HP-UX Reference (11i v3 07/02) - 4 File Formats (vol 8)

named.conf(4) named.conf(4)
(BIND 9.3)
max-transfer-time-out
See the description in The options Statement section.
min-refresh-time
See the description in The options Statement section.
min-retry-time
See the description in The options Statement section.
multi-master
This should be set when you have multiple masters for a zone and the addresses refer to
different machines. If yes, named will not log when the serial number on the master is
less than what named currently has. The default is no.
notify
See the description in The options Statement section.
notify-source
See the description in The options Statement section.
notify-source-v6
See the description in The options Statement section.
sig-validity-interval
See the description in The options Statement section.
transfer-source
See the description in The options Statement section.
transfer-source-v6
See the description in The options Statement section.
update-policy
Specifies a "Simple Secure Update" policy. See the Dynamic Update Policies section for
more details.
use-alt-transfer-source
See the description in The options Statement section.
zone-statistics
If yes, the server will keep statistical information for this zone, which can be dumped to
the statistics-file defined in the server options.
Dynamic Update Policies
BIND 9.3 supports two alternative methods of granting clients the right to perform dynamic updates to a
zone, configured by the allow-update and update-policy options, respectively.
The allow-update clause works the same way as in previous versions of BIND. It grants given clients
the permission to update any record of any name in the zone.
The update-policy clause is new in BIND 9.3 and allows more fine-grained control over what updates
are allowed. A set of rules is specified, where each rule either grants or denies permissions for one or more
names to be updated by one or more identities. If the dynamic update request message is signed (that is, it
includes either a TSIG or SIG(0) record), the identity of the signer can be determined.
Rules are specified in the update-policy zone option, and are only meaningful for master zones. When
the update-policy statement is present, it is a configuration error for the allow-update statement
to be present. The update-policy statement only examines the signer of a message; the source
address is not relevant.
The syntax of a rule definition is shown below:
( grant | deny ) identity nametype name [ types ]
Each rule grants or denies privileges. Once a message has successfully matched a rule, the operation is
immediately granted or denied and no further rules are examined. A rule is matched when the signer
matches the identity field, the name matches the name field, and the type is specified in the list in the types
field.
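The first-match evaluation described above, as an added sketch (not part of this manual page and not BIND's own code). The nametype values name and subdomain, the refusal of unsigned requests, and the refusal when no rule matches are assumptions not stated in the text above; the key names and policy are constructed, and this sketch requires every rule to list its types.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str       # "grant" or "deny"
    identity: str     # name of the TSIG or SIG(0) key that signed the update
    nametype: str     # "name" or "subdomain" (assumed values, only these are modelled)
    name: str
    types: frozenset  # record types the rule covers

def canon(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot for comparison."""
    return name.lower().rstrip(".")

def parse_rule(text: str) -> Rule:
    """Parse '( grant | deny ) identity nametype name types'."""
    action, identity, nametype, name, *types = text.rstrip(";").split()
    if action not in ("grant", "deny") or nametype not in ("name", "subdomain"):
        raise ValueError(f"unsupported rule: {text!r}")
    if not types:
        raise ValueError("this sketch requires an explicit type list")
    return Rule(action, canon(identity), nametype, canon(name),
                frozenset(t.upper() for t in types))

def name_matches(rule: Rule, target: str) -> bool:
    target = canon(target)
    if rule.nametype == "name":
        return target == rule.name
    # subdomain: the name itself or anything beneath it (assumed semantics)
    return target == rule.name or target.endswith("." + rule.name)

def evaluate(rules, signer: Optional[str], target: str, rtype: str,
             source_addr: Optional[str] = None) -> bool:
    """Return True if the update is granted. source_addr is accepted but
    deliberately ignored: only the signer of the message is examined."""
    if signer is None:
        return False  # assumption: unsigned request has no identity to match
    for rule in rules:
        if (canon(signer) == rule.identity and name_matches(rule, target)
                and rtype.upper() in rule.types):
            return rule.action == "grant"  # first match decides, stop here
    return False  # assumption: no rule matched, update refused

# Constructed sample policy: the deny must precede the broader grant,
# otherwise dhcp-key could rewrite the address records of www.
POLICY = [parse_rule(r) for r in (
    "deny  dhcp-key.example.com. name      www.example.com. A AAAA",
    "grant dhcp-key.example.com. subdomain example.com.     A AAAA",
    "grant web-key.example.com.  name      www.example.com. A AAAA TXT",
)]
```

Reversing the first two rules makes the grant match first for www.example.com, so the deny is never reached.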
The identity field specifies a name or a wildcard name. Normally, this is the name of the TSIG or SIG(0)
key used to sign the update request. When a TKEY exchange has been used to create a shared secret, the
identity of the shared secret is the same as the identity of the key used to authenticate the TKEY
exchange. When the identity field specifies a wildcard name, it is subject to DNS wildcard expansion, so
260 Hewlett-Packard Company 28 HP-UX 11i Version 3: February 2007