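#
# File name:    TCPIP$BIND_CONF.TEMPLATE_ZONE
# Product:      VSI TCP/IP Services for OpenVMS
# Version:      V6.0-24
#
# Copyright 2015-2021 VMS Software, Inc.
#
#
#
# DESCRIPTION:
#
#   This file contains configuration information for the Forwarder BIND
#   Server with a local Zone.
#
#   Before starting the BIND server, you must edit this file and copy
#   it to SYS$SPECIFIC:[TCPIP$BIND]TCPIP$BIND.CONF.
#
#   Refer to the VSI TCP/IP Services for OpenVMS Management guide for
#   instructions on editing and using this file.
#

########
# Note #
########

/*
 * C-style comments are OK
 */

// So are C++-style comments

# So are shell-style comments

// watch out for ";" -- it's important!

//Define Host list
//"clients" is the ACL that allow-query, allow-query-cache and
//allow-recursion below rely on; "localnets" matches the networks the
//server itself is attached to. Narrow it if only some hosts should be served.
acl clients {
    localnets;
};

options {
    directory "SYS$SPECIFIC:[TCPIP$BIND]";

    max-cache-size 10m;         //The maximum amount of memory to use for the server's
                                //cache, in bytes.
                                //A value of 0 is special, meaning that records are
                                //purged from the cache only when their TTLs expire.
                                //The default is 0.

    recursion yes;              //If yes, and a DNS query requests recursion, then
                                //the server will attempt to do all the work required
                                //to answer the query. If recursion is off and the
                                //server does not already know the answer, it will
                                //return a referral response. The default is yes.

    //BIND Server first tries to find a zone that the server has the authority
    //for and most matches the query name.
    //If this search fails, the server forwards the query to the forwarders
    //specified below.

    //forward first;            //This option is only meaningful if the forwarders
                                //list is not empty.
    forward only;               //Force queries to be forwarded to the forwarders.

    //Specifies the IP addresses to be used for forwarding.
    //The default is the empty list (no forwarding).
    //NOTE: the addresses below are template values; every query that is not
    //answered locally is sent to them, so replace them with the resolvers
    //your site has chosen to trust.
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };

    /* DNS related options */
    dnssec-enable yes;          //Enable DNSSEC support. Unless set to yes,
                                //bind behaves as if it does not support DNSSEC.
                                //The default is yes
    dnssec-validation auto;     //Enable DNSSEC validation.
                                //Note dnssec-enable also needs to be set to
                                //yes to be effective. The default is yes.

    //The server listens on every IPv4 interface; who actually gets an answer
    //is decided by the allow-* statements below, so keep those restrictive.
    listen-on port 53 {
        any;                    //Enable bind on port 53 on any interface
    };
    listen-on-v6 port 53 {      //Enable bind with IPv6
        localhost;
    };

    //Answers from the local cache are limited to the same ACL as recursion.
    //With { any; } here, hosts outside "clients" could still be answered from
    //the cache even though allow-query and allow-recursion exclude them.
    allow-query-cache { clients; };
    allow-query       { clients; };     //Access Control by ACL "clients"
    allow-recursion   { clients; };     //Only listed hosts are allowed to make
                                        //recursive queries through this server

    //NOTE: the commented-out "any" variants below remove the access control
    //above. In particular allow-recursion { any; } combined with
    //listen-on { any; } turns the server into an open resolver, and
    //allow-transfer { any; } lets any host copy the local zone contents.
#   allow-query     { any; };   //Only queries from hosts in the address
#                               //list will be accepted
#   allow-recursion { any; };   //Only listed hosts are allowed to make
#                               //recursive queries through this server
#   allow-transfer  { any; };   //Only listed hosts are allowed to receive
#                               //zone transfers
};

zone "." IN {
    type hint;
    file "root.hint";
};

zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "loopback.db";
};

zone "localhost" IN {
    type master;
    file "localhost.db";
};

//Local Zone Definition
zone "local" IN {
    type master;
    file "local.zone";
};

//Please do not use the secret key as it is and refer to READ.ME for
//generating a secret key and configuring RNDC interface.
//The secret below is a published sample value: anyone who has seen this
//template knows it, so it gives no protection to the control channel.
//hmac-md5 is a legacy algorithm; when generating your own key, prefer a
//stronger HMAC (for example hmac-sha256) if the installed BIND supports it.

//RNDC Crypto Information
#key "rndc-key" {
#    algorithm hmac-md5;
#    secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
#};

//RNDC Command Interface
//Keep the control channel bound to the loopback address as shown.
#controls {
#    inet 127.0.0.1 port 953
#    allow { 127.0.0.1; } keys { "rndc-key"; };
#};

logging {
    channel "default_log" {
        file "SYS$SPECIFIC:[TCPIP$BIND]TCPIP$NAMED_RUN.LOG";
        print-time yes;         // timestamp log entries
        print-category yes;     // print category name
        print-severity yes;     // print severity level
        severity dynamic;
    };

    //This channel is defined but no category below sends output to it.
    channel moderate_debug {
        file "foo";             // foo
        severity debug 3;       // level 3 debugging to file
        print-time yes;         // timestamp log entries
        print-category yes;     // print category name
        print-severity yes;     // print severity level
        /*
         * Note that debugging must have been turned on either
         * on the command line or with a signal to get debugging
         * output (non-debugging output will still be written to
         * this channel).
         */
    };

    /*
     * There are many categories, so you can send the logs
     * you want to see wherever you want, without seeing logs you
     * don't want.  Right now the categories are
     *
     *  default         the catch-all.  many things still
     *                  aren't classified into categories, and
     *                  they all end up here.  also, if you
     *                  don't specify any channels for a
     *                  category, the default category is used
     *                  instead.
     *  config          high-level configuration file
     *                  processing
     *  queries         what used to be called "query logging"
     *  lame-servers    messages like "Lame server on ..."
     *  statistics
     *  update          dynamic update
     *  ncache          negative caching
     *  xfer-in         zone transfers we're receiving
     *  xfer-out        zone transfers we're sending
     *  notify          the NOTIFY protocol
     *  cname           messages like "XX points to a CNAME"
     *  security        approved/unapproved requests
     */

    //Each category is listed once; the original template repeated the
    //"config" and "update" entries.
    //The "security" category records approved/unapproved requests and
    //"queries" records every query, so protect and rotate the log file
    //accordingly.
    category default      { "default_log"; };
    category config       { "default_log"; };
    category dispatch     { "default_log"; };
    category general      { "default_log"; };
    category queries      { "default_log"; };
    category resolver     { "default_log"; };
    category client       { "default_log"; };
    category database     { "default_log"; };
    category network      { "default_log"; };
    category security     { "default_log"; };
    category unmatched    { "default_log"; };
    category dnssec       { "default_log"; };
    category notify       { "default_log"; };
    category xfer-in      { "default_log"; };
    category xfer-out     { "default_log"; };
    category update       { "default_log"; };
    category lame-servers { "default_log"; };
    category cname        { "default_log"; };
};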