BIND named.conf options reference. Each entry gives the option name, a description, the data type, the statement blocks in which the option may appear, tags, the supported BIND versions, an example value and the grammar.
allow-new-zones
Description: Controls whether zones can be added to the running server with rndc addzone (and removed with rndc delzone). The default is no. Enabling it means anyone who can reach the rndc control channel can load arbitrary zone data, so keep the controls statement restricted to trusted addresses and keys.
Type: boolean. Blocks: options, view. Tags: server, zone. Versions: all.
Example: yes
Grammar: <boolean>
allow-notify
Description: Address match list of hosts, in addition to those in the zone's primaries option, that may send NOTIFY messages announcing a change to a secondary zone. Applies to secondary zones only. If not set, NOTIFYs are accepted only from the configured primaries. An accepted NOTIFY makes the server issue an SOA query and, if the serial has moved, start a zone transfer, so the list should be limited to trusted hosts or TSIG keys.
Type: address_list. Blocks: view, options, zone (secondary). Tags: transfer. Versions: all.
Example: { 192.168.1.1; 192.168.1.2; } (IP addresses, prefixes, ACL names or key names in braces, separated by semicolons)
Grammar: { <address_match_element>; ... }
allow-query
Description: Address match list of hosts allowed to send queries to this server. It may also be set in a zone statement, where it overrides the options or view setting for that zone. If not specified, queries are allowed from all hosts. On a server that also recurses, this only controls who may ask; allow-recursion and allow-query-cache control who is given recursion and cached data.
Type: address_list. Blocks: zone (primary, secondary), view, options. Tags: query. Versions: all.
Example: { 192.168.1.1; 192.168.1.2; } (IP addresses, prefixes, ACL names or key names)
Grammar: { <address_match_element>; ... }
allow-query-on
Description: Address match list of local interface addresses (the destination address of the query) on which queries are accepted, for example only the address facing the internal network. A query must be permitted by both allow-query (source address) and allow-query-on (destination address); otherwise it is refused. The default is any.
Type: address_list. Blocks: options, zone (primary, secondary), view. Tags: query. Versions: all.
Example: { 192.168.1.1; 192.168.1.2; } (local addresses or prefixes)
Grammar: { <address_match_element>; ... }
allow-query-cache
Description: Address match list of hosts that may receive answers from the server's cache. If not set, it defaults to the allow-recursion list if that is set; otherwise to the allow-query list if that is set; otherwise to { localnets; localhost; }. Cached data reveals what other clients have looked up, so this list should be no wider than allow-recursion.
Type: address_list. Blocks: options, view. Tags: transfer. Versions: all.
Example: { 192.168.1.1; 192.168.1.2; } (IP addresses, prefixes, ACL names or key names)
Grammar: { <address_match_element>; ... }
allow-query-cache-on
Description: Address match list of local interface addresses on which queries that may be answered from the cache are accepted, for example only the address facing the internal network. The default is any (all interfaces).
Type: address_list. Blocks: options, view. Tags: transfer. Versions: all.
Example: { 192.168.1.1; 192.168.1.2; } (local addresses or prefixes)
Grammar: { <address_match_element>; ... }
allow-recursion
Description: Address match list of hosts allowed to send recursive queries. If not set, it defaults to the allow-query-cache list if that is set; otherwise to the allow-query list if that is set; otherwise to { localnets; localhost; }. Setting it to any on an internet-reachable server creates an open resolver that can be used for reflection and amplification and exposes the cache to poisoning attempts from anywhere.
Type: address_list. Blocks: view, options. Tags: dnssec, transfer. Versions: all.
Example: { 192.168.1.1; 192.168.1.2; } (IP addresses, prefixes, ACL names or key names)
Grammar: { <address_match_element>; ... }
allow-recursion-on
Description: Address match list of local interface addresses on which recursive queries are accepted, for example only the address facing the internal network. The default is to accept recursive queries on all interfaces.
Type: address_list. Blocks: options, view. Tags: server, query. Versions: all.
Example: { 192.168.1.1; 192.168.1.2; } (local addresses or prefixes)
Grammar: { <address_match_element>; ... }
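A worked configuration for the ACL layering above, added here as an illustration and not taken from the original page: an internet-facing server that is authoritative for one zone but should recurse only for the internal network. The addresses, the ACL name internal and the zone name are assumptions; the primary zone type keyword needs BIND 9.16 or later (older releases use master).

```conf
// Added example; addresses, ACL name and zone are assumptions.
acl internal { 192.0.2.0/24; 2001:db8:1::/48; localhost; localnets; };

options {
    // Weak: these two lines together make an open resolver reachable from anywhere.
    // allow-query     { any; };
    // allow-recursion { any; };

    // Anyone may ask, which is needed so the world can resolve example.com ...
    allow-query        { any; };
    // ... but only internal clients are given recursion and cached answers.
    allow-recursion    { internal; };
    allow-query-cache  { internal; };
    // Accept recursive queries only on the inside-facing address (assumed).
    allow-recursion-on { 192.0.2.53; };
};

zone "example.com" {
    type primary;
    file "example.com.db";
    // Authoritative data stays queryable by everyone.
    allow-query { any; };
};
```

Check the file with named-checkconf, then query from an outside address for a name the server is not authoritative for: the query should be refused, while a query for example.com is answered. The same query from the internal prefix should return the recursive answer with the RA flag set.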
allow-transfer
Description: Address match list of hosts allowed to receive a zone transfer (AXFR/IXFR) from this server. The default is any, which lets anyone enumerate the full zone; restrict it to the secondaries, preferably by TSIG key rather than by address alone. In BIND 9.18 and later the list may be qualified with a port and a transport (for example tcp or tls) so that transfers are served only over that channel.
Type: string. Blocks: options, view, zone (primary, secondary). Tags: dnssec, zone. Versions: all.
Example: { 192.168.0.3; 192.168.0.4; } (address match list of hosts allowed to transfer the zone)
Grammar: [ port <integer> ] [ transport <string> ] { <address_match_element>; ... }
allow-update
Description: Address match list of hosts, or TSIG keys, allowed to submit dynamic DNS updates to a primary zone. The default is none. allow-update and the finer-grained update-policy are mutually exclusive: if update-policy applies to a zone (set there or inherited from options or view), allow-update must not also be set for it. Prefer key-based entries; the source address of a UDP update is trivially spoofed.
Type: address_list. Blocks: view, options, zone (primary). Tags: dnssec, server, query. Versions: all.
Example: { 192.168.1.1; 192.168.1.2; } (IP addresses, prefixes, ACL names or key names)
Grammar: { <address_match_element>; ... }
allow-update-forwarding
Description: Address match list of hosts whose dynamic updates a secondary server accepts and forwards to the zone's primary. The default is none. ISC recommends either any or none: the primary applies its own allow-update or update-policy to the forwarded request, so filtering at the secondary adds little, and a narrower list here only duplicates policy in two places.
Type: address_list. Blocks: view, options, zone (secondary). Tags: dnssec, transfer. Versions: all.
Example: { 192.168.1.1; 192.168.1.2; } (IP addresses, prefixes, ACL names or key names)
Grammar: { <address_match_element>; ... }
also-notify
Description: Additional servers, given as IP addresses with optional port, TSIG key and (in 9.18 and later) TLS profile, or as a named remote-servers list, to which NOTIFY messages are sent when a zone changes. These are in addition to the servers in the zone's NS records. The default is an empty list.
Type: string. Blocks: options, zone, view. Tags: logging. Versions: all.
Example: { 192.168.1.1; 192.168.1.2; } (servers to notify in addition to the zone's NS records)
Grammar: [ port <integer> ] [ source ( <ipv4_address> | * ) ] [ source-v6 ( <ipv6_address> | * ) ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... }
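The transfer, update and NOTIFY options above (allow-transfer, allow-update, allow-update-forwarding, allow-notify, also-notify) in one worked pair of configurations, added here and not from the original page. It shows two fragments, one for the primary's named.conf and one for the secondary's; they are not loaded as a single file. Addresses, zone and key names are assumptions, the secrets are dummy base64 strings (generate real ones with tsig-keygen), and the primary, secondary and primaries keywords need BIND 9.16 or later.

```conf
// Added example; two separate named.conf fragments, split at the marked lines.
// Keys, addresses and zone are assumptions; secrets are dummy values.

// ---- primary (192.0.2.1) ----
key "xfer-key" { algorithm hmac-sha256; secret "MDEyMzQ1Njc4OWFiY2RlZg=="; };
key "ddns-key" { algorithm hmac-sha256; secret "YWJjZGVmMDEyMzQ1Njc4OQ=="; };

zone "example.com" {
    type primary;
    file "example.com.db";
    // Weak (and the default): allow-transfer { any; }; lets anyone AXFR the zone.
    allow-transfer { key xfer-key; };
    // Notify the secondary directly, signing the NOTIFY with the transfer key.
    also-notify { 192.0.2.2 key xfer-key; };
    // Weak: allow-update { 192.0.2.0/24; }; trusts a spoofable source address.
    allow-update { key ddns-key; };
};

// ---- secondary (192.0.2.2) ----
key "xfer-key" { algorithm hmac-sha256; secret "MDEyMzQ1Njc4OWFiY2RlZg=="; };

zone "example.com" {
    type secondary;
    file "example.com.db.saved";
    primaries { 192.0.2.1 key xfer-key; };
    // NOTIFY is also accepted from a provisioning host (assumed) besides the primary.
    allow-notify { 192.0.2.10; };
    // Relay client updates to the primary, which enforces its own allow-update.
    allow-update-forwarding { any; };
    // The secondary has no business serving transfers onward.
    allow-transfer { none; };
};
```

To confirm the transfer ACL, run dig @192.0.2.1 example.com AXFR without a key (expect "Transfer failed") and again with -y hmac-sha256:xfer-key:<secret> (expect the zone). The secondary's primaries entry must carry the same key, otherwise its own refresh transfers are refused too.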
alt-transfer-source
Description: Alternate IPv4 source address, and optionally port, used for inbound zone transfers, SOA refresh queries and forwarded dynamic updates when the attempt using transfer-source fails. It is only used when use-alt-transfer-source is yes.
Type: string. Blocks: options, view, zone (secondary). Tags: dnssec. Versions: all.
Example: 192.168.9.6
Grammar: ( <ipv4_address> | * ) [ port ( <integer> | * ) ]
alt-transfer-source-v6
Description: Alternate IPv6 source address, and optionally port, used for inbound zone transfers, SOA refresh queries and forwarded dynamic updates when the attempt using transfer-source-v6 fails. It is only used when use-alt-transfer-source is yes.
Type: string. Blocks: options, view, zone (secondary). Tags: transfer. Versions: all.
Example: 2001:db8::1
Grammar: ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
answer-cookie
Description: Controls whether the server includes an EDNS COOKIE option in its responses. The default is yes. Set it to no only to work around an operational problem: server cookies let clients detect off-path spoofed responses and let the server recognise returning clients, so disabling them weakens both.
Type: boolean. Blocks: options. Tags: dnssec. Versions: all.
Example: yes
Grammar: <boolean>
attach-cache
Description: By default each view has its own cache. This option makes some or all views share one cache, identified by cache-name. Set in options, it applies to all views; an individual view keeps its own cache by specifying a different cache-name in its view statement. Views sharing a cache must agree on the settings that affect cache contents: check-names, cleaning-interval, dnssec-accept-expired, dnssec-validation, max-cache-ttl, max-ncache-ttl, max-cache-size and zero-no-soa-ttl. Note that a cache shared between an internal and an external view lets a name resolved for one population be served to the other.
Type: string. Blocks: options, view. Tags: view. Versions: all.
Example: named-cache
Grammar: <string>
auth-nxdomain
Description: When yes, the server sets the AA (authoritative answer) bit on every NXDOMAIN response from its cache, even when it is not authoritative for the name. The default is no. The option exists for very old resolvers that required the bit and should stay off.
Type: boolean. Blocks: options, view. Tags: dnssec. Versions: all.
Example: yes
Grammar: <boolean>
auto-dnssec
Description: Sets the degree of automation for BIND's DNSSEC key and signature management:
allow: keys are updated and the zone re-signed only when the operator runs rndc sign <zone>.
maintain: as allow, plus automatic key activation, revocation, retirement and deletion according to each key's timing metadata as set with dnssec-keygen or dnssec-settime.
create: as maintain, plus automatic creation of new keys when needed (never implemented).
off (the default): no automated DNSSEC management.
This option is superseded by dnssec-policy in BIND 9.16 and later and is deprecated in 9.18.
Type: string. Blocks: options, zone, view. Tags: dnssec. Versions: all.
Example: allow
Grammar: ( allow | maintain | create | off )
automatic-interface-scan
Description: Causes named to rescan the network interfaces when addresses are added or removed, on operating systems that report such changes (for example Linux via netlink). The default is yes.
Type: boolean. Blocks: options. Tags: dnssec. Versions: all.
Example: yes
Grammar: <boolean>
avoid-v4-udp-ports
Description: Ports that named must not choose as system-assigned source ports for outgoing UDP queries over IPv4, typically because a firewall blocks them. The listed ports are simply removed from the randomised source-port range.
Type: string. Blocks: options. Tags: dnssec. Versions: all.
Example: { 7080; range 480 500; } (a list of ports or port ranges to avoid)
Grammar: { <portrange>; ... }
avoid-v6-udp-ports
Description: Ports that named must not choose as system-assigned source ports for outgoing UDP queries over IPv6, typically because a firewall blocks them. The listed ports are simply removed from the randomised source-port range.
Type: string. Blocks: options. Tags: transfer. Versions: all.
Example: { 7080; range 480 500; } (a list of ports or port ranges to avoid)
Grammar: { <portrange>; ... }
bindkeys-file
Description: Pathname of a file whose trust anchors override the ones built into named. The default is /etc/bind.keys. Historically this file also carried the DNSSEC Lookaside Validation (DLV) key; DLV is defunct, and current releases use the file only for the root zone trust anchor.
Type: quoted_string. Blocks: options. Tags: query. Versions: all.
Example: "/etc/bind/keys.bind"
Grammar: <quoted_string>
blackhole
Description: Address match list of hosts the server ignores entirely: queries from them are dropped without any response, and the server never sends queries to them. The default is none. Because the drop is silent, a mistyped prefix here blocks legitimate clients with no REFUSED to diagnose, so check the list carefully.
Type: address_list. Blocks: options. Tags: dnssec. Versions: all.
Example: { 192.168.1.1; 192.168.1.2; } (IP addresses, prefixes, ACL names or key names)
Grammar: { <address_match_element>; ... }
check-dup-records
Description: Checks primary zones for records that DNSSEC treats as different but that are semantically equal in plain DNS. Action: fail, warn (the default) or ignore.
Type: string. Blocks: options, view, zone. Tags: deprecated, dnssec, query. Versions: all.
Example: warn
Grammar: ( fail | warn | ignore )
check-integrity
Description: When yes (the default), after loading a primary zone the server checks that MX and SRV records point to hosts that have A or AAAA records (checked within the zone only) and that glue address records exist for delegated zones. check-sibling, check-spf and check-srv-cname only take effect when this is yes.
Type: boolean. Blocks: options, view, zone. Tags: zone. Versions: all.
Example: yes
Grammar: <boolean>
check-mx
Description: Checks MX records whose RDATA holds an IP address literal instead of a hostname. Action: fail, warn (the default) or ignore.
Type: string. Blocks: view, options, zone. Tags: dnssec, zone, logging. Versions: all.
Example: warn
Grammar: ( fail | warn | ignore )
check-names
Description: Controls checking of the owner names of A, AAAA and MX records, of the target names in NS, SOA and MX RDATA, and of PTR targets in in-addr.arpa and ip6.arpa zones against the hostname syntax rules. In options or view the option takes a scope keyword: primary (master) zones default to fail, secondary (slave) zones to warn, and response (answers received from other servers) to ignore. In a zone statement only the action is given.
Type: string. Blocks: options, view, zone. Tags: dnssec, zone. Versions: all.
Example (options or view): primary fail
Example (zone): warn
Grammar (options or view): ( primary | master | secondary | slave | response ) ( fail | warn | ignore )
Grammar (zone): ( fail | warn | ignore )
check-sibling
Description: When performing integrity checks, also verify that glue (A/AAAA) records exist for name servers in sibling zones, that is other zones delegated from the same parent on this server. For example, the NS record of a delegated zone may name a server in a sibling zone: blog.manageengine.com. IN NS ns.products.manageengine.com. With check-sibling yes the server verifies that a glue record exists for ns.products.manageengine.com. The default is yes. The check only runs when check-integrity is yes.
Type: boolean. Blocks: options, view, zone (primary). Tags: zone. Versions: all.
Example: yes
Grammar: <boolean>
check-spf
Description: When check-integrity is yes, checks that a name which has an SPF-type record also has the equivalent TXT record (one beginning "v=spf1"). The SPF record type was deprecated by RFC 7208 in favour of TXT, and mail receivers consult only the TXT record. Action: warn (the default) or ignore.
Type: string. Blocks: options, view, zone (primary). Tags: zone. Versions: all.
Example: warn
Grammar: ( warn | ignore )
check-srv-cname
Description: When check-integrity is yes, checks that SRV records do not point at names that are CNAMEs, which RFC 2782 forbids. Action: fail (the zone is not loaded), warn (the default: the problem is logged and the zone loads) or ignore (no check).
Type: string. Blocks: options, view, zone (primary). Tags: zone. Versions: all.
Example: warn
Grammar: ( fail | warn | ignore )
check-wildcard
Description: When yes (the default), the server warns about non-terminal wildcards in primary zones, that is a "*" label that is not the leftmost label of the owner name (for example a.*.example.com). Such records almost never do what the author intended, because the wildcard matching rules of RFC 4592 apply only to a leftmost "*".
Type: boolean. Blocks: options, view, zone (primary). Tags: zone. Versions: all.
Example: yes
Grammar: <boolean>
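The check-* options above combined into one strict profile for the zones this server is primary for, with relaxed checking of received responses. This is an added example, not from the page; the option names are BIND's, the strictness levels are a choice rather than the defaults.

```conf
// Added example: strict load-time checks for primary zones.
options {
    check-integrity yes;          // MX/SRV targets resolve in-zone, delegations have glue
    check-names primary fail;     // refuse to load a primary zone with invalid hostnames
    check-names secondary warn;   // a bad transferred zone is logged, not refused
    check-names response ignore;  // do not police what other servers answer
    check-mx fail;                // MX RDATA that is an IP literal
    check-srv-cname fail;         // SRV target that is a CNAME (RFC 2782 forbids it)
    check-sibling yes;            // glue for name servers in sibling zones
    check-spf warn;               // SPF-type record without a matching TXT record
    check-wildcard yes;           // non-terminal "*" labels
    check-dup-records fail;       // records DNSSEC sees as distinct, plain DNS as equal
};
```

The same checks can be run on a zone file before deployment with named-checkzone, for example named-checkzone -i full -k fail -m fail -S fail example.com example.com.db, so a zone that would fail to load is caught in CI rather than at reload time.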
clients-per-query
Description: Initial (minimum) number of recursive clients that may wait simultaneously on the same outstanding query (same qname, qtype and qclass); further clients asking the same question are dropped until the answer arrives. The default is 10. The server raises the limit automatically under load, up to max-clients-per-query. This bounds the work an attacker can create by flooding a single name; it is not a per-client limit.
Type: integer. Blocks: options, view. Tags: server. Versions: all.
Example: 100
Grammar: <integer>
cookie-algorithm
Description: Algorithm used to generate the server cookie in EDNS COOKIE options (RFC 7873), a lightweight proof that a client is on-path. The choices are aes and siphash24; the default depends on the release (aes where supported in older releases, siphash24 from BIND 9.16). Older releases also accepted sha1 and sha256.
Type: string. Blocks: options. Tags: server. Versions: all.
Example: siphash24
Grammar: ( aes | siphash24 )
cookie-secret
Description: Shared secret used to generate and verify server cookies, so that every node of an anycast cluster accepts cookies issued by the others. The value is a hex string and must be 128 bits (32 hex digits) for aes or siphash24; older releases that supported sha1 and sha256 required 160 and 256 bits respectively. If not set, each server generates a random secret at startup, so cookies do not survive a restart and are not shared between cluster nodes. The option may be repeated: the first secret is used to generate new cookies and the others only to verify, which allows rotation.
Type: string. Blocks: options. Tags: server. Versions: all.
Example: "8217891bcbbca1b7903069d20d20c4c2"
Grammar: <string>
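The three cookie options together for an anycast cluster, as an added example that is not part of the original page. Both secrets are dummy values (the first is the page's own example); generate real ones with openssl rand -hex 16 and distribute them to every node.

```conf
// Added example: shared server-cookie configuration for an anycast cluster.
options {
    answer-cookie yes;            // the default; stated so the intent is explicit
    cookie-algorithm siphash24;
    // 128-bit (32 hex digit) secrets. Dummy values; generate with: openssl rand -hex 16
    cookie-secret "8217891bcbbca1b7903069d20d20c4c2";   // first: generates new cookies
    cookie-secret "0f1e2d3c4b5a69788796a5b4c3d2e1f0";   // older: verify-only, for rotation
};
```

To rotate, add the new secret as the first cookie-secret on every node, keep the old one in second position until all clients have refreshed their cookies, then remove it. dig +cookie @server example.com shows the COOKIE option in the OPT pseudosection and can be used to confirm that two nodes return cookies that each other accept.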
coresize
Description: Maximum size of a core dump file. The default is default, meaning the limit imposed by the operating system. Deprecated; set the limit with the operating system instead. A core dump of named can contain TSIG secrets and cache contents, so restrict access to wherever dumps land.
Type: string. Blocks: options. Tags: deprecated. Versions: all.
Example: unlimited (or a size in bytes with an optional suffix k, m or g, for example 512m)
Grammar: <sizeval>
datasize
Description: Maximum amount of memory the server may use. The default is default, the operating system's own limit; the option was mainly used to raise a too-small OS default. Deprecated; use an operating-system limit together with max-cache-size instead.
Type: string. Blocks: options. Tags: deprecated. Versions: all.
Example: 1g (a size in bytes with an optional suffix k, m or g)
Grammar: <sizeval>
deny-answer-addresses
Description: Filters address (A or AAAA) answers received from other servers: if any address in the answer section falls within the address match list, the whole response is rejected, nothing is cached and the client receives SERVFAIL. This mitigates DNS rebinding, in which an attacker's external name is made to resolve to an internal address. Responses are accepted regardless when the query name is within a domain listed in except-from. For example, deny-answer-addresses { 192.0.2.0/24; } except-from { "manageengine.com"; }; rejects answers containing an address in 192.0.2.0/24 unless the query name is manageengine.com or a subdomain of it.
Type: string. Blocks: view, options. Tags: query, content filtering. Versions: all.
Example: { 192.168.1.1; 192.168.1.2; } except-from { "ns3.example.com"; } (an address match list of addresses that must not appear in answers)
Grammar: { <address_match_element>; ... } [ except-from { <string>; ... } ]
deny-answer-aliases
Description: Filters alias (CNAME or DNAME) answers received from other servers: if an alias target in the answer section falls within one of the listed domains, the response is rejected with SERVFAIL. This mitigates rebinding through aliases, where an external name is pointed at an internal one. Responses are accepted regardless when the query name is within a domain listed in except-from. For example, deny-answer-aliases { "manageengine.com"; } except-from { "blog.manageengine.com"; }; rejects CNAME or DNAME targets under manageengine.com unless the query name is within blog.manageengine.com.
Type: string. Blocks: options, view. Tags: query, content filtering. Versions: all.
Example: { "ns1.example.com"; "ns2.example.com"; } except-from { "ns3.example.com"; } (domains that must not appear as alias targets)
Grammar: { <string>; ... } [ except-from { <string>; ... } ]
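A rebinding-protection profile using both filters above, added here as an illustration and not part of the original page. It assumes an internal domain corp.example.com whose names legitimately resolve to private addresses; the ACL name rfc1918 is also an assumption.

```conf
// Added example: DNS rebinding protection on a resolver.
acl rfc1918 { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

options {
    // Reject external answers that point at private, loopback or link-local space,
    // unless the queried name is under the internal domain that legitimately does so.
    deny-answer-addresses {
        rfc1918; 127.0.0.0/8; 169.254.0.0/16;
        ::1/128; fc00::/7; fe80::/10;
    } except-from { "corp.example.com"; };

    // Reject external answers that alias an outside name into the internal domain
    // (e.g. an attacker's name with a CNAME to intranet.corp.example.com), unless the
    // query itself was for an internal name.
    deny-answer-aliases { "corp.example.com"; } except-from { "corp.example.com"; };
};
```

These are whole-response filters, not answer sanitisers: a matching response is discarded without being cached and the client sees SERVFAIL, so an internal application that deliberately publishes private addresses under an external name will break unless its domain is added to except-from.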
dialup
Description: Concentrates zone maintenance traffic between servers into the periods when a dial-up link is expected to be up, as timed by heartbeat-interval. With dialup yes, SOA refresh queries and NOTIFY messages are sent only at the heartbeat interval instead of on the zone's own timers. Finer control:
notify: send NOTIFYs at the heartbeat only; refresh processing is normal.
refresh: send refresh queries at the heartbeat only; NOTIFY processing is normal.
passive: disable refresh processing entirely; NOTIFY processing is normal.
notify-passive: send NOTIFYs at the heartbeat and disable refresh processing.
no (the default): normal refresh and NOTIFY processing.
Type: string. Blocks: view, options, zone (primary, secondary). Tags: transfer. Versions: all.
Example: notify
Grammar: ( notify | notify-passive | passive | refresh | <boolean> )
directory
Description: The server's working directory; relative pathnames elsewhere in the configuration are interpreted relative to it. If not set, it is ".", the directory named was started from. Use an absolute path, and keep it separate from directories that other services write to.
Type: quoted_string. Blocks: options. Tags: server. Versions: all.
Example: "/var/local/named/workingdirectory"
Grammar: <quoted_string>
disable-algorithms
Description: Disables the listed DNSSEC signing algorithms at and below the given domain. Data in a zone signed only with a disabled algorithm validates as insecure rather than bogus, because the validator treats the algorithm as unsupported. The statement may be repeated for different domains.
Type: string. Blocks: options, view. Tags: dnssec. Versions: all.
Example: "example.com" { "RSASHA1"; "NSEC3RSASHA1"; } (a domain name and the algorithms to disable under it)
Grammar: <string> { <string>; ... }
disable-ds-digests
Description: Disables the listed DS (and, in old releases, DLV) digest types at and below the given domain. A delegation whose DS records use only disabled digests is treated as insecure. The statement may be repeated.
Type: string. Blocks: view, options. Tags: zone, dnssec. Versions: all.
Example: "example.com" { "SHA-1"; } (a domain name and the digest types to disable under it)
Grammar: <string> { <string>; ... }
disable-empty-zone
Description: Disables one of the built-in empty zones (the reverse zones for RFC 1918, loopback, link-local and similar address space that named answers locally instead of querying upstream), identified by name. Use it when this server actually serves that reverse zone or forwards it elsewhere. The statement may be repeated.
Type: string. Blocks: options, view. Tags: zone, server. Versions: all.
Example: "10.in-addr.arpa"
Grammar: <string>
dns64
Description: Implements DNS64 (RFC 6147) for the IPv6/IPv4 coexistence strategy in which an IPv6-only host reaches an IPv4 destination through a NAT64 gateway: when a name has no AAAA records, the server synthesises them by concatenating the configured IPv6 prefix with each IPv4 address from the name's A records.
Parameters: clients, an address match list of the clients for which synthesis is performed (default any); mapped, an address match list selecting which IPv4 addresses from the A records are mapped (use it to exclude private address space); exclude, IPv6 addresses that are ignored if they appear in the name's own AAAA records, so that synthesis still takes place (by default ::ffff:0.0.0.0/96 is excluded); suffix, extra bits placed after the IPv4 address in the synthesised address (default ::); recursive-only, whether to synthesise only for recursive queries (default no); and break-dnssec, whether to synthesise even when the client set the DO bit and the answer is DNSSEC-signed, which alters a signed response and breaks validation (default no).
Type: string. Blocks: options, view. Tags: query. Versions: all.
Grammar:
dns64 <netprefix> {
break-dnssec <boolean>;
clients { <address_match_element>; ... };
exclude { <address_match_element>; ... };
mapped { <address_match_element>; ... };
recursive-only <boolean>;
suffix <ipv6_address>;
}
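A worked dns64 statement, added here and not from the original page, for a resolver serving one IPv6-only client subnet through a NAT64 using the well-known RFC 6052 prefix. The client prefix, the rfc1918 ACL and the server and contact names are assumptions.

```conf
// Added example: DNS64 for an IPv6-only client network behind NAT64.
acl rfc1918 { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

options {
    dns64 64:ff9b::/96 {                   // RFC 6052 well-known NAT64 prefix
        clients { 2001:db8:64::/48; };     // only the IPv6-only client subnet (assumed)
        mapped { !rfc1918; any; };         // never synthesise for private IPv4 targets
        exclude { 64:ff9b::/96; ::ffff:0.0.0.0/96; };  // treat such AAAA as absent
        suffix ::;
        recursive-only yes;                // leave authoritative answers untouched
        break-dnssec no;                   // no synthesis when it would break a
                                           // signed answer requested with the DO bit
    };
    dns64-server "ns1.example.com.";
    dns64-contact "hostmaster.example.com.";
};
```

A client in 2001:db8:64::/48 asking for AAAA of an IPv4-only name receives 64:ff9b:: followed by the IPv4 address; a client outside that prefix, or a query for a name in rfc1918 space, gets the unmodified answer. named also serves the matching ip6.arpa reverse zone for the prefix, which is where dns64-server and dns64-contact appear.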
dns64-contact
Description: Part of the DNS64 support described above: the administrative contact name placed in the SOA record of the ip6.arpa reverse zone that named synthesises for the DNS64 prefix, so that PTR queries for synthesised addresses are answered.
Type: string. Blocks: options, view. Tags: server. Versions: all.
Example: "contacts.example.com"
Grammar: <string>
dns64-server
Description: Part of the DNS64 support described above: the server name placed in the SOA record of the ip6.arpa reverse zone that named synthesises for the DNS64 prefix.
Type: string. Blocks: view, options. Tags: server. Versions: all.
Example: "ns1.example.com"
Grammar: <string>
dnskey-sig-validity
Description: Number of days in the future at which automatically generated RRSIGs over the DNSKEY RRset expire, for zones maintained by dynamic update or automatic signing. 0 (the default) disables it, in which case sig-validity-interval applies to DNSKEY records as well. The maximum is 3660 days (10 years). Superseded by dnssec-policy in BIND 9.16 and later.
Type: integer. Blocks: options, view, zone. Tags: deprecated. Versions: all.
Example: 100
Grammar: <integer>
dnsrps-enable
Description: Enables or disables the DNS Response Policy Service (DNSRPS) API, which allows an external response policy provider to be used as an alternative to response policy zones.
Type: boolean. Blocks: options, view. Tags: server, security. Versions: all.
Example: yes
Grammar: <boolean>
dnsrps-options
Description: Configures the DNS Response Policy Service provider library, librpz; the text is passed to the library unchanged, concatenated with settings derived from the response-policy statement.
Type: string. Blocks: options, view. Tags: server, security. Versions: all.
Grammar: { <unspecified-text> }
dnssec-accept-expired
Description: When yes, the validator accepts RRSIGs whose expiration time has passed. The default is no. Enabling it removes the replay protection that signature expiry provides, so use it only as a short-lived workaround while a zone's signatures are being repaired.
Type: boolean. Blocks: view, options. Tags: query. Versions: all.
Example: yes
Grammar: <boolean>
dnssec-dnskey-kskonly
Description: Parameter for BIND's automated DNSSEC signing. When yes and update-check-ksk is also yes, only KSKs sign the DNSKEY, CDNSKEY and CDS RRsets at the zone apex; otherwise ZSKs may sign the DNSKEY RRset too. Ignored when update-check-ksk is no. Superseded by dnssec-policy.
Type: boolean. Blocks: view, zone, options. Tags: query. Versions: all.
Example: yes
Grammar: <boolean>
dnssec-enable
Description: Controls whether named includes DNSSEC records (RRSIG, NSEC/NSEC3, DNSKEY) in responses to clients that request them with the DO bit; with no they are returned only when queried for explicitly. The default is yes. It does not by itself turn validation on or off: that is dnssec-validation, which in these releases additionally requires dnssec-enable yes. The option was deprecated in BIND 9.16 and is obsolete in 9.18.
Type: boolean. Blocks: options. Tags: security. Versions: 9.9, 9.11, 9.16.
Example: yes
Grammar: <boolean>
dnssec-loadkeys-interval
Description: Interval, in minutes, between checks for new keys or changes to key timing metadata when auto-dnssec maintain is configured. The default is 60; the minimum is 1 and the maximum 1440.
Type: integer. Blocks: options, view, zone (primary, secondary). Tags: query. Versions: all.
Example: 100
Grammar: <integer>
dnssec-lookaside
Description: Configured DNSSEC Lookaside Validation (DLV, RFC 5074), a mechanism that let a validator obtain trust anchors for zones whose parents were not yet signed from a separate lookaside registry such as dlv.isc.org. The form dnssec-lookaside auto used the built-in ISC DLV key; the form dnssec-lookaside <domain> trust-anchor <domain> named the lookaside zone and the zone holding its trust anchor. ISC decommissioned the dlv.isc.org registry in 2017 and the option is obsolete; any remaining configuration should be set to no or removed, since a dead lookaside only adds failing lookups.
Type: string. Blocks: options. Tags: query. Versions: 9.9, 9.11, 9.16.
Example: no
Grammar: ( <string> trust-anchor <string> | auto | no )
dnssec-must-be-secure
Description: Declares that a domain and its subdomains must resolve securely. When yes, answers for names under the domain that do not validate against a configured trust anchor (or, in old releases, DLV) are treated as bogus rather than insecure, so an unsigned or broken delegation becomes a resolution failure instead of silently falling back to unvalidated data. When no, secure resolution is not required for the domain. Use it for domains you control and know to be signed.
Type: string. Blocks: view, options. Tags: dnssec. Versions: all.
Example: "example.com" yes
Grammar: <string> <boolean>
dnssec-policy
Description: Assigns a DNSSEC key and signing policy (KASP) to a zone, by the name of a dnssec-policy block or the built-in policy default; none (the default) means the zone is not maintained by KASP. With a policy set, named generates keys, signs the zone and performs rollovers automatically, replacing auto-dnssec and the related manual options.
Type: quoted_string. Blocks: options, view, zone (primary). Tags: dnssec. Versions: 9.16, 9.18.
Example: default
Grammar: <string>
dnssec-secure-to-insecure
Description: When yes, BIND's automated DNSSEC management (introduced in 9.7.0) is allowed to delete the DNSKEY records at a zone's apex, which transitions the zone from secure to insecure; when the DNSKEY RRset is deleted, all RRSIG and NSEC records are removed from the zone as well. The default is no, which protects against an accidental or unauthorised update unsigning the zone.
Type: boolean. Blocks: options, view, zone (primary). Tags: dnssec. Versions: all.
Example: yes
Grammar: <boolean>
dnssec-update-mode
Description: maintain (the default) signs new or changed records automatically and re-signs RRsets as their signatures near expiration. no-resign signs new or changed records but does not re-sign RRsets whose signatures are about to expire.
Type: string. Blocks: options, view. Tags: dnssec. Versions: all.
Example: maintain
Grammar: ( maintain | no-resign )
dnssec-validation
Description: Enables DNSSEC validation of answers. auto validates using the built-in root trust anchor (or the one in bindkeys-file); yes validates but requires trust anchors to be configured explicitly (trust-anchors, or managed-keys/trusted-keys in older releases); no disables validation. The default is auto in BIND 9.16 and later and yes in earlier releases, where dnssec-enable yes is also required. A resolver with validation off caches and serves forged data it cannot tell from genuine.
Type: string. Blocks: options, view. Tags: dnssec. Versions: all.
Example: auto
Grammar: ( yes | no | auto )
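The DNSSEC options above on one server that both validates as a resolver and signs its own zone, as an added example that is not part of the original page. The zone, the internal domain corp.example.com (assumed to be signed with a chain from the root) and the policy choices are assumptions; dnssec-policy needs BIND 9.16 or later.

```conf
// Added example: validating resolver plus a KASP-signed primary zone.
options {
    // Weak: dnssec-validation no;  answers from a poisoned or spoofed upstream are accepted.
    dnssec-validation auto;                 // validate using the built-in root trust anchor
    dnssec-accept-expired no;               // expired RRSIGs remain bogus
    // Names under the internal domain must validate; an unsigned delegation is bogus,
    // not merely insecure.
    dnssec-must-be-secure "corp.example.com" yes;
    // Retire SHA-1 based algorithms and digests under example.com: a zone signed only
    // with them validates as insecure rather than bogus.
    disable-algorithms "example.com" { RSASHA1; NSEC3RSASHA1; };
    disable-ds-digests "example.com" { SHA-1; };
};

zone "example.com" {
    type primary;
    file "example.com.db";
    dnssec-policy default;    // built-in policy: key generation, signing, rollovers
    inline-signing yes;       // sign a copy; the unsigned file stays the source of truth
};
```

After reload, dig +dnssec @server example.com SOA should show the AD flag for a validating client path, and a query for a deliberately broken test zone such as dnssec-failed.org should return SERVFAIL; if it returns an answer, validation is not in effect.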
dnstap
Description: Selects the message types recorded by the dnstap logging feature: client (queries from and responses to clients), auth (authoritative service), resolver (recursive lookups sent to other servers), forwarder (queries sent to forwarders), update (dynamic updates) or all. Each type may be qualified with query or response to record only that direction; without a qualifier both are recorded. Unlike text query logging, dnstap captures complete wire-format messages in a binary stream at low cost, which suits forensic capture.
Type: string. Blocks: options, view. Tags: logging. Versions: all.
Example: { auth; client response; resolver query; }
Grammar: { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }
dnstap-identity
Description: Identity string included in dnstap messages. The default is hostname, the server's hostname; none omits the field.
Type: string. Blocks: options. Tags: logging. Versions: all.
Example: "my-dns"
Grammar: ( <quoted_string> | none | hostname )
dnstap-output
Description: Destination of the dnstap frame stream: either file followed by a pathname, or unix followed by the path of a UNIX domain socket on which a collector (for example fstrm_capture) listens. For file output, size, versions and suffix control rotation of the file as they do for log channels.
Type: string. Blocks: options. Tags: logging. Versions: all.
Example: unix "/var/run/bind/dnstap.sock"
Grammar: ( file | unix ) <quoted_string> [ size ( unlimited | <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( increment | timestamp ) ]
dnstap-version
Description: Version string included in dnstap messages; none omits it. By default the BIND version is sent.
Type: string. Blocks: options. Tags: logging. Versions: all.
Example: "version2" (a quoted version string, or none)
Grammar: ( <quoted_string> | none )
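The four dnstap options together for a resolver that keeps a rotating local capture, added here as an example that is not part of the original page. The path and identity are assumptions, and named must have been built with --enable-dnstap.

```conf
// Added example: rotating dnstap capture on a resolver.
options {
    // Full wire-format record of what clients asked and were told, what we asked
    // upstream, and what we answered as authority; upstream responses are omitted
    // to roughly halve the volume.
    dnstap { client; resolver query; auth response; };
    dnstap-output file "/var/log/named/dnstap.fstrm" size 512m versions 10 suffix timestamp;
    dnstap-identity "resolver1.example.com";
    dnstap-version none;    // keep the BIND version string out of the frames
};
```

The capture is read back with dnstap-read (dnstap-read -y for YAML output), and rndc dnstap -roll forces rotation. Because the frames hold complete queries, treat the files as containing client activity data and restrict their permissions accordingly.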
dscp
Description: Differentiated Services Code Point value (0 to 63) set in the IP header of outgoing DNS traffic on operating systems that support it; by default none is set. The option is obsolete in current releases and has no effect.
Type: integer. Blocks: options, view, zone (secondary). Tags: logging. Versions: all.
Example: 46
Grammar: <integer>
dual-stack-servers
Description: Addresses or hostnames of external name servers that can reach both IPv4 and IPv6; a single-stack server uses them to resolve names that are served only over the transport it lacks. The option has no effect when the server itself is dual-stacked.
Type: string. Blocks: view, options. Tags: dnssec. Versions: all.
Example: { "ns.example.com" port 53; 192.0.2.1; }
Grammar: [ port <integer> ] { ( <quoted_string> [ port <integer> ] | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ); ... }
dump-file
Description: Pathname of the file in which the server writes its database when told to with rndc dumpdb. The default is named_dump.db in the working directory. A cache dump lists every name recently resolved for clients, so the file should not be world-readable.
Type: quoted_string. Blocks: options. Tags: logging. Versions: all.
Example: "/var/named/dumpfile"
Grammar: <quoted_string>
edns-udp-size
Description: EDNS UDP buffer size in bytes that the server advertises, between 512 and 4096. The default is 4096 in older releases and 1232 in current releases, following the DNS Flag Day 2020 recommendation to avoid IP fragmentation, which is both a delivery problem and a cache-poisoning vector.
Type: integer. Blocks: server, options, view. Tags: query. Versions: all.
Example: 1232
Grammar: <integer>
empty-contact
Description: Contact name placed in the SOA record of the built-in empty zones. If not specified, "." is used.
Type: string. Blocks: options, view. Tags: zone, server. Versions: all.
Example: "one.example.com"
Grammar: <string>
empty-server
Description: Server name placed in the SOA record of the built-in empty zones. If not specified, the empty zone's own name is used.
Type: string. Blocks: options, view. Tags: zone, server. Versions: all.
Example: "ns1.example.com"
Grammar: <string>
empty-zones-enable
Description: Enables (yes) or disables (no) the built-in empty zones, which answer reverse queries for private, loopback and similar address space locally instead of leaking them to the public DNS. They are enabled by default; prefer disable-empty-zone for individual exceptions rather than turning them all off.
Type: boolean. Blocks: options, view. Tags: zone, server. Versions: all.
Example: yes
Grammar: <boolean>
fetch-quota-params
Description: Tunes how the fetches-per-server quota is resized in response to congestion. The first argument is how often, in number of queries received, the moving average of the timeout-to-response ratio is recomputed (default 100). The next three are the low threshold below which the quota is raised (default 0.1), the high threshold above which it is lowered (default 0.3), and the discount rate of the moving average (default 0.7), where a higher discount weights recent events more heavily. Releases before 9.11 honour this option only when built with --enable-fetchlimit.
Type: string. Blocks: options, view. Tags: query, server. Versions: all.
Example: 100 0.1 0.3 0.4
Grammar: <integer> <fixedpoint> <fixedpoint> <fixedpoint>
fetches-per-serverDefines the maximum number of simultaneous iterative queries that may be sent to a single name server. The default is 0 which indicates no limit. This quota is dynamically adjusted based on the setting of the fetch-quota-params option. The optional drop or fail keyword indicates whether the server shall drop those queries exceeding the quota with no response or respond with a SERVFAIL. The default is fail.stringoptions, viewquery, serverallEnter the maximum number of simultaneous iterative queries allowed to be sent by a server to an upstream name server before the server blocks additional queries.
Eg:100
<integer> [ ( drop | fail ) ]
fetches-per-zoneDefines the maximum number of simultaneous iterative queries that may be sent for a given domain. The default is 0 which indicates no limit. This quota is dynamically adjusted based on the setting of the fetch-quota-params option. The optional drop or fail keyword indicates whether the server shall drop those queries exceeding the quota with no response or respond with a SERVFAIL. The default is fail.stringoptions, viewquery, serverallEnter the maximum number of simultaneous iterative queries allowed to any one domain before the server blocks new queries for data in or beneath that zone.
Eg:200
<integer> [ ( drop | fail ) ]
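The three fetch-limit options above work together. The following named.conf fragment is an added example, not configuration from the original page or from ISC; the client ranges and thresholds are assumptions chosen to show one reasonable resolver hardening profile.

```conf
// Added example (not from the original page): fetch limits on a recursive
// resolver, so that a flood of queries for unresponsive or attacker-controlled
// domains cannot exhaust the resolver's outstanding-query slots.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.0.2.0/24; 2001:db8::/32; };   // assumed client ranges

    // At most 500 concurrent iterative queries to any single upstream server.
    // Queries beyond the quota get SERVFAIL ("fail", the default) rather than
    // silence, so clients can retry and the spills show up in the statistics.
    fetches-per-server 500 fail;

    // At most 200 concurrent iterative queries for names in or below one zone.
    // "drop" answers nothing, which is preferable under a random-subdomain
    // (water torture) attack where every SERVFAIL would just be more traffic.
    fetches-per-zone 200 drop;

    // Re-evaluate the per-server quota every 100 responses: shrink it while
    // the timeout ratio is above 0.3, grow it back once it falls below 0.1,
    // with a discount of 0.7 so recent samples dominate the moving average.
    fetch-quota-params 100 0.1 0.3 0.7;
};
```

Validate with named-checkconf before reloading. After the limits take effect, the resolver statistics (rndc stats) report how often a quota was hit, which is the signal to watch when deciding whether the values are too tight for legitimate load.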
filesDefines the maximum number of files the DNS service may have open concurrently. The default is unlimited, which means the limit imposed by the operating system (the process file descriptor limit) applies.stringoptionsqueryallEnter default, unlimited, or a valid integer.
Eg: unlimited
( default | unlimited | <sizeval> )
flush-zones-on-shutdownControls whether, when named exits on receipt of SIGTERM, pending zone changes that are held only in journal files are first written out to the zone files. The default is no: named exits without flushing, the unwritten changes stay in the journals and are replayed the next time the zone is loaded. Set to yes to have the zone files written before shutdown.booleanoptionszoneallEnter yes or no.
Eg: yes
<boolean>
forwardConfigures how the server uses the servers listed in the forwarders statement:
only - send queries only to the forwarders and answer SERVFAIL if none of them responds (forward only)
first - query the forwarders first and, if they return no answer, fall back to normal recursive resolution using cached delegation information or the root hints (forward first)
stringoptions, zone, viewqueryallEnter first or only
Eg: first
( first | only )
forwardersSpecifies the IP addresses (optionally with a port and, in BIND 9.18 and later, a tls configuration name for DNS over TLS) of the servers to which queries are forwarded. The default is an empty list, i.e. no forwarding. When forwarders are configured in the options statement, an empty forwarders list in a zone statement disables forwarding for that zone only, so it acts as a per-zone negation of the global setting.stringoptions, zone, viewqueryallEnter an optional default port followed by a list of IP addresses, each with an optional port and tls name, enclosed within curly braces and separated by semicolons.
Eg: port 53 { 192.168.0.1; 192.168.0.2 port 5353; }
[ port <integer> ] [ tls <string> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ tls <string> ]; ... }
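The interaction between forward, forwarders and the empty per-zone list is easiest to see in a complete fragment. The following is an added example, not from the original page or from ISC; the addresses and zone names are assumptions.

```conf
// Added example (not from the original page): site-wide forwarding with two
// kinds of per-zone exception.
options {
    // Send everything we cannot answer ourselves to the corporate resolvers,
    // and fall back to full recursion only if they do not answer.
    forward first;
    forwarders { 192.0.2.53; 192.0.2.54 port 5353; };
};

// Internal zone: resolve only via these servers and never fall back to the
// public Internet, which would leak internal names.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; 10.0.1.53; };
};

// Keep the global forwarders for everything else, but never use them for
// this zone: an empty forwarders list cancels inheritance from options, so
// named recurses normally (from the root hints) for anything under
// example.net.
zone "example.net" {
    type forward;
    forwarders { };
};
```

Note that forward first is a resilience setting, not a security one: when the forwarders are down, queries go out directly, so any filtering the forwarders perform is bypassed. Use forward only where the forwarders are the enforcement point.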
fstrm-set-buffer-hintConfigures the threshold number of bytes to accumulate in the output buffer before forcing a buffer flush in the high speed framing library, libfstrm, used by dnstap. The minimum is 1024, the maximum is 65536, and the default is 8192.integeroptionsloggingallEnter a valid integer from 1024 to 65536.
Eg: 8192
<integer>
fstrm-set-flush-timeoutDefines the number of seconds to allow unflushed data to remain in the output buffer in the high speed framing library, libfstrm used by dnstap. The minimum (and default) is 1 second, the maximum is 600 seconds (10 minutes).integeroptionsloggingallEnter a valid integer.
Eg:100
<integer>
fstrm-set-input-queue-sizeSpecifies the number of queue entries to allocate for each input queue in the high speed framing library, libfstrm, used by dnstap. This value must be a power of 2. The minimum is 2, the maximum is 16384, and the default is 512.integeroptionsloggingallEnter a power of 2 from 2 to 16384.
Eg: 512
<integer>
fstrm-set-output-notify-thresholdThe number of outstanding queue entries to allow on an input queue before waking the I/O thread for the high speed framing library, libfstrm used by dnstap. The minimum is 1 and the default is 32.integeroptionsloggingallEnter a valid integer.
Eg:100
<integer>
fstrm-set-output-queue-modelControls the queuing semantics to use for queue objects for the high speed framing library, libfstrm used by dnstap. The default is mpsc (multiple producer, single consumer); the other option is spsc (single producer, single consumer).stringoptionsloggingallEnter the queuing semantics to use for queue objects.
Valid values: mpsc or spsc
Eg: mpsc
( mpsc | spsc )
fstrm-set-output-queue-sizeDefines the number of queue entries to allocate for each output queue for the high speed framing library, libfstrm used by dnstap. The minimum is 2, the maximum is system-dependent, and the default is 64.integeroptionsloggingallEnter a valid integer.
Eg:100
<integer>
fstrm-set-reopen-intervalDefines the number of seconds to wait between attempts to reopen a closed output stream for the high speed framing library, libfstrm used by dnstap. The default is 5 seconds, the minimum is 1 second, and the maximum is 600 seconds (10 minutes).durationoptionsloggingallEnter time in seconds or a valid ISO 8601 duration
Eg: 40
<duration>
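The fstrm-set-* options only matter once dnstap itself is enabled, so the following shows them in context. It is an added example, not configuration from the original page or from ISC; the log path, rotation sizes and tuning values are assumptions, and named must have been built with dnstap support.

```conf
// Added example (not from the original page): dnstap logging of client
// queries and responses with tuned libfstrm buffering.
options {
    // Log only what clients send us and what we answer; resolver-side
    // messages can be added with "resolver query;" / "resolver response;".
    dnstap { client query; client response; };
    dnstap-output file "/var/log/named/dnstap.log" size 256m versions 10;
    dnstap-identity hostname;     // server identity field in each frame
    dnstap-version none;          // do not record the named version string

    // libfstrm tuning for a busy resolver: larger buffer and queues so that
    // bursts are absorbed instead of frames being dropped.
    fstrm-set-buffer-hint 16384;          // bytes before a forced flush (1024..65536)
    fstrm-set-flush-timeout 2;            // seconds data may sit unflushed (1..600)
    fstrm-set-input-queue-size 1024;      // per input queue, must be a power of 2
    fstrm-set-output-notify-threshold 64; // wake the I/O thread after this many entries
    fstrm-set-output-queue-model mpsc;    // several worker threads, one writer
    fstrm-set-output-queue-size 128;      // per output queue
    fstrm-set-reopen-interval 10;         // seconds between reopen attempts
};
```

The resulting file is Frame Streams data in the dnstap protobuf format, not text; decode it with the dnstap-read utility shipped with BIND. Treat the file as sensitive: it contains every client address and query name.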
geoip-directoryDefines the directory containing the GeoIP database files used by the geoip element in address match lists. Current BIND 9 releases use MaxMind GeoIP2 databases (.mmdb files) through libmaxminddb; older releases used the legacy libGeoIP .dat format. By default this option is not configured and the library's built-in database directory is used. Setting it to none disables loading of GeoIP databases.stringoptionsserverallEnter the directory containing the GeoIP databases, or none.
Eg: "/usr/data/geoip"
( <quoted_string> | none )
glue-cacheEnables caching of address (A and AAAA) glue records to speed up adding these records to the additional section of DNS response messages. The default is yes. This option is deprecated.booleanoptions, viewdeprecatedallEnter yes or no.
Eg: yes
<boolean>
heartbeat-intervalDefines the heartbeat interval governing frequency of tasks for zones defined with the dialup option set to a value other than no (default = 60 [minutes]).integeroptionsdeprecatedallEnter a valid integer.
Eg:100
<integer>
hostnameDefines a host name to be provided in response to a TXT query of class CHAOS for owner hostname.bind. The default is the hostname of the server on which named is running as determined by a gethostname() call. Setting hostname_string to none disables processing of these queries.stringoptionsserverallEnter the hostname of the server to return in response to a hostname.bind query.
Eg: "example.com"
( <quoted_string> | none )
http-listener-clientsSets a quota on the number of concurrent DNS over HTTPS (DoH) clients, i.e. HTTP/2 connections, that each listener accepts, rather than a single global limit. Per-listener quotas give finer control over resource allocation and stop idle HTTP clients from holding connection slots that other TCP clients could use. The value is the default for every listener and can be overridden by a listener-clients option inside an individual http clause. The default is 300, chosen by ISC as large enough to serve a reasonable number of clients while limiting how far the server can be abused, given that it may also have to serve clients over other DNS transports. Setting it to 0 disables the quota, which is only appropriate for testing and benchmarking.integeroptionsserverallEnter a valid integer.
Eg:100
<integer>
http-streams-per-connectionSets a hard limit on the number of concurrent HTTP/2 streams that can be open on a single DoH connection. When this limit is reached, the HTTP/2 session will be closed by the server. This is a crucial setting to prevent overloading the server with too many concurrent requests on a single connection.
The default limit is set to 100 streams per connection, based on the assumption that most libnghttp2-based clients will not exceed this number. However, administrators can lower this number if needed.
It can be set globally using the http-streams-per-connection option or within an individual http clause using the streams-per-connection option. Setting the limit to 0 disables it, which is not recommended except for benchmarking in controlled environments. Together, the two options (http-listener-clients and http-streams-per-connection) allow administrators to effectively manage the load that HTTP clients can place on a DNS server operating over HTTP/2, ensuring efficient resource usage and preventing server overload.
integeroptionstransferallEnter a valid integer.
Eg:100
<integer>
http-portSpecifies the TCP port on which named accepts unencrypted HTTP connections for DNS over HTTPS (DoH) listeners configured with tls none, i.e. DoH with TLS terminated by a reverse proxy in front of named. It is used by listen-on and listen-on-v6 statements that specify http and tls none without a port of their own. The default is 80. Encrypted DoH listeners use https-port (default 443) instead. Plain-HTTP listeners should be bound only to addresses reachable by the proxy and never exposed directly, since the transport provides no confidentiality or integrity.integeroptionsquery,serverallEnter a valid integer.
Eg: 8080
<integer>
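A DoH deployment combines http-port, https-port, the two HTTP/2 quota options and http/tls clauses referenced from listen-on. The following is an added example, not configuration from the original page or from ISC; the certificate paths, addresses, ports and clause names are assumptions, and it requires BIND 9.18 or later built with libnghttp2.

```conf
// Added example (not from the original page): DNS over HTTPS listeners with
// per-listener and per-connection limits.
tls doh-tls {
    key-file "/etc/named/tls/doh.key";
    cert-file "/etc/named/tls/doh.crt";
    protocols { TLSv1.3; };          // refuse older TLS versions
};

http doh-server {
    endpoints { "/dns-query"; };
    listener-clients 100;            // overrides http-listener-clients for this clause
    streams-per-connection 50;       // overrides http-streams-per-connection
};

options {
    http-port 8080;                  // plain-HTTP DoH, only behind a TLS-terminating proxy
    https-port 443;
    http-listener-clients 300;       // default quota for listeners without their own
    http-streams-per-connection 100; // hard cap on HTTP/2 streams per connection

    // Encrypted DoH on the public addresses, IPv4 and IPv6.
    listen-on port 443 tls doh-tls http doh-server { 192.0.2.1; };
    listen-on-v6 port 443 tls doh-tls http doh-server { 2001:db8::1; };

    // Unencrypted DoH on loopback only, for a reverse proxy on the same host.
    listen-on port 8080 tls none http doh-server { 127.0.0.1; };

    // Classic Do53 listeners stay as before.
    listen-on port 53 { 192.0.2.1; 127.0.0.1; };
    listen-on-v6 port 53 { 2001:db8::1; ::1; };
};
```

With this configuration a single misbehaving client is capped at 50 streams on its connection and the public listener at 100 connections, while the loopback listener inherits the global 300. Check the result with named-checkconf and confirm the bound sockets with rndc status or the operating system's socket listing after reload.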
inline-signingControls DNSSEC inline signing for a zone. When enabled, named leaves the unsigned zone (loaded from the zone file, or received by transfer on a secondary) untouched and maintains a separate signed copy, kept in a .signed file and its journal, which is what it serves and transfers. Signatures are generated and refreshed in the background by zone maintenance, not per response, and are regenerated as keys roll or RRSIGs approach expiry. This lets an operator keep editing a plain unsigned zone file, or sign a zone on a bump-in-the-wire secondary, without a separate dnssec-signzone step. It is normally combined with dnssec-policy and key-directory.booleandnssec-policy, zonednssec, zoneallEnter yes or no.
Eg: yes
<boolean>
interface-intervalDefines the interval governing the frequency of scans for new or removed network interfaces on the server to begin listening on new interfaces and stop listening on deleted interfaces as permitted with corresponding listen-on settings. The default is 60 [minutes].durationoptionsserverallEnter time in seconds or a valid ISO 8601 duration
example: 40
<duration>
ipv4only-contactSpecifies the contact name (the RNAME field) placed in the SOA record of the automatic ipv4only.arpa zone that named creates when dns64 is configured and ipv4only-enable is in effect (RFC 8880). It has no bearing on which transport administrators are contacted over.
stringoptions, viewserverallEnter the contact for the IPV4ONLY.ARPA zone created by dns64.
Eg: "contact.example.com"
<string>
ipv4only-enableEnables or disables the automatic zones ipv4only.arpa, 170.0.0.192.in-addr.arpa and 171.0.0.192.in-addr.arpa that named serves locally when dns64 is in use. ipv4only.arpa resolves to the well-known addresses 192.0.0.170 and 192.0.0.171 (RFC 7050); because dns64 synthesizes AAAA records for them, IPv6-only clients can query the name to discover the NAT64 prefix. The zones are enabled by default when dns64 is configured. This option does not restrict the server to IPv4 transport.
booleanoptions, viewqueryallEnter yes or no.
Eg: yes
<boolean>
ipv4only-serverSpecifies the server name (the MNAME field) placed in the SOA record of the automatic ipv4only.arpa zone that named creates when dns64 is configured and ipv4only-enable is in effect. It does not select servers for IPv4 traffic.
stringoptions, viewqueryallEnter the name of the server for the IPV4ONLY.ARPA zone created by dns64.
stringoptions, viewqueryallEnter the name of the server for the IPV4ONLY.ARPA zone created by dns64.
Eg: "ns1.example.com"
<string>
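The three ipv4only-* options only make sense alongside a dns64 clause, so the following shows the whole DNS64 resolver configuration. It is an added example, not configuration from the original page or from ISC; the NAT64 prefix, client range and names are assumptions.

```conf
// Added example (not from the original page): a DNS64 resolver for an
// IPv6-only client network, including the automatic ipv4only.arpa zone that
// lets clients discover the NAT64 prefix (RFC 7050 / RFC 8880).
options {
    recursion yes;
    allow-recursion { 2001:db8:64::/48; };

    // Synthesize AAAA records from A records for clients in this prefix using
    // the well-known NAT64 prefix. Real AAAA records are never replaced.
    dns64 64:ff9b::/96 {
        clients { 2001:db8:64::/48; };         // only our IPv6-only network
        mapped { !10.0.0.0/8; any; };          // never map RFC 1918 space
        exclude { 64:ff9b::/96; ::ffff:0:0/96; }; // ignore these if seen in AAAA
        recursive-only yes;                    // no synthesis for authoritative answers
        break-dnssec no;                       // do not synthesize where it would break validation
    };

    // Serve ipv4only.arpa (A 192.0.0.170 / 192.0.0.171) and the matching
    // reverse zones locally; these names go into the automatic zone's SOA.
    ipv4only-enable yes;
    ipv4only-server "ns1.example.net";
    ipv4only-contact "hostmaster.example.net";
};
```

A client on the 2001:db8:64::/48 network that asks for AAAA ipv4only.arpa receives 64:ff9b::c000:aa and 64:ff9b::c000:ab and can derive the prefix from them. The break-dnssec no setting is the conservative choice: validating clients that set DO will get unsynthesized answers rather than signed data that fails validation.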
ixfr-from-differencesWhen set to yes, the server computes the differences between the current and new versions of a zone (on reload of a primary zone, or on receipt of a full transfer as a secondary) and records them in the zone's journal so that they can be served to downstream secondaries by IXFR. In the options and view statements, the value primary (master) or secondary (slave) restricts this processing to zones of that type; in a zone statement only a boolean is meaningful.stringoptions, view, zonetransferallValid values: primary, master, secondary, slave or a boolean value.
Eg: primary
( primary | master | secondary | slave | <boolean> )
keep-response-orderSpecifies the set of addresses with the address match list to which the server will send responses to TCP queries in the same order in which they were received. The default is none.address_listoptionsdnssecallEnter a list of valid ip_addresses/netprefixes/acl_names/server_keys enclosed within curly braces seperated by semicolons
Eg: { 192.168.1.1; 192.168.1.2; }
{ <address_match_element>; ... }
key-directoryThe full directory pathname in which public and private key files are stored on the server for processing of dynamic updates of DNSSEC secure zones. If not specified the current working directory is used.quoted_stringoptions, view, zonednssecallEnter the directory where the public and private DNSSEC key files should be found.
Eg: "/var/dnssec/keyfolder"
<quoted_string>
lame-ttlDefines the number of seconds the server will cache a lame server designation; i.e. a given server is not authoritative for a zone that's delegated to it (default = 600 [seconds]).durationview, optionsserverallEnter time in seconds or a valid ISO 8601 duration
example: 40
<duration>
listen-onSpecifies the network interface the server listens for queries; the default is to listen on port 53 on all interfaces. Multiple listen-on statements may be defined.stringoptionsserverallEg: { 192.168.1.1; 192.168.1.2; }[ port <integer> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }
listen-on-v6Specifies the IPv6 addresses (optionally with a port and, in BIND 9.18 and later, a tls or http configuration name) on which the server listens for queries over IPv6 transport. In current BIND 9 releases the default is to listen on port 53 on all IPv6 interfaces; very old releases listened on no IPv6 address unless named was started with -6. Multiple listen-on-v6 statements may be defined.stringoptionsserverallEnter an address match list of IPv6 addresses.
Eg: port 53 { 2001:db8::1; ::1; }
[ port <integer> ] [ tls <string> ] [ http <string> ] { <address_match_element>; ... }
lmdb-mapsizeSets the maximum size of the memory map for the new-zone database (NZD) in Lightning Memory-Mapped Database (LMDB) format, used when BIND is built with liblmdb. The NZD stores the configuration of zones added with rndc addzone. The default is 32 megabytes; the value must be large enough for all zones that will be added, since LMDB cannot grow the map on demand.stringview, optionsserverallEnter a size in bytes followed by an optional suffix 'k', 'm' or 'g'.
Eg: 32m
<sizeval>
lock-fileSpecifies the pathname of a file on which named will attempt to acquire a file lock when starting up for the first time as confirmation another server is not already running. Setting path_name to none disables this feature and the default is /var/run/named/named.lock.stringoptionsserverallEnter the pathname of the file on which named attempts to acquire a file lock when starting for the first time.
Valid values: none, filepath
Eg: "/var/locks/named.lock"
( <quoted_string> | none )
managed-keys-directoryThe directory in which files used to track managed keys are located. By default this is the named working directory.quoted_stringoptionsdnssecallEnter the directory in which to store the files that track managed DNSSEC keys.
Eg: "/var/named/example.mkeys"
<quoted_string>
masterfile-formatSpecifies the format of zone files on the server. The default is text. raw is a binary representation of the zone that loads faster and skips some of the name checking performed on text files; map (an image of the in-memory zone database, tied to the architecture and BIND version that wrote it) was removed in BIND 9.18.stringoptions, zone, viewzone, serverallValid values: raw, text
Eg: raw
( raw | text )
masterfile-styleWhen masterfile-format is set to text , this option specifies whether a dump of the zone files is formatted in multi-line format with owner names expressed relative to a shared origin when set to relative which may be easier for human consumption or with fully qualified owner names when set to full which may be easier for script processing.stringoptions, zone, viewserverallValid values: full, relative
Eg: full
( full | relative )
match-mapped-addressesSpecifies that the server should map IPv4 addresses associated with an IPv4-mapped IPv6 address against defined address match lists for processing. This option is intended solely for use as a work around for a Linux kernel quirk for IPv6-enabled Linux servers.booleanoptionsqueryallEnter yes or no.
Eg: yes
<boolean>
max-cache-sizeSets the maximum amount of memory used for the server's cache. With DNS views the limit applies to each view's cache separately. When the cache approaches the limit the server expires records early to stay within it. Since BIND 9.12 the default is 90% of physical memory; earlier releases defaulted to 0, meaning unlimited, with records purged only when their TTLs expire. A fixed size is usually preferable on hosts shared with other services.stringview, optionsdnssec,zoneallEnter default, unlimited, a percentage of physical memory, or a size in bytes followed by an optional suffix 'k', 'm' or 'g'.
Eg: 512m
( default | unlimited | <sizeval> | <percentage> )
max-cache-ttlDefines the maximum retention time for cached [positive] information. The default is 7 days.durationoptions, viewserverallEnter time in seconds or a valid ISO 8601 duration
example: 40
<duration>
max-clients-per-queryDefines the maximum number of recursive clients that may wait on a single outstanding recursive query (same qname, qtype and qclass) at one time; once reached, named drops additional clients rather than queueing them. clients-per-query (default 10) sets the initial limit, which named raises automatically, logging each change, up to this maximum when a query's queue fills. The default is 100. This bounds the damage a flood of identical queries for a slow-to-resolve name can do.integeroptions, viewserverallEnter a valid integer.
Eg:100
<integer>
max-ixfr-ratioSets the threshold expressed as a percentage of pending ixfr size to the full zone size above which an AXFR will be used instead of an IXFR for a zone transfer request. The default, unlimited, disables ratio checking.The minimum percentage value is 1%.stringoptions, zone, viewtransferallValid values: unlimited, percentage value
Eg: 25
( unlimited | <percentage> )
max-journal-sizeSpecifies the maximum size of each journal file. When a journal approaches the limit, named removes the oldest transactions from it. The default keyword (also in effect when the option is unset) lets the journal grow to twice the size of the zone; unlimited caps it at 2 gigabytes, the largest permitted value. Very small values are rounded up to 4096 bytes.stringoptions, zone, viewtransferallEnter the maximum size of journal files.
Valid values: default, unlimited, size in bytes followed by an optional suffix 'k', 'm' or 'g'.
Eg: 64m
( default | unlimited | <sizeval> )
max-ncache-ttlDefines the maximum time, in seconds, that the server caches negative answers (NXDOMAIN and NODATA). The default is 10800 seconds (3 hours) and the maximum permitted value is 7 days (604800 seconds).durationoptions, viewserverallEnter time in seconds or a valid ISO 8601 duration
example: 40
<duration>
max-recordsSpecifies the maximum number of records permitted in a zone. The default is 0, which means unlimited. On a secondary this limits the memory a compromised or misconfigured primary can make the server consume through an oversized transfer.integeroptions, view, zonezone, transferallEnter a valid integer.
Eg:100
<integer>
max-recursion-depthDefines the maximum number of resolution redirections permitted for a given query. A redirection occurs when resolving a domain name requires the resolution of another name. The default is 7.integeroptions, viewserverallEnter a valid integer.
Eg:100
<integer>
max-recursion-queriesDefines the maximum number of iterative queries that may be sent for a given recursive query. The root and TLD iterative queries are not counted against this max and the default is 75.integeroptions, viewquery, serverallEnter a valid integer.
Eg:100
<integer>
max-refresh-timeDefines the maximum refresh interval for SOA refresh attempts to the master.integeroptions, view, zonetransferallEnter a valid integer.
Eg:100
<integer>
max-retry-timeDefines the maximum retry time at which the server should retry a failed zone transfer.integeroptions, view, zonetransferallEnter a valid integer.
Eg:100
<integer>
max-rsa-exponent-sizeDefines the maximum RSA exponent size that will be accepted when validating DNSSEC responses (in bits). Valid values are 0 (default, equivalent to 4096), 35 to 4096.integeroptionsdnssec, queryallEnter a valid integer.
Eg:100
<integer>
max-stale-ttlIf the stale answers feature is enabled (via stale-answer-enable yes or rndc serve-stale on), this option sets how long a record is retained in cache beyond its TTL expiry so that it can be served stale while the authoritative servers are unreachable. The default is 1 day in BIND 9.16 and later; the earlier releases that introduced the feature defaulted to one week.durationoptions, viewserverallEnter time in seconds or a valid ISO 8601 duration
example: 40
<duration>
max-transfer-idle-inSpecifies a limit on the duration of idle time during an inbound zone transfer (default = 60 [minutes]). Once exceeded the zone transfer will be terminated.integeroptions, view, zonetransferallEnter a valid integer.
Eg:100
<integer>
max-transfer-idle-outSpecifies a limit on the duration of idle time during an outbound zone transfer (default = 60 [minutes]). Once exceeded the zone transfer will be terminated.integeroptions, view, zonetransferallEnter a valid integer.
Eg:100
<integer>
max-transfer-time-inSpecifies a limit on the duration of an inbound zone transfer (default = 120 [minutes]). Once exceeded the zone transfer will be terminated.integeroptions, view, zonetransferallEnter a valid integer.
Eg:100
<integer>
max-transfer-time-outSpecifies a limit on the duration of an outbound zone transfer (default = 120 [minutes]). Once exceeded the zone transfer will be terminated.integeroptions, view, zonetransferallEnter a valid integer.
Eg:100
<integer>
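The transfer-related options in this part of the table (ixfr-from-differences, max-ixfr-ratio, max-journal-size, max-records and the four max-transfer-* limits) are usually set together. The following is an added example, not configuration from the original page or from ISC; the addresses, zone names, file paths, timings and the TSIG secret (a placeholder, not a real key) are assumptions.

```conf
// Added example (not from the original page): bounded zone transfers on a
// secondary, and IXFR service on a primary, both authenticated with TSIG.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "dGhpcyBpcyBub3QgYSByZWFsIGtleQ==";   // placeholder; generate with tsig-keygen
};

options {
    // Abort transfers that stall or run too long so a misbehaving peer
    // cannot hold a transfer slot indefinitely (all values in minutes).
    max-transfer-idle-in 10;
    max-transfer-time-in 30;
    max-transfer-idle-out 10;
    max-transfer-time-out 30;

    // Fall back to AXFR once the pending IXFR deltas exceed half the zone size.
    max-ixfr-ratio 50%;
    // Cap journals so a chatty dynamic zone cannot fill the disk.
    max-journal-size 64m;
    // Serve IXFR to secondaries that ask for it.
    provide-ixfr yes;
};

// Primary: compute deltas on every reload so IXFR can be served even though
// the zone is edited by hand rather than by dynamic update.
zone "example.net" {
    type primary;
    file "primary/example.net.db";
    ixfr-from-differences yes;
    allow-transfer { key xfer-key; };
};

// Secondary: pull with TSIG, refuse oversized zones, never transfer onward.
zone "example.org" {
    type secondary;
    file "secondary/example.org.db";
    primaries { 192.0.2.10 key xfer-key; };   // "masters" in releases before 9.16
    max-records 100000;
    allow-transfer { none; };
};
```

Keying the transfer with TSIG is what makes allow-transfer meaningful; an address-only ACL can be spoofed on TCP only with difficulty, but it cannot detect a modified zone in transit, whereas the HMAC covers the whole transfer.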
max-udp-sizeDefines the maximum EDNS UDP response size in bytes that the server will send, regardless of the larger size a client may advertise; values range from 512 to 4096. Older releases defaulted to 4096; current BIND 9 releases default to 1232, matching edns-udp-size, so that responses fit in a single unfragmented packet. Lowering it is the usual remedy when a firewall or path drops fragmented UDP.integeroptions, server, viewqueryallEnter a valid integer from 512 to 4096.
Eg: 1232
<integer>
max-zone-ttlDefines the maximum permissible TTL value for all zones or a particular zone; a zone file containing a larger TTL is rejected when loaded. This is useful when rolling DNSSEC keys, to guarantee that the key being rolled remains available until the corresponding RRSIG records have expired from caches. For zones managed by dnssec-policy, the policy's own max-zone-ttl applies instead.stringoptions, view, zone, dnssec-policyzone, queryallEnter the maximum permissible TTL in seconds or as an ISO 8601 duration.
Valid values: unlimited, duration
Eg: 1d
( unlimited | <duration> )
memstatisticsTurns on (yes) or off (no) writing of memory statistics to the file specified in the memstatistics-file option. The default is no unless named was started with the "-m record" switch.booleanoptionslogging, serverallEnter yes or no.
Eg: yes
<boolean>
memstatistics-fileThis specifies the pathname of the file to which the server will write memory usage statistics. The default is named.memstats.quoted_stringoptionslogging, serverallEnter the pathname of the file where the server writes memory usage statistics on exit.
Eg: "/var/bind/example.memstats".
<quoted_string>
message-compressionConfigures the server to use DNS name compression for regular queries (compression is always used for incremental or absolute zone transfers)booleanoptions, viewqueryallEnter yes or no.
Eg: yes
<boolean>
min-cache-ttlDefines the minimum time the server will cache affirmative answers. Valid values range from 0 to 90s.durationoptions, viewserverallEnter time in seconds or a valid ISO 8601 duration
example: 40
<duration>
min-ncache-ttlDefines the minimum time the server will cache negative answers. Valid values range from 0 to 90s.durationoptions, viewserverallEnter time in seconds or a valid ISO 8601 duration
example: 40
<duration>
min-refresh-timeDefines the minimum SOA refresh time to query the master.integeroptions, view, zonetransferallEnter a valid integer.
Eg:100
<integer>
min-retry-timeDefines the minimum retry time at which the server should retry a failed zone transfer.integeroptions, view, zonetransferallEnter a valid integer.
Eg:100
<integer>
minimal-anyThis option governs responses to ANY queries, i.e., RRType of "*" for a given qname. If set to yes, only one RRType (and associated DNSSEC signatures) for the queried name will be provided in the response instead of all RRTypes for the queried name if set to no (default).booleanoptions, viewqueryallEnter yes or no.
Eg: yes
<boolean>
minimal-responsesWhen set to yes, the server adds records to the authority and additional sections of a response only when they are required, e.g. for negative responses or delegations; this keeps responses small and limits what unsolicited sections can be used to inject. no-auth omits the authority section unless required but still fills the additional section; no-auth-recursive applies that behaviour only to recursive queries and leaves authoritative responses untouched. The default is no in older releases and no-auth-recursive since BIND 9.18.stringoptions, viewqueryallValid values: no-auth, no-auth-recursive, boolean value(yes or no).
Eg: yes
( no-auth | no-auth-recursive | <boolean> )
multi-masterWhen set to yes the server will not log when its serial number is greater than that on another masterbooleanoptions, view, zonetransferallEnter yes or no.
Eg: yes
<boolean>
new-zones-directorySpecifies the directory in which to store configuration parameters added via rndc addzone.quoted_stringoptions, viewzoneallEnter the directory where configuration parameters are stored for zones added by rndc addzone.
Eg: "/var/named/new.zone"
<quoted_string>
no-case-compressSpecifies an address match list of clients that receive responses compressed case-insensitively. By default named uses case-sensitive (case-preserving) name compression, so owner names in a response keep the case in which they were queried and example.com and example.COM are compressed only where the case matches exactly; for clients matching this list, case is ignored when compressing, which produces slightly smaller responses. The default is none.
address_listoptions, viewserverallEnter a list of valid ip_addresses/netprefixes/acl_names/server_keys enclosed within curly braces separated by semicolons
Eg: { 192.168.1.1; 192.168.1.2; }
{ <address_match_element>; ... }
nocookie-udp-sizeDefines the maximum size in bytes of UDP responses to queries without a valid server cookie. The default is 4096 but the max-udp-size option may further limit the response size.integeroptions, viewqueryallEnter a valid integer.
Eg:100
<integer>
notifyThis option governs the sending of NOTIFY messages when a zone changes:
yes - NOTIFY messages are sent to every server in the zone's NS RRset except the server named in the MNAME field of the SOA record, plus any servers listed in the also-notify option
explicit - NOTIFY messages are sent only to the servers listed in the also-notify option
primary-only (master-only) - NOTIFY messages are sent only for primary zones, not for secondary zones the server re-serves
no - no NOTIFY messages are sent
stringoptions, view, zonetransfer, zoneallValid values: explicit, master-only, primary-only, a boolean value.
Eg: explicit
( explicit | master-only | primary-only | <boolean> )
notify-delayThis option defines the number of seconds to wait between sending sets of NOTIFY messages for a zone. The default is 5 seconds.integeroptions, view, zonetransfer, zoneallEnter a valid integer.
Eg:100
<integer>
notify-rateThis option defines the rate of notify requests per second. The default is 20.integeroptionstransfer, zoneallEnter a valid integer.
Eg:100
<integer>
notify-sourceDefines the local IPv4 address and, optionally, the UDP source port used for sending NOTIFY messages. The address should be one the secondaries list in their primaries or allow-notify configuration, otherwise the NOTIFY is refused. A corresponding notify-source-v6 option exists for IPv6.stringoptions, server, view, zonetransferallEnter the IPv4 address to be used for outgoing NOTIFY messages.
Eg: 192.168.2.4
( <ipv4_address> | * ) [ port ( <integer> | * ) ]
notify-to-soaFacilitates hidden master configurations when set to yes by instructing the server to send a Notify message as appropriate to the server listed in the SOA record master name (MNAME) field. In hidden master configurations MNAME may be configured with the name of a slave server. If set to no a Notify will not be sent to the server listed in the MNAME field.booleanoptions, view, zonetransferallEnter yes or no.
Eg: yes
<boolean>
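The notify, notify-delay, notify-rate, notify-source and notify-to-soa options combine into a hidden-primary setup. The following is an added example, not configuration from the original page or from ISC; the addresses, names and file paths are assumptions.

```conf
// Added example (not from the original page): a hidden primary that tells
// only its designated secondaries about changes, from a fixed source address.
acl secondaries { 192.0.2.20; 192.0.2.21; 2001:db8::20; };

options {
    notify explicit;                // default for all zones: also-notify targets only
    also-notify { 192.0.2.20; 192.0.2.21 port 5353; 2001:db8::20; };
    notify-source 192.0.2.10;       // the address the secondaries expect NOTIFYs from
    notify-source-v6 2001:db8::10;
    notify-delay 5;                 // seconds between NOTIFY bursts for one zone
    notify-rate 20;                 // NOTIFYs per second, server wide
    allow-transfer { secondaries; };
};

// This zone's SOA MNAME names the public secondary ns1.example.net rather
// than this hidden host. With notify yes, named normally skips the MNAME
// server; notify-to-soa yes makes it notify ns1 as well.
zone "example.net" {
    type primary;
    file "primary/example.net.db";
    notify yes;
    notify-to-soa yes;
};

// Staging zone: changes are pushed to secondaries manually.
zone "example.org" {
    type primary;
    file "primary/example.org.db";
    notify no;
};
```

On the secondaries, allow-notify (or the primaries list) must include 192.0.2.10 and 2001:db8::10, otherwise the NOTIFYs are refused and the zones only refresh on the SOA timer. notify-to-soa only matters with notify yes, since explicit mode never consults the NS RRset.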
nta-lifetimeThis parameter configures the default time that a negative trust anchor (nta) is ignored when added via rndc nta. An nta disables DNSSEC validation for zones known to be failing validation due to misconfiguration. The duration may be entered using TTL-style formats for seconds, minutes or hours. The default is one hour.durationoptions, viewdnssecallEnter time in seconds or a valid ISO 8601 duration
example: 40
<duration>
nta-recheckA negative trust anchor (NTA) disables DNSSEC validation below a given name because of a known misconfiguration. named periodically queries each NTA'd domain to determine whether the problem has been repaired, i.e. whether the domain now validates, and removes the NTA early if it does. This option sets the interval between those checks. Setting it to 0 disables the checks; the default is 5 minutes.durationoptions, viewdnssecallEnter time in seconds or a valid ISO 8601 duration
example: 40
<duration>
nxdomain-redirectDefines a redirect namespace: when an authoritative server returns NXDOMAIN, named retries the lookup with this suffix appended to the original query name and answers with whatever it finds there. A zone of type redirect, if defined, takes precedence over this option. Redirecting NXDOMAIN breaks applications that rely on name non-existence and cannot be reconciled with DNSSEC validation for signed names, so it should be used with care.stringoptions, viewqueryallEnter the domain name suffix of the redirect namespace.
Eg: redirect.example.com
<string>
parental-sourceDefines the local IPv4 address and, optionally, the source port from which named sends DS queries to the parent zone's name servers (the zone's parental-agents) to confirm that the DS record for a new KSK has been published before completing an automatic dnssec-policy key rollover. A corresponding parental-source-v6 option exists for IPv6. Pin the address when the parent's servers filter by source, or when a multi-homed signer would otherwise use an unexpected interface.stringoptions, view, zonednssecallEnter the local IPv4 source address to be used to send parental DS queries.
Eg: 192.168.3.2
( <ipv4_address> | * ) [ port ( <integer> | * ) ]
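The parental-source option belongs to the same workflow as inline-signing, key-directory and dnssec-policy described earlier in the table, so one fragment covers all of them. It is an added example, not configuration from the original page or from ISC; the policy name, key algorithm and lifetimes, paths, zone name and parent server addresses are assumptions, and it requires BIND 9.16 or later.

```conf
// Added example (not from the original page): an inline-signed zone driven
// by a dnssec-policy, with keys in a dedicated directory and DS checks
// against the parent made from a fixed source address.
dnssec-policy "ecdsa-rollover" {
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime P90D algorithm ecdsap256sha256;   // roll the ZSK every 90 days
    };
    max-zone-ttl 1d;            // bounds how long old RRSIGs can linger in caches
    signatures-validity 14d;
    signatures-refresh 5d;      // re-sign well before expiry
    parent-ds-ttl 1h;           // TTL of the DS RRset at the parent, for rollover timing
};

options {
    directory "/var/named";
    key-directory "/var/named/keys";       // default key location for all zones
    parental-source 192.0.2.10;            // source address for DS queries to the parent
};

zone "example.net" {
    type primary;
    file "primary/example.net.db";         // stays unsigned on disk
    dnssec-policy "ecdsa-rollover";
    inline-signing yes;                    // signed copy lives in .signed plus its journal
    key-directory "/var/named/keys/example.net";
    // Parent-zone servers to poll for the new DS record before a KSK rollover
    // is allowed to complete; the queries are sent from parental-source.
    parental-agents { 192.0.2.100; 2001:db8:1::100; };
};
```

named generates the keys itself on first load; the private key files in key-directory are the zone's signing secret and should be readable only by the named user. rndc dnssec -status example.net reports the rollover state, including whether the DS has been seen at the parent.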
pid-fileSpecifies the pathname of the file to which the server writes its process ID. The default is /var/run/named.pid (pre BIND 9.6) or /var/run/named/named.pid (BIND 9.6+). If the pathname parameter is specified as none no pid file will be written.stringoptionsserverallEnter the filepath of pid-file.
Valid values: none, filename enclosed in quotes
Eg:"/var/process/example.pid"
( <quoted_string> | none )
portSpecifies the UDP/TCP port number used by the server for sending and receiving DNS messages. This option is intended primarily for server testing, as setting a value other than the default 53 prevents communication with the global DNS.integeroptionstransferallEnter a valid integer.
Eg:100
<integer>
preferred-glueSpecifies the preferred resource record type that will be specified first in the additional section of a query response for an NS record. The default is NONE no preference.stringoptions, viewqueryallValid values: A, AAAA or NONE
Eg: A
<string>
prefetchSpecifies whether the server refreshes soon-to-expire cached records before they expire, so that popular answers stay in cache. The first parameter is the trigger TTL: when a query hits a cached record whose remaining TTL is at or below this value, named answers from cache and issues a background refresh. Valid trigger values are 0 (disables prefetch) and 1 to 10; the default is 2. The optional second parameter is the eligibility TTL, the smallest original TTL a record must have had to be eligible for prefetch; it defaults to 9 and must be at least six seconds greater than the trigger TTL.stringoptions, viewqueryallEnter a trigger ttl and eligibility ttl separated by a space.
Eg: 2 9
<integer> [ <integer> ]
provide-ixfrUsed in options or server statements to configure a server configured as master for its zones to honor IXFR requests from slaves or not.booleanoptions, server, viewtransferallEnter yes or no.
Eg: yes
<boolean>
qname-minimizationQNAME minimization (RFC 7816, updated by RFC 9156) has a resolver send each authoritative server only as much of the query name as that server needs; for example, the resolver asks the root servers only about the TLD rather than for the full name. This limits how much of a user's query is exposed to servers higher in the tree. strict follows the RFC process exactly; relaxed (the default) does the same but falls back to sending the full name when a minimized query gets NXDOMAIN or another error from a server that mishandles empty non-terminals; disabled and off turn minimization off.stringoptions, viewqueryallValid values: strict, relaxed, disabled or off
Eg: strict
( strict | relaxed | disabled | off )
query-sourceDefines the local network interface (IPv4 address) and source port for UDP-based queries issued to other servers to obtain a query answer TCP-based queries always use a random source port and it's recommended that UDP also do so to reduce the risk of cache poisoning. Therefore the port parameter should generally not be specified.stringoptions, server, viewqueryallEnter the IPV4 address used as the source for outgoing queries from the server.
Eg:192.168.2.3
[ address ] ( <ipv4_address> | * )
query-source-v6Defines the local network interface (IPv6 address) and source port for UDP-based queries issued to other servers to obtain a query answer TCP-based queries always use a random source port and it's recommended that UDP also do so to reduce the risk of cache poisoning. Therefore the port parameter should generally not be specified.stringoptions, server, viewqueryallEnter the IPV6 address used as the source for outgoing queries from the server.
Eg: 2001:db8::1
[ address ] ( <ipv6_address> | * )
querylogWhen set to yes logging of queries is enabled upon named startup; query logging is otherwise determined by the queries logging category setting.booleanoptionslogging, serverallEnter yes or no.
Eg: yes
<boolean>
rate-limit
  Description: Enables specification of parameters designed to minimize the use of this server in amplifying reflection denial-of-service attacks, which inundate a spoofed (target) IP address. The server will limit nearly identical answers for a given IP address (or for addresses within a block, if ipv4-prefix-length (default = 24) or ipv6-prefix-length (default = 56) is specified) and/or for a given namespace, if a domain is specified.
  Responses by type (responses, referrals, nodata, nxdomains or errors), or all responses, can be limited based on the quantity of responses already provided, as specified in the respective "per-second" parameter.
  The qps-scale parameter dampens the responses/errors/nxdomains or all per-second values to tighten defenses during an attack, based on the overall query rate. For example, if qps-scale is set to 250 and responses-per-second is 20, then a total query rate of 1000 qps changes the effective responses-per-second to (250/1000)*20 = 5. The optional parameters on responses-per-second restrict rate limiting to responses above a minimum size or amplification factor: size is the minimum response size that will trigger this parameter; ratio indicates that the policy applies to responses where the response size/request size ratio exceeds this value.
  Data type: string
  Block: options, view
  Tags: query
  Supported versions: all
  Example:
    rate-limit {
      [responses-per-second number ;]
      [referrals-per-second number ;]
      [nodata-per-second number ;]
      [nxdomains-per-second number ; ]
      [errors-per-second number ; ]
      [all-per-second number ; ]
      [window number ; ]
      [log-only (yes | no) ; ]
      [qps-scale number ; ]
      [ipv4-prefix-length number ; ]
      [ipv6-prefix-length number ; ]
      [slip number ; ]
      [exempt-clients {addr_match_list} ; ]
      [max-table-size number ; ]
      [min-table-size number ; ]
    };
  Grammar:
    rate-limit {
      all-per-second <integer>;
      errors-per-second <integer>;
      exempt-clients { <address_match_element>; ... };
      ipv4-prefix-length <integer>;
      ipv6-prefix-length <integer>;
      log-only <boolean>;
      max-table-size <integer>;
      min-table-size <integer>;
      nodata-per-second <integer>;
      nxdomains-per-second <integer>;
      qps-scale <integer>;
      referrals-per-second <integer>;
      responses-per-second <integer>;
      slip <integer>;
      window <integer>;
    }
recursion
  Description: Turns recursion on or off. If set to yes, the server will perform recursion to obtain the answer for the client; if no, the server will attempt to give an authoritative answer, cached information, or a referral to another name server.
  Data type: boolean
  Block: options, view
  Tags: query
  Supported versions: all
  Example: Enter yes or no. Eg: yes
  Grammar: <boolean>

recursive-clients
  Description: Defines the maximum number of simultaneous recursive lookups the server will perform on behalf of clients (default = 1000).
  Data type: integer
  Block: options
  Tags: query
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

request-expire
  Description: Configures the server to request the EDNS EXPIRE value from its master server. This value indicates the time remaining until the zone expires if it is not refreshed. The use case for this option is a server configured as a slave that requests zone transfers from another slave. The default is yes.
  Data type: boolean
  Block: options, server, view, zone
  Tags: transfer, query
  Supported versions: all
  Example: Enter yes or no. Eg: yes
  Grammar: <boolean>

request-ixfr
  Description: Used in options or server statements to configure a slave to request (or not request) IXFRs from its master.
  Data type: boolean
  Block: options, server, view, zone
  Tags: transfer
  Supported versions: all
  Example: Enter yes or no. Eg: yes
  Grammar: <boolean>

request-nsid
  Description: When set to yes, an empty EDNS0 Name Server Identifier (NSID) option is sent with all queries to authoritative name servers during iterative name resolution. Returned NSID values are logged in the resolver logging category at level info. Default = no.
  Data type: boolean
  Block: options, server, view
  Tags: query
  Supported versions: all
  Example: Enter yes or no. Eg: yes
  Grammar: <boolean>

require-server-cookie
  Description: Configures the server to require a valid server cookie within a query from a cookie-aware client before sending a full response in reply. The BADCOOKIE error is sent if the cookie is absent or invalid.
  Data type: boolean
  Block: options, view
  Tags: query
  Supported versions: all
  Example: Enter yes or no. Eg: yes
  Grammar: <boolean>

reserved-sockets
  Description: Specifies the number of file descriptors supported by the operating system, so that named stays within this constraint (default = 512).
  Data type: integer
  Block: options
  Tags: transfer
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

resolver-nonbackoff-tries
  Description: Defines the number of queries sent prior to applying backoff retries.
  Data type: integer
  Block: options, view
  Tags: server
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

resolver-query-timeout
  Description: Specifies the number of seconds the server should await a response to a query before failing (SERVFAIL). The default is 10 and the maximum is 30.
  Data type: integer
  Block: options, view
  Tags: query
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

resolver-retry-interval
  Description: Defines the time between successive query retries.
  Data type: integer
  Block: options, view
  Tags: server, query
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

response-padding
  Description: Enables padding of responses using the EDNS Padding option to maintain consistent packet sizes, improving the confidentiality of DNS queries transmitted over encrypted channels. The response will be padded up to block-size bytes if and only if the query a) contains an EDNS Padding option, b) includes a valid server cookie or uses TCP, c) is not signed using TSIG or SIG(0), and d) is from a client falling within the specified address_match_element.
  Data type: string
  Block: response-padding
  Tags: query
  Supported versions: all
  Example: Enter the client address list and the EDNS padding block size in bytes. Eg: { 192.168.0.1; 192.168.0.2; } block-size 256
  Grammar: { <address_match_element>; ... } block-size <integer>
response-policy
  Description: Also known as a "DNS Firewall," this option enables specification of modified responses to queries for the specified zone in accordance with the response policy zone initiative, where domain registrars may share valid (e.g. non-spammer) domain names to enable their resolution, while not resolving, modifying or otherwise processing responses for "invalid" domain names as identified via blacklist/whitelist queries. Please consult our DNS firewall section for specification details.
  Data type: string
  Block: options, view
  Tags: security, query, zone, server
  Supported versions: all
  Example: Eg: { zone "badlist" add-soa yes; }
  Grammar: { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ ede <string> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ]
reuseport
  Description: The reuseport option allows a DNS server to let multiple processes bind to the same port number for incoming traffic, facilitating load balancing across processes and improving the server's ability to handle high volumes of parallel requests.
  Data type: boolean
  Block: options
  Tags: server
  Supported versions: all
  Example: Enter yes or no. Eg: yes
  Grammar: <boolean>

root-delegation-only
  Description: Enables enforcement of delegation-only processing in the root and TLDs, except for those domains listed in the namelist after the exclude keyword.
  Data type: string
  Block: options
  Tags: query
  Supported versions: all
  Example: Enter an exclude list of domain names. Eg: exclude { "com"; "net"; "example.org"; }
  Grammar: [ exclude { <string>; ... } ]

root-key-sentinel
  Description: Enables the server to respond to DNS root key sentinel queries, which let the querier deduce the trusted root zone key configured on the server. These queries are useful for administrators and Internet researchers to verify key configurations, e.g., prior to a key rollover.
  Data type: boolean
  Block: options, view
  Tags: server
  Supported versions: all
  Example: Enter yes or no. Eg: yes
  Grammar: <boolean>
rrset-order
  Description: Enables specification of the ordering of resource records when multiple records apply to the query. The rrtype parameter refers to a resource record type (e.g., MX) and a given domain name (e.g., manageengine.com). The ordering (ordertype) may be:
    fixed - the order in which they are defined in the zone
    random or cyclic - round robin
    none - records are returned in the order they were retrieved from the database. This order is indeterminate but remains consistent as long as the database is not modified.
  Data type: string
  Block: options, view
  Tags: query
  Supported versions: all
  Example: Enter the order in which equal RRs (RRsets) are returned. Eg:
    rrset-order {
      type A name "foo.isc.org" order random;
      type AAAA name "foo.isc.org" order cyclic;
      name "bar.isc.org" order fixed;
      name "*.bar.isc.org" order random;
      name "*.baz.isc.org" order cyclic;
    };
  Grammar: { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... }
secroots-file
  Description: Specifies the pathname of the file to which the rndc secroots command dumps security roots (default = named.secroots).
  Data type: quoted_string
  Block: options
  Tags: dnssec
  Supported versions: all
  Example: Enter the pathname of the file where the server dumps security roots. Eg: "/var/named/example.secroots"
  Grammar: <quoted_string>

send-cookie
  Description: Configures the server to send an EDNS COOKIE with each query, providing identification to the queried server to avoid potential rate-limiting treatment.
  Data type: boolean
  Block: options, server, view
  Tags: query
  Supported versions: all
  Example: Enter yes or no. Eg: yes
  Grammar: <boolean>

serial-query-rate
  Description: Specifies the maximum number of serial number queries per second to be sent to the master, across all zones (default = 20).
  Data type: integer
  Block: options
  Tags: transfer
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

serial-update-method
  Description: Configures the format of the zone serial number in the SOA record. Setting increment makes the serial a monotonically increasing integer. The unixtime format sets the serial to the number of seconds since the UNIX epoch, unless the serial number is already greater than this value, in which case it is incremented by 1. The date method defines the serial number format as YYYYMMDDXX, where XX is an incremented value from 00 to 99.
  Data type: string
  Block: options, view, zone
  Tags: zone
  Supported versions: all
  Example: Enter the update method to be used for the zone serial number in the SOA record. Valid values: date, increment or unixtime. Eg: date
  Grammar: ( date | increment | unixtime )

server-id
  Description: Specifies the ID that the server should provide in response to a name server identifier (NSID) query or a query for owner ID.SERVER of type TXT in class CHAOS. This information can be helpful in identifying the responding server in an anycast deployment. Setting the server-id string to none (the default) disables responses to such queries; setting it to hostname returns the configured hostname (per the gethostbyname() sockets call).
  Data type: string
  Block: options
  Tags: server
  Supported versions: all
  Example: Enter the ID of the server to return in response to an ID.SERVER query. Valid values: none, hostname, or a custom server ID enclosed in quotes. Eg: "example_server"
  Grammar: ( <quoted_string> | none | hostname )
servfail-ttl
  Description: Defines the number of seconds to cache a SERVFAIL response caused by DNSSEC validation failure or another server failure. This cache is ignored for queries with the Checking Disabled (CD) bit set, so that querying without validation remains possible if desired. The default is 1s, a value of 0 disables such caching, and the maximum value is 30s.
  Data type: duration
  Block: options, view
  Tags: server
  Supported versions: all
  Example: Enter time in seconds or a valid ISO 8601 duration. Eg: 40
  Grammar: <duration>

session-keyalg
  Description: When BIND's pre-defined update-policy local; is configured, named automatically creates a TSIG key to sign local dynamic updates. By default the key generation algorithm is HMAC-SHA256, but this option enables overriding that default. Valid values of algorithm are: hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and hmac-md5.
  Data type: string
  Block: options
  Tags: security
  Supported versions: all
  Example: Enter a valid algorithm to use for the TSIG session key. Eg: hmac-sha256
  Grammar: <string>

session-keyfile
  Description: When BIND's pre-defined update-policy local; is configured, named automatically creates a TSIG key to sign local dynamic updates. By default the key file is /var/run/named/session.key, though an alternative pathname may be defined using this option.
  Data type: string
  Block: options
  Tags: security
  Supported versions: all
  Example: Enter the pathname of the file where the TSIG session key is written. Eg: "/var/keyfolder/example.key"
  Grammar: ( <quoted_string> | none )

session-keyname
  Description: When BIND's pre-defined update-policy local; is configured, named automatically creates a TSIG key to sign local dynamic updates. By default the key name is local-ddns, though this option may be used to define a different key name.
  Data type: string
  Block: options
  Tags: security
  Supported versions: all
  Example: Enter a name for the TSIG session key. Eg: example-key
  Grammar: <string>

sig-signing-nodes
  Description: Specifies the maximum number of "nodes" (unique RRset owners) that are examined during a zone re-signing evaluation to determine whether each requires re-signing. The default is 100.
  Data type: integer
  Block: options, view, zone
  Tags: dnssec
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

sig-signing-signatures
  Description: Specifies the maximum number of RRsets that will be re-signed during an automatic re-signing pass. This option bounds the number of signatures performed during a re-sign. The default is 10.
  Data type: integer
  Block: options, view, zone
  Tags: dnssec
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

sig-signing-type
  Description: Specifies the RData type to be used when generating key signing records. The default is 65535.
  Data type: integer
  Block: options, view, zone
  Tags: dnssec
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

sig-validity-interval
  Description: Defines the expiration date, as a number of days in the future, for DNSSEC signatures automatically generated for dynamic updates to a secure zone. The default is 30 days and the maximum value is 10 years. The optional re-sign parameter defines the remaining time on RRset signatures within which the server should re-sign the RRset. If days is < 7, re-sign is in units of hours; otherwise it is in days. If re-sign is not specified, days/4 is used as the re-sign value. This option can be overridden for DNSKEY records via the dnskey-sig-validity option.
  Data type: string
  Block: view, options, zone
  Tags: obsolete
  Supported versions: all
  Example: Enter the number of days. Eg: 60
  Grammar: <integer> [ <integer> ]
sortlist
  Description: Enables the ordering of records in query responses to be specified according to the source of the query, so that each querier receives its preferred ordering of responses. Here are the details on the syntax and interpretation of the sortlist option.
  Data type: address_list
  Block: view, options
  Tags: query
  Supported versions: all
  Example: Enter a list of valid ip_addresses/netprefixes/acl_names/server_keys enclosed within curly braces and separated by semicolons. Eg: { 192.168.1.1; 192.168.1.2; }
  Grammar: { <address_match_element>; ... }

stacksize
  Description: Defines the maximum amount of stack memory the server may use. The default is default, i.e., the amount of stack memory the operating system allocates by default.
  Data type: string
  Block: options
  Tags: query
  Supported versions: all
  Example: Enter a size in bytes, followed by an optional suffix 'k', 'm' or 'g'. Eg: 3k
  Grammar: <sizeval>

stale-answer-client-timeout
  Description: Defines how long the server will wait before attempting to answer the query with a stale resource record from cache; if an answer is resolved in the meantime, the server will answer with and cache the resolved value. The minimum value is 0 (immediately return stale records) and the maximum is the value of resolver-query-timeout minus one second. The default is off (equivalent to disabled), and this option is ignored if stale-answer-enable is set to no.
  Data type: string
  Block: options, view
  Tags: server, query
  Supported versions: all
  Example: Enter an amount of time in milliseconds. To disable this option, enter disabled or off. Eg: 100
  Grammar: ( disabled | off | <integer> )

stale-answer-enable
  Description: Enables the server to respond with cached resource records whose TTL has expired when an authoritative server cannot be reached. The default is no. When set to yes, stale-cache-enable should also be set to yes.
  Data type: boolean
  Block: options, view
  Tags: server, query
  Supported versions: all
  Example: Enter yes or no. Eg: yes
  Grammar: <boolean>

stale-answer-ttl
  Description: Defines the TTL to be transmitted on stale resource records (records retained in cache whose TTL has expired). The default is 1s.
  Data type: duration
  Block: options, view
  Tags: query
  Supported versions: all
  Example: Enter time in seconds or a valid ISO 8601 duration. Eg: 40
  Grammar: <duration>

stale-cache-enable
  Description: Enables the server to retain in cache, rather than expire, stale resource records, i.e., those whose TTL has expired while an authoritative server cannot be reached. The default is yes.
  Data type: boolean
  Block: options, view
  Tags: server, query
  Supported versions: all
  Example: Enter yes or no. Eg: yes
  Grammar: <boolean>

stale-refresh-time
  Description: If the authoritative name servers for a queried zone are not answering queries, the recursive server will reply to its clients' queries with stale resource records, without attempting to query the authoritative servers, for the specified duration. The default is 30s; a value of 0 disables this feature, so that full resolution is attempted for every query regardless of the authoritative servers' status.
  Data type: duration
  Block: options, view
  Tags: server, query
  Supported versions: all
  Example: Enter time in seconds or a valid ISO 8601 duration. Eg: 40
  Grammar: <duration>

startup-notify-rate
  Description: Defines the rate of NOTIFY requests sent when the name server is first starting up or when zones have been newly added. The default rate is 20 per second.
  Data type: integer
  Block: options
  Tags: zone, transfer
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

statistics-file
  Description: Specifies the pathname of the file to which the server appends statistics when the rndc stats command is executed. The default is named.stats.
  Data type: quoted_string
  Block: options
  Tags: logging, server
  Supported versions: all
  Example: Enter the pathname of the file enclosed in quotes. Eg: "/var/named/named.stats"
  Grammar: <quoted_string>

synth-from-dnssec
  Description: Setting to yes (the default) can improve DNSSEC resolution performance by enabling synthesized, validated responses based on cached NSEC records (NSEC3 support is not yet implemented) and other RRsets that have previously been validated.
  Data type: boolean
  Block: options, view
  Tags: dnssec
  Supported versions: all
  Example: Enter yes or no. Eg: yes
  Grammar: <boolean>
tcp-advertised-timeout
  Description: Sets the timeout value the server will send in responses containing the EDNS TCP Keepalive option, specified in units of 100ms. Valid values range from 0 (close TCP connections immediately) to 65535, and the default is 300 (30s).
  Data type: integer
  Block: options
  Tags: query
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

tcp-clients
  Description: Limits the number of concurrent TCP connections (default = 100).
  Data type: integer
  Block: options
  Tags: server
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

tcp-idle-timeout
  Description: Defines the length of time the server waits on an idle TCP connection before closing it when the client is not using the EDNS TCP Keepalive option. This timeout is specified in units of 100ms. Valid values range from 1 (0.1s) to 1200 (2m), and the default is 300 (30s).
  Data type: integer
  Block: options
  Tags: query
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

tcp-initial-timeout
  Description: Defines the length of time the server waits on a new TCP connection for the first message from the client before closing the connection. This timeout is specified in units of 100ms. Valid values range from 1 (0.1s) to 65535, and the default is 300 (30s).
  Data type: integer
  Block: options
  Tags: query, server
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

tcp-keepalive-timeout
  Description: Specifies the length of time the server waits on an idle TCP connection before closing it when the client is using the EDNS TCP Keepalive option. This timeout is specified in units of 100ms. Valid values range from 1 (0.1s) to 1200 (2m), and the default is 300 (30s). If you plan to serve DNS-over-HTTPS, you might want to set tcp-initial-timeout, tcp-keepalive-timeout and tcp-idle-timeout to the minimum values that work for you; tcp-initial-timeout 100, tcp-keepalive-timeout 100 and tcp-idle-timeout 100 (ten seconds) is a good setting to try.
  Data type: integer
  Block: options
  Tags: query
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

tcp-listen-queue
  Description: Specifies the queue depth for listening for TCP connections (default and minimum = 3).
  Data type: integer
  Block: options
  Tags: server
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>
tcp-receive-buffer
  Description: Specifies the size of the buffer that the DNS server uses to receive data over TCP connections. The buffer is a block of memory allocated for storing incoming data until it can be processed. A receive buffer of the correct size can improve the server's ability to handle incoming data efficiently, especially when multiple or large DNS queries are received simultaneously over TCP. If the buffer is too small, it may result in slow data processing and the need for retransmissions if packets are dropped. If too large, it may waste system resources without any added performance benefit.
  Data type: integer
  Block: options
  Tags: server
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

tcp-send-buffer
  Description: Determines the size of the buffer for sending data to clients or other DNS servers via TCP. The send buffer holds outgoing data before it is transmitted over the network. Configuring an appropriate send buffer size is crucial for the efficient handling of outbound traffic, particularly when the server is sending large amounts of data, such as DNSSEC responses or zone transfers. A send buffer that is too small might lead to underutilization of the available network bandwidth, causing delays in data transmission; conversely, a buffer that is too large could unnecessarily consume memory. Both tcp-receive-buffer and tcp-send-buffer need to be set in consideration of the operating system limits, network conditions, and expected traffic loads to balance resource usage against performance and reliability. Proper tuning of these parameters can lead to a more responsive and stable DNS service, especially under high load or in networks with high latency.
  Data type: integer
  Block: options
  Tags: server
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

tkey-dhkey
  Description: This option specifies the Diffie-Hellman key to use to generate shared keys with clients when using the Diffie-Hellman mode of TKEY. In most cases this should be the server's hostname.
  Data type: string
  Block: options
  Tags: security
  Supported versions: all
  Example: Enter the key-id and key-tag separated by a space. Eg: "key-id" "key-tag"
  Grammar: <quoted_string> <quoted_string>

tkey-domain
  Description: This option specifies the domain name that should be appended to the names of all shared keys generated during a TKEY exchange. In most cases the domain name should be the server's domain name.
  Data type: quoted_string
  Block: options
  Tags: security
  Supported versions: all
  Example: Enter the TKEY domain as a quoted string. Eg: "example.com"
  Grammar: <quoted_string>

tkey-gssapi-credential
  Description: This option configures the credential to be used to authenticate keys for use with the GSS-TSIG protocol, e.g. when performing secure updates to Microsoft Windows DNS. Currently a Kerberos principal is supported.
  Data type: quoted_string
  Block: options
  Tags: security
  Supported versions: all
  Example: Eg: "DNS/example.com";
  Grammar: <quoted_string>

tkey-gssapi-keytab
  Description: Defines the pathname of the key file used to authenticate Kerberos 5 credentials. If not set, the typical system key file is /etc/krb5.keytab.
  Data type: quoted_string
  Block: options
  Tags: security
  Supported versions: all
  Example: Eg: "/etc/krb5.keytab"
  Grammar: <quoted_string>

tls-port
  Description: Designates the port number for secure DNS queries over TLS. The standard port for DNS over TLS is 853, as defined by IANA (Internet Assigned Numbers Authority). By setting the tls-port option, the DNS server is instructed to establish secure connections with clients that request DNS resolution through TLS, ensuring that DNS queries and responses are encrypted and protected from eavesdropping and man-in-the-middle attacks. It is an essential part of implementing DoT on a DNS server, which is increasingly important for enhancing privacy and security in DNS transactions.
  Data type: integer
  Block: options
  Tags: query, server
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>
transfer-format
  Description: Specifies, on a master server, which format to employ for zone transfers: one-answer places one resource record per message, while many-answers (the default) places as many records as will fit within the message size in each transfer message.
  Data type: string
  Block: options, server, view
  Tags: transfer
  Supported versions: all
  Example: Valid values: many-answers, one-answer. Eg: many-answers
  Grammar: ( many-answers | one-answer )

transfer-message-size
  Description: Intended primarily for testing, this option defines a soft upper bound on uncompressed zone transfer messages over TCP. If the message size exceeds this bound, multiple messages will be sent; however, if the Rdata of a single resource record exceeds the bound, it will be sent regardless. Valid values range from 512 to 65535 and the default is 20480.
  Data type: integer
  Block: options
  Tags: transfer
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

transfer-source
  Description: Defines the server's network interface (IPv4 address and, optionally, port number) to which incoming zone transfers will be bound. This option also specifies the source IP address and, optionally, the source UDP port for SOA query messages and forwarded dynamic updates.
  Data type: string
  Block: options, server, view, zone
  Tags: transfer
  Supported versions: all
  Example: Enter the local IPv4 address bound to the TCP connections used to fetch zones transferred inbound to the server. Eg: 192.168.0.2
  Grammar: ( <ipv4_address> | * )

transfer-source-v6
  Description: Defines the server's network interface (IPv6 address and, optionally, port number) to which inbound zone transfers will be bound. This option also specifies the source IPv6 address and, optionally, the source UDP port for SOA query messages and forwarded dynamic updates.
  Data type: string
  Block: options, server, view, zone
  Tags: transfer
  Supported versions: all
  Example: Enter the local IPv6 address bound to the TCP connections used to fetch zones transferred inbound to the server. Eg: 2001:db8::1
  Grammar: ( <ipv6_address> | * )

transfers-in
  Description: Specifies a limit on the total number of concurrently running inbound zone transfers (default = 10).
  Data type: integer
  Block: options
  Tags: transfer
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

transfers-out
  Description: Specifies a limit on the total number of concurrently running outbound zone transfers (default = 10).
  Data type: integer
  Block: options
  Tags: transfer
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

transfers-per-ns
  Description: Specifies a limit on the number of concurrently running inbound zone transfers from any given server (default = 2).
  Data type: integer
  Block: options
  Tags: transfer
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

trust-anchor-telemetry
  Description: The trust-anchor-telemetry option enables a DNS server to automatically query for DNSSEC trust anchors to monitor their status, ensuring they are current and valid for the authentication of DNS responses. This feature helps maintain DNS security by facilitating the automatic update of trust anchors during key rollover events, in compliance with DNSSEC standards.
  Data type: boolean
  Block: options, view
  Tags: dnssec
  Supported versions: all
  Example: Enter yes or no. Eg: yes
  Grammar: <boolean>

try-tcp-refresh
  Description: If a zone refresh query via UDP fails, this option, when set to yes, configures the server to reattempt the query using TCP. The default is yes.
  Data type: boolean
  Block: options, view, zone
  Tags: transfer
  Supported versions: all
  Example: Enter yes or no. Eg: yes
  Grammar: <boolean>
udp-receive-buffer
  Description: This option sets the size of the buffer that the DNS server uses to receive UDP (User Datagram Protocol) packets. A larger receive buffer can improve performance by allowing the server to handle more incoming requests simultaneously, especially during traffic spikes. If the buffer is too small, the server may drop incoming requests because it does not have enough space to store them, leading to increased query times or failed requests. Configuring the right size for the UDP receive buffer is a balance: too small, and you risk losing packets; too large, and you may waste system resources or run into other limits set by the operating system.
  Data type: integer
  Block: options
  Tags: server
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

udp-send-buffer
  Description: This option sets the size of the buffer used for sending UDP packets from the DNS server. Just as with the receive buffer, a send buffer that is too small can lead to packet loss and poor performance, especially when responding to a large volume of requests. Conversely, a buffer that is too large could be inefficient, potentially holding data longer than necessary and using more memory than needed. The send buffer size can affect how quickly the server can respond to requests and handle outgoing traffic loads.
  Data type: integer
  Block: options
  Tags: server
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

update-check-ksk
  Description: Configures the server to use KSK(s) (keys whose corresponding DNSKEY resource record has the KSK flag set) to sign only the DNSKEY RRset (if set to yes), or to ignore the KSK flag and use all zone keys to sign the zone (if set to no). The default of yes effectively requires the use of separate KSKs and ZSKs per zone, while a setting of no enables use of one key per zone.
  Data type: boolean
  Block: options, view, zone
  Tags: obsolete
  Supported versions: all
  Example: Enter yes or no. Eg: yes
  Grammar: <boolean>

update-quota
  Description: Specifies the maximum number of concurrent DNS UPDATE messages that can be processed by the server, i.e., the maximum number of simultaneous DNS UPDATE messages the server will accept for updating local authoritative zones or forwarding to a primary server. The default is 100.
  Data type: integer
  Block: options
  Tags: server
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

use-alt-transfer-source
  Description: Controls the use of the alternative transfer source options for IPv4 and IPv6 (alt-transfer-source and alt-transfer-source-v6 respectively).
  Data type: boolean
  Block: options
  Tags: server
  Supported versions: all
  Example: Enter yes or no. Eg: yes
  Grammar: <boolean>
use-v4-udp-ports
  Description: Specifies a range or pool of port numbers from which a randomly selected value will be used as the source port for outbound IPv4 queries. Values set in the avoid-v4-udp-ports option will be excluded from this port list when generating port numbers. The default range is 1024 65535.
  Note: Make sure your port range coincides with the ports permitted for named by the operating system on which it is running; otherwise queries using these port numbers will fail.
  Data type: string
  Block: options
  Tags: deprecated
  Supported versions: all
  Example: Enter a list of ports that are valid sources for UDP/IPv4 messages. Valid values: list of ports or port ranges. Eg: { 7080; range 480 500; }
  Grammar: { <portrange>; ... }

use-v6-udp-ports
  Description: Specifies a range or pool of port numbers from which a randomly selected value will be used as the source port for outbound IPv6 queries. Values set in the avoid-v6-udp-ports option will be excluded from this port list when generating port numbers. The default range is 1024 65535.
  Note: Make sure your port range coincides with the ports permitted for named by the operating system on which it is running; otherwise queries using these port numbers will fail.
  Data type: string
  Block: options
  Tags: deprecated
  Supported versions: all
  Example: Enter a list of ports that are valid sources for UDP/IPv6 messages. Valid values: list of ports or port ranges. Eg: { 7080; range 480 500; }
  Grammar: { <portrange>; ... }

v6-bias
  Description: Indicates the number of milliseconds of preference to give to IPv6 name servers. When determining the next name server to try, this is the number of milliseconds by which IPv6 name servers are preferred. The default is 50 milliseconds.
  Data type: integer
  Block: options, view
  Tags: query, server
  Supported versions: all
  Example: Enter a valid integer. Eg: 100
  Grammar: <integer>

validate-except
  Description: This option disables DNSSEC validation for the specified domains and their subdomains. While negative trust anchors provide this functionality on a temporary basis, this option permanently disables validation for these domains, such as unsigned local-use domains.
  Data type: string
  Block: options, view
  Tags: dnssec
  Supported versions: all
  Example: Enter a list of domain names at and beneath which DNSSEC validation should not be performed. Eg: { "example1.com"; "example2.com"; }
  Grammar: { <string>; ... }

version
  Description: This option specifies the string the server should provide in response to a TXT query of class CHAOS for the name version.bind. Setting version_string to "none" disables responding to these queries.
  Data type: string
  Block: options
  Tags: server
  Supported versions: all
  Example: Enter a version string enclosed in quotes that will be returned on a version.bind query; if not required, enter none. Eg: "12.0.4"
  Grammar: ( <quoted_string> | none )

zero-no-soa-ttl
  Description: Instructs the server to set the TTL to zero when returning an authoritative negative response to an SOA query (default = yes).
  Data type: boolean
  Block: view, zone, options
  Tags: server, query, zone
  Supported versions: all
  Example: Enter yes or no. Eg: yes
  Grammar: <boolean>

zero-no-soa-ttl-cache
  Description: Instructs the server to set the TTL to zero when caching a negative response to an SOA query (default = no).
  Data type: boolean
  Block: options, view
  Tags: server, query, zone
  Supported versions: all
  Example: Enter yes or no. Eg: yes
  Grammar: <boolean>

zone-statistics
  Description: Instructs the server to collect statistical data on all zones (or, per zone, controlled/overridden in the zone statement).
  Data type: string
  Block: view, zone, options
  Tags: zone, logging
  Supported versions: all
  Example: Either one of the three values full/terse/none, or a boolean value (yes or no). Eg: full
  Grammar: ( full | terse | none | <boolean> )