DNS BIND Security Statements

This section describes the statements available in BIND 9.x relating to security. Full list of statements.


 random-device "path_to_device";
 random-device "/dev/random";

Defines a source or randomness (or entropy) within the system. Defaults to /dev/random. This device is needed for DNSSEC operations such as TKEY transactions and dynamic update of signed zones. Operations requiring entropy will fail when the specified source has been exhausted. The random-device option takes effect during the initial configuration load at server startup time and is ignored on subsequent reloads. This statement may only be used in a global options clause.


 sig-validity-interval days ;
 sig-validity-interval 60 ;

sig-validity-interval Specifies the number of days into the future when DNSSEC signatures automatically generated as a result of dynamic updates will expire. The default is 30 days. The maximum value is 10 years (3660 days). The signature inception time is unconditionally set to one hour before the current time to allow for a limited amount of clock skew. This statement may be used in a zone or a global options clause.

Pro DNS and BIND by Ron Aitchison


tech info
guides home
dns articles
1 objectives
big picture
2 concepts
3 reverse map
4 dns types
5 install bind
6 samples
7 named.conf
8 dns records
9 howtos
10 tools
11 trouble
12 bind api's
13 dns security
bits & bytes
15 messages
notes & tips
registration FAQ
dns resources
dns rfc's
change log