acl { ; ... }; // may occur multiple times controls { inet ( | | * ) [ port ( | * ) ] allow { ; ... } [ keys { ; ... } ] [ read-only ]; // may occur multiple times unix perm owner group [ keys { ; ... } ] [ read-only ]; // may occur multiple times }; // may occur multiple times dlz { database ; search ; }; // may occur multiple times dnssec-policy { cdnskey ; cds-digest-types { ; ... }; dnskey-ttl ; inline-signing ; keys { ( csk | ksk | zsk ) [ key-directory | key-store ] lifetime algorithm [ tag-range ] [ ]; ... }; max-zone-ttl ; nsec3param [ iterations ] [ optout ] [ salt-length ]; offline-ksk ; parent-ds-ttl ; parent-propagation-delay ; publish-safety ; purge-keys ; retire-safety ; signatures-jitter ; signatures-refresh ; signatures-validity ; signatures-validity-dnskey ; zone-propagation-delay ; }; // may occur multiple times dyndb { }; // may occur multiple times http { endpoints { ; ... }; listener-clients ; streams-per-connection ; }; // may occur multiple times key { algorithm ; secret ; }; // may occur multiple times key-store { directory ; pkcs11-uri ; }; // may occur multiple times logging { category { ; ... }; // may occur multiple times channel { buffered ; file [ versions ( unlimited | ) ] [ size ] [ suffix ( increment | timestamp ) ]; null; print-category ; print-severity ; print-time ( iso8601 | iso8601-utc | local | ); severity ; stderr; syslog [ ]; }; // may occur multiple times }; managed-keys { ( static-key | initial-key | static-ds | initial-ds ) ; ... }; // may occur multiple times, deprecated options { allow-new-zones ; allow-notify { ; ... }; allow-proxy { ; ... }; // experimental allow-proxy-on { ; ... }; // experimental allow-query { ; ... }; allow-query-cache { ; ... }; allow-query-cache-on { ; ... }; allow-query-on { ; ... }; allow-recursion { ; ... }; allow-recursion-on { ; ... }; allow-transfer [ port ] [ transport ] { ; ... }; allow-update { ; ... }; allow-update-forwarding { ; ... }; also-notify [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... }; answer-cookie ; attach-cache ; auth-nxdomain ; automatic-interface-scan ; avoid-v4-udp-ports { ; ... }; // deprecated avoid-v6-udp-ports { ; ... }; // deprecated bindkeys-file ; // test only blackhole { ; ... }; catalog-zones { zone [ default-primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... } ] [ zone-directory ] [ in-memory ] [ min-update-interval ]; ... }; check-dup-records ( fail | warn | ignore ); check-integrity ; check-mx ( fail | warn | ignore ); check-mx-cname ( fail | warn | ignore ); check-names ( primary | master | secondary | slave | response ) ( fail | warn | ignore ); // may occur multiple times check-sibling ; check-spf ( warn | ignore ); check-srv-cname ( fail | warn | ignore ); check-svcb ; check-wildcard ; clients-per-query ; cookie-algorithm ( siphash24 ); cookie-secret ; // may occur multiple times deny-answer-addresses { ; ... } [ except-from { ; ... } ]; deny-answer-aliases { ; ... } [ except-from { ; ... } ]; dialup ( notify | notify-passive | passive | refresh | ); // deprecated directory ; disable-algorithms { ; ... }; // may occur multiple times disable-ds-digests { ; ... }; // may occur multiple times disable-empty-zone ; // may occur multiple times dns64 { break-dnssec ; clients { ; ... }; exclude { ; ... }; mapped { ; ... }; recursive-only ; suffix ; }; // may occur multiple times dns64-contact ; dns64-server ; dnskey-sig-validity ; // obsolete dnsrps-enable ; // not configured dnsrps-library ; // not configured dnsrps-options { }; // not configured dnssec-accept-expired ; dnssec-dnskey-kskonly ; // obsolete dnssec-loadkeys-interval ; dnssec-must-be-secure ; // may occur multiple times, deprecated dnssec-policy ; dnssec-secure-to-insecure ; // obsolete dnssec-update-mode ( maintain | no-resign ); // obsolete dnssec-validation ( yes | no | auto ); dnstap { ( all | auth | client | forwarder | resolver | update ) [ ( query | response ) ]; ... }; // not configured dnstap-identity ( | none | hostname ); // not configured dnstap-output ( file | unix ) [ size ( unlimited | ) ] [ versions ( unlimited | ) ] [ suffix ( increment | timestamp ) ]; // not configured dnstap-version ( | none ); // not configured dual-stack-servers [ port ] { ( [ port ] | [ port ] | [ port ] ); ... }; dump-file ; edns-udp-size ; empty-contact ; empty-server ; empty-zones-enable ; fetch-quota-params ; fetches-per-server [ ( drop | fail ) ]; fetches-per-zone [ ( drop | fail ) ]; flush-zones-on-shutdown ; forward ( first | only ); forwarders [ port ] [ tls ] { ( | ) [ port ] [ tls ]; ... }; fstrm-set-buffer-hint ; // not configured fstrm-set-flush-timeout ; // not configured fstrm-set-input-queue-size ; // not configured fstrm-set-output-notify-threshold ; // not configured fstrm-set-output-queue-model ( mpsc | spsc ); // not configured fstrm-set-output-queue-size ; // not configured fstrm-set-reopen-interval ; // not configured geoip-directory ( | none ); heartbeat-interval ; // deprecated hostname ( | none ); http-listener-clients ; http-port ; http-streams-per-connection ; https-port ; interface-interval ; ipv4only-contact ; ipv4only-enable ; ipv4only-server ; ixfr-from-differences ( primary | master | secondary | slave | ); keep-response-order { ; ... }; // obsolete key-directory ; lame-ttl ; listen-on [ port ] [ proxy ] [ tls ] [ http ] { ; ... }; // may occur multiple times listen-on-v6 [ port ] [ proxy ] [ tls ] [ http ] { ; ... }; // may occur multiple times lmdb-mapsize ; managed-keys-directory ; masterfile-format ( raw | text ); masterfile-style ( full | relative ); match-mapped-addresses ; max-cache-size ( default | unlimited | | ); max-cache-ttl ; max-clients-per-query ; max-ixfr-ratio ( unlimited | ); max-journal-size ( default | unlimited | ); max-ncache-ttl ; max-query-restarts ; max-records ; max-records-per-type ; max-recursion-depth ; max-recursion-queries ; max-refresh-time ; max-retry-time ; max-rsa-exponent-size ; max-stale-ttl ; max-transfer-idle-in ; max-transfer-idle-out ; max-transfer-time-in ; max-transfer-time-out ; max-types-per-name ; max-udp-size ; max-validation-failures-per-fetch ; // experimental max-validations-per-fetch ; // experimental max-zone-ttl ( unlimited | ); // deprecated memstatistics ; memstatistics-file ; message-compression ; min-cache-ttl ; min-ncache-ttl ; min-refresh-time ; min-retry-time ; minimal-any ; minimal-responses ( no-auth | no-auth-recursive | ); multi-master ; new-zones-directory ; no-case-compress { ; ... }; nocookie-udp-size ; notify ( explicit | master-only | primary-only | ); notify-delay ; notify-rate ; notify-source ( | * ); notify-source-v6 ( | * ); notify-to-soa ; nsec3-test-zone ; // test only nta-lifetime ; nta-recheck ; nxdomain-redirect ; parental-source ( | * ); parental-source-v6 ( | * ); pid-file ( | none ); port ; preferred-glue ; prefetch [ ]; provide-ixfr ; qname-minimization ( strict | relaxed | disabled | off ); query-source [ address ] ( | * ); query-source-v6 [ address ] ( | * ); querylog ; rate-limit { all-per-second ; errors-per-second ; exempt-clients { ; ... }; ipv4-prefix-length ; ipv6-prefix-length ; log-only ; max-table-size ; min-table-size ; nodata-per-second ; nxdomains-per-second ; qps-scale ; referrals-per-second ; responses-per-second ; slip ; window ; }; recursing-file ; recursion ; recursive-clients ; request-expire ; request-ixfr ; request-nsid ; require-server-cookie ; resolver-query-timeout ; resolver-use-dns64 ; response-padding { ; ... } block-size ; response-policy { zone [ add-soa ] [ log ] [ max-policy-ttl ] [ min-update-interval ] [ policy ( cname | disabled | drop | given | no-op | nodata | nxdomain | passthru | tcp-only ) ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ ede ]; ... } [ add-soa ] [ break-dnssec ] [ max-policy-ttl ] [ min-update-interval ] [ min-ns-dots ] [ nsip-wait-recurse ] [ nsdname-wait-recurse ] [ qname-wait-recurse ] [ recursive-only ] [ nsip-enable ] [ nsdname-enable ] [ dnsrps-enable ] [ dnsrps-options { } ]; responselog ; reuseport ; root-key-sentinel ; rrset-order { [ class ] [ type ] [ name ] ; ... }; secroots-file ; send-cookie ; serial-query-rate ; serial-update-method ( date | increment | unixtime ); server-id ( | none | hostname ); servfail-ttl ; session-keyalg ; session-keyfile ( | none ); session-keyname ; sig-signing-nodes ; sig-signing-signatures ; sig-signing-type ; sig-validity-interval [ ]; // obsolete sig0checks-quota ; // experimental sig0checks-quota-exempt { ; ... }; // experimental sortlist { ; ... }; // deprecated stale-answer-client-timeout ( disabled | off | ); stale-answer-enable ; stale-answer-ttl ; stale-cache-enable ; stale-refresh-time ; startup-notify-rate ; statistics-file ; synth-from-dnssec ; tcp-advertised-timeout ; tcp-clients ; tcp-idle-timeout ; tcp-initial-timeout ; tcp-keepalive-timeout ; tcp-listen-queue ; tcp-receive-buffer ; tcp-send-buffer ; tkey-domain ; tkey-gssapi-credential ; tkey-gssapi-keytab ; tls-port ; transfer-format ( many-answers | one-answer ); transfer-message-size ; transfer-source ( | * ); transfer-source-v6 ( | * ); transfers-in ; transfers-out ; transfers-per-ns ; trust-anchor-telemetry ; try-tcp-refresh ; udp-receive-buffer ; udp-send-buffer ; update-check-ksk ; // obsolete update-quota ; use-v4-udp-ports { ; ... }; // deprecated use-v6-udp-ports { ; ... }; // deprecated v6-bias ; validate-except { ; ... }; version ( | none ); zero-no-soa-ttl ; zero-no-soa-ttl-cache ; zone-statistics ( full | terse | none | ); }; parental-agents [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] |