nsd.conf.sample.in revision 1.1.1.3
1#
2# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
3#
4# Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
5#
6# See LICENSE for the license.
7#
8
9# This is a comment.
10# Sample configuration file
11# include: "file" # include that file's text over here.  Globbed, "*.conf"
12
13# options for the nsd server
14server:
15	# Number of NSD servers to fork.  Put the number of CPUs to use here.
16	# server-count: 1
17
18	# uncomment to specify specific interfaces to bind (default are the
19	# wildcard interfaces 0.0.0.0 and ::0).
20	# For servers with multiple IP addresses, list them one by one,
21	# or the source address of replies could be wrong.
22	# Use ip-transparent to be able to list addresses that only become available later.
23	# ip-address: 1.2.3.4
24	# ip-address: 1.2.3.4@5678
25	# ip-address: 12fe::8ef0
26
27	# Allow binding to non-local addresses. Default is no.
28	# ip-transparent: no
29
30	# Allow binding to addresses that are down.  Default no.
31	# ip-freebind: no
32
33	# use the reuseport socket option for performance. Default no.
34	# reuseport: no
35
36	# enable debug mode, does not fork daemon process into the background.
37	# debug-mode: no
38
39	# use systemd for readiness signalling.
40	# use-systemd: no
41
42	# listen on IPv4 connections
43	# do-ip4: yes
44
45	# listen on IPv6 connections
46	# do-ip6: yes
47
48	# port to answer queries on. default is 53.
49	# port: 53
50
51	# Verbosity level.
52	# verbosity: 0
53
54	# After binding socket, drop user privileges.
55	# can be a username, id or id.gid.
56	# username: @user@
57
58	# Run NSD in a chroot-jail.
59	# make sure the pidfile and database are reachable from inside the jail.
60	# by default, no chroot-jail is used.
61	# chroot: "@configdir@"
62
63	# The directory for zonefile: files.  The daemon chdirs here.
64	# zonesdir: "@zonesdir@"
65	
66	# the list of dynamically added zones.
67	# zonelistfile: "@zonelistfile@"
68
69	# the database to use
70	# if set to "" then no disk database is used, which uses less memory.
71	# database: "@dbfile@"
72
73	# log messages to file. Default to stderr and syslog (with
74	# facility LOG_DAEMON).  stderr disappears when daemon goes to bg.
75	# logfile: "@logfile@"
76
77	# File to store pid for nsd in.
78	# pidfile: "@pidfile@"
79
80	# The file where secondary zone refresh and expire timeouts are kept.
81	# If you delete this file, all secondary zones are forced to be
82	# 'refreshing' (as if nsd got a notify).  Set to "" to disable.
83	# xfrdfile: "@xfrdfile@"
84
85	# The directory where zone transfers are stored, in a subdir of it.
86	# xfrdir: "@xfrdir@"
87
88	# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
89	# hide-version: no
90
91	# version string the server responds with for chaos queries.
92	# default is 'NSD x.y.z' with the server's version number.
93	# version: "NSD"
94
95	# identify the server (CH TXT ID.SERVER entry).
96	# identity: "unidentified server"
97
98	# NSID identity (hex string, or "ascii_somestring"). default disabled.
99	# nsid: "aabbccdd"
100
101	# Maximum number of concurrent TCP connections per server.
102	# tcp-count: 100
103
104	# Maximum number of queries served on a single TCP connection.
105	# By default 0, which means no maximum.
106	# tcp-query-count: 0
107
108	# Override the default (120 seconds) TCP timeout.
109	# tcp-timeout: 120
110
111	# Maximum segment size (MSS) of TCP socket on which the server
112	# responds to queries. Default is 0, system default MSS.
113	# tcp-mss: 0
114
115	# Maximum segment size (MSS) of TCP socket for outgoing AXFR request.
116	# Default is 0, system default MSS.
117	# outgoing-tcp-mss: 0
118
119	# Preferred EDNS buffer size for IPv4.
120	# ipv4-edns-size: 4096
121
122	# Preferred EDNS buffer size for IPv6.
123	# ipv6-edns-size: 4096
124
125	# statistics are produced every number of seconds. Prints to log.
126	# Default is 0, meaning no statistics are produced.
127	# statistics: 3600
128
129	# Number of seconds between reloads triggered by xfrd.
130	# xfrd-reload-timeout: 1
131	
132	# log timestamp in ascii (y-m-d h:m:s.msec); the default is yes.
133	# log-time-ascii: yes
134
135	# round robin rotation of records in the answer.
136	# round-robin: no
137
138	# minimal-responses only emits extra data for referrals.
139	# minimal-responses: no
140
141	# refuse queries of type ANY.  For stopping floods.
142	# refuse-any: no
143
144	# check mtime of all zone files on start and sighup
145	# zonefiles-check: yes
146	
147	# write changed zonefiles to disk, every N seconds.
148	# default is 0 (disabled) or 3600 (if database is "").
149	# zonefiles-write: 3600
150
151	# RRLconfig
152	# Response Rate Limiting, size of the hashtable. Default 1000000.
153	# rrl-size: 1000000
154
155	# Response Rate Limiting, maximum QPS allowed (from one query source).
156	# If set to 0, ratelimiting is disabled. Also set
157	# rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
158	# Default is @ratelimit_default@.
159	# rrl-ratelimit: 200
160
161	# Response Rate Limiting, number of packets to discard before
162	# sending a SLIP response (a truncated one, allowing an honest
163	# resolver to retry with TCP). Default is 2 (one half of the
164	# queries will receive a SLIP response), 0 disables SLIP (all
165	# packets are discarded), 1 means every request will get a
166	# SLIP response.  When the ratelimit is hit the traffic is
167	# divided by the rrl-slip value.
168	# rrl-slip: 2
169
170	# Response Rate Limiting, IPv4 prefix length. Addresses are
171	# grouped by netblock.
172	# rrl-ipv4-prefix-length: 24
173
174	# Response Rate Limiting, IPv6 prefix length. Addresses are
175	# grouped by netblock.
176	# rrl-ipv6-prefix-length: 64
177
178	# Response Rate Limiting, maximum QPS allowed (from one query source)
179	# for whitelisted types. Default is @ratelimit_default@.
180	# rrl-whitelist-ratelimit: 2000
181	# RRLend
182
183# Remote control config section. 
184remote-control:
185	# Enable remote control with nsd-control(8) here.
186	# set up the keys and certificates with nsd-control-setup.
187	# control-enable: no
188
189	# what interfaces are listened to for control, default is on localhost.
190	# with an absolute path, a unix local named pipe is used for control
191	# (and key and cert files are not needed, use directory permissions).
192	# control-interface: 127.0.0.1
193	# control-interface: ::1
194
195	# port number for remote control operations (uses TLS over TCP).
196	# control-port: 8952
197
198	# nsd server key file for remote control.
199	# server-key-file: "@configdir@/nsd_server.key"
200
201	# nsd server certificate file for remote control.
202	# server-cert-file: "@configdir@/nsd_server.pem"
203
204	# nsd-control key file.
205	# control-key-file: "@configdir@/nsd_control.key"
206
207	# nsd-control certificate file.
208	# control-cert-file: "@configdir@/nsd_control.pem"
209
210
211# Secret keys for TSIGs that secure zone transfers.
212# You could include: "secret.keys" and put the 'key:' statements in there,
213# and give that file restrictive access permissions.
214#
215# key:
216	# The key name is sent to the other party; it must be the same on both sides.
217	#name: "keyname"
218	# algorithm: one of hmac-md5, sha1, sha256, sha224, sha384, sha512
219	#algorithm: sha256
220	# secret material, must be the same as the other party uses.
221	# base64 encoded random number.
222	# e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64
223	#secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
224
225
226# Patterns have zone configuration and they are shared by one or more zones.
227#
228# pattern:
229	# name by which the pattern is referred to
230	#name: "myzones"
231	# the zonefile for the zones that use this pattern.
232	# if relative then from the zonesdir (inside the chroot).
233	# the name is processed: %s - zone name (as appears in zone:name).
234	# %1 - first character of zone name, %2 second, %3 third.
235	# %z - topleveldomain label of zone, %y, %x next labels in name.
236	# if label or character does not exist you get a dot '.'.
237	# for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s"
238	#zonefile: "%s.zone"
239	
240	# If no master and slave access control elements are provided,
241	# this zone will not be served to/from other servers.
242
243	# A master zone needs notify: and provide-xfr: lists.  A slave
244	# may also allow zone transfer (for debug or other secondaries).
245	# notify these slaves when the master zone changes, address TSIG|NOKEY
246	# IP can be ipv4 and ipv6, with @port for a nondefault port number.
247	#notify: 192.0.2.1 NOKEY
248	# allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED
249	# address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40
250	#provide-xfr: 192.0.2.0/24 my_tsig_key_name
251	# set the number of retries for notify.
252	#notify-retry: 5
253
254	# uncomment to provide AXFR to the whole world (any address, no TSIG key required)
255	# provide-xfr: 0.0.0.0/0 NOKEY
256	# provide-xfr: ::0/0 NOKEY
257
258	# A slave zone needs allow-notify: and request-xfr: lists.
259	#allow-notify: 2001:db8::0/64 my_tsig_key_name
260	# By default, a slave will request a zone transfer with IXFR/TCP.
261	# If you want to make use of IXFR/UDP use: UDP addr tsigkey
262	# for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey
263	#request-xfr: 192.0.2.2 the_tsig_key_name
264	# Attention: You cannot use UDP and AXFR together. AXFR is always over
265	# TCP. If you use UDP, we highly recommend that you deploy TSIG.
266	# Allow AXFR fallback if the master does not support IXFR. Default
267	# is yes.
268	#allow-axfr-fallback: yes
269	# set local interface for sending zone transfer requests.
270	# default is to let the OS choose.
271	#outgoing-interface: 10.0.0.10
272	# limit the refresh and retry interval in seconds.
273	#max-refresh-time: 2419200
274	#min-refresh-time: 0
275	#max-retry-time: 1209600
276	#min-retry-time: 0
277	# Slave server tries zone transfer to all masters and picks highest
278	# zone version available, for when masters have different versions.
279	#multi-master-check: no
280
281	# limit the zone transfer size (in bytes); stops very large transfers.
282	# 0 means no limit is enforced.
283	# size-limit-xfr: 0
284
285	# if compiled with --enable-zone-stats, give name of stat block for
286	# this zone (or group of zones).  Output from nsd-control stats.
287	# zonestats: "%s"
288
289	# if you give another pattern name here, at this point the settings
290	# from that pattern are inserted into this one (as if it were a 
291	# macro).  The statement can be given in between other statements,
292	# because the order of access control elements can make a difference
293	# (which master to request from first, which slave to notify first).
294	#include-pattern: "common-masters"
295
296
297# Fixed zone entries.  Here you can config zones that cannot be deleted.
298# Zones that are dynamically added and deleted are put in the zonelist file.
299#
300# zone:
301 	# name: "example.com"
302 	# you can give a pattern here, all the settings from that pattern
303 	# are then inserted at this point
304 	# include-pattern: "master"
305 	# You can also specify (additional) options directly for this zone.
306 	# zonefile: "example.com.zone"
307 	# request-xfr: 192.0.2.1 example.com.key
308
309	# RRLconfig
310	# Response Rate Limiting, whitelist types
311	# rrl-whitelist: nxdomain
312	# rrl-whitelist: error
313	# rrl-whitelist: referral
314	# rrl-whitelist: any
315	# rrl-whitelist: rrsig
316	# rrl-whitelist: wildcard
317	# rrl-whitelist: nodata
318	# rrl-whitelist: dnskey
319	# rrl-whitelist: positive
320	# rrl-whitelist: all
321	# RRLend
322
323