named(1M) named(1M)
NAME
named - Internet name server
SYNOPSIS
named [-d level] [-p port] [[-b] bootfile] [-q] [-r]
DESCRIPTION
named is the name server of the Internet domain. It is used by the
hosts on the Internet to provide access to the Internet distributed
naming database. An operations guide ("BOG") can be found in
/usr/lib/named. For more information, see RFC-1034 and RFC-1035.
named provides negative caching. Negative caching means that the domain
name server internally stores any negative responses that it receives
from other domain name servers as a result of a query. In this way, the
domain name server can answer its own queries for a certain amount of
time, without having to access other domain name servers.
OPTIONS
No option specified:
named reads the file /etc/named.boot for any initial data and
listens for queries on a privileged port.
-d level
level indicates the set of messages to be output. Each level
includes the messages of any lower level, e.g. level 2 includes
the messages of level 1.
level:
1 initialization information, syntax errors, DNS packet errors
2 IP addresses of remote servers for lookup, round-trip
values, duplicate and errored responses, system/user
queries, zone transfers, negative caching
3 detailed information: database file updates, duplicate
queries, system queries, names of remote servers used during
lookup, number of addresses for each server, SOA response
4 query and response packets received
5 internal error messages
6 additional error messages
7 no additional information
8 no additional information
9 no additional information
Page 1 Reliant UNIX 5.44 Printed 11/98
10 query and response packets sent by NFS
11 additional error messages
-p port
Use non-standard port numbers. The default is the standard port
number as returned by getservbyname(3N) for service "domain". The
argument can specify two port numbers separated by a slash ("/") in
which case the first port is that used when contacting remote
servers, and the second one is the service port bound by the local
instance of named. This is used mostly for debugging purposes.
-b bootfile
The file bootfile is used instead of /etc/named.boot for initialization.
-q Trace all incoming queries. NOTE: This option is deprecated in
favor of the boot file directive "options query-log".
-r Turns recursion off in the server. Answers can come only from
local (primary or secondary) zones. This can be used on root
servers. NOTE: This option is deprecated in favor of the boot
file line "options no-recursion".
Any additional argument is taken as the name of the boot file. If multiple
boot files are specified, only the last is used.
The boot file contains information about where the name server is to
get its initial data. Lines in the boot file cannot be continued on
subsequent lines. The following is a small example:
    ;
    ; boot file for name server
    ;
    directory /usr/local/adm/named
    ; type domain source host/file backup file
    cache . root.cache
    primary Berkeley.EDU berkeley.edu.zone
    primary 32.128.IN-ADDR.ARPA ucbhosts.rev
    secondary CC.Berkeley.EDU 128.32.137.8 128.32.137.3 cc.zone.bak
    secondary 6.32.128.IN-ADDR.ARPA 128.32.137.8 128.32.137.3 cc.rev.bak
    primary 0.0.127.IN-ADDR.ARPA localhost.rev
    forwarders 10.0.0.78 10.2.0.78
    limit transfers-in 10
    limit datasize 64M
    limit transfers-per-ns 2
    options forward-only query-log fake-iquery
The "directory" line causes the server to change its working directory
to the directory specified. This can be important for the correct processing
of $INCLUDE files in primary zone files.
The "cache" line specifies that data in "root.cache" is to be placed
in the backup cache. Its main use is to specify data such as locations
of root domain servers. This cache is not used during normal operation,
but is used as "hints" to find the current root servers. The
file "root.cache" is in the same format as "berkeley.edu.zone". There
can be more than one "cache" file specified. The "root.cache" file
should be retrieved periodically from FTP.RS.INTERNIC.NET since it
contains a list of root servers, and this list changes periodically.
The first example "primary" line states that the file
"berkeley.edu.zone" contains authoritative data for the "Berkeley.EDU"
zone. The file "berkeley.edu.zone" contains data in the master file format
described in RFC 883. All domain names are relative to the origin,
in this case, "Berkeley.EDU" (see below for a more detailed description).
The second "primary" line states that the file "ucbhosts.rev"
contains authoritative data for the domain "32.128.IN-ADDR.ARPA", which
is used to translate addresses in network 128.32 to hostnames. Each master
file should begin with an SOA record for the zone (see below).
The first example "secondary" line specifies that all authoritative
data under "CC.Berkeley.EDU" is to be transferred from the name server
at 128.32.137.8. If the transfer fails it will try 128.32.137.3 and
continue trying the addresses, up to 10, listed on this line. The
secondary copy is also authoritative for the specified domain. The
first non-dotted-quad address on this line will be taken as a filename
in which to backup the transferred zone. The name server will load the
zone from this backup file if it exists when it boots, providing a
complete copy even if the master servers are unreachable. Whenever a
new copy of the domain is received by automatic zone transfer from one
of the master servers, this file will be updated. If no file name is
given, a temporary file will be used, and will be deleted after each
successful zone transfer. This is not recommended since it is a needless
waste of bandwidth. The second example "secondary" line states
that the address-to-hostname mapping for the subnet 128.32.136 should
be obtained from the same list of master servers as the previous zone.
The "forwarders" line specifies the addresses of site-wide servers
that will accept recursive queries from other servers. If the boot
file specifies one or more forwarders, then the server will send all
queries for data not in the cache to the forwarders first. Each forwarder
will be asked in turn until an answer is returned or the list
is exhausted. If no answer is forthcoming from a forwarder, the server
will continue as it would have without the forwarders line unless it
is in "forward-only" mode. The forwarding facility is useful to cause
a large site-wide cache to be generated on a master, and to reduce
traffic over links to outside servers. It can also be used to allow
servers to run that do not have direct access to the Internet, but
wish to look up exterior names anyway.
The "slave" line (deprecated) is allowed for backward compatibility.
Its meaning is identical to "options forward-only".
The "sortlist" line (not shown) can be used to indicate networks that
are to be preferred over other networks. Queries for host addresses
from hosts on the same network as the server will receive responses
with local network addresses listed first, then addresses on the sort
list, then other addresses.
The "xfrnets" line (not shown) can be used to implement primitive
access control. If this line is given, then your name server will only
answer zone transfer requests from hosts which are on networks listed
in your "xfrnets" lines. This line may also be given as "tcplist" for
compatibility with older, interim servers.
The "include" line (not shown) can be used to process the contents of
some other file as though they appeared in place of the "include"
line. This is useful if you have a lot of zones or if you have logical
groupings of zones which are maintained by different people. The
"include" line takes one argument, that being the name of the file
whose contents are to be included. No quotes are necessary around the
file name.
The "bogusns" line (not shown) tells BIND that no queries are to be
sent to the specified name server addresses (which are specified as
dotted quads, not as domain names). This is useful when you know that
some popular server has bad data in a zone or cache, and you want to
avoid contamination while the problem is being fixed.
The "limit" line can be used to change BIND's internal limits, some of
which (datasize, for example) are implemented by the system and others
(like transfers-in) by BIND itself. The number following the limit
name can be scaled by postfixing a "k", "m", or "g" for kilobytes,
megabytes, and gigabytes respectively. datasize's argument sets the
process data size enforced by the kernel. transfers-in's argument is
the number of named-xfer(1M) subprocesses which BIND will spawn at any
one time. transfers-per-ns's argument is the maximum number of zone
transfers (default: 2) to be simultaneously initiated to any given
remote name server.
The "options" line introduces a boolean specifier that changes the
behavior of BIND. More than one option can be specified in a single
line. The currently defined options are as follows: no-recursion,
which will cause BIND to answer with a referral rather than actual
data whenever it receives a query for a name it is not authoritative
for - don't set this on a server that is listed in any host's
resolv.conf(4) file; no-fetch-glue, which keeps BIND from fetching
missing glue when constructing the "additional data" section of a
response; this can be used in conjunction with no-recursion to prevent
BIND's cache from ever growing in size or becoming corrupted;
query-log, which causes all queries to be logged via syslogd(1M) -
this is a lot of data, don't turn it on lightly; forward-only, which
causes the server to query only its forwarders - this option is normally
used on a machine that wishes to run a server but for physical or
administrative reasons cannot be given access to the Internet; and
fake-iquery, which tells BIND to send back a useless and bogus reply
to "inverse queries" rather than responding with an error - this is
helpful if you have a lot of microcomputers or SunOS hosts or both.
The "max-fetch" line (not shown) is allowed for backward compatibility;
its meaning is identical to "limit transfers-in".
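As an added illustration (not part of the original manual page or of BIND), the following Python parses a boot file of the form shown above and applies some of the rules this section states: the k/m/g scaling of "limit" values, the 10-address ceiling and backup-file advice for "secondary" lines, and the fact that without an "xfrnets" (or "tcplist") line zone transfer requests are answered for any host. The sample boot file and the finding texts are constructed for the example.

```python
import ipaddress

# Constructed boot file modelled on the page's example; not a real site's configuration.
SAMPLE_BOOT = """\
; boot file for name server
directory /usr/local/adm/named
primary Berkeley.EDU berkeley.edu.zone
secondary CC.Berkeley.EDU 128.32.137.8 128.32.137.3 cc.zone.bak
secondary 6.32.128.IN-ADDR.ARPA 128.32.137.8 128.32.137.3
forwarders 10.0.0.78 10.2.0.78
limit datasize 64M
options forward-only query-log fake-iquery
"""
SCALE = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

def parse_boot(text):
    """(directive, args) per line; ';' starts a comment and lines are never continued."""
    entries = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            directive, *args = line.split()
            entries.append((directive, args))
    return entries

def limit_value(tok):
    """Expand the k/m/g postfix of a "limit" argument (accepted case-insensitively, e.g. 64M)."""
    unit = tok[-1].lower()
    return int(tok[:-1]) * SCALE[unit] if unit in SCALE else int(tok)

def is_dotted_quad(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False

def lint_boot(entries):
    """Findings about transfer exposure and secondary robustness, from the page's own rules."""
    findings = []
    if not {d for d, _ in entries} & {"xfrnets", "tcplist"}:
        findings.append("no xfrnets line: zone transfer requests are answered for any host")
    for directive, args in entries:
        if directive == "secondary":
            zone, masters = args[0], [t for t in args[1:] if is_dotted_quad(t)]
            if len(masters) > 10:
                findings.append(f"secondary {zone}: more than the 10 master addresses allowed")
            if len(masters) == len(args) - 1:
                findings.append(f"secondary {zone}: no backup file, no copy at boot if masters are down")
    return findings
```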
The master file consists of control information and a list of resource
records for objects in the zone of the forms:
    $INCLUDE filename optdomain
    $ORIGIN domain
    domain optttl optclass type resourcerecorddata
where domain is "." for root, "@" for the current origin, or a standard
domain name. If domain is a standard domain name that does not
end with ".", the current origin is appended to the domain. Domain
names ending with "." are unmodified. The optdomain field is used to
define an origin for the data in an included file. It is equivalent to
placing a $ORIGIN statement before the first line of the included
file. The field is optional. Neither the optdomain field nor $ORIGIN
statements in the included file modify the current origin for this
file. The optttl field is an optional integer number for the time-
to-live field. It defaults to zero, meaning the minimum value specified
in the SOA record for the zone. The optclass field is the object
address type; currently only one type is supported, IN, for objects
connected to the DARPA Internet. The type field contains one of the
following tokens; the format of data expected in the
resourcerecorddata field is in parentheses in the following list:
A A host address (dotted quad).
NS An authoritative name server (domain).
MX A mail exchanger (domain), preceded by a preference value
(0..32767), with lower numeric values representing higher logical
preferences.
CNAME The canonical name for an alias (domain).
SOA Marks the start of a zone of authority (domain of originating
host, domain address of maintainer, a serial number and the
following parameters in seconds: refresh, retry, expire and
minimum TTL [see RFC 883]).
NULL A null resource record (no format or data).
RP A Responsible Person for some domain name (mailbox, TXT-
referral).
PTR A domain name pointer (domain).
HINFO Host information (CPU type, OS type).
TXT Free-form textual data; define secure zones (see below).
Resource records normally end at the end of a line, but may be continued
across lines between opening and closing parentheses. Comments are
introduced by semicolons and continue to the end of the line.
Note that there are other resource record types, not shown here. You
should consult the BIND Operations Guide ("BOG"; see /usr/lib/named)
for the complete list. Some resource record types may have been standardized
in newer RFC's but not yet implemented in this version of
BIND.
Each master zone file should begin with an SOA record for the zone. An
example SOA record is as follows:
    @ IN SOA ucbvax.Berkeley.EDU. rwh.ucbvax.Berkeley.EDU. (
            1989020501 ; serial
            10800 ; refresh
            3600 ; retry
            3600000 ; expire
            86400 ) ; minimum
The SOA specifies a serial number, which should be changed each time
the master file is changed. Note that the serial number can be given
as a dotted number, but this is a very unwise thing to do since the
translation to normal integers is via concatenation rather than multiplication
and addition. You can spell out the year, month, day of
month, and 0..99 version number and still fit inside the unsigned 32-
bit size of this field. It's true that we will have to rethink this
strategy in the year 4294 (Greg.) but we're not worried about it.
Secondary servers check the serial number at intervals specified by
the refresh time in seconds; if the serial number changes, a zone
transfer will be done to load the new data. If a master server cannot
be contacted when a refresh is due, the retry time specifies the
interval at which refreshes should be attempted. If a master server
cannot be contacted within the interval given by the expire time, all
data from the zone is discarded by secondary servers. The minimum
value is the time-to-live ("TTL") used by records in the file with no
explicit time-to-live value.
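The following Python, added here and not taken from BIND, parses a master file of the format just described (origin handling for "@", relative and absolute names, $ORIGIN, parenthesised continuation, ";" comments, optional TTL and class) and makes the serial-number warning concrete: a dotted serial is concatenated, so "1.99" is read as 199 and the "next" serial "2.0" as 20, which secondaries see as going backwards. The zone fragment is constructed from the page's SOA example; $INCLUDE lines and omitted owner names are not handled.

```python
SAMPLE_ZONE = """\
; constructed fragment modelled on the page's SOA example, not a real zone
$ORIGIN Berkeley.EDU.
@ IN SOA ucbvax.Berkeley.EDU. rwh.ucbvax.Berkeley.EDU. (
        1989020501 ; serial
        10800 ; refresh
        3600 ; retry
        3600000 ; expire
        86400 ) ; minimum
mail    300 IN  MX 10 ucbvax.Berkeley.EDU.
"""

def logical_lines(text):
    """Strip ';' comments and join records continued inside ( )."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            joined, buf = " ".join(buf).strip(), []
            if joined:
                yield joined

def qualify(name, origin):
    # '@' is the origin; a trailing '.' is absolute; anything else has the origin appended
    if name == "@" or name.endswith("."):
        return origin if name == "@" else name
    return name + "." + origin if origin != "." else name + "."

def parse_master(text, origin):
    """Return (name, ttl, type, rdata); ttl 0 means 'use the SOA minimum'. $INCLUDE is not handled."""
    origin, records = qualify(origin, "."), []
    for line in logical_lines(text):
        toks = line.split()
        if toks[0] == "$ORIGIN":
            origin = qualify(toks[1], origin)
            continue
        name, ttl, i = qualify(toks[0], origin), 0, 1
        if toks[i].isdigit():          # optional TTL
            ttl, i = int(toks[i]), i + 1
        if toks[i] in ("IN", "HS"):    # optional class
            i += 1
        records.append((name, ttl, toks[i], toks[i + 1:]))
    return records

def serial_value(tok):
    value = int(tok.replace(".", ""))  # dotted serials are concatenated, not scaled: 1.99 > 2.0
    assert value < 2 ** 32, "serial exceeds the unsigned 32-bit field"
    return value
```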
Secure zones implement named security on a zone by zone basis. It is
designed to use a permission list of networks or hosts which may
obtain particular information from the zone.
In order to use zone security you must have at least one "secure_zone"
TXT resource record. Unless a "secure_zone" record exists for a given
zone, no restrictions will be applied to the data in that zone. The
format of the "secure_zone" TXT resource record is:
    secure_zone addr-class TXT string
The addr-class may be either HS or IN. The syntax for the string is
either "network address:netmask" or "host IP address:H".
"network address:netmask" allows queries from an entire network. If
the netmask is omitted, named will use the default netmask for the
network address specified.
"host IP address:H" allows queries from a host. The "H" after the ":"
is required to differentiate the host address from a network address.
Multiple "secure_zone" TXT resource records are allowed in the same
zone file.
For example, you can set up a zone to only answer Hesiod requests from
the masked class B network 130.215.0.0 and from host 128.23.10.56 by
adding the following two TXT resource records:
    secure_zone HS TXT "130.215.0.0:255.255.0.0"
    secure_zone HS TXT "128.23.10.56:H"
This feature can be used to restrict access to a Hesiod password map
or to separate internal and external internet address resolution on a
firewall machine without needing to run a separate named for internal
and external address resolution.
Note that you will need to include your loopback interface (127.0.0.1)
in your "secure_zone" record, or your local clients won't be able to
resolve names.
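Added example (not BIND code): a Python model of the secure_zone check described above, covering the "network:netmask" form, an omitted netmask, the ":H" host form, the "no record means no restriction" rule, and the loopback caveat. Treating the omitted netmask as the classful default for the address is an assumption made here; the records are constructed from the page's Hesiod example.

```python
import ipaddress

def default_netmask(addr):
    """Classful default mask (assumed here to be what named uses when the netmask is omitted)."""
    first = int(addr.split(".")[0])
    return "255.0.0.0" if first < 128 else "255.255.0.0" if first < 192 else "255.255.255.0"

def parse_secure_zone(rdata):
    """Turn one secure_zone TXT string into a network; 'addr:H' means exactly that host."""
    addr, _, mask = rdata.strip('"').partition(":")
    if mask == "H":
        return ipaddress.IPv4Network(addr + "/32")
    return ipaddress.IPv4Network(f"{addr}/{mask or default_netmask(addr)}", strict=False)

def secure_zone_networks(rrs):
    """Collect every secure_zone TXT record of a zone; an empty list means 'no restrictions'."""
    return [parse_secure_zone(rdata) for owner, _cls, rtype, rdata in rrs
            if owner == "secure_zone" and rtype == "TXT"]

def query_allowed(client, rrs):
    """Apply the page's rule: with no secure_zone record nothing is restricted,
    otherwise the client must fall inside at least one listed network or host."""
    nets = secure_zone_networks(rrs)
    if not nets:
        return True
    ip = ipaddress.IPv4Address(client)
    return any(ip in net for net in nets)

# Constructed records as (owner, class, type, rdata), following the page's Hesiod example.
ZONE_RRS = [
    ("secure_zone", "HS", "TXT", '"130.215.0.0:255.255.0.0"'),
    ("secure_zone", "HS", "TXT", '"128.23.10.56:H"'),
]
# The same zone with the loopback entry the page says local clients need.
ZONE_RRS_WITH_LOOPBACK = ZONE_RRS + [("secure_zone", "HS", "TXT", '"127.0.0.1:H"')]
```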
Signal handling
The following signals have the specified effect when sent to the
server process using the kill(1) command.
SIGHUP Causes server to read /etc/named.boot and reload the database.
SIGHUP will also cause the server to check the serial
number on all secondary zones. Normally the serial numbers
are only checked at the SOA-specified intervals.
SIGINT Dumps the current database and cache to
/var/tmp/nameddump.db.
SIGUSR1 Turns on debugging; each subsequent SIGUSR1 increments the
debug level (up to level 11).
SIGUSR2 Turns off debugging (debug level 0).
SIGIOT Dumps statistics data into /var/tmp/named.stats. Statistics
data is appended to the file.
SIGWINCH Toggles logging of all incoming queries via syslogd(1M).
FILES
/etc/named.boot
name server configuration boot file
/etc/named.pid
the process ID
/var/tmp/named.run
debug output
/var/tmp/nameddump.db
dump of the name servers database
/var/tmp/named.stats
name server statistics data
/usr/lib/named/bog.ascii
/usr/lib/named/bog.ps
Name Server Operations Guide for BIND ("BOG"); ASCII and
PostScript format
SEE ALSO
kill(1), inetd(1M), resolver(3N), resolv.conf(4).