DNS BIND zone clause

This section describes the zone clause which controls the properties and functionality associated with each zone. The zone clause may take many statements to provide a high degree of granularity. statements have global scope if they are specified in an options clause not associated with a particular zone. Using a statement in a zone clause means it is applicable only to that zone, will always override or contradict any global statement (defined in a options clause).

The zone clause can take any of the statements shown below, the items in square brackets after each statement indicate what other clauses the statement can appear in.

  allow-notify { address_match_list }; [ Opt, View, Zone ]
  allow-query { address_match_list }; [ Opt, View, Zone ]
  allow-transfer { address_match_list }; [ Opt, View, Zone ]
  allow-update { address_match_list }; [ Zone ]
  allow-update-forwarding { address_match_list }; [ Opt, View, Zone ]
  also-notify { ip_addr [port ip_port] ; ... ] }; [ Opt, View, Zone ]
  alt-transfer-source ( ipv4 | * ) [ port ( integer | * )]; [ Opt, View, Zone ]
  alt-transfer-source-v6 ( ipv6 | * ) [ port ( integer | * ) ]; [ Opt, View, Zone ]
  check-names ( fail | warn | ignore ); [ Zone ]
  database "database-name params"; [ Zone ]
  delegation-only ( yes | no ) ; [ Zone ]
  dialup dialup_options; [ Opt, View, Zone ]
  file "file_name" ; [ Zone ]
  forward ( only | first ); [ Opt, View, Zone ]
  forwarders { ipv4_addr | ipv6_addr [port ip_port] ; ... ] }; [ Opt, View, Zone ]
  ixfr-from-differences ( yes | no); [ Opt, View, Zone ]
  key-directory path_name; [ Opt, View, Zone ]
  masters [port ip_port] { ( masters_list | ip_addr 
      [port ip_port] [key key] ) ; [...] } ; ] [ Zone ]
  max-journal-size size_in_bytes; [ Opt, View, Zone ]
  max-refresh-time seconds ; [ Opt, View, Zone ]
  max-retry-time seconds ; [ Opt, View, Zone ]
  max-transfer-idle-in minutes; [ Opt, View, Zone ]
  max-transfer-idle-out minutes; [ Opt, View, Zone ]
  max-transfer-time-in minutes; [ Opt, View, Zone ]
  max-transfer-time-out minutes; [ Opt, View, Zone ]
  min-refresh-time seconds ; [ Opt, View, Zone ]
  min-retry-time seconds ; [ Opt, View, Zone ]
  multi-master ( yes | no ) ; [ Opt, View, Zone ]
  notify ( yes | no | explicit ); [ Opt, View, Zone ]
  notify-source (ip4_addr | *) [port ip_port] ; [ Opt, View, Zone ]
  notify-source-v6 (ip6_addr | *) [port ip_port] ; [ Opt, View, Zone ]
  sig-validity-interval number ; [ Opt, View, Zone ]
  sig-validity-interval days ; [ Opt, View, Zone ]
  transfer-source (ip4_addr | *) [port ip_port] ; [ Opt, View, Zone ]
  transfer-source-v6 (ip6_addr | *) [port ip_port] ; [ Opt, View, Zone ]
  type zone_type; [ Zone ]
  update-policy { update_policy_rule [...] }; [ Zone ]
  use-alt-transfer-source ( yes | no ); [ Opt, View, Zone ]
  zone-statistics ( yes | no ) ; [ Opt, View, Zone ]

zone Clause Syntax

zone "zone_name" [class] {
   // zone statements
zone "example.com" {

The zone_name field is a quoted string and defines the zone to which the statements in this zone clause apply e.g. "example.com". class is optional and if omitted class IN is defaulted.


 check-names (warn|fail|ignore) ;
 check-names fail;

The check-names statement will cause any host name for the zone to be checked for compliance with RFC 952 and RFC 1123 and take the defined action. Care should be taken when using this statement because many modern RRs e.g. SRV use names which do not meet these standards (they contain underscore) but which are permitted by RFC 2181 which greatly liberalized the rules for names (see labels and names). The default is not to perform host name checks. check-names may also appear in a view or options clause where it has a different syntax.


 file "file_name";
 file "slave.example.com";

Defines the file used by the zone in quoted string format e.g. "slave.example.com" - or whatever convention you use. The file entry is mandatory for master and hint and optional - but highly recommended - for slave and not required for forward zones. The file may be an absolute path or relative to directory.

// defines an optional slave file used to save zone data
 type slave;
 file "slave.example.com";
// defines a master zone file 
 type master;
 file "master.example.net";


 masters [ port pg_num ] { ( masters_list | ipv4
             [port p_num] | ipv6 [port p_num ] ) [ key "key_string" ]; ... };
 masters {;};

This statement is valid only with slave zones and defines one or more IP addresses and optional ports numbers of servers that hold the master zone file. The slave will use the defined IP address(es) to update the zone file when the SOA RR refresh parameter is reached. The pg_num parameters changes the port number used for zone transfers for all the listed servers. The p_num parameters changes the port number for the specific IP address. masters_list references a list of masters defined in a masters clause. The key value defines the key to be used to authenticate the zone transfer. The following example shows three masters one of which will use port 1127 for zone transfers and one of which is an IPv6 address:

// named.conf fragment
zone "example.com" in {
    type slave;
    file "slave.example.com";
    masters {; port 1127; 2001:db8:0:1::15};


 type zone_type;
 type forward;

The zone type may take one of the following values:

master The server has a master copy of the zone data and provides authoritative answers for the zone.
forward A zone of type forward is simply a way to configure forwarding on a per-domain or per zone basis. To be effective both a forward and forwarders statement should be included. If no forwarders statement is present or an empty list is provided then no forwarding will be done for the domain canceling the effects of any forwarders in the options clause.
hint The initial set of root-servers is defined using a hint zone. When the server starts up it uses the hints zone file to find a root name server and get the most recent list of root name servers. If no hint zone is specified for class IN, the server uses a compiled-in default set of root servers. Classes other than IN have no built-in defaults hints. 'hint' zone files are covered in more detail under required zones.
slave A slave zone is a replica of the master zone and obtains its zone data by zone transfer operations. The slave will respond authoritatively for the zone as long as it has valid (not timed out) zone data. The masters statement specifies one or more IP addresses of master servers that the slave contacts to refresh or update its copy of the zone data. When the TTL specified by the refresh parameter is reached the slave will query the SOA RR from the zone master. If the sn paramater (serial number) is greater than the current value a zone tansfer is initiated. If the slave cannot obtain a new copy of the zone data when the SOA expiry value is reached then it will stop responding for the zone. Authentication to the master can also be done with per-server TSIG keys (see masters statement). By default zone transfers are made from port 53 but this can be changed using the masters statement. If a file statement is defined then the zone data will be written to this file whenever the zone is changed and reloaded from this file on a server restart.
stub A stub zone is similar to a slave zone except that it replicates only the NS records of a master zone instead of the entire zone. Stub zones are not a standard part of the DNS they are a feature specific to the BIND implementation and should not be used unless there is a specific requirement.
delegation-only Indicates only referrals (or delegations) will be issued for the zone and should used for TLDs only not leaf (non TLD) zones. The generation of referrals in leaf zones is determined by the RRs contained in it (see Chapter 9 Delegation of Sub-domains).

Pro DNS and BIND by Ron Aitchison


tech info
guides home
dns articles
1 objectives
big picture
2 concepts
3 reverse map
4 dns types
5 install bind
6 samples
7 named.conf
8 dns records
9 howtos
10 tools
11 trouble
12 bind api's
13 dns security
bits & bytes
15 messages
notes & tips
registration FAQ
dns resources
dns rfc's
change log