mirror of
https://github.com/isc-projects/bind9.git
synced 2026-03-10 18:28:43 -04:00
716b936045
Previously a hard-coded limitation of maximum two key or message verification checks were introduced when checking the message's SIG(0) signature. It was done in order to protect against possible DoS attacks. The logic behind choosing the number two was that more than one key should only be required only during key rotations, and in that case two keys are enough. But later it became apparent that there are other use cases too where even more keys are required, see issue number #5050 in GitLab. This change introduces two new configuration options for the views, sig0key-checks-limit and sig0message-checks-limit, which define how many keys are allowed to be checked to find a matching key, and how many message verifications are allowed to take place once a matching key has been found. The latter protects against expensive cryptographic operations when there are keys with colliding tags and algorithm numbers, with default being 2, and the former protects against a bit less expensive key parsing operations and defaults to 16.
599 lines
26 KiB
Text
599 lines
26 KiB
Text
acl <string> { <address_match_element>; ... }; // may occur multiple times
|
|
|
|
controls {
|
|
inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
|
|
unix <quoted_string> perm <integer> owner <integer> group <integer> [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times
|
|
}; // may occur multiple times
|
|
|
|
dlz <string> {
|
|
database <string>;
|
|
search <boolean>;
|
|
}; // may occur multiple times
|
|
|
|
dnssec-policy <string> {
|
|
cdnskey <boolean>;
|
|
cds-digest-types { <string>; ... };
|
|
dnskey-ttl <duration>;
|
|
inline-signing <boolean>;
|
|
keys { ( csk | ksk | zsk ) [ key-directory | key-store <string> ] lifetime <duration_or_unlimited> algorithm <string> [ tag-range <integer> <integer> ] [ <integer> ]; ... };
|
|
max-zone-ttl <duration>;
|
|
nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ];
|
|
offline-ksk <boolean>;
|
|
parent-ds-ttl <duration>;
|
|
parent-propagation-delay <duration>;
|
|
publish-safety <duration>;
|
|
purge-keys <duration>;
|
|
retire-safety <duration>;
|
|
signatures-jitter <duration>;
|
|
signatures-refresh <duration>;
|
|
signatures-validity <duration>;
|
|
signatures-validity-dnskey <duration>;
|
|
zone-propagation-delay <duration>;
|
|
}; // may occur multiple times
|
|
|
|
dyndb <string> <quoted_string> { <unspecified-text> }; // may occur multiple times
|
|
|
|
http <string> {
|
|
endpoints { <quoted_string>; ... };
|
|
listener-clients <integer>;
|
|
streams-per-connection <integer>;
|
|
}; // optional (only available if configured), may occur multiple times
|
|
|
|
key <string> {
|
|
algorithm <string>;
|
|
secret <string>;
|
|
}; // may occur multiple times
|
|
|
|
key-store <string> {
|
|
directory <string>;
|
|
pkcs11-uri <quoted_string>;
|
|
}; // may occur multiple times
|
|
|
|
logging {
|
|
category <string> { <string>; ... }; // may occur multiple times
|
|
channel <string> {
|
|
buffered <boolean>;
|
|
file <quoted_string> [ versions ( unlimited | <integer> ) ] [ size <size> ] [ suffix ( increment | timestamp ) ];
|
|
null;
|
|
print-category <boolean>;
|
|
print-severity <boolean>;
|
|
print-time ( iso8601 | iso8601-utc | iso8601-tzinfo | local | <boolean> );
|
|
severity <log_severity>;
|
|
stderr;
|
|
syslog [ <syslog_facility> ];
|
|
}; // may occur multiple times
|
|
};
|
|
|
|
options {
|
|
allow-new-zones <boolean>;
|
|
allow-notify { <address_match_element>; ... };
|
|
allow-proxy { <address_match_element>; ... }; // experimental
|
|
allow-proxy-on { <address_match_element>; ... }; // experimental
|
|
allow-query { <address_match_element>; ... };
|
|
allow-query-cache { <address_match_element>; ... };
|
|
allow-query-cache-on { <address_match_element>; ... };
|
|
allow-query-on { <address_match_element>; ... };
|
|
allow-recursion { <address_match_element>; ... };
|
|
allow-recursion-on { <address_match_element>; ... };
|
|
allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
|
|
allow-update { <address_match_element>; ... };
|
|
allow-update-forwarding { <address_match_element>; ... };
|
|
also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
|
|
answer-cookie <boolean>;
|
|
attach-cache <string>;
|
|
auth-nxdomain <boolean>;
|
|
automatic-interface-scan <boolean>;
|
|
bindkeys-file <quoted_string>; // test only
|
|
blackhole { <address_match_element>; ... };
|
|
catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
|
|
check-dup-records ( fail | warn | ignore );
|
|
check-integrity <boolean>;
|
|
check-mx ( fail | warn | ignore );
|
|
check-mx-cname ( fail | warn | ignore );
|
|
check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
|
|
check-sibling <boolean>;
|
|
check-spf ( warn | ignore );
|
|
check-srv-cname ( fail | warn | ignore );
|
|
check-svcb <boolean>;
|
|
check-wildcard <boolean>;
|
|
clients-per-query <integer>;
|
|
cookie-algorithm ( siphash24 );
|
|
cookie-secret <string>; // may occur multiple times
|
|
deny-answer-addresses { <address_match_element>; ... } [ except-from { <string>; ... } ];
|
|
deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ];
|
|
directory <quoted_string>;
|
|
disable-algorithms <string> { <string>; ... }; // may occur multiple times
|
|
disable-ds-digests <string> { <string>; ... }; // may occur multiple times
|
|
disable-empty-zone <string>; // may occur multiple times
|
|
dns64 <netprefix> {
|
|
break-dnssec <boolean>;
|
|
clients { <address_match_element>; ... };
|
|
exclude { <address_match_element>; ... };
|
|
mapped { <address_match_element>; ... };
|
|
recursive-only <boolean>;
|
|
suffix <ipv6_address>;
|
|
}; // may occur multiple times
|
|
dns64-contact <string>;
|
|
dns64-server <string>;
|
|
dnskey-sig-validity <integer>; // obsolete
|
|
dnsrps-enable <boolean>; // obsolete
|
|
dnsrps-library <quoted_string>; // obsolete
|
|
dnsrps-options { <unspecified-text> }; // obsolete
|
|
dnssec-accept-expired <boolean>;
|
|
dnssec-dnskey-kskonly <boolean>; // obsolete
|
|
dnssec-loadkeys-interval <integer>;
|
|
dnssec-policy <string>;
|
|
dnssec-secure-to-insecure <boolean>; // obsolete
|
|
dnssec-update-mode ( maintain | no-resign ); // obsolete
|
|
dnssec-validation ( yes | no | auto );
|
|
dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // optional (only available if configured)
|
|
dnstap-identity ( <quoted_string> | none | hostname ); // optional (only available if configured)
|
|
dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited | <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( increment | timestamp ) ]; // optional (only available if configured)
|
|
dnstap-version ( <quoted_string> | none ); // optional (only available if configured)
|
|
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
|
|
dump-file <quoted_string>;
|
|
edns-udp-size <integer>;
|
|
empty-contact <string>;
|
|
empty-server <string>;
|
|
empty-zones-enable <boolean>;
|
|
fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
|
|
fetches-per-server <integer> [ ( drop | fail ) ];
|
|
fetches-per-zone <integer> [ ( drop | fail ) ];
|
|
flush-zones-on-shutdown <boolean>;
|
|
forward ( first | only );
|
|
forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
|
|
fstrm-set-buffer-hint <integer>; // optional (only available if configured)
|
|
fstrm-set-flush-timeout <integer>; // optional (only available if configured)
|
|
fstrm-set-input-queue-size <integer>; // optional (only available if configured)
|
|
fstrm-set-output-notify-threshold <integer>; // optional (only available if configured)
|
|
fstrm-set-output-queue-model ( mpsc | spsc ); // optional (only available if configured)
|
|
fstrm-set-output-queue-size <integer>; // optional (only available if configured)
|
|
fstrm-set-reopen-interval <duration>; // optional (only available if configured)
|
|
geoip-directory ( <quoted_string> | none );
|
|
hostname ( <quoted_string> | none );
|
|
http-listener-clients <integer>; // optional (only available if configured)
|
|
http-port <integer>; // optional (only available if configured)
|
|
http-streams-per-connection <integer>; // optional (only available if configured)
|
|
https-port <integer>; // optional (only available if configured)
|
|
interface-interval <duration>;
|
|
ipv4only-contact <string>;
|
|
ipv4only-enable <boolean>;
|
|
ipv4only-server <string>;
|
|
ixfr-from-differences ( primary | master | secondary | slave | <boolean> );
|
|
keep-response-order { <address_match_element>; ... }; // obsolete
|
|
key-directory <quoted_string>;
|
|
lame-ttl <duration>;
|
|
listen-on [ port <integer> ] [ proxy <string> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
|
|
listen-on-v6 [ port <integer> ] [ proxy <string> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }; // may occur multiple times
|
|
lmdb-mapsize <sizeval>; // optional (only available if configured)
|
|
managed-keys-directory <quoted_string>;
|
|
masterfile-format ( raw | text );
|
|
masterfile-style ( full | relative );
|
|
match-mapped-addresses <boolean>;
|
|
max-cache-size ( default | unlimited | <sizeval> | <percentage> );
|
|
max-cache-ttl <duration>;
|
|
max-clients-per-query <integer>;
|
|
max-ixfr-ratio ( unlimited | <percentage> );
|
|
max-journal-size ( default | unlimited | <sizeval> );
|
|
max-ncache-ttl <duration>;
|
|
max-query-count <integer>;
|
|
max-query-restarts <integer>;
|
|
max-records <integer>;
|
|
max-records-per-type <integer>;
|
|
max-recursion-depth <integer>;
|
|
max-recursion-queries <integer>;
|
|
max-refresh-time <integer>;
|
|
max-retry-time <integer>;
|
|
max-rsa-exponent-size <integer>;
|
|
max-stale-ttl <duration>;
|
|
max-transfer-idle-in <integer>;
|
|
max-transfer-idle-out <integer>;
|
|
max-transfer-time-in <integer>;
|
|
max-transfer-time-out <integer>;
|
|
max-types-per-name <integer>;
|
|
max-udp-size <integer>;
|
|
max-validation-failures-per-fetch <integer>; // experimental
|
|
max-validations-per-fetch <integer>; // experimental
|
|
max-zone-ttl ( unlimited | <duration> ); // deprecated
|
|
memstatistics <boolean>;
|
|
memstatistics-file <quoted_string>;
|
|
message-compression <boolean>;
|
|
min-cache-ttl <duration>;
|
|
min-ncache-ttl <duration>;
|
|
min-refresh-time <integer>;
|
|
min-retry-time <integer>;
|
|
min-transfer-rate-in <integer> <integer>;
|
|
minimal-any <boolean>;
|
|
minimal-responses ( no-auth | no-auth-recursive | <boolean> );
|
|
multi-master <boolean>;
|
|
new-zones-directory <quoted_string>;
|
|
no-case-compress { <address_match_element>; ... };
|
|
nocookie-udp-size <integer>;
|
|
notify ( explicit | master-only | primary-only | <boolean> );
|
|
notify-delay <integer>;
|
|
notify-rate <integer>;
|
|
notify-source ( <ipv4_address> | * );
|
|
notify-source-v6 ( <ipv6_address> | * );
|
|
notify-to-soa <boolean>;
|
|
nsec3-test-zone <boolean>; // test only
|
|
nta-lifetime <duration>;
|
|
nta-recheck <duration>;
|
|
nxdomain-redirect <string>;
|
|
parental-source ( <ipv4_address> | * );
|
|
parental-source-v6 ( <ipv6_address> | * );
|
|
pid-file ( <quoted_string> | none );
|
|
port <integer>;
|
|
preferred-glue <string>;
|
|
prefetch <integer> [ <integer> ];
|
|
provide-ixfr <boolean>;
|
|
qname-minimization ( strict | relaxed | disabled | off );
|
|
query-source [ address ] ( <ipv4_address> | * | none );
|
|
query-source-v6 [ address ] ( <ipv6_address> | * | none );
|
|
querylog <boolean>;
|
|
rate-limit {
|
|
all-per-second <integer>;
|
|
errors-per-second <integer>;
|
|
exempt-clients { <address_match_element>; ... };
|
|
ipv4-prefix-length <integer>;
|
|
ipv6-prefix-length <integer>;
|
|
log-only <boolean>;
|
|
max-table-size <integer>;
|
|
min-table-size <integer>;
|
|
nodata-per-second <integer>;
|
|
nxdomains-per-second <integer>;
|
|
qps-scale <integer>;
|
|
referrals-per-second <integer>;
|
|
responses-per-second <integer>;
|
|
slip <integer>;
|
|
window <integer>;
|
|
};
|
|
recursing-file <quoted_string>;
|
|
recursion <boolean>;
|
|
recursive-clients <integer>;
|
|
request-expire <boolean>;
|
|
request-ixfr <boolean>;
|
|
request-ixfr-max-diffs <integer>;
|
|
request-nsid <boolean>;
|
|
require-server-cookie <boolean>;
|
|
resolver-query-timeout <integer>;
|
|
resolver-use-dns64 <boolean>;
|
|
response-padding { <address_match_element>; ... } block-size <integer>;
|
|
response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
|
|
responselog <boolean>;
|
|
reuseport <boolean>;
|
|
root-key-sentinel <boolean>;
|
|
rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
|
|
secroots-file <quoted_string>;
|
|
send-cookie <boolean>;
|
|
send-report-channel <string>;
|
|
serial-query-rate <integer>;
|
|
serial-update-method ( date | increment | unixtime );
|
|
server-id ( <quoted_string> | none | hostname );
|
|
servfail-ttl <duration>;
|
|
session-keyalg <string>;
|
|
session-keyfile ( <quoted_string> | none );
|
|
session-keyname <string>;
|
|
sig-signing-nodes <integer>;
|
|
sig-signing-signatures <integer>;
|
|
sig-signing-type <integer>;
|
|
sig-validity-interval <integer> [ <integer> ]; // obsolete
|
|
sig0checks-quota <integer>; // experimental
|
|
sig0checks-quota-exempt { <address_match_element>; ... }; // experimental
|
|
sig0key-checks-limit <integer>;
|
|
sig0message-checks-limit <integer>;
|
|
stale-answer-client-timeout ( disabled | off | <integer> );
|
|
stale-answer-enable <boolean>;
|
|
stale-answer-ttl <duration>;
|
|
stale-cache-enable <boolean>;
|
|
stale-refresh-time <duration>;
|
|
startup-notify-rate <integer>;
|
|
statistics-file <quoted_string>;
|
|
synth-from-dnssec <boolean>;
|
|
tcp-advertised-timeout <integer>;
|
|
tcp-clients <integer>;
|
|
tcp-idle-timeout <integer>;
|
|
tcp-initial-timeout <integer>;
|
|
tcp-keepalive-timeout <integer>;
|
|
tcp-listen-queue <integer>;
|
|
tcp-receive-buffer <integer>;
|
|
tcp-send-buffer <integer>;
|
|
tkey-domain <quoted_string>;
|
|
tkey-gssapi-credential <quoted_string>;
|
|
tkey-gssapi-keytab <quoted_string>;
|
|
tls-port <integer>;
|
|
transfer-format ( many-answers | one-answer );
|
|
transfer-message-size <integer>;
|
|
transfer-source ( <ipv4_address> | * );
|
|
transfer-source-v6 ( <ipv6_address> | * );
|
|
transfers-in <integer>;
|
|
transfers-out <integer>;
|
|
transfers-per-ns <integer>;
|
|
trust-anchor-telemetry <boolean>;
|
|
try-tcp-refresh <boolean>;
|
|
udp-receive-buffer <integer>;
|
|
udp-send-buffer <integer>;
|
|
update-check-ksk <boolean>; // obsolete
|
|
update-quota <integer>;
|
|
v6-bias <integer>;
|
|
validate-except { <string>; ... };
|
|
version ( <quoted_string> | none );
|
|
zero-no-soa-ttl <boolean>;
|
|
zero-no-soa-ttl-cache <boolean>;
|
|
zone-statistics ( full | terse | none | <boolean> );
|
|
};
|
|
|
|
plugin ( query ) <string> [ { <unspecified-text> } ]; // may occur multiple times
|
|
|
|
remote-servers <string> [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; // may occur multiple times
|
|
|
|
server <netprefix> {
|
|
bogus <boolean>;
|
|
edns <boolean>;
|
|
edns-udp-size <integer>;
|
|
edns-version <integer>;
|
|
keys <server_key>;
|
|
max-udp-size <integer>;
|
|
notify-source ( <ipv4_address> | * );
|
|
notify-source-v6 ( <ipv6_address> | * );
|
|
padding <integer>;
|
|
provide-ixfr <boolean>;
|
|
query-source [ address ] ( <ipv4_address> | * );
|
|
query-source-v6 [ address ] ( <ipv6_address> | * );
|
|
request-expire <boolean>;
|
|
request-ixfr <boolean>;
|
|
request-ixfr-max-diffs <integer>;
|
|
request-nsid <boolean>;
|
|
require-cookie <boolean>;
|
|
send-cookie <boolean>;
|
|
tcp-keepalive <boolean>;
|
|
tcp-only <boolean>;
|
|
transfer-format ( many-answers | one-answer );
|
|
transfer-source ( <ipv4_address> | * );
|
|
transfer-source-v6 ( <ipv6_address> | * );
|
|
transfers <integer>;
|
|
}; // may occur multiple times
|
|
|
|
statistics-channels {
|
|
inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] [ allow { <address_match_element>; ... } ]; // may occur multiple times
|
|
}; // optional (only available if configured), may occur multiple times
|
|
|
|
tls <string> {
|
|
ca-file <quoted_string>;
|
|
cert-file <quoted_string>;
|
|
cipher-suites <string>;
|
|
ciphers <string>;
|
|
dhparam-file <quoted_string>;
|
|
key-file <quoted_string>;
|
|
prefer-server-ciphers <boolean>;
|
|
protocols { <string>; ... };
|
|
remote-hostname <quoted_string>;
|
|
session-tickets <boolean>;
|
|
}; // may occur multiple times
|
|
|
|
trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
|
|
|
|
view <string> [ <class> ] {
|
|
allow-new-zones <boolean>;
|
|
allow-notify { <address_match_element>; ... };
|
|
allow-proxy { <address_match_element>; ... }; // experimental
|
|
allow-proxy-on { <address_match_element>; ... }; // experimental
|
|
allow-query { <address_match_element>; ... };
|
|
allow-query-cache { <address_match_element>; ... };
|
|
allow-query-cache-on { <address_match_element>; ... };
|
|
allow-query-on { <address_match_element>; ... };
|
|
allow-recursion { <address_match_element>; ... };
|
|
allow-recursion-on { <address_match_element>; ... };
|
|
allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
|
|
allow-update { <address_match_element>; ... };
|
|
allow-update-forwarding { <address_match_element>; ... };
|
|
also-notify [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
|
|
attach-cache <string>;
|
|
auth-nxdomain <boolean>;
|
|
catalog-zones { zone <string> [ default-primaries [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <server-list> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... };
|
|
check-dup-records ( fail | warn | ignore );
|
|
check-integrity <boolean>;
|
|
check-mx ( fail | warn | ignore );
|
|
check-mx-cname ( fail | warn | ignore );
|
|
check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times
|
|
check-sibling <boolean>;
|
|
check-spf ( warn | ignore );
|
|
check-srv-cname ( fail | warn | ignore );
|
|
check-svcb <boolean>;
|
|
check-wildcard <boolean>;
|
|
clients-per-query <integer>;
|
|
deny-answer-addresses { <address_match_element>; ... } [ except-from { <string>; ... } ];
|
|
deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ];
|
|
disable-algorithms <string> { <string>; ... }; // may occur multiple times
|
|
disable-ds-digests <string> { <string>; ... }; // may occur multiple times
|
|
disable-empty-zone <string>; // may occur multiple times
|
|
dlz <string> {
|
|
database <string>;
|
|
search <boolean>;
|
|
}; // may occur multiple times
|
|
dns64 <netprefix> {
|
|
break-dnssec <boolean>;
|
|
clients { <address_match_element>; ... };
|
|
exclude { <address_match_element>; ... };
|
|
mapped { <address_match_element>; ... };
|
|
recursive-only <boolean>;
|
|
suffix <ipv6_address>;
|
|
}; // may occur multiple times
|
|
dns64-contact <string>;
|
|
dns64-server <string>;
|
|
dnskey-sig-validity <integer>; // obsolete
|
|
dnsrps-enable <boolean>; // obsolete
|
|
dnsrps-options { <unspecified-text> }; // obsolete
|
|
dnssec-accept-expired <boolean>;
|
|
dnssec-dnskey-kskonly <boolean>; // obsolete
|
|
dnssec-loadkeys-interval <integer>;
|
|
dnssec-policy <string>;
|
|
dnssec-secure-to-insecure <boolean>; // obsolete
|
|
dnssec-update-mode ( maintain | no-resign ); // obsolete
|
|
dnssec-validation ( yes | no | auto );
|
|
dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // optional (only available if configured)
|
|
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... };
|
|
dyndb <string> <quoted_string> { <unspecified-text> }; // may occur multiple times
|
|
edns-udp-size <integer>;
|
|
empty-contact <string>;
|
|
empty-server <string>;
|
|
empty-zones-enable <boolean>;
|
|
fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
|
|
fetches-per-server <integer> [ ( drop | fail ) ];
|
|
fetches-per-zone <integer> [ ( drop | fail ) ];
|
|
forward ( first | only );
|
|
forwarders [ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... };
|
|
ipv4only-contact <string>;
|
|
ipv4only-enable <boolean>;
|
|
ipv4only-server <string>;
|
|
ixfr-from-differences ( primary | master | secondary | slave | <boolean> );
|
|
key <string> {
|
|
algorithm <string>;
|
|
secret <string>;
|
|
}; // may occur multiple times
|
|
key-directory <quoted_string>;
|
|
lame-ttl <duration>;
|
|
lmdb-mapsize <sizeval>; // optional (only available if configured)
|
|
masterfile-format ( raw | text );
|
|
masterfile-style ( full | relative );
|
|
match-clients { <address_match_element>; ... };
|
|
match-destinations { <address_match_element>; ... };
|
|
match-recursive-only <boolean>;
|
|
max-cache-size ( default | unlimited | <sizeval> | <percentage> );
|
|
max-cache-ttl <duration>;
|
|
max-clients-per-query <integer>;
|
|
max-ixfr-ratio ( unlimited | <percentage> );
|
|
max-journal-size ( default | unlimited | <sizeval> );
|
|
max-ncache-ttl <duration>;
|
|
max-query-count <integer>;
|
|
max-query-restarts <integer>;
|
|
max-records <integer>;
|
|
max-records-per-type <integer>;
|
|
max-recursion-depth <integer>;
|
|
max-recursion-queries <integer>;
|
|
max-refresh-time <integer>;
|
|
max-retry-time <integer>;
|
|
max-stale-ttl <duration>;
|
|
max-transfer-idle-in <integer>;
|
|
max-transfer-idle-out <integer>;
|
|
max-transfer-time-in <integer>;
|
|
max-transfer-time-out <integer>;
|
|
max-types-per-name <integer>;
|
|
max-udp-size <integer>;
|
|
max-validation-failures-per-fetch <integer>; // experimental
|
|
max-validations-per-fetch <integer>; // experimental
|
|
max-zone-ttl ( unlimited | <duration> ); // deprecated
|
|
message-compression <boolean>;
|
|
min-cache-ttl <duration>;
|
|
min-ncache-ttl <duration>;
|
|
min-refresh-time <integer>;
|
|
min-retry-time <integer>;
|
|
min-transfer-rate-in <integer> <integer>;
|
|
minimal-any <boolean>;
|
|
minimal-responses ( no-auth | no-auth-recursive | <boolean> );
|
|
multi-master <boolean>;
|
|
new-zones-directory <quoted_string>;
|
|
no-case-compress { <address_match_element>; ... };
|
|
nocookie-udp-size <integer>;
|
|
notify ( explicit | master-only | primary-only | <boolean> );
|
|
notify-delay <integer>;
|
|
notify-source ( <ipv4_address> | * );
|
|
notify-source-v6 ( <ipv6_address> | * );
|
|
notify-to-soa <boolean>;
|
|
nsec3-test-zone <boolean>; // test only
|
|
nta-lifetime <duration>;
|
|
nta-recheck <duration>;
|
|
nxdomain-redirect <string>;
|
|
parental-source ( <ipv4_address> | * );
|
|
parental-source-v6 ( <ipv6_address> | * );
|
|
plugin ( query ) <string> [ { <unspecified-text> } ]; // may occur multiple times
|
|
preferred-glue <string>;
|
|
prefetch <integer> [ <integer> ];
|
|
provide-ixfr <boolean>;
|
|
qname-minimization ( strict | relaxed | disabled | off );
|
|
query-source [ address ] ( <ipv4_address> | * | none );
|
|
query-source-v6 [ address ] ( <ipv6_address> | * | none );
|
|
rate-limit {
|
|
all-per-second <integer>;
|
|
errors-per-second <integer>;
|
|
exempt-clients { <address_match_element>; ... };
|
|
ipv4-prefix-length <integer>;
|
|
ipv6-prefix-length <integer>;
|
|
log-only <boolean>;
|
|
max-table-size <integer>;
|
|
min-table-size <integer>;
|
|
nodata-per-second <integer>;
|
|
nxdomains-per-second <integer>;
|
|
qps-scale <integer>;
|
|
referrals-per-second <integer>;
|
|
responses-per-second <integer>;
|
|
slip <integer>;
|
|
window <integer>;
|
|
};
|
|
recursion <boolean>;
|
|
request-expire <boolean>;
|
|
request-ixfr <boolean>;
|
|
request-ixfr-max-diffs <integer>;
|
|
request-nsid <boolean>;
|
|
require-server-cookie <boolean>;
|
|
resolver-query-timeout <integer>;
|
|
resolver-use-dns64 <boolean>;
|
|
response-padding { <address_match_element>; ... } block-size <integer>;
|
|
response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ];
|
|
root-key-sentinel <boolean>;
|
|
rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... };
|
|
send-cookie <boolean>;
|
|
send-report-channel <string>;
|
|
serial-update-method ( date | increment | unixtime );
|
|
server <netprefix> {
|
|
bogus <boolean>;
|
|
edns <boolean>;
|
|
edns-udp-size <integer>;
|
|
edns-version <integer>;
|
|
keys <server_key>;
|
|
max-udp-size <integer>;
|
|
notify-source ( <ipv4_address> | * );
|
|
notify-source-v6 ( <ipv6_address> | * );
|
|
padding <integer>;
|
|
provide-ixfr <boolean>;
|
|
query-source [ address ] ( <ipv4_address> | * );
|
|
query-source-v6 [ address ] ( <ipv6_address> | * );
|
|
request-expire <boolean>;
|
|
request-ixfr <boolean>;
|
|
request-ixfr-max-diffs <integer>;
|
|
request-nsid <boolean>;
|
|
require-cookie <boolean>;
|
|
send-cookie <boolean>;
|
|
tcp-keepalive <boolean>;
|
|
tcp-only <boolean>;
|
|
transfer-format ( many-answers | one-answer );
|
|
transfer-source ( <ipv4_address> | * );
|
|
transfer-source-v6 ( <ipv6_address> | * );
|
|
transfers <integer>;
|
|
}; // may occur multiple times
|
|
servfail-ttl <duration>;
|
|
sig-signing-nodes <integer>;
|
|
sig-signing-signatures <integer>;
|
|
sig-signing-type <integer>;
|
|
sig-validity-interval <integer> [ <integer> ]; // obsolete
|
|
sig0key-checks-limit <integer>;
|
|
sig0message-checks-limit <integer>;
|
|
stale-answer-client-timeout ( disabled | off | <integer> );
|
|
stale-answer-enable <boolean>;
|
|
stale-answer-ttl <duration>;
|
|
stale-cache-enable <boolean>;
|
|
stale-refresh-time <duration>;
|
|
synth-from-dnssec <boolean>;
|
|
transfer-format ( many-answers | one-answer );
|
|
transfer-source ( <ipv4_address> | * );
|
|
transfer-source-v6 ( <ipv6_address> | * );
|
|
trust-anchor-telemetry <boolean>;
|
|
trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times
|
|
try-tcp-refresh <boolean>;
|
|
update-check-ksk <boolean>; // obsolete
|
|
v6-bias <integer>;
|
|
validate-except { <string>; ... };
|
|
zero-no-soa-ttl <boolean>;
|
|
zero-no-soa-ttl-cache <boolean>;
|
|
zone-statistics ( full | terse | none | <boolean> );
|
|
}; // may occur multiple times
|
|
|