nsd.conf.sample.in revision 1.1.1.5
1# 2# nsd.conf -- the NSD(8) configuration file, nsd.conf(5). 3# 4# Copyright (c) 2001-2011, NLnet Labs. All rights reserved. 5# 6# See LICENSE for the license. 7# 8 9# This is a comment. 10# Sample configuration file 11# include: "file" # include that file's text over here. Globbed, "*.conf" 12 13# options for the nsd server 14server: 15 # Number of NSD servers to fork. Put the number of CPUs to use here. 16 # server-count: 1 17 18 # uncomment to specify specific interfaces to bind (default are the 19 # wildcard interfaces 0.0.0.0 and ::0). 20 # For servers with multiple IP addresses, list them one by one, 21 # or the source address of replies could be wrong. 22 # Use ip-transparent to be able to list addresses that turn on later. 23 # ip-address: 1.2.3.4 24 # ip-address: 1.2.3.4@5678 25 # ip-address: 12fe::8ef0 26 27 # Allow binding to non local addresses. Default no. 28 # ip-transparent: no 29 30 # Allow binding to addresses that are down. Default no. 31 # ip-freebind: no 32 33 # use the reuseport socket option for performance. Default no. 34 # reuseport: no 35 36 # override maximum socket send buffer size. Default of 0 results in 37 # send buffer size being set to 1048576 (bytes). 38 # send-buffer-size: 1048576 39 40 # override maximum socket receive buffer size. Default of 0 results in 41 # receive buffer size being set to 1048576 (bytes). 42 # receive-buffer-size: 1048576 43 44 # enable debug mode, does not fork daemon process into the background. 45 # debug-mode: no 46 47 # listen on IPv4 connections 48 # do-ip4: yes 49 50 # listen on IPv6 connections 51 # do-ip6: yes 52 53 # port to answer queries on. default is 53. 54 # port: 53 55 56 # Verbosity level. 57 # verbosity: 0 58 59 # After binding socket, drop user privileges. 60 # can be a username, id or id.gid. 61 # username: @user@ 62 63 # Run NSD in a chroot-jail. 64 # make sure to have pidfile and database reachable from there. 65 # by default, no chroot-jail is used. 
66 # chroot: "@configdir@" 67 68 # The directory for zonefile: files. The daemon chdirs here. 69 # zonesdir: "@zonesdir@" 70 71 # the list of dynamically added zones. 72 # zonelistfile: "@zonelistfile@" 73 74 # the database to use 75 # if set to "" then no disk-database is used, less memory usage. 76 # database: "@dbfile@" 77 78 # log messages to file. Default to stderr and syslog (with 79 # facility LOG_DAEMON). stderr disappears when daemon goes to bg. 80 # logfile: "@logfile@" 81 82 # File to store pid for nsd in. 83 # pidfile: "@pidfile@" 84 85 # The file where secondary zone refresh and expire timeouts are kept. 86 # If you delete this file, all secondary zones are forced to be 87 # 'refreshing' (as if nsd got a notify). Set to "" to disable. 88 # xfrdfile: "@xfrdfile@" 89 90 # The directory where zone transfers are stored, in a subdir of it. 91 # xfrdir: "@xfrdir@" 92 93 # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries 94 # hide-version: no 95 96 # don't answer HOSTNAME.BIND and ID.SERVER CHAOS class queries 97 # hide-identity: no 98 99 # version string the server responds with for chaos queries. 100 # default is 'NSD x.y.z' with the server's version number. 101 # version: "NSD" 102 103 # identify the server (CH TXT ID.SERVER entry). 104 # identity: "unidentified server" 105 106 # NSID identity (hex string, or "ascii_somestring"). default disabled. 107 # nsid: "aabbccdd" 108 109 # Maximum number of concurrent TCP connections per server. 110 # tcp-count: 100 111 112 # Accept (and immediately close) TCP connections after maximum number 113 # of connections is reached to prevent kernel connection queue from 114 # growing. 115 # tcp-reject-overflow: no 116 117 # Maximum number of queries served on a single TCP connection. 118 # By default 0, which means no maximum. 119 # tcp-query-count: 0 120 121 # Override the default (120 seconds) TCP timeout. 
122 # tcp-timeout: 120 123 124 # Maximum segment size (MSS) of TCP socket on which the server 125 # responds to queries. Default is 0, system default MSS. 126 # tcp-mss: 0 127 128 # Maximum segment size (MSS) of TCP socket for outgoing AXFR request. 129 # Default is 0, system default MSS. 130 # outgoing-tcp-mss: 0 131 132 # Preferred EDNS buffer size for IPv4. 133 # ipv4-edns-size: 4096 134 135 # Preferred EDNS buffer size for IPv6. 136 # ipv6-edns-size: 4096 137 138 # statistics are produced every number of seconds. Prints to log. 139 # Default is 0, meaning no statistics are produced. 140 # statistics: 3600 141 142 # Number of seconds between reloads triggered by xfrd. 143 # xfrd-reload-timeout: 1 144 145 # log timestamp in ascii (y-m-d h:m:s.msec), yes is default. 146 # log-time-ascii: yes 147 148 # round robin rotation of records in the answer. 149 # round-robin: no 150 151 # minimal-responses only emits extra data for referrals. 152 # minimal-responses: no 153 154 # Do not return additional information if the apex zone of the 155 # additional information is configured but does not match the apex zone 156 # of the initial query. 157 # confine-to-zone: no 158 159 # refuse queries of type ANY. For stopping floods. 160 # refuse-any: no 161 162 # check mtime of all zone files on start and sighup 163 # zonefiles-check: yes 164 165 # write changed zonefiles to disk, every N seconds. 166 # default is 0(disabled) or 3600(if database is ""). 167 # zonefiles-write: 3600 168 169 # RRLconfig 170 # Response Rate Limiting, size of the hashtable. Default 1000000. 171 # rrl-size: 1000000 172 173 # Response Rate Limiting, maximum QPS allowed (from one query source). 174 # If set to 0, ratelimiting is disabled. Also set 175 # rrl-whitelist-ratelimit to 0 to disable ratelimit processing. 176 # Default is @ratelimit_default@. 
177 # rrl-ratelimit: 200 178 179 # Response Rate Limiting, number of packets to discard before 180 # sending a SLIP response (a truncated one, allowing an honest 181 # resolver to retry with TCP). Default is 2 (one half of the 182 # queries will receive a SLIP response), 0 disables SLIP (all 183 # packets are discarded), 1 means every request will get a 184 # SLIP response. When the ratelimit is hit the traffic is 185 # divided by the rrl-slip value. 186 # rrl-slip: 2 187 188 # Response Rate Limiting, IPv4 prefix length. Addresses are 189 # grouped by netblock. 190 # rrl-ipv4-prefix-length: 24 191 192 # Response Rate Limiting, IPv6 prefix length. Addresses are 193 # grouped by netblock. 194 # rrl-ipv6-prefix-length: 64 195 196 # Response Rate Limiting, maximum QPS allowed (from one query source) 197 # for whitelisted types. Default is @ratelimit_default@. 198 # rrl-whitelist-ratelimit: 2000 199 # RRLend 200 201 # Service clients over TLS (on the TCP sockets), with plain DNS inside 202 # the TLS stream. Give the certificate to use and private key. 203 # Default is "" (disabled). Requires restart to take effect. 204 # tls-service-key: "path/to/privatekeyfile.key" 205 # tls-service-pem: "path/to/publiccertfile.pem" 206 # tls-service-ocsp: "path/to/ocsp.pem" 207 # tls-port: 853 208 209# DNSTAP config section, if compiled with that 210# dnstap: 211 # set this to yes and set one or more of dnstap-log-..-messages to yes. 212 # dnstap-enable: no 213 # dnstap-socket-path: "/var/run/dnstap.sock" 214 # dnstap-send-identity: no 215 # dnstap-send-version: no 216 # dnstap-identity: "" 217 # dnstap-version: "" 218 # dnstap-log-auth-query-messages: no 219 # dnstap-log-auth-response-messages: no 220 221# Remote control config section. 222remote-control: 223 # Enable remote control with nsd-control(8) here. 224 # set up the keys and certificates with nsd-control-setup. 225 # control-enable: no 226 227 # what interfaces are listened to for control, default is on localhost. 
228 # with an absolute path, a unix local named pipe is used for control 229 # (and key and cert files are not needed, use directory permissions). 230 # control-interface: 127.0.0.1 231 # control-interface: ::1 232 233 # port number for remote control operations (uses TLS over TCP). 234 # control-port: 8952 235 236 # nsd server key file for remote control. 237 # server-key-file: "@configdir@/nsd_server.key" 238 239 # nsd server certificate file for remote control. 240 # server-cert-file: "@configdir@/nsd_server.pem" 241 242 # nsd-control key file. 243 # control-key-file: "@configdir@/nsd_control.key" 244 245 # nsd-control certificate file. 246 # control-cert-file: "@configdir@/nsd_control.pem" 247 248 249# Secret keys for TSIGs that secure zone transfers. 250# You could include: "secret.keys" and put the 'key:' statements in there, 251# and give that file special access control permissions. 252# 253# key: 254 # The key name is sent to the other party, it must be the same 255 #name: "keyname" 256 # algorithm hmac-md5, or sha1, sha256, sha224, sha384, sha512 257 #algorithm: sha256 258 # secret material, must be the same as the other party uses. 259 # base64 encoded random number. 260 # e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64 261 #secret: "K2tf3TRjvQkVCmJF3/Z9vA==" 262 263 264# Patterns have zone configuration and they are shared by one or more zones. 265# 266# pattern: 267 # name by which the pattern is referred to 268 #name: "myzones" 269 # the zonefile for the zones that use this pattern. 270 # if relative then from the zonesdir (inside the chroot). 271 # the name is processed: %s - zone name (as appears in zone:name). 272 # %1 - first character of zone name, %2 second, %3 third. 273 # %z - topleveldomain label of zone, %y, %x next labels in name. 274 # if label or character does not exist you get a dot '.'. 
275 # for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s" 276 #zonefile: "%s.zone" 277 278 # If no master and slave access control elements are provided, 279 # this zone will not be served to/from other servers. 280 281 # A master zone needs notify: and provide-xfr: lists. A slave 282 # may also allow zone transfer (for debug or other secondaries). 283 # notify these slaves when the master zone changes, address TSIG|NOKEY 284 # IP can be ipv4 and ipv6, with @port for a nondefault port number. 285 #notify: 192.0.2.1 NOKEY 286 # allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED 287 # address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40 288 #provide-xfr: 192.0.2.0/24 my_tsig_key_name 289 # set the number of retries for notify. 290 #notify-retry: 5 291 292 # uncomment to provide AXFR to all the world 293 # provide-xfr: 0.0.0.0/0 NOKEY 294 # provide-xfr: ::0/0 NOKEY 295 296 # A slave zone needs allow-notify: and request-xfr: lists. 297 #allow-notify: 2001:db8::0/64 my_tsig_key_name 298 # By default, a slave will request a zone transfer with IXFR/TCP. 299 # If you want to make use of IXFR/UDP use: UDP addr tsigkey 300 # for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey 301 #request-xfr: 192.0.2.2 the_tsig_key_name 302 # Attention: You cannot use UDP and AXFR together. AXFR is always over 303 # TCP. If you use UDP, we highly recommend that you deploy TSIG. 304 # Allow AXFR fallback if the master does not support IXFR. Default 305 # is yes. 306 #allow-axfr-fallback: yes 307 # set local interface for sending zone transfer requests. 308 # default is to let the OS choose. 309 #outgoing-interface: 10.0.0.10 310 # limit the refresh and retry interval in seconds. 311 #max-refresh-time: 2419200 312 #min-refresh-time: 0 313 #max-retry-time: 1209600 314 #min-retry-time: 0 315 # Slave server tries zone transfer to all masters and picks highest 316 # zone version available, for when masters have different versions. 
317 #multi-master-check: no 318 319 # limit the zone transfer size (in bytes), stops very large transfers 320 # 0 is no limits enforced. 321 # size-limit-xfr: 0 322 323 # if compiled with --enable-zone-stats, give name of stat block for 324 # this zone (or group of zones). Output from nsd-control stats. 325 # zonestats: "%s" 326 327 # if you give another pattern name here, at this point the settings 328 # from that pattern are inserted into this one (as if it were a 329 # macro). The statement can be given in between other statements, 330 # because the order of access control elements can make a difference 331 # (which master to request from first, which slave to notify first). 332 #include-pattern: "common-masters" 333 334 335# Fixed zone entries. Here you can config zones that cannot be deleted. 336# Zones that are dynamically added and deleted are put in the zonelist file. 337# 338# zone: 339 # name: "example.com" 340 # you can give a pattern here, all the settings from that pattern 341 # are then inserted at this point 342 # include-pattern: "master" 343 # You can also specify (additional) options directly for this zone. 344 # zonefile: "example.com.zone" 345 # request-xfr: 192.0.2.1 example.com.key 346 347 # RRLconfig 348 # Response Rate Limiting, whitelist types 349 # rrl-whitelist: nxdomain 350 # rrl-whitelist: error 351 # rrl-whitelist: referral 352 # rrl-whitelist: any 353 # rrl-whitelist: rrsig 354 # rrl-whitelist: wildcard 355 # rrl-whitelist: nodata 356 # rrl-whitelist: dnskey 357 # rrl-whitelist: positive 358 # rrl-whitelist: all 359 # RRLend 360 361