This is a summary of the named.conf options supported by this version of BIND 9. acl <string> { <address_match_element>; ... }; // may occur multiple times controls { inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times unix <quoted_string> perm <integer> owner <integer> group <integer> [ keys { <string>; ... } ] [ read-only <boolean> ]; // may occur multiple times }; // may occur multiple times dlz <string> { database <string>; search <boolean>; }; // may occur multiple times dnssec-policy <string> { dnskey-ttl <duration>; keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... }; max-zone-ttl <duration>; nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ]; parent-ds-ttl <duration>; parent-propagation-delay <duration>; parent-registration-delay <duration>; // obsolete publish-safety <duration>; purge-keys <duration>; retire-safety <duration>; signatures-refresh <duration>; signatures-validity <duration>; signatures-validity-dnskey <duration>; zone-propagation-delay <duration>; }; // may occur multiple times dyndb <string> <quoted_string> { <unspecified-text> }; // may occur multiple times key <string> { algorithm <string>; secret <string>; }; // may occur multiple times logging { category <string> { <string>; ... }; // may occur multiple times channel <string> { buffered <boolean>; file <quoted_string> [ versions ( unlimited | <integer> ) ] [ size <size> ] [ suffix ( increment | timestamp ) ]; null; print-category <boolean>; print-severity <boolean>; print-time ( iso8601 | iso8601-utc | local | <boolean> ); severity <log_severity>; stderr; syslog [ <syslog_facility> ]; }; // may occur multiple times }; lwres { <unspecified-text> }; // obsolete, may occur multiple times managed-keys { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated masters <string> [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; // may occur multiple times options { acache-cleaning-interval <integer>; // obsolete acache-enable <boolean>; // obsolete additional-from-auth <boolean>; // obsolete additional-from-cache <boolean>; // obsolete allow-new-zones <boolean>; allow-notify { <address_match_element>; ... }; allow-query { <address_match_element>; ... }; allow-query-cache { <address_match_element>; ... }; allow-query-cache-on { <address_match_element>; ... }; allow-query-on { <address_match_element>; ... }; allow-recursion { <address_match_element>; ... }; allow-recursion-on { <address_match_element>; ... }; allow-transfer { <address_match_element>; ... }; allow-update { <address_match_element>; ... }; allow-update-forwarding { <address_match_element>; ... }; allow-v6-synthesis { <address_match_element>; ... }; // obsolete also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; answer-cookie <boolean>; attach-cache <string>; auth-nxdomain <boolean>; // default changed auto-dnssec ( allow | maintain | off ); // deprecated automatic-interface-scan <boolean>; avoid-v4-udp-ports { <portrange>; ... }; avoid-v6-udp-ports { <portrange>; ... }; bindkeys-file <quoted_string>; blackhole { <address_match_element>; ... }; cache-file <quoted_string>; // deprecated catalog-zones { zone <string> [ default-masters [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... }; check-dup-records ( fail | warn | ignore ); check-integrity <boolean>; check-mx ( fail | warn | ignore ); check-mx-cname ( fail | warn | ignore ); check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times check-sibling <boolean>; check-spf ( warn | ignore ); check-srv-cname ( fail | warn | ignore ); check-wildcard <boolean>; cleaning-interval <integer>; // obsolete clients-per-query <integer>; cookie-algorithm ( aes | siphash24 ); cookie-secret <string>; // may occur multiple times coresize ( default | unlimited | <sizeval> ); datasize ( default | unlimited | <sizeval> ); deallocate-on-exit <boolean>; // ancient deny-answer-addresses { <address_match_element>; ... } [ except-from { <string>; ... } ]; deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ]; dialup ( notify | notify-passive | passive | refresh | <boolean> ); directory <quoted_string>; disable-algorithms <string> { <string>; ... }; // may occur multiple times disable-ds-digests <string> { <string>; ... }; // may occur multiple times disable-empty-zone <string>; // may occur multiple times dns64 <netprefix> { break-dnssec <boolean>; clients { <address_match_element>; ... }; exclude { <address_match_element>; ... }; mapped { <address_match_element>; ... }; recursive-only <boolean>; suffix <ipv6_address>; }; // may occur multiple times dns64-contact <string>; dns64-server <string>; dnskey-sig-validity <integer>; dnsrps-enable <boolean>; // not configured dnsrps-options { <unspecified-text> }; // not configured dnssec-accept-expired <boolean>; dnssec-dnskey-kskonly <boolean>; dnssec-enable <boolean>; // obsolete dnssec-loadkeys-interval <integer>; dnssec-lookaside ( <string> trust-anchor <string> | auto | no ); // obsolete, may occur multiple times dnssec-must-be-secure <string> <boolean>; // may occur multiple times dnssec-policy <string>; dnssec-secure-to-insecure <boolean>; dnssec-update-mode ( maintain | no-resign ); dnssec-validation ( yes | no | auto ); dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; dnstap-identity ( <quoted_string> | none | hostname ); dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited | <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( increment | timestamp ) ]; dnstap-version ( <quoted_string> | none ); dscp <integer>; // deprecated dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] [ dscp <integer> ] | <ipv4_address> [ port <integer> ] [ dscp <integer> ] | <ipv6_address> [ port <integer> ] [ dscp <integer> ] ); ... }; dump-file <quoted_string>; edns-udp-size <integer>; empty-contact <string>; empty-server <string>; empty-zones-enable <boolean>; fake-iquery <boolean>; // ancient fetch-glue <boolean>; // ancient fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>; fetches-per-server <integer> [ ( drop | fail ) ]; fetches-per-zone <integer> [ ( drop | fail ) ]; files ( default | unlimited | <sizeval> ); filter-aaaa { <address_match_element>; ... }; // obsolete filter-aaaa-on-v4 <boolean>; // obsolete filter-aaaa-on-v6 <boolean>; // obsolete flush-zones-on-shutdown <boolean>; forward ( first | only ); forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; fstrm-set-buffer-hint <integer>; fstrm-set-flush-timeout <integer>; fstrm-set-input-queue-size <integer>; fstrm-set-output-notify-threshold <integer>; fstrm-set-output-queue-model ( mpsc | spsc ); fstrm-set-output-queue-size <integer>; fstrm-set-reopen-interval <duration>; geoip-directory ( <quoted_string> | none ); geoip-use-ecs <boolean>; // obsolete glue-cache <boolean>; has-old-clients <boolean>; // ancient heartbeat-interval <integer>; host-statistics <boolean>; // ancient host-statistics-max <integer>; // ancient hostname ( <quoted_string> | none ); interface-interval <duration>; ixfr-from-differences ( primary | master | secondary | slave | <boolean> ); keep-response-order { <address_match_element>; ... }; key-directory <quoted_string>; lame-ttl <duration>; listen-on [ port <integer> ] [ dscp <integer> ] { <address_match_element>; ... }; // may occur multiple times listen-on-v6 [ port <integer> ] [ dscp <integer> ] { <address_match_element>; ... }; // may occur multiple times lmdb-mapsize <sizeval>; lock-file ( <quoted_string> | none ); maintain-ixfr-base <boolean>; // ancient managed-keys-directory <quoted_string>; masterfile-format ( map | raw | text ); masterfile-style ( full | relative ); match-mapped-addresses <boolean>; max-acache-size ( unlimited | <sizeval> ); // obsolete max-cache-size ( default | unlimited | <sizeval> | <percentage> ); max-cache-ttl <duration>; max-clients-per-query <integer>; max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient max-ixfr-ratio ( unlimited | <percentage> ); max-journal-size ( default | unlimited | <sizeval> ); max-ncache-ttl <duration>; max-records <integer>; max-recursion-depth <integer>; max-recursion-queries <integer>; max-refresh-time <integer>; max-retry-time <integer>; max-rsa-exponent-size <integer>; max-stale-ttl <duration>; max-transfer-idle-in <integer>; max-transfer-idle-out <integer>; max-transfer-time-in <integer>; max-transfer-time-out <integer>; max-udp-size <integer>; max-zone-ttl ( unlimited | <duration> ); memstatistics <boolean>; memstatistics-file <quoted_string>; message-compression <boolean>; min-cache-ttl <duration>; min-ncache-ttl <duration>; min-refresh-time <integer>; min-retry-time <integer>; min-roots <integer>; // ancient minimal-any <boolean>; minimal-responses ( no-auth | no-auth-recursive | <boolean> ); multi-master <boolean>; multiple-cnames <boolean>; // ancient named-xfer <quoted_string>; // ancient new-zones-directory <quoted_string>; no-case-compress { <address_match_element>; ... }; nocookie-udp-size <integer>; nosit-udp-size <integer>; // obsolete notify ( explicit | master-only | primary-only | <boolean> ); notify-delay <integer>; notify-rate <integer>; notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; notify-to-soa <boolean>; nsec3-test-zone <boolean>; // test only nta-lifetime <duration>; nta-recheck <duration>; nxdomain-redirect <string>; parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; pid-file ( <quoted_string> | none ); port <integer>; preferred-glue <string>; prefetch <integer> [ <integer> ]; provide-ixfr <boolean>; qname-minimization ( strict | relaxed | disabled | off ); query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] port ( <integer> | * ) ) ) [ dscp <integer> ]; query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] port ( <integer> | * ) ) ) [ dscp <integer> ]; querylog <boolean>; queryport-pool-ports <integer>; // obsolete queryport-pool-updateinterval <integer>; // obsolete random-device ( <quoted_string> | none ); rate-limit { all-per-second <integer>; errors-per-second <integer>; exempt-clients { <address_match_element>; ... }; ipv4-prefix-length <integer>; ipv6-prefix-length <integer>; log-only <boolean>; max-table-size <integer>; min-table-size <integer>; nodata-per-second <integer>; nxdomains-per-second <integer>; qps-scale <integer>; referrals-per-second <integer>; responses-per-second <integer>; slip <integer>; window <integer>; }; recursing-file <quoted_string>; recursion <boolean>; recursive-clients <integer>; request-expire <boolean>; request-ixfr <boolean>; request-nsid <boolean>; request-sit <boolean>; // obsolete require-server-cookie <boolean>; reserved-sockets <integer>; resolver-nonbackoff-tries <integer>; resolver-query-timeout <integer>; resolver-retry-interval <integer>; response-padding { <address_match_element>; ... } block-size <integer>; response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ]; reuseport <boolean>; rfc2308-type1 <boolean>; // ancient root-delegation-only [ exclude { <string>; ... } ]; root-key-sentinel <boolean>; rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... }; secroots-file <quoted_string>; send-cookie <boolean>; serial-queries <integer>; // ancient serial-query-rate <integer>; serial-update-method ( date | increment | unixtime ); server-id ( <quoted_string> | none | hostname ); servfail-ttl <duration>; session-keyalg <string>; session-keyfile ( <quoted_string> | none ); session-keyname <string>; sig-signing-nodes <integer>; sig-signing-signatures <integer>; sig-signing-type <integer>; sig-validity-interval <integer> [ <integer> ]; sit-secret <string>; // obsolete sortlist { <address_match_element>; ... }; stacksize ( default | unlimited | <sizeval> ); stale-answer-client-timeout ( disabled | off | <integer> ); stale-answer-enable <boolean>; stale-answer-ttl <duration>; stale-cache-enable <boolean>; stale-refresh-time <duration>; startup-notify-rate <integer>; statistics-file <quoted_string>; statistics-interval <integer>; // ancient suppress-initial-notify <boolean>; // not yet implemented synth-from-dnssec <boolean>; tcp-advertised-timeout <integer>; tcp-clients <integer>; tcp-idle-timeout <integer>; tcp-initial-timeout <integer>; tcp-keepalive-timeout <integer>; tcp-listen-queue <integer>; tkey-dhkey <quoted_string> <integer>; tkey-domain <quoted_string>; tkey-gssapi-credential <quoted_string>; tkey-gssapi-keytab <quoted_string>; topology { <address_match_element>; ... }; // ancient transfer-format ( many-answers | one-answer ); transfer-message-size <integer>; transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; transfers-in <integer>; transfers-out <integer>; transfers-per-ns <integer>; treat-cr-as-space <boolean>; // ancient trust-anchor-telemetry <boolean>; // experimental try-tcp-refresh <boolean>; update-check-ksk <boolean>; update-quota <integer>; use-alt-transfer-source <boolean>; use-id-pool <boolean>; // ancient use-ixfr <boolean>; // obsolete use-queryport-pool <boolean>; // obsolete use-v4-udp-ports { <portrange>; ... }; use-v6-udp-ports { <portrange>; ... }; v6-bias <integer>; validate-except { <string>; ... }; version ( <quoted_string> | none ); zero-no-soa-ttl <boolean>; zero-no-soa-ttl-cache <boolean>; zone-statistics ( full | terse | none | <boolean> ); }; parental-agents <string> [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; // may occur multiple times plugin ( query ) <string> [ { <unspecified-text> } ]; // may occur multiple times primaries <string> [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; // may occur multiple times server <netprefix> { bogus <boolean>; edns <boolean>; edns-udp-size <integer>; edns-version <integer>; keys <server_key>; max-udp-size <integer>; notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; padding <integer>; provide-ixfr <boolean>; query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] port ( <integer> | * ) ) ) [ dscp <integer> ]; query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] port ( <integer> | * ) ) ) [ dscp <integer> ]; request-expire <boolean>; request-ixfr <boolean>; request-nsid <boolean>; request-sit <boolean>; // obsolete send-cookie <boolean>; support-ixfr <boolean>; // obsolete tcp-keepalive <boolean>; tcp-only <boolean>; transfer-format ( many-answers | one-answer ); transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; transfers <integer>; }; // may occur multiple times statistics-channels { inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * ) ] [ allow { <address_match_element>; ... } ]; // may occur multiple times }; // may occur multiple times trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated view <string> [ <class> ] { acache-cleaning-interval <integer>; // obsolete acache-enable <boolean>; // obsolete additional-from-auth <boolean>; // obsolete additional-from-cache <boolean>; // obsolete allow-new-zones <boolean>; allow-notify { <address_match_element>; ... }; allow-query { <address_match_element>; ... }; allow-query-cache { <address_match_element>; ... }; allow-query-cache-on { <address_match_element>; ... }; allow-query-on { <address_match_element>; ... }; allow-recursion { <address_match_element>; ... }; allow-recursion-on { <address_match_element>; ... }; allow-transfer { <address_match_element>; ... }; allow-update { <address_match_element>; ... }; allow-update-forwarding { <address_match_element>; ... }; allow-v6-synthesis { <address_match_element>; ... }; // obsolete also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; attach-cache <string>; auth-nxdomain <boolean>; // default changed auto-dnssec ( allow | maintain | off ); // deprecated cache-file <quoted_string>; // deprecated catalog-zones { zone <string> [ default-masters [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... } ] [ zone-directory <quoted_string> ] [ in-memory <boolean> ] [ min-update-interval <duration> ]; ... }; check-dup-records ( fail | warn | ignore ); check-integrity <boolean>; check-mx ( fail | warn | ignore ); check-mx-cname ( fail | warn | ignore ); check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times check-sibling <boolean>; check-spf ( warn | ignore ); check-srv-cname ( fail | warn | ignore ); check-wildcard <boolean>; cleaning-interval <integer>; // obsolete clients-per-query <integer>; deny-answer-addresses { <address_match_element>; ... } [ except-from { <string>; ... } ]; deny-answer-aliases { <string>; ... } [ except-from { <string>; ... } ]; dialup ( notify | notify-passive | passive | refresh | <boolean> ); disable-algorithms <string> { <string>; ... }; // may occur multiple times disable-ds-digests <string> { <string>; ... }; // may occur multiple times disable-empty-zone <string>; // may occur multiple times dlz <string> { database <string>; search <boolean>; }; // may occur multiple times dns64 <netprefix> { break-dnssec <boolean>; clients { <address_match_element>; ... }; exclude { <address_match_element>; ... }; mapped { <address_match_element>; ... }; recursive-only <boolean>; suffix <ipv6_address>; }; // may occur multiple times dns64-contact <string>; dns64-server <string>; dnskey-sig-validity <integer>; dnsrps-enable <boolean>; // not configured dnsrps-options { <unspecified-text> }; // not configured dnssec-accept-expired <boolean>; dnssec-dnskey-kskonly <boolean>; dnssec-enable <boolean>; // obsolete dnssec-loadkeys-interval <integer>; dnssec-lookaside ( <string> trust-anchor <string> | auto | no ); // obsolete, may occur multiple times dnssec-must-be-secure <string> <boolean>; // may occur multiple times dnssec-policy <string>; dnssec-secure-to-insecure <boolean>; dnssec-update-mode ( maintain | no-resign ); dnssec-validation ( yes | no | auto ); dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port <integer> ] [ dscp <integer> ] | <ipv4_address> [ port <integer> ] [ dscp <integer> ] | <ipv6_address> [ port <integer> ] [ dscp <integer> ] ); ... }; dyndb <string> <quoted_string> { <unspecified-text> }; // may occur multiple times edns-udp-size <integer>; empty-contact <string>; empty-server <string>; empty-zones-enable <boolean>; fetch-glue <boolean>; // ancient fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>; fetches-per-server <integer> [ ( drop | fail ) ]; fetches-per-zone <integer> [ ( drop | fail ) ]; filter-aaaa { <address_match_element>; ... }; // obsolete filter-aaaa-on-v4 <boolean>; // obsolete filter-aaaa-on-v6 <boolean>; // obsolete forward ( first | only ); forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; glue-cache <boolean>; ixfr-from-differences ( primary | master | secondary | slave | <boolean> ); key <string> { algorithm <string>; secret <string>; }; // may occur multiple times key-directory <quoted_string>; lame-ttl <duration>; lmdb-mapsize <sizeval>; maintain-ixfr-base <boolean>; // ancient managed-keys { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated masterfile-format ( map | raw | text ); masterfile-style ( full | relative ); match-clients { <address_match_element>; ... }; match-destinations { <address_match_element>; ... }; match-recursive-only <boolean>; max-acache-size ( unlimited | <sizeval> ); // obsolete max-cache-size ( default | unlimited | <sizeval> | <percentage> ); max-cache-ttl <duration>; max-clients-per-query <integer>; max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient max-ixfr-ratio ( unlimited | <percentage> ); max-journal-size ( default | unlimited | <sizeval> ); max-ncache-ttl <duration>; max-records <integer>; max-recursion-depth <integer>; max-recursion-queries <integer>; max-refresh-time <integer>; max-retry-time <integer>; max-stale-ttl <duration>; max-transfer-idle-in <integer>; max-transfer-idle-out <integer>; max-transfer-time-in <integer>; max-transfer-time-out <integer>; max-udp-size <integer>; max-zone-ttl ( unlimited | <duration> ); message-compression <boolean>; min-cache-ttl <duration>; min-ncache-ttl <duration>; min-refresh-time <integer>; min-retry-time <integer>; min-roots <integer>; // ancient minimal-any <boolean>; minimal-responses ( no-auth | no-auth-recursive | <boolean> ); multi-master <boolean>; new-zones-directory <quoted_string>; no-case-compress { <address_match_element>; ... }; nocookie-udp-size <integer>; nosit-udp-size <integer>; // obsolete notify ( explicit | master-only | primary-only | <boolean> ); notify-delay <integer>; notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; notify-to-soa <boolean>; nsec3-test-zone <boolean>; // test only nta-lifetime <duration>; nta-recheck <duration>; nxdomain-redirect <string>; parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; plugin ( query ) <string> [ { <unspecified-text> } ]; // may occur multiple times preferred-glue <string>; prefetch <integer> [ <integer> ]; provide-ixfr <boolean>; qname-minimization ( strict | relaxed | disabled | off ); query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] port ( <integer> | * ) ) ) [ dscp <integer> ]; query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] port ( <integer> | * ) ) ) [ dscp <integer> ]; queryport-pool-ports <integer>; // obsolete queryport-pool-updateinterval <integer>; // obsolete rate-limit { all-per-second <integer>; errors-per-second <integer>; exempt-clients { <address_match_element>; ... }; ipv4-prefix-length <integer>; ipv6-prefix-length <integer>; log-only <boolean>; max-table-size <integer>; min-table-size <integer>; nodata-per-second <integer>; nxdomains-per-second <integer>; qps-scale <integer>; referrals-per-second <integer>; responses-per-second <integer>; slip <integer>; window <integer>; }; recursion <boolean>; request-expire <boolean>; request-ixfr <boolean>; request-nsid <boolean>; request-sit <boolean>; // obsolete require-server-cookie <boolean>; resolver-nonbackoff-tries <integer>; resolver-query-timeout <integer>; resolver-retry-interval <integer>; response-padding { <address_match_element>; ... } block-size <integer>; response-policy { zone <string> [ add-soa <boolean> ] [ log <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval <duration> ] [ min-ns-dots <integer> ] [ nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> } ]; rfc2308-type1 <boolean>; // ancient root-delegation-only [ exclude { <string>; ... } ]; root-key-sentinel <boolean>; rrset-order { [ class <string> ] [ type <string> ] [ name <quoted_string> ] <string> <string>; ... }; send-cookie <boolean>; serial-update-method ( date | increment | unixtime ); server <netprefix> { bogus <boolean>; edns <boolean>; edns-udp-size <integer>; edns-version <integer>; keys <server_key>; max-udp-size <integer>; notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; padding <integer>; provide-ixfr <boolean>; query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] port ( <integer> | * ) ) ) [ dscp <integer> ]; query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] port ( <integer> | * ) ) ) [ dscp <integer> ]; request-expire <boolean>; request-ixfr <boolean>; request-nsid <boolean>; request-sit <boolean>; // obsolete send-cookie <boolean>; support-ixfr <boolean>; // obsolete tcp-keepalive <boolean>; tcp-only <boolean>; transfer-format ( many-answers | one-answer ); transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; transfers <integer>; }; // may occur multiple times servfail-ttl <duration>; sig-signing-nodes <integer>; sig-signing-signatures <integer>; sig-signing-type <integer>; sig-validity-interval <integer> [ <integer> ]; sortlist { <address_match_element>; ... }; stale-answer-client-timeout ( disabled | off | <integer> ); stale-answer-enable <boolean>; stale-answer-ttl <duration>; stale-cache-enable <boolean>; stale-refresh-time <duration>; suppress-initial-notify <boolean>; // not yet implemented synth-from-dnssec <boolean>; topology { <address_match_element>; ... }; // ancient transfer-format ( many-answers | one-answer ); transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; trust-anchor-telemetry <boolean>; // experimental trust-anchors { <string> ( static-key | initial-key | static-ds | initial-ds ) <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; // may occur multiple times, deprecated try-tcp-refresh <boolean>; update-check-ksk <boolean>; use-alt-transfer-source <boolean>; use-queryport-pool <boolean>; // obsolete v6-bias <integer>; validate-except { <string>; ... }; zero-no-soa-ttl <boolean>; zero-no-soa-ttl-cache <boolean>; zone <string> [ <class> ] { allow-notify { <address_match_element>; ... }; allow-query { <address_match_element>; ... }; allow-query-on { <address_match_element>; ... }; allow-transfer { <address_match_element>; ... }; allow-update { <address_match_element>; ... }; allow-update-forwarding { <address_match_element>; ... }; also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; auto-dnssec ( allow | maintain | off ); // deprecated check-dup-records ( fail | warn | ignore ); check-integrity <boolean>; check-mx ( fail | warn | ignore ); check-mx-cname ( fail | warn | ignore ); check-names ( fail | warn | ignore ); check-sibling <boolean>; check-spf ( warn | ignore ); check-srv-cname ( fail | warn | ignore ); check-wildcard <boolean>; database <string>; delegation-only <boolean>; dialup ( notify | notify-passive | passive | refresh | <boolean> ); dlz <string>; dnskey-sig-validity <integer>; dnssec-dnskey-kskonly <boolean>; dnssec-loadkeys-interval <integer>; dnssec-policy <string>; dnssec-secure-to-insecure <boolean>; dnssec-update-mode ( maintain | no-resign ); file <quoted_string>; forward ( first | only ); forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; in-view <string>; inline-signing <boolean>; ixfr-base <quoted_string>; // ancient ixfr-from-differences <boolean>; ixfr-tmp-file <quoted_string>; // ancient journal <quoted_string>; key-directory <quoted_string>; maintain-ixfr-base <boolean>; // ancient masterfile-format ( map | raw | text ); masterfile-style ( full | relative ); masters [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient max-ixfr-ratio ( unlimited | <percentage> ); max-journal-size ( default | unlimited | <sizeval> ); max-records <integer>; max-refresh-time <integer>; max-retry-time <integer>; max-transfer-idle-in <integer>; max-transfer-idle-out <integer>; max-transfer-time-in <integer>; max-transfer-time-out <integer>; max-zone-ttl ( unlimited | <duration> ); min-refresh-time <integer>; min-retry-time <integer>; multi-master <boolean>; notify ( explicit | master-only | primary-only | <boolean> ); notify-delay <integer>; notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; notify-to-soa <boolean>; nsec3-test-zone <boolean>; // test only parental-agents [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; primaries [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; pubkey <integer> <integer> <integer> <quoted_string>; // ancient request-expire <boolean>; request-ixfr <boolean>; serial-update-method ( date | increment | unixtime ); server-addresses { ( <ipv4_address> | <ipv6_address> ); ... }; server-names { <string>; ... }; sig-signing-nodes <integer>; sig-signing-signatures <integer>; sig-signing-type <integer>; sig-validity-interval <integer> [ <integer> ]; transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; try-tcp-refresh <boolean>; type ( primary | master | secondary | slave | mirror | delegation-only | forward | hint | redirect | static-stub | stub ); update-check-ksk <boolean>; update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... } ); use-alt-transfer-source <boolean>; zero-no-soa-ttl <boolean>; zone-statistics ( full | terse | none | <boolean> ); }; // may occur multiple times zone-statistics ( full | terse | none | <boolean> ); }; // may occur multiple times zone <string> [ <class> ] { allow-notify { <address_match_element>; ... }; allow-query { <address_match_element>; ... }; allow-query-on { <address_match_element>; ... }; allow-transfer { <address_match_element>; ... }; allow-update { <address_match_element>; ... }; allow-update-forwarding { <address_match_element>; ... }; also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; auto-dnssec ( allow | maintain | off ); // deprecated check-dup-records ( fail | warn | ignore ); check-integrity <boolean>; check-mx ( fail | warn | ignore ); check-mx-cname ( fail | warn | ignore ); check-names ( fail | warn | ignore ); check-sibling <boolean>; check-spf ( warn | ignore ); check-srv-cname ( fail | warn | ignore ); check-wildcard <boolean>; database <string>; delegation-only <boolean>; dialup ( notify | notify-passive | passive | refresh | <boolean> ); dlz <string>; dnskey-sig-validity <integer>; dnssec-dnskey-kskonly <boolean>; dnssec-loadkeys-interval <integer>; dnssec-policy <string>; dnssec-secure-to-insecure <boolean>; dnssec-update-mode ( maintain | no-resign ); file <quoted_string>; forward ( first | only ); forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; in-view <string>; inline-signing <boolean>; ixfr-base <quoted_string>; // ancient ixfr-from-differences <boolean>; ixfr-tmp-file <quoted_string>; // ancient journal <quoted_string>; key-directory <quoted_string>; maintain-ixfr-base <boolean>; // ancient masterfile-format ( map | raw | text ); masterfile-style ( full | relative ); masters [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient max-ixfr-ratio ( unlimited | <percentage> ); max-journal-size ( default | unlimited | <sizeval> ); max-records <integer>; max-refresh-time <integer>; max-retry-time <integer>; max-transfer-idle-in <integer>; max-transfer-idle-out <integer>; max-transfer-time-in <integer>; max-transfer-time-out <integer>; max-zone-ttl ( unlimited | <duration> ); min-refresh-time <integer>; min-retry-time <integer>; multi-master <boolean>; notify ( explicit | master-only | primary-only | <boolean> ); notify-delay <integer>; notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; notify-to-soa <boolean>; nsec3-test-zone <boolean>; // test only parental-agents [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; primaries [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; pubkey <integer> <integer> <integer> <quoted_string>; // ancient request-expire <boolean>; request-ixfr <boolean>; serial-update-method ( date | increment | unixtime ); server-addresses { ( <ipv4_address> | <ipv6_address> ); ... }; server-names { <string>; ... }; sig-signing-nodes <integer>; sig-signing-signatures <integer>; sig-signing-type <integer>; sig-validity-interval <integer> [ <integer> ]; transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ]; try-tcp-refresh <boolean>; type ( primary | master | secondary | slave | mirror | delegation-only | forward | hint | redirect | static-stub | stub ); update-check-ksk <boolean>; update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... } ); use-alt-transfer-source <boolean>; zero-no-soa-ttl <boolean>; zone-statistics ( full | terse | none | <boolean> ); }; // may occur multiple times