HP OpenVMS Systems Documentation

HP TCP/IP Services for OpenVMS
Management



6.5.3.6.1 Boolean Options

Table 6-7 describes the Boolean BIND server configuration options.

Table 6-7 BIND Server Boolean Configuration Options
Option Description
auth-nxdomain If YES, then the AA bit is always set on NXDOMAIN responses, even if the server is not actually authoritative.

The default is NO. This is a change from BIND Version 8. If you are upgrading from old software, you might need to set this option to YES.

deallocate-on-exit This option was used in BIND Version 8 to enable checking for memory leaks on exit. BIND Version 9 ignores this option and always performs the checks.
dialup If YES, then the server treats all zones as if they are doing zone transfers across a dial-on-demand dialup link, which can be brought up by traffic originating from this server. This has different effects according to zone type, and it concentrates the zone maintenance so that it all happens in a short interval, once every heartbeat-interval and during the one call. It also suppresses some of the normal zone maintenance traffic. The default is NO.

The dialup option can also be specified in the view and zone statements. In these cases, it overrides the global dialup option.

If the zone is a master zone, the server sends out a NOTIFY request to all the slaves. This triggers the zone serial number check in the slave (providing it supports NOTIFY), allowing the slave to verify the zone while the connection is active. If the zone is a slave or stub zone, then the server suppresses the regular "zone up to date" (refresh) queries and performs them only when the heartbeat-interval expires, in addition to sending NOTIFY requests.

Finer control can be achieved by using the following options:

  • notify , which sends only NOTIFY messages.
  • notify-passive , which sends NOTIFY messages and suppresses the normal refresh queries.
  • refresh , which suppresses normal refresh processing and sends refresh queries when the heartbeat-interval expires.
  • passive , which disables normal refresh processing.
fake-iquery In BIND Version 8, this option was used to enable simulating the obsolete DNS query type IQUERY. BIND Version 9 never does IQUERY simulation.
fetch-glue This option is obsolete. In BIND Version 8, this option caused the server to attempt to fetch glue resource records it lacked when constructing the additional data section of a response. In BIND Version 9, the server does not fetch glue resource records.
has-old-clients This option was incorrectly implemented in BIND Version 8 and is ignored by BIND Version 9.
host-statistics In BIND Version 8, this option enabled the keeping of statistics for every host with which the name server interacts. This option is not implemented in BIND Version 9.
maintain-ixfr-base This option is obsolete. It was used in BIND Version 8 to determine whether a transaction log was kept for incremental zone transfers. BIND Version 9 maintains a transaction log whenever possible. To disable outgoing incremental zone transfers, set the provide-ixfr option to NO. See Section 6.5.3.7 for more information.
minimal-responses Specifies that when the server generates responses, it adds records to the authority and additional data sections only when they are required (for example, for delegations and negative responses). This might improve the performance of the server. The default is NO.
multiple-cnames This option was used in BIND Version 8 to allow a domain name to have multiple CNAME records, in violation of the DNS standards. BIND Version 9 strictly enforces the CNAME rules, both in master files and in dynamic updates.
notify Sends DNS NOTIFY messages when a zone for which the server is authoritative changes (see Section 6.5.5). If this option is set to YES (the default), the messages are sent to the servers listed in the zone's NS records (except the master server identified in the SOA MNAME field) and to any servers listed in the also-notify option. If it is set to explicit, notifications are sent only to the servers explicitly listed using also-notify. If it is set to NO, notifications are not sent.

The notify option can also be specified in the zone statement. This overrides the notify option in the options statement.

recursion When a DNS query requests recursion, specifies that the server will attempt to do all the work required to answer the query. If the recursion option is off and the server does not already know the answer, it returns a referral response. The default is YES. Note that setting the recursion option to NO does not prevent clients from getting data from the server's cache; it only prevents new data from being cached as an effect of client queries. Caching can still occur as an effect of the server's internal operation, such as NOTIFY address lookups.
rfc2308-type1 Setting this option to YES causes the server to send NS records along with the SOA record for negative answers. The default is NO.

This option is not yet implemented.

use-id-pool This option is obsolete. BIND Version 9 always allocates query IDs from a pool.
zone-statistics Collects statistical data on all zones in the server. These statistics can be accessed using the rndc stats command, which dumps them to the file listed in the statistics-file option. See Section 6.10 for more information.
use-ixfr This option is obsolete. If you need to disable IXFR to a particular server, see the information about the provide-ixfr option in Section 6.5.3.7.
treat-cr-as-space This option was used in BIND 8 to make the server treat carriage return characters the same way as a space or tab character---to facilitate loading of zone files. In BIND 9, these characters are always accepted and the option is ignored.
additional-from-auth
additional-from-cache
These options control the behavior of an authoritative server when answering queries that have additional data or when following CNAME and DNAME chains.

When both of these options are set to YES (the default) and a query is being answered from authoritative data (a zone configured into the server), the additional data section of the reply is filled in using data from other authoritative zones and from the cache. In some situations this is undesirable, such as when there is concern over the correctness of the cache, or in servers where slave zones can be added and modified by untrusted third parties. Also, avoiding the search for this additional data speeds up server operations at the possible expense of additional queries to resolve what otherwise would be provided in the additional section.

For example, if a query asks for an MX record for host FOO.EXAMPLE.COM, the following record is found:

MX 10 mail.example.net

The address records (A and AAAA) for MAIL.EXAMPLE.NET are provided as well, if they are known.

Setting these options to NO disables this behavior.

These options are intended for use in authoritative-only servers or in authoritative-only views. If you attempt to set these options to NO without also specifying recursion no , the server ignores the options and logs a warning message.

Specifying additional-from-cache no disables the use of the cache not only for additional data lookups, but also when looking up the answer. This is usually the desired behavior in an authoritative-only server where the correctness of the cached data is an issue.

When a name server is nonrecursively queried for a name that is not below the apex of any served zone, it normally answers with an "upward referral" to the root servers or to the servers of some other known parent of the query name. Because the data in an upward referral comes from the cache, the server cannot provide upward referrals when additional-from-cache no has been specified. Instead, the server responds to such queries with "REFUSED." This should not cause any problems, because upward referrals are not required for the resolution process.

match-mapped-addresses When this option is set, an IPv4-mapped IPv6 address matches any address match list entries that match the corresponding IPv4 address. Use of this option is not necessary on OpenVMS systems.
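The following options statement, added here as an illustration rather than taken from the manual, shows how the Boolean options above combine on an authoritative-only server. The ordering of recursion no before the additional-from-* options is deliberate: without recursion no, the server would ignore the additional-from-* settings and log a warning, as described above.

```conf
// Added example: options for an authoritative-only BIND 9 server.
// Not from the original manual; option names and defaults are as documented in Table 6-7.
options {
    recursion no;               // answer only from configured zones; referrals otherwise
    additional-from-auth no;    // do not fill the additional section from other zones
    additional-from-cache no;   // do not consult the cache, for answers or for additional data
                                // (upward referrals for unknown names become REFUSED)
    minimal-responses yes;      // authority/additional records only where required
    auth-nxdomain no;           // BIND 9 default: AA bit only when truly authoritative
    notify yes;                 // NOTIFY the NS-listed servers plus any also-notify list
    zone-statistics yes;        // per-zone counters, dumped with rndc stats
};
```

If the same server must also recurse for local clients, put the authoritative zones and the recursive service in separate views rather than relaxing these options globally; the additional-from-* settings apply per view.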

6.5.3.6.2 Forwarding Options

The forwarding facility helps you create a large, sitewide cache on a few servers, thereby reducing traffic over links to external name servers. It can also be used to allow queries by servers that do not have direct access to the Internet but that want to look up exterior names anyway. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache.

Table 6-8 describes the forwarding options.

Table 6-8 Forwarding Options
Option Description
forward Meaningful only if the forwarders list is not empty. A value of first (the default) causes the server to query the forwarders first, and if that does not answer the question, the server then looks for the answer itself. If only is specified, the server queries only the forwarders.
forwarders Specifies the IP addresses to be used for forwarding. The default is the empty list (no forwarding).

Forwarding can also be configured on a per-domain basis, allowing for the global forwarding options to be overridden in a variety of ways. You can set particular domains to use different forwarders, or have a different forward only/first behavior, or not to forward at all. See Section 6.5.3.10 for more information.
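The fragment below, an added example that is not part of the original manual, shows a site-wide forward only configuration together with two per-domain overrides of the kind Section 6.5.3.10 describes. The forwarder addresses and domain names are constructed for the example; the zone-level syntax assumed here is the standard BIND 9 forward zone.

```conf
// Added example: global forwarding with per-domain overrides.
// Addresses (192.0.2.x, 198.51.100.x) and domain names are constructed.
options {
    forward only;                               // never resolve external names directly
    forwarders { 192.0.2.10; 192.0.2.11; };     // the site's caching servers
};

// Internal domain: ask its own servers first, fall back to normal resolution.
zone "corp.example" {
    type forward;
    forward first;
    forwarders { 198.51.100.53; };
};

// Do not forward this domain at all: an empty forwarders list turns forwarding off.
zone "lab.example" {
    type forward;
    forwarders { };
};
```

Because forwarding applies only to queries the server is not authoritative for and cannot answer from its cache, zones this server hosts locally are unaffected by the global forward only setting.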

6.5.3.6.3 Access Control Options

Access to the server can be restricted based on the IP address of the requesting system. See Section 6.5.2 for details on how to specify IP address lists.

Table 6-9 describes the access control options.

Table 6-9 Access Control Options
Option Description
allow-notify Specifies which hosts are allowed to notify slaves of a zone change in addition to the zone masters. The allow-notify option can also be specified in the zone statement; in this case, it overrides the allow-notify option in the options statement. The allow-notify option is meaningful only for a slave zone. If this option is not specified, the default is to process notify messages from only a zone's master.
allow-query Specifies which hosts are allowed to ask ordinary questions. The allow-query option can also be specified in the zone statement; in this case, it overrides the allow-query option in the options statement. If this option is not specified, the default is to allow queries from all hosts.
allow-recursion Specifies which hosts are allowed to make recursive queries through this server. If this option is not specified, the default is to allow recursive queries from all hosts. Note that disallowing recursive queries for a host does not prevent the host from retrieving data that is already in the server's cache.
allow-v6-synthesis Specifies which hosts are to receive synthetic responses to IPv6 queries, as described in Section 6.5.3.6.12.
allow-transfer Specifies which hosts are allowed to receive zone transfers from the server. The allow-transfer option can also be specified in the zone statement; in this case, it overrides the allow-transfer statement in the options statement. If this option is not specified, the default is to allow transfers to all hosts.
blackhole Specifies a list of addresses from which the server does not accept queries and which it does not use to resolve queries. The server does not respond to queries from these addresses. The default is NONE.
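The configuration below is an added example, not taken from the manual, showing the access control options set deliberately rather than left at their defaults. Left unspecified, allow-query, allow-recursion and allow-transfer all default to every host, so any client on the Internet could pull a full copy of each zone and use the server as an open recursive resolver. The acl names and addresses are constructed; acl syntax is as described in Section 6.5.2, and localhost is a built-in address match list.

```conf
// Added example: explicit access control. Addresses and acl names are constructed.
acl "internal"    { 10.0.0.0/8; 192.168.0.0/16; localhost; };
acl "secondaries" { 192.0.2.2; 192.0.2.3; };

options {
    // Weak (implicit) settings if these lines are omitted:
    //   allow-query { any; }; allow-recursion { any; }; allow-transfer { any; };
    allow-query     { any; };            // public data may be queried by anyone
    allow-recursion { "internal"; };     // only our own clients may recurse through us
    allow-transfer  { "secondaries"; };  // only our slaves may take AXFR/IXFR
    blackhole       { 203.0.113.0/24; }; // constructed abusive range: no replies at all
};

zone "example.com" {
    type master;
    file "example_com.db";
    allow-transfer { "secondaries"; };   // zone-level list overrides the global one
    allow-notify   { 192.0.2.1; };       // meaningful on slave zones only; shown for reference
};
```

Note the limitation stated for allow-recursion above: an external host that is denied recursion can still read whatever is already in the cache. Where that matters, serve recursive clients from a separate view so that the authoritative view has no cache to read.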

6.5.3.6.4 Interfaces Options

The interfaces and ports from which the server answers queries can be specified using the listen-on options. Table 6-10 describes the listen-on options.

Table 6-10 Interfaces Options
Option Description
listen-on Specifies the interfaces and port on which the server listens for queries sent using IPv4 addresses.

The listen-on option takes an optional port number and an address_match_list . The server listens on all interfaces allowed by the address match list. If a port is not specified, port 53 is used.

Multiple listen-on statements are allowed. For example:

listen-on { 5.6.7.8; };

listen-on port 1234 { !1.2.3.4; 1.2/16; };

These statements enable the name server on port 53 for the IP address 5.6.7.8, and on port 1234 of an address on the machine in net 1.2 that is not 1.2.3.4.

If the listen-on option is not specified, the server listens on port 53 on all interfaces.

listen-on-v6 Specifies the ports on which the server listens for incoming queries sent using IPv6. The server does not bind a separate socket to each IPv6 interface address as it does for IPv4. Instead, it always listens on the IPv6 wildcard address. Therefore, the values allowed for the address_match_list argument to the listen-on-v6 option are:
  • any
  • none

Multiple listen-on-v6 options can be used to listen on multiple ports. For example:

listen-on-v6 port 53 { any; };

listen-on-v6 port 1234 { any; };

To make the server not listen on any IPv6 address, specify the following:

listen-on-v6 { none; };

If the listen-on-v6 option is not specified, the server does not listen on any IPv6 address.

6.5.3.6.5 The Query Address Options

If the server does not know the answer to a question, it queries other name servers. The query address options allow you to specify the address and port for these queries.

Table 6-11 describes the query address options.

Table 6-11 Query Address Options
Option Description
query-source Specifies the IPv4 address and port used for such queries. If the address is a wildcard character or is omitted, a wildcard IP address (INADDR_ANY) is used. If the port is a wildcard character or is omitted, a random unprivileged port is used. The default is:
query-source address * port *;

query-source-v6 Specifies the IPv6 address and port used for such queries. The default is:
query-source-v6 address * port *;

The address specified in the query-source option is used for both UDP and TCP queries, but the port applies only to UDP queries. TCP queries always use a random, unprivileged port. Leave the port as the wildcard unless a firewall rule requires a fixed one: a fixed, known source port makes it easier for an attacker to forge replies to the server's outbound queries.

6.5.3.6.6 Zone Transfer Options

BIND includes mechanisms to facilitate zone transfers and to limit the amount of load that transfers place on the system. Table 6-12 describes the zone transfer options.

Table 6-12 Zone Transfer Options
Option Description
also-notify Defines a global list of IP addresses of name servers that are also sent NOTIFY messages whenever a fresh copy of the zone is loaded, in addition to the servers listed in the zone's NS records. This helps to ensure that copies of the zones will quickly converge on stealth servers. If an also-notify list is given in a zone statement, that list overrides the also-notify options in the options statement. When a zone notify statement is set to NO, the IP addresses in the global also-notify list are not sent NOTIFY messages for that zone. The default is the empty list (no global notification list).
max-transfer-time-in Inbound zone transfers running longer than this many minutes are terminated. The default is 120 minutes.
max-transfer-idle-in Inbound zone transfers making no progress in this many minutes are terminated. The default is 60 minutes.
max-transfer-time-out Outbound zone transfers running longer than this many minutes are terminated. The default is 120 minutes.
max-transfer-idle-out Outbound zone transfers making no progress in this many minutes are terminated. The default is 60 minutes.
serial-query-rate Slave servers periodically query master servers to find out whether zone serial numbers have changed. Each such query uses a minute amount of the slave server's network bandwidth. To limit the amount of bandwidth used, BIND 9 limits the rate at which queries are sent. The value of the serial-query-rate option is the maximum number of queries sent per second. The default is 20.
serial-queries In BIND 8, this option set the maximum number of concurrent serial number queries allowed to be outstanding at any given time. BIND 9 does not limit the number of outstanding serial queries and ignores the serial-queries option. Instead, it limits the rate at which the queries are sent as defined by the serial-query-rate option.
transfer-format Specifies whether zone transfers are sent using the one-answer format or the many-answers format. The transfer-format option is used on the master server to determine which format it sends. When set to one-answer , it uses one DNS message per resource record transferred. When set to many-answers , it packs as many resource records as possible into a message. many-answers is more efficient, but it is supported only by relatively new slave servers, such as BIND Version 9, BIND Version 8, and later versions of BIND Version 4. The default is many-answers .

The transfer-format option can be overridden on a per-server basis by using the server statement.

transfers-in Specifies the maximum number of inbound zone transfers that can be running concurrently. The default value is 10. Increasing the transfers-in value might speed up the convergence of slave zones, but it also might increase the load on the local system.
transfers-out Specifies the maximum number of outbound zone transfers that can be running concurrently. Zone transfer requests in excess of the limit are refused. The default value is 10.
transfers-per-ns Specifies the maximum number of inbound zone transfers that can be concurrently transferring from a given remote name server. The default value is 2. Increasing the value of the transfers-per-ns option might speed up the convergence of slave zones, but it also might increase the load on the remote name server. This option can be overridden on a per-server basis by using the transfers phrase of the server statement.
transfer-source Determines which local address is bound to IPv4 TCP connections used to fetch zones transferred inbound by the server. It also determines the source IPv4 address and, optionally, the UDP port used for the refresh queries and forwarded dynamic updates. If not set, this option defaults to a system-controlled value, which is usually the address of the interface closest to the remote end. This address must appear in the remote end's allow-transfer option for the zone being transferred, if one is specified. This statement sets the transfer source for all zones, but it can be overridden on a per-view or per-zone basis by including a transfer-source statement within the view or zone statement in the configuration file.
transfer-source-v6 Determines which local address is bound to IPv6 TCP connections used to fetch zones transferred inbound by the server. This is the same as the transfer-source option, except zone transfers are performed using IPv6.
notify-source Determines which local source address and, optionally, UDP port is used to send NOTIFY messages. This address must appear in the slave server's masters clause in the zone statement or in an allow-notify clause.

This statement sets the notify-source for all zones, but it can be overridden on a per-zone or per-view basis by including a notify-source statement within the zone or view statement in the configuration file.

notify-source-v6 Determines which local source address and, optionally, UDP port is used to send NOTIFY messages. This option is identical to notify-source , but it applies to NOTIFY messages sent to IPv6 addresses.
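The two configuration files below form an added example (not from the manual) of a master and a slave whose transfer and notify options are set consistently with each other. The slave is multi-homed, so it pins transfer-source to the address the master lists in allow-transfer, and the master pins notify-source to the address the slave lists in masters and allow-notify. All addresses and file names are constructed; the zone statement syntax assumed is the standard BIND 9 master/slave form.

```conf
// Added example. Two separate configuration files are shown; addresses are constructed.

// ---- master (192.0.2.1) ----
options {
    notify-source 192.0.2.1;            // must appear in the slave's masters or allow-notify
    also-notify { 192.0.2.9; };         // stealth slave not listed in the NS RRset
    transfer-format many-answers;       // default; fine for BIND 8/9 slaves
    transfers-out 10;                   // default; extra requests are refused
    max-transfer-time-out 120;          // minutes
    max-transfer-idle-out 60;           // minutes
};
zone "example.com" {
    type master;
    file "example_com.db";
    allow-transfer { 192.0.2.2; 192.0.2.9; };   // the slaves' transfer-source addresses
    notify yes;                                 // zone-level setting overrides options
};

// ---- slave (192.0.2.2, multi-homed) ----
options {
    transfer-source 192.0.2.2;          // must match the master's allow-transfer
    transfers-in 10;                    // default
    transfers-per-ns 2;                 // default; raise only if the master can take the load
    max-transfer-time-in 120;           // minutes
    max-transfer-idle-in 60;            // minutes
    serial-query-rate 20;               // default; SOA checks per second across all zones
};
zone "example.com" {
    type slave;
    file "example_com.bak";
    masters { 192.0.2.1; };             // NOTIFY from here is accepted by default
    allow-notify { 192.0.2.10; };       // plus a hidden master that also sends NOTIFY
};
```

If the slave's transfer-source address is missing from the master's allow-transfer list, the transfer is refused even though the NOTIFY was accepted; the two lists are checked independently, so change them together.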

