summaryrefslogtreecommitdiff
path: root/bin/tests/named.conf
blob: 1f96981d117c082837ba78bb0806d8bb453cc62b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
/*
 * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2001  Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */

/* $Id: named.conf,v 1.58 2007/06/19 23:46:59 tbox Exp $ */

/*
 * This is a worthless, nonrunnable example of a named.conf file that has
 * every conceivable syntax element in use.  We use it to test the parser.
 * It could also be used as a conceptual template for users of new features.
 */

/*
 * C-style comments are OK
 */

// So are C++-style comments

# So are shell-style comments

// watch out for ";" -- it's important!

options {
	additional-from-auth true;
	additional-from-cache false;

	version "my version string";
	random-device "/dev/random";
	directory "/tmp";

	port 666;

	sig-validity-interval 33;

# Obsolete
	named-xfer "/usr/libexec/named-xfer";	// _PATH_XFER

	dump-file "named_dump.db";  	// _PATH_DUMPFILE
	pid-file "/var/run/named.pid";  // _PATH_PIDFILE
	statistics-file "named.stats";  // _PATH_STATS
	memstatistics-file "named.memstats";	// _PATH_MEMSTATS

	max-cache-ttl 999;
	auth-nxdomain yes;		// always set AA on NXDOMAIN.
					// don't set this to 'no' unless
					// you know what you're doing -- older
					// servers won't like it.

# Obsolete
	deallocate-on-exit no;

	dialup yes;

# Obsolete
	fake-iquery no;

	fetch-glue yes;
	has-old-clients yes;
	host-statistics no;

# Obsolete
	multiple-cnames no;		// if yes, then a name my have more
					// than one CNAME RR.  This use
					// is non-standard and is not
					// recommended, but it is available
					// because previous releases supported
					// it and it was used by large sites
					// for load balancing.

	notify yes;			// send NOTIFY messages.  You can set
					// notify on a zone-by-zone
					// basis in the "zone" statement
					// see (below)
	recursion yes;
	rfc2308-type1	no;

# Obsolete
	use-id-pool yes;

# Obsolete
	treat-cr-as-space yes;

	also-notify { 10.0.2.3; };

	// The "forward" option is only meaningful if you've defined
	// forwarders.  "first" gives the normal BIND
	// forwarding behavior, i.e. ask the forwarders first, and if that
	// doesn't work then do the full lookup.  You can also say
	// "forward only;" which is what used to be specified with
	// "slave" or "options forward-only".  "only" will never attempt
	// a full lookup; only the forwarders will be used.
	forward first;
	forwarders {
		1.2.3.4;
		5.6.7.8;
	};

	check-names master fail;
	check-names slave warn;
	check-names response ignore;

	allow-query { any; };
	allow-transfer { any; };
	allow-recursion { !any; };
	blackhole { 45/24; };

	listen-on {
		10/24;
		10.0.0.3;
	};

	listen-on port 53 { any; };

	listen-on { 5.6.7.8; };

	listen-on port 1234 {
		!1.2.3.4;
		1.2.3/24;
	};

	listen-on-v6 {
		1:1:1:1:1:1:1:1;
	};

	listen-on-v6 port 777 {
		2:2:2:2:2:2:2:2;
	};

	query-source-v6 address 8:7:6:5:4:3:2:1 port *;
	query-source port * address 10.0.0.54  ;

	lame-ttl 444;

	max-transfer-time-in 300;
	max-transfer-time-out 10;
	max-transfer-idle-in 100;
	max-transfer-idle-out 11;

	max-retry-time 1234;
	min-retry-time 1111;
	max-refresh-time 888;
	min-refresh-time 777;
 
	max-ncache-ttl 333;
	min-roots 15;
	serial-queries 34;

	transfer-format one-answer;

	transfers-in 10;
	transfers-per-ns 2;
	transfers-out 0;

	transfer-source 10.0.0.5;
	transfer-source-v6 4:3:2:1:5:6:7:8;

	request-ixfr yes;
	provide-ixfr yes;

# Now called 'provide-ixfr'
#    maintain-ixfr-base no;   // If yes, keep transaction log file for IXFR

	max-ixfr-log-size 20m;
	coresize 100;
	datasize 101;
	files 230;
	max-cache-size 1m;
	stacksize 231;
	cleaning-interval 1000;
	heartbeat-interval 1001;
	interface-interval 1002;
	statistics-interval 1003;

	topology {
		10/8;

		!1.2.3/24;

		{ 1.2/16; 3/8; };


	};

	sortlist { 10/8; 11/8; };

	tkey-domain	"foo.com";
	tkey-dhkey	"xyz" 666 ;

	rrset-order {
		class IN type A name "foo" order random;
		order cyclic;
	};
};

/*
 * Control listeners, for "ndc".  Every nameserver needs at least one.
 */
controls {
	// 'inet' lines without a 'port' defaults to 'port 953'
	// 'keys' must be used and the list must have at least one entry
	inet * port 52 allow { any; } keys { "key2"; };
	unix "/var/run/ndc" perm 0600 owner 0 group 0;	// ignored by named.
	inet 10.0.0.1 allow { any; key foo; } keys { "key4";};
	inet 10.0.0.2 allow { none; } keys { "key-1"; "key-2"; };
	inet 10.0.0.2 allow { none; };
};

zone "master.demo.zone" {
	type master;			// what used to be called "primary"
	database "somedb -option1 -option2 arg1 arg2 arg3";
	file "master.demo.zone";
	check-names fail;
	allow-update { none; };
	allow-update-forwarding { 10.0.0.5; !any; };
	allow-transfer { any; };
	allow-query { any; };
	sig-validity-interval 990;
	notify explicit;
	also-notify {  1.0.0.1; };	// don't notify any nameservers other
					// than those on the NS list for this
					// zone
	forward first;
	forwarders { 10.0.0.3; 1:2:3:4:5:6:7:8; };
};

zone "slave.demo.zone" {
	type slave;			// what used to be called "secondary"
	file "slave.demo.zone";
	ixfr-base  "slave.demo.zone.ixfr";  // File name for IXFR transaction log file
	masters {
		1.2.3.4 port 10 key "foo"; // where to zone transfer from
		5.6.7.8;
		6.7.8.9 key "zippo";
	};
	transfer-source 10.0.0.53;	// fixes multihoming problems
	check-names warn;
	allow-update { none; };
	allow-transfer { any; };
	allow-update-forwarding { any; };
	allow-query { any; };
	max-transfer-time-in 120;	// if not set, global option is used.
	max-transfer-time-out 1;	// if not set, global option is used.
	max-transfer-idle-in 2;	// if not set, global option is used.
	max-transfer-idle-out 3;	// if not set, global option is used.
	also-notify { 1.0.0.2; };
	forward only;
	forwarders { 10.45.45.45; 10.0.0.3; 1:2:3:4:5:6:7:8; };
};

key "non-viewkey" { secret "YWFh" ; algorithm "zzz" ; };

view "test-view" in {
	key "viewkey" { algorithm "xxx" ; secret "eXl5" ; };
	also-notify { 10.2.2.3; };
	trusted-keys {
		foo.com. 4 3 2 "abdefghijklmnopqrstuvwxyz";
	};
	sig-validity-interval 45;
	max-cache-size 100000;
	allow-query { 10.0.0.30;};
	additional-from-cache false;
	additional-from-auth no;
	match-clients { 10.0.0.1 ; };
	check-names master warn;
	check-names slave ignore;
	check-names response fail;
	auth-nxdomain false;
	recursion true;
	provide-ixfr false;
	request-ixfr true;
	fetch-glue true;
	notify false;
	rfc2308-type1 false;
	transfer-source 10.0.0.55;
	transfer-source-v6 4:3:8:1:5:6:7:8;
	query-source port * address 10.0.0.54  ;
 	query-source-v6 address 6:6:6:6:6:6:6:6 port *;
	max-transfer-time-out 45;
	max-transfer-idle-out 55;
	cleaning-interval 100;
	min-roots 3;
	lame-ttl 477;
	max-ncache-ttl 333;
	max-cache-ttl 777;
	transfer-format many-answers;
	max-retry-time 7;
	min-retry-time 4;
	max-refresh-time 999;
	min-refresh-time 111;
 
	zone "view-zone.com" {
		type master;
		allow-update-forwarding { 10.0.0.34;};
		file "view-zone-master";
	};

	server 5.6.7.8 {
		keys "viewkey";
	};

	server 10.9.8.7 {
		keys "non-viewkey";
	};
	dialup yes;
};


zone "stub.demo.zone" {
	type stub;			// stub zones are like slave zones,
					// except that only the NS records
					// are transferred.
	dialup yes;
	file "stub.demo.zone";
	masters {
		1.2.3.4 ;		// where to zone transfer from
		5.6.7.8 port 999;
	};
	check-names warn;
	allow-update { none; };
	allow-transfer { any; };
	allow-query { any; };

	max-retry-time 10;
	min-retry-time 11;
	max-refresh-time 12;
	min-refresh-time 13;
 
	max-transfer-time-in 120;	// if not set, global option is used.
	pubkey 257 255 1 "a useless key";
	pubkey 257 255 1 "another useless key";
};

zone "." {
	type hint;			// used to be specified w/ "cache"
	file "cache.db";
//	pubkey 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
};

trusted-keys {
	"." 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
};


acl can_query { !1.2.3/24; any; };	// network 1.2.3.0 mask 255.255.255.0
					// is disallowed; rest are OK
acl can_axfr { 1.2.3.4; can_query; };	// host 1.2.3.4 and any host allowed
					// by can_query are OK

zone "disabled-zone.com" {
	type master;
	file "bar";

	max-retry-time 100;
	min-retry-time 110;
	max-refresh-time 120;
	min-refresh-time 130;
};

zone "non-default-acl.demo.zone" {
	type master;
	file "foo";
	allow-query { can_query; };
	allow-transfer { can_axfr; };
	allow-update {
		1.2.3.4;
		5.6.7.8;
	};
	pubkey 666 665 664 "key of the beast";
	// Errors trapped by parser:
	//	identity or name not absolute
	//	'wildcard' match type and no wildcard character in name
	//
	// issues:
	//	- certain rdatatype values (such as "key") are config file keywords and
	// 	  must be quoted or a syntax error will occur.
	//

	update-policy {
		grant root.domain. subdomain host.domain. A MX CNAME;
		grant sub.root.domain. wildcard *.host.domain. A;
		grant root.domain. name host.domain. a ns md mf cname soa mb mg
			mr "null" wks ptr hinfo minfo mx txt rp afsdb x25
			isdn rt nsap sig "key" px gpos aaaa loc nxt srv naptr kx
			cert a6 dname opt unspec tkey tsig ;
		grant foo.bar.com. self foo.bar.com. a;
	};
};

key sample_key {			// for TSIG; supported by parser
	algorithm hmac-md5;		// but not yet implemented in the
	secret "eW91ciBzZWNyZXQgaGVyZQ=="; // rest of the server
};

key key2 {
	algorithm hmac-md5;
	secret "ZXJlaCB0ZXJjZXMgcm91eQ==";
};

acl key_acl { key sample_key; };	// a request signed with sample_key

server 1.2.3.4 {
	request-ixfr no;
	provide-ixfr no;
	bogus no;			// if yes, we won't query or listen
					// to this server
	transfer-format one-answer;	// set transfer format for this
					// server (see the description of
					// 'transfer-format' above)
					// if not specified, the global option
					// will be used
	transfers 0;			// not implemented
	keys { "sample_key" };	// for TSIG; supported by the parser
					// but not yet implemented in the
					// rest of the server
# Now called 'request-ixfr'
#	support-ixfr yes;      // for IXFR supported by server
					// if yes, the listed server talks IXFR
};

logging {
	/*
	 * All log output goes to one or more "channels"; you can make as
	 * many of them as you want.
	 */

	channel syslog_errors {		// this channel will send errors or
		syslog user;		// or worse to syslog (user facility)
		severity error;
	};

	channel stderr_errors {
		stderr;
	};

	/*
	 * Channels have a severity level.  Messages at severity levels
	 * greater than or equal to the channel's level will be logged on
	 * the channel.  In order of decreasing severity, the levels are:
	 *
	 * 	critical		a fatal error
	 *	error
	 *	warning
	 *	notice			a normal, but significant event
	 *	info			an informational message
	 *	debug 1			the least detailed debugging info
	 *	...
	 *	debug 99		the most detailed debugging info
	 */

	/*
	 * Here are the built-in channels:
	 *
	 * 	channel default_syslog {
	 *		syslog daemon;
	 *		severity info;
	 *	};
	 *
	 *	channel default_debug {
	 *		file "named.run";	// note: stderr is used instead
	 *					// of "named.run" if the server
	 *					// is started with the "-f"
	 *					// option.
	 *		severity dynamic;	// this means log debugging
	 *					// at whatever debugging level
	 *					// the server is at, and don't
	 *					// log anything if not
	 *					// debugging.
	 *	};
	 *
	 *	channel null {			// this is the bit bucket;
	 *		file "/dev/null";	// any logging to this channel
	 *					// is discarded.
	 *	};
	 *
	 *	channel default_stderr {	// writes to stderr
	 *		file "<stderr>";	// this is illustrative only;
	 *					// there's currently no way
	 *					// of saying "stderr" in the
	 *					// configuration language.
	 *					// i.e. don't try this at home.
	 *		severity info;
	 *	};
	 *
	 *	default_stderr only works before the server daemonizes (i.e.
	 *	during initial startup) or when it is running in foreground
	 *	mode (-f command line option).
	 */

	/*
	 * There are many categories, so you can send the logs
	 * you want to see wherever you want, without seeing logs you
	 * don't want.  Right now the categories are
	 *
	 *	default			the catch-all.  many things still
	 *				aren't classified into categories, and
	 *				they all end up here.  also, if you
	 *				don't specify any channels for a
	 *				category, the default category is used
	 *				instead.
	 *	config			high-level configuration file
	 *				processing
	 *	parser			low-level configuration file processing
	 *	queries			what used to be called "query logging"
	 *	lame-servers		messages like "Lame server on ..."
	 *	statistics
	 *	panic			if the server has to shut itself
	 *				down due to an internal problem, it
	 *				logs the problem here (as well as
	 *				in the problem's native category)
	 *	update			dynamic update
	 *	ncache			negative caching
	 *	xfer-in			zone transfers we're receiving
	 *	xfer-out		zone transfers we're sending
	 *	db			all database operations
	 *	eventlib		debugging info from the event system
	 *				(see below)
	 *	packet			dumps of packets received and sent
	 *				(see below)
	 *	notify			the NOTIFY protocol
	 *	cname			messages like "XX points to a CNAME"
	 *	security		approved/unapproved requests
	 *	os			operating system problems
	 *	insist			consistency check failures
	 *	maintenance		periodic maintenance
	 *	load			zone loading
	 *	response-checks		messages like
	 *				"Malformed response ..."
	 *				"wrong ans. name ..."
	 *				"unrelated additional info ..."
	 *				"invalid RR type ..."
	 *				"bad referral ..."
	 */

	category parser {
		syslog_errors;		// you can log to as many channels
		default_syslog;		// as you want
	};

	category lame-servers { null; };	// don't log these at all

	channel moderate_debug {
		file "foo";			// foo
		severity debug 3;		// level 3 debugging to file
		print-time yes;			// timestamp log entries
		print-category yes;		// print category name
		print-severity yes;		// print severity level
		/*
		 * Note that debugging must have been turned on either
		 * on the command line or with a signal to get debugging
		 * output (non-debugging output will still be written to
		 * this channel).
		 */
	};

	channel another {
		file "bar" versions 99 size 10M;
		severity info;
	};

	channel third {
		file "bar" size 100000 versions unlimited;
		severity debug; // use default debug level
	};

	/*
	 * If you don't want to see "zone XXXX loaded" messages but do
	 * want to see any problems, you could do the following.
	 */
	channel no_info_messages {
		syslog;
		severity notice;
	};

	category load { no_info_messages; };

	/*
	 * You can also define category "default"; it gets used when no
	 * "category" statement has been given for a category.
	 */
	category default {
		default_syslog;
		moderate_debug;
	};

	/*
	 * If you don't define category default yourself, the default
	 * default category will be used.  It is
	 *
	 * 	category default { default_syslog; default_debug; };
	 */

	/*
	 * If you don't define category panic yourself, the default
	 * panic category will be used.  It is
	 *
	 * 	category panic { default_syslog; default_stderr; };
	 */

	/*
	 * Two categories, 'packet' and 'eventlib', are special.  Only one
	 * channel may be assigned to each of them, and it must be a
	 * file channel.  If you don't define them  yourself, they default to
	 *
 	 *	category eventlib { default_debug; };
	 *
	 *	category packet { default_debug; };
	 */
};

#include "filename";			// can't do within a statement