bind/doc/misc/primary.zoneopt

zone <string> [ <class> ] {
	type primary;
	allow-query { <address_match_element>; ... };
	allow-query-on { <address_match_element>; ... };
	allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };
	allow-update { <address_match_element>; ... };
	also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
	auto-dnssec ( allow | maintain | off );
	check-dup-records ( fail | warn | ignore );
	check-integrity <boolean>;
	check-mx ( fail | warn | ignore );
	check-mx-cname ( fail | warn | ignore );
	check-names ( fail | warn | ignore );
	check-sibling <boolean>;
	check-spf ( warn | ignore );
	check-srv-cname ( fail | warn | ignore );
	check-wildcard <boolean>;
	database <string>;
	dialup ( notify | notify-passive | passive | refresh | <boolean> );
	dlz <string>;
	dnskey-sig-validity <integer>;
	dnssec-dnskey-kskonly <boolean>;
	dnssec-loadkeys-interval <integer>;
	dnssec-policy <string>;
	dnssec-secure-to-insecure <boolean>;
	dnssec-update-mode ( maintain | no-resign );
	file <quoted_string>;
	forward ( first | only );
	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
	inline-signing <boolean>;
	ixfr-from-differences <boolean>;
	journal <quoted_string>;
	key-directory <quoted_string>;
	masterfile-format ( raw | text );
	masterfile-style ( full | relative );
	max-ixfr-ratio ( unlimited | <percentage> );
	max-journal-size ( default | unlimited | <sizeval> );
	max-records <integer>;
	max-transfer-idle-out <integer>;
	max-transfer-time-out <integer>;
	max-zone-ttl ( unlimited | <duration> );
	notify ( explicit | master-only | primary-only | <boolean> );
	notify-delay <integer>;
	notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
	notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
	notify-to-soa <boolean>;
	nsec3-test-zone <boolean>; // test only
	parental-agents [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
	parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
	parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
	serial-update-method ( date | increment | unixtime );
	sig-signing-nodes <integer>;
	sig-signing-signatures <integer>;
	sig-signing-type <integer>;
	sig-validity-interval <integer> [ <integer> ];
	update-check-ksk <boolean>;
	update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | krb5-subdomain-self-rhs | ms-self | ms-selfsub | ms-subdomain | ms-subdomain-self-rhs | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... };
	zero-no-soa-ttl <boolean>;
	zone-statistics ( full | terse | none | <boolean> );
};
[master] automatically generate named.conf grammars for the ARM 4873. [doc] Grammars for named.conf included in the ARM are now automatically generated by the configuration parser itself. As a side effect of the work needed to separate zone type grammars from each other, this also makes checking of zone statements in named-checkconf more correct and consistent. [RT #36957] 2018-01-22 11:00:45 -08:00			`zone <string> [ <class> ] {`
remove old zone type documentation we now document zone type as either "primary" or "secondary", omitting the old terms (though they are still accepted). 2022-02-23 17:18:38 -08:00			`type primary;`
[master] automatically generate named.conf grammars for the ARM 4873. [doc] Grammars for named.conf included in the ARM are now automatically generated by the configuration parser itself. As a side effect of the work needed to separate zone type grammars from each other, this also makes checking of zone statements in named-checkconf more correct and consistent. [RT #36957] 2018-01-22 11:00:45 -08:00			`allow-query { <address_match_element>; ... };`
			`allow-query-on { <address_match_element>; ... };`
Extend ACL syntax handling code with 'port' and 'transport' options This commit extends ACL syntax handling code with 'port' and 'transport' options. Currently, the extended syntax is available only for allow-transfer options. 2021-11-04 16:52:49 +02:00			`allow-transfer [ port <integer> ] [ transport <string> ] { <address_match_element>; ... };`
[master] automatically generate named.conf grammars for the ARM 4873. [doc] Grammars for named.conf included in the ARM are now automatically generated by the configuration parser itself. As a side effect of the work needed to separate zone type grammars from each other, this also makes checking of zone statements in named-checkconf more correct and consistent. [RT #36957] 2018-01-22 11:00:45 -08:00			`allow-update { <address_match_element>; ... };`
Change primaries objects to remote-servers Change the primaries configuration objects to the more generic remote-servers, that we can reuse for other purposes (such as parental-agents). 2021-05-07 11:31:15 +02:00			`also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> \| <ipv4_address> [ port <integer> ] \| <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };`
[master] automatically generate named.conf grammars for the ARM 4873. [doc] Grammars for named.conf included in the ARM are now automatically generated by the configuration parser itself. As a side effect of the work needed to separate zone type grammars from each other, this also makes checking of zone statements in named-checkconf more correct and consistent. [RT #36957] 2018-01-22 11:00:45 -08:00			`alt-transfer-source ( <ipv4_address> \| * ) [ port ( <integer> \| * ) ] [ dscp <integer> ];`
			`alt-transfer-source-v6 ( <ipv6_address> \| * ) [ port ( <integer> \| * ) ] [ dscp <integer> ];`
			`auto-dnssec ( allow \| maintain \| off );`
			`check-dup-records ( fail \| warn \| ignore );`
			`check-integrity <boolean>;`
			`check-mx ( fail \| warn \| ignore );`
			`check-mx-cname ( fail \| warn \| ignore );`
			`check-names ( fail \| warn \| ignore );`
			`check-sibling <boolean>;`
			`check-spf ( warn \| ignore );`
			`check-srv-cname ( fail \| warn \| ignore );`
			`check-wildcard <boolean>;`
			`database <string>;`
			`dialup ( notify \| notify-passive \| passive \| refresh \| <boolean> );`
			`dlz <string>;`
regenerate doc 2018-05-21 19:59:10 +00:00			`dnskey-sig-validity <integer>;`
[master] automatically generate named.conf grammars for the ARM 4873. [doc] Grammars for named.conf included in the ARM are now automatically generated by the configuration parser itself. As a side effect of the work needed to separate zone type grammars from each other, this also makes checking of zone statements in named-checkconf more correct and consistent. [RT #36957] 2018-01-22 11:00:45 -08:00			`dnssec-dnskey-kskonly <boolean>;`
			`dnssec-loadkeys-interval <integer>;`
Introduce dnssec-policy configuration This commit introduces the initial `dnssec-policy` configuration statement. It has an initial set of options to deal with signature and key maintenance. Add some checks to ensure that dnssec-policy is configured at the right locations, and that policies referenced to in zone statements actually exist. Add some checks that when a user adds the new `dnssec-policy` configuration, it will no longer contain existing DNSSEC configuration options. Specifically: `inline-signing`, `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`, `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`, and `sig-validity-interval`. Test a good kasp configuration, and some bad configurations. 2019-09-02 16:24:48 +02:00			`dnssec-policy <string>;`
[master] automatically generate named.conf grammars for the ARM 4873. [doc] Grammars for named.conf included in the ARM are now automatically generated by the configuration parser itself. As a side effect of the work needed to separate zone type grammars from each other, this also makes checking of zone statements in named-checkconf more correct and consistent. [RT #36957] 2018-01-22 11:00:45 -08:00			`dnssec-secure-to-insecure <boolean>;`
			`dnssec-update-mode ( maintain \| no-resign );`
			`file <quoted_string>;`
			`forward ( first \| only );`
			`forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> \| <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };`
			`inline-signing <boolean>;`
			`ixfr-from-differences <boolean>;`
			`journal <quoted_string>;`
			`key-directory <quoted_string>;`
Remove the mastefile-format map option As previously announced, this commit removes the masterfile-format format 'map' from named, all the tools, the documentation and the system tests. 2021-09-16 11:46:13 +02:00			`masterfile-format ( raw \| text );`
[master] automatically generate named.conf grammars for the ARM 4873. [doc] Grammars for named.conf included in the ARM are now automatically generated by the configuration parser itself. As a side effect of the work needed to separate zone type grammars from each other, this also makes checking of zone statements in named-checkconf more correct and consistent. [RT #36957] 2018-01-22 11:00:45 -08:00			`masterfile-style ( full \| relative );`
build doc 2020-03-09 15:40:00 -07:00			`max-ixfr-ratio ( unlimited \| <percentage> );`
[master] automatically generate named.conf grammars for the ARM 4873. [doc] Grammars for named.conf included in the ARM are now automatically generated by the configuration parser itself. As a side effect of the work needed to separate zone type grammars from each other, this also makes checking of zone statements in named-checkconf more correct and consistent. [RT #36957] 2018-01-22 11:00:45 -08:00			`max-journal-size ( default \| unlimited \| <sizeval> );`
			`max-records <integer>;`
			`max-transfer-idle-out <integer>;`
			`max-transfer-time-out <integer>;`
prep 9.15.6 2019-11-17 07:25:57 +00:00			`max-zone-ttl ( unlimited \| <duration> );`
add "primary-only" as a synonym for "master-only" update the "notify" option to use RFC 8499 terminology as well. 2020-06-17 02:45:07 -07:00			`notify ( explicit \| master-only \| primary-only \| <boolean> );`
[master] automatically generate named.conf grammars for the ARM 4873. [doc] Grammars for named.conf included in the ARM are now automatically generated by the configuration parser itself. As a side effect of the work needed to separate zone type grammars from each other, this also makes checking of zone statements in named-checkconf more correct and consistent. [RT #36957] 2018-01-22 11:00:45 -08:00			`notify-delay <integer>;`
			`notify-source ( <ipv4_address> \| * ) [ port ( <integer> \| * ) ] [ dscp <integer> ];`
			`notify-source-v6 ( <ipv6_address> \| * ) [ port ( <integer> \| * ) ] [ dscp <integer> ];`
			`notify-to-soa <boolean>;`
Remove auto-generated rst files in repo in favour of grammar pretty printer 2022-06-24 13:16:53 +02:00			`nsec3-test-zone <boolean>; // test only`
Add parental-agents configuration Introduce a way to configure parental agents that can be used to query DS records to be used in automatic key rollovers. 2021-05-07 11:36:40 +02:00			`parental-agents [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> \| <ipv4_address> [ port <integer> ] \| <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };`
Add "parental-source[-v6]" config option Similar to "notify-source" and "transfer-source", add options to set the source address when querying parental agents for DS records. 2021-05-14 11:33:51 +02:00			`parental-source ( <ipv4_address> \| * ) [ port ( <integer> \| * ) ] [ dscp <integer> ];`
			`parental-source-v6 ( <ipv6_address> \| * ) [ port ( <integer> \| * ) ] [ dscp <integer> ];`
[master] automatically generate named.conf grammars for the ARM 4873. [doc] Grammars for named.conf included in the ARM are now automatically generated by the configuration parser itself. As a side effect of the work needed to separate zone type grammars from each other, this also makes checking of zone statements in named-checkconf more correct and consistent. [RT #36957] 2018-01-22 11:00:45 -08:00			`serial-update-method ( date \| increment \| unixtime );`
			`sig-signing-nodes <integer>;`
			`sig-signing-signatures <integer>;`
			`sig-signing-type <integer>;`
			`sig-validity-interval <integer> [ <integer> ];`
			`update-check-ksk <boolean>;`
Add {krb5,ms}-subdomain-self-rhs update policy rules The new rules compare the target name in PTR and SRV records against the machine name embedded in the kerberos principal. This can be used to further restrict what PTR and SRV records can be added or deleted via dynamic updates if desired. 2018-08-24 09:19:38 +10:00			`update-policy ( local \| { ( deny \| grant ) <string> ( 6to4-self \| external \| krb5-self \| krb5-selfsub \| krb5-subdomain \| krb5-subdomain-self-rhs \| ms-self \| ms-selfsub \| ms-subdomain \| ms-subdomain-self-rhs \| name \| self \| selfsub \| selfwild \| subdomain \| tcp-self \| wildcard \| zonesub ) [ <string> ] <rrtypelist>; ... };`
[master] automatically generate named.conf grammars for the ARM 4873. [doc] Grammars for named.conf included in the ARM are now automatically generated by the configuration parser itself. As a side effect of the work needed to separate zone type grammars from each other, this also makes checking of zone statements in named-checkconf more correct and consistent. [RT #36957] 2018-01-22 11:00:45 -08:00			`zero-no-soa-ttl <boolean>;`
			`zone-statistics ( full \| terse \| none \| <boolean> );`
			`};`