
* notice a normal, but significant event
* info an informational message
* debug 1 the least detailed debugging info
* ...
* debug 99 the most detailed debugging info
*/
/*
* Here are the built-in channels:
*
* channel default_syslog {
* syslog daemon;
* severity info;
* };
*
* channel default_debug {
* file "named.run"; // note: stderr is used instead
* // of "named.run" if the server
* // is started with the "-f"
* // option.
* severity dynamic; // this means log debugging
* // at whatever debugging level
* // the server is at, and don't
* // log anything if not
* // debugging.
* };
*
* channel null { // this is the bit bucket;
* file "/dev/null"; // any logging to this channel
* // is discarded.
* };
*
* channel default_stderr { // writes to stderr
* file "<stderr>"; // this is illustrative only;
* // there's currently no way
* // of saying "stderr" in the
* // configuration language.
* // i.e. don't try this at home.
* severity info;
* };
*
* default_stderr only works before the server daemonizes (i.e.
* during initial startup) or when it is running in foreground
* mode (-f command line option).
*/
/*
* There are many categories, so you can send the logs
* you want to see wherever you want, without seeing logs you
* don't want. Right now the categories are
*
* default the catch-all. many things still
* aren't classified into categories, and
* they all end up here. also, if you
* don't specify any channels for a
* category, the default category is used
* instead.
* config high-level configuration file
* processing
* parser low-level configuration file processing
* queries what used to be called "query logging"
* lame-servers messages like "Lame server on ..."
* statistics
* panic if the server has to shut itself
* down due to an internal problem, it
* logs the problem here (as well as
* in the problem's native category)
* update dynamic update
* ncache negative caching
* xfer-in zone transfers we're receiving
* xfer-out zone transfers we're sending
* db all database operations
* eventlib debugging info from the event system
* (see below)
* packet dumps of packets received and sent
* (see below)
* notify the NOTIFY protocol
* cname messages like "XX points to a CNAME"
* security approved/unapproved requests
* os operating system problems
* insist consistency check failures
* maintenance periodic maintenance
* load zone loading
* response-checks messages like
* "Malformed response ..."
* "wrong ans. name ..."
* "unrelated additional info ..."
* "invalid RR type ..."
* "bad referral ..."
*/
category parser {
syslog_errors; // you can log to as many channels
default_syslog; // as you want
};
category lame-servers { null; }; // don't log these at all
channel moderate_debug {
severity debug 3; // level 3 debugging to file
file "foo"; // foo
print-time yes; // timestamp log entries
print-category yes; // print category name
print-severity yes; // print severity level
/*
* Note that debugging must have been turned on either
* on the command line or with a signal to get debugging
* output (non-debugging output will still be written to
* this channel).
*/
};
/*
* If you don't want to see "zone XXXX loaded" messages but do
* want to see any problems, you could do the following.
*/
channel no_info_messages {
syslog;
severity notice;
};
category load { no_info_messages; };
/*
* You can also define category "default"; it gets used when no
* "category" statement has been given for a category.
*/
category default {
default_syslog;
moderate_debug;
};
/*
* If you don't define category default yourself, the default
* default category will be used. It is
*
* category default { default_syslog; default_debug; };
*/
/*
* If you don't define category panic yourself, the default
* panic category will be used. It is
*
* category panic { default_syslog; default_stderr; };
*/
/*
* Two categories, 'packet' and 'eventlib', are special. Only one
* channel may be assigned to each of them, and it must be a
* file channel. If you don't define them yourself, they default to
*
* category eventlib { default_debug; };
*
* category packet { default_debug; };
*/
};
include "filename"; // can't do within a statement