HP-UX Reference (11i v2 03/08) - 4 File Formats (vol 8)
named.conf(4) named.conf(4)
notify
See the description of notify above.
zone-statistics
If yes, the server will keep statistical information for this zone, which can be dumped to
the statistics-file defined in the server options.
sig-validity-interval
See the description of sig-validity-interval.
transfer-source
See the description of transfer-source.
transfer-source-v6
See the description of transfer-source-v6.
notify-source
See the description of notify-source.
notify-source-v6
See the description of notify-source-v6.
min-refresh-time, max-refresh-time, min-retry-time, max-retry-time
See the descriptions above.
Dynamic Update Policies
BIND 9.2 supports two alternative methods of granting clients the right to perform dynamic updates to a zone, configured by the allow-update and update-policy options, respectively.
The allow-update clause works the same way as in previous versions of BIND. It grants given clients the permission to update any record of any name in the zone.
The update-policy clause is new in BIND 9.2 and allows more fine-grained control over what updates are allowed. A set of rules is specified, where each rule either grants or denies permissions for one or more names to be updated by one or more identities. If the dynamic update request message is signed (that is, it includes either a TSIG or SIG(0) record), the identity of the signer can be determined.
Rules are specified in the update-policy zone option, and are only meaningful for master zones. When the update-policy statement is present, it is a configuration error for the allow-update statement to be present. The update-policy statement only examines the signer of a message; the source address is not relevant.
A rule definition has the following form:
( grant | deny ) identity nametype name [ types ]
Each rule grants or denies privileges. Once a message has successfully matched a rule, the operation is
immediately granted or denied and no further rules are examined. A rule is matched when the signer
matches the identity field, the name matches the name field, and the type is specified in the type field.
The identity field specifies a name or a wildcard name. The nametype field has four values: name, subdomain, wildcard, and self:
name       Matches when the updated name is the same as the name in the name field.
subdomain  Matches when the updated name is a subdomain of the name in the name field (which includes the name itself).
wildcard   Matches when the updated name is a valid expansion of the wildcard name in the name field.
self       Matches when the updated name is the same as the message signer. The name field is ignored.
If no types are specified, the rule matches all types except SIG, NS, SOA, and NXT. Types may be
specified by name, including "ANY" (ANY matches all types except NXT, which can never be updated).
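The following is an added example, not part of the HP-UX manual or of BIND: a simplified Python model of the rule matching described above, showing that a deny rule with no types does not cover NS, so a later grant ANY rule can still allow it. The names and rules are constructed, wildcard handling is reduced to a leading "*." label, and treating an unsigned or unmatched request as denied is an assumption not stated on this page.

```python
# Simplified model of the update-policy matching described above (not BIND code).
DEFAULT_EXCLUDED = {"SIG", "NS", "SOA", "NXT"}  # skipped by a rule with no types

def norm(name):  # lower-case a DNS name and drop the trailing dot
    return name.lower().rstrip(".")

def wildcard_match(pattern, name):
    """True if name equals pattern, or expands a leading '*.' wildcard."""
    pattern, name = norm(pattern), norm(name)
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".example.com"
        return name.endswith(suffix) and len(name) > len(suffix)
    return pattern == name

def name_matches(nametype, rule_name, updated, signer):
    rule_name, updated = norm(rule_name), norm(updated)
    if nametype == "name":
        return updated == rule_name
    if nametype == "subdomain":                   # includes the name itself
        return updated == rule_name or updated.endswith("." + rule_name)
    if nametype == "wildcard":
        return wildcard_match(rule_name, updated)
    if nametype == "self":                        # name field is ignored
        return updated == norm(signer)
    raise ValueError(f"unknown nametype: {nametype}")

def type_matches(types, rrtype):
    rrtype = rrtype.upper()
    if rrtype == "NXT":                           # can never be updated
        return False
    if not types:
        return rrtype not in DEFAULT_EXCLUDED
    return "ANY" in types or rrtype in types

def check_update(rules, signer, updated, rrtype):
    """First matching rule decides. Assumption: no signer or no match means deny."""
    if signer is None:                            # unsigned: no identity to match
        return "deny"
    for action, identity, nametype, rule_name, types in rules:
        if (wildcard_match(identity, signer)
                and name_matches(nametype, rule_name, updated, signer)
                and type_matches(types, rrtype)):
            return action
    return "deny"

RULES = [  # constructed sample policy, evaluated top to bottom
    ("deny",  "admin.example.com",  "name",      "ns1.example.com", []),
    ("grant", "admin.example.com",  "subdomain", "example.com",     ["ANY"]),
    ("grant", "*.dhcp.example.com", "self",      "example.com",     ["A"]),
]
```

With this policy, the admin key is denied an A update on ns1.example.com but granted an NS update on the same name, because the typeless deny rule never matches NS; listing the types explicitly on the deny rule closes that gap.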
Zone File
Types of Resource Records and When to Use Them:
This section describes the concept of a Resource Record (RR) and explains when each is used as per RFC 1034.
HP-UX 11i Version 2: August 2003 − 22 − Hewlett-Packard Company Section 4−−197