nsd.conf.sample.in revision 1.1.1.6
1# 2# nsd.conf -- the NSD(8) configuration file, nsd.conf(5). 3# 4# Copyright (c) 2001-2011, NLnet Labs. All rights reserved. 5# 6# See LICENSE for the license. 7# 8 9# This is a comment. 10# Sample configuration file 11# include: "file" # include that file's text over here. Globbed, "*.conf" 12 13# options for the nsd server 14server: 15 # Number of NSD servers to fork. Put the number of CPUs to use here. 16 # server-count: 1 17 18 # Set overall CPU affinity for NSD processes on Linux and FreeBSD. 19 # Any server/xfrd CPU affinity value will be masked by this value. 20 # cpu-affinity: 0 1 2 3 21 22 # Bind NSD server(s), configured by server-count (1-based), to a 23 # dedicated core. Single core affinity improves L1/L2 cache hits and 24 # reduces pipeline stalls/flushes. 25 # 26 # server-1-cpu-affinity: 0 27 # server-2-cpu-affinity: 1 28 # ... 29 # server-<N>-cpu-affinity: 2 30 31 # Bind xfrd to a dedicated core. 32 # xfrd-cpu-affinity: 3 33 34 # Specify specific interfaces to bind (default are the wildcard 35 # interfaces 0.0.0.0 and ::0). 36 # For servers with multiple IP addresses, list them one by one, 37 # or the source address of replies could be wrong. 38 # Use ip-transparent to be able to list addresses that turn on later. 39 # ip-address: 1.2.3.4 40 # ip-address: 1.2.3.4@5678 41 # ip-address: 12fe::8ef0 42 # 43 # IP addresses can be configured per-server to avoid waking up more 44 # than one server when a packet comes in (thundering herd problem) or 45 # to partition sockets across servers to improve select/poll 46 # performance. 47 # 48 # ip-address: 1.2.3.4 servers="1-2 3" 49 # ip-address: 1.2.3.4@5678 servers="4-5 6" 50 # 51 # When several interfaces are configured to listen on the same subnet, 52 # care must be taken to ensure responses go out the same interface the 53 # corresponding query came in on to avoid problems with load balancers 54 # and VLAN tagged interfaces. Linux offers the SO_BINDTODEVICE socket 55 # option to bind a socket to a specified device. For FreeBSD, to 56 # achieve the same result, specify the routing table to use after the 57 # IP address to use SO_SETFIB. 58 # 59 # Complement with socket partitioning and CPU affinity for attack 60 # mitigation benefits. i.e. only a single core is maxed out if a 61 # specific IP address is under attack. 62 # 63 # ip-address: 1.2.3.4 setfib=0 bindtodevice=yes 64 # ip-address: 1.2.3.5@6789 setfib=1 bindtodevice=yes 65 66 # Allow binding to non local addresses. Default no. 67 # ip-transparent: no 68 69 # Allow binding to addresses that are down. Default no. 70 # ip-freebind: no 71 72 # Use SO_REUSEPORT socket option for performance. Default no. 73 # reuseport: no 74 75 # override maximum socket send buffer size. Default of 0 results in 76 # send buffer size being set to 1048576 (bytes). 77 # send-buffer-size: 1048576 78 79 # override maximum socket receive buffer size. Default of 0 results in 80 # receive buffer size being set to 1048576 (bytes). 81 # receive-buffer-size: 1048576 82 83 # enable debug mode, does not fork daemon process into the background. 84 # debug-mode: no 85 86 # listen on IPv4 connections 87 # do-ip4: yes 88 89 # listen on IPv6 connections 90 # do-ip6: yes 91 92 # port to answer queries on. default is 53. 93 # port: 53 94 95 # Verbosity level. 96 # verbosity: 0 97 98 # After binding socket, drop user privileges. 99 # can be a username, id or id.gid. 100 # username: @user@ 101 102 # Run NSD in a chroot-jail. 103 # make sure to have pidfile and database reachable from there. 104 # by default, no chroot-jail is used. 105 # chroot: "@configdir@" 106 107 # The directory for zonefile: files. The daemon chdirs here. 108 # zonesdir: "@zonesdir@" 109 110 # the list of dynamically added zones. 111 # zonelistfile: "@zonelistfile@" 112 113 # the database to use 114 # if set to "" then no disk-database is used, less memory usage. 115 # database: "@dbfile@" 116 117 # log messages to file. Default to stderr and syslog (with 118 # facility LOG_DAEMON). stderr disappears when daemon goes to bg. 119 # logfile: "@logfile@" 120 121 # log only to syslog. 122 # log-only-syslog: no 123 124 # File to store pid for nsd in. 125 # pidfile: "@pidfile@" 126 127 # The file where secondary zone refresh and expire timeouts are kept. 128 # If you delete this file, all secondary zones are forced to be 129 # 'refreshing' (as if nsd got a notify). Set to "" to disable. 130 # xfrdfile: "@xfrdfile@" 131 132 # The directory where zone transfers are stored, in a subdir of it. 133 # xfrdir: "@xfrdir@" 134 135 # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries 136 # hide-version: no 137 138 # don't answer HOSTNAME.BIND and ID.SERVER CHAOS class queries 139 # hide-identity: no 140 141 # Drop UPDATE queries 142 # drop-updates: no 143 144 # version string the server responds with for chaos queries. 145 # default is 'NSD x.y.z' with the server's version number. 146 # version: "NSD" 147 148 # identify the server (CH TXT ID.SERVER entry). 149 # identity: "unidentified server" 150 151 # NSID identity (hex string, or "ascii_somestring"). default disabled. 152 # nsid: "aabbccdd" 153 154 # Maximum number of concurrent TCP connections per server. 155 # tcp-count: 100 156 157 # Accept (and immediately close) TCP connections after maximum number 158 # of connections is reached to prevent kernel connection queue from 159 # growing. 160 # tcp-reject-overflow: no 161 162 # Maximum number of queries served on a single TCP connection. 163 # By default 0, which means no maximum. 164 # tcp-query-count: 0 165 166 # Override the default (120 seconds) TCP timeout. 167 # tcp-timeout: 120 168 169 # Maximum segment size (MSS) of TCP socket on which the server 170 # responds to queries. Default is 0, system default MSS. 171 # tcp-mss: 0 172 173 # Maximum segment size (MSS) of TCP socket for outgoing AXFR request. 174 # Default is 0, system default MSS. 175 # outgoing-tcp-mss: 0 176 177 # Preferred EDNS buffer size for IPv4. 178 # ipv4-edns-size: 1232 179 180 # Preferred EDNS buffer size for IPv6. 181 # ipv6-edns-size: 1232 182 183 # statistics are produced every number of seconds. Prints to log. 184 # Default is 0, meaning no statistics are produced. 185 # statistics: 3600 186 187 # Number of seconds between reloads triggered by xfrd. 188 # xfrd-reload-timeout: 1 189 190 # log timestamp in ascii (y-m-d h:m:s.msec), yes is default. 191 # log-time-ascii: yes 192 193 # round robin rotation of records in the answer. 194 # round-robin: no 195 196 # minimal-responses only emits extra data for referrals. 197 # minimal-responses: no 198 199 # Do not return additional information if the apex zone of the 200 # additional information is configured but does not match the apex zone 201 # of the initial query. 202 # confine-to-zone: no 203 204 # refuse queries of type ANY. For stopping floods. 205 # refuse-any: no 206 207 # check mtime of all zone files on start and sighup 208 # zonefiles-check: yes 209 210 # write changed zonefiles to disk, every N seconds. 211 # default is 0(disabled) or 3600(if database is ""). 212 # zonefiles-write: 3600 213 214 # RRLconfig 215 # Response Rate Limiting, size of the hashtable. Default 1000000. 216 # rrl-size: 1000000 217 218 # Response Rate Limiting, maximum QPS allowed (from one query source). 219 # If set to 0, ratelimiting is disabled. Also set 220 # rrl-whitelist-ratelimit to 0 to disable ratelimit processing. 221 # Default is @ratelimit_default@. 222 # rrl-ratelimit: 200 223 224 # Response Rate Limiting, number of packets to discard before 225 # sending a SLIP response (a truncated one, allowing an honest 226 # resolver to retry with TCP). Default is 2 (one half of the 227 # queries will receive a SLIP response, 0 disables SLIP (all 228 # packets are discarded), 1 means every request will get a 229 # SLIP response. When the ratelimit is hit the traffic is 230 # divided by the rrl-slip value. 231 # rrl-slip: 2 232 233 # Response Rate Limiting, IPv4 prefix length. Addresses are 234 # grouped by netblock. 235 # rrl-ipv4-prefix-length: 24 236 237 # Response Rate Limiting, IPv6 prefix length. Addresses are 238 # grouped by netblock. 239 # rrl-ipv6-prefix-length: 64 240 241 # Response Rate Limiting, maximum QPS allowed (from one query source) 242 # for whitelisted types. Default is @ratelimit_default@. 243 # rrl-whitelist-ratelimit: 2000 244 # RRLend 245 246 # Service clients over TLS (on the TCP sockets), with plain DNS inside 247 # the TLS stream. Give the certificate to use and private key. 248 # Default is "" (disabled). Requires restart to take effect. 249 # tls-service-key: "path/to/privatekeyfile.key" 250 # tls-service-pem: "path/to/publiccertfile.pem" 251 # tls-service-ocsp: "path/to/ocsp.pem" 252 # tls-port: 853 253 254# DNSTAP config section, if compiled with that 255# dnstap: 256 # set this to yes and set one or more of dnstap-log-..-messages to yes. 257 # dnstap-enable: no 258 # dnstap-socket-path: "/var/run/dnstap.sock" 259 # dnstap-send-identity: no 260 # dnstap-send-version: no 261 # dnstap-identity: "" 262 # dnstap-version: "" 263 # dnstap-log-auth-query-messages: no 264 # dnstap-log-auth-response-messages: no 265 266# Remote control config section. 267remote-control: 268 # Enable remote control with nsd-control(8) here. 269 # set up the keys and certificates with nsd-control-setup. 270 # control-enable: no 271 272 # what interfaces are listened to for control, default is on localhost. 273 # with an absolute path, a unix local named pipe is used for control 274 # (and key and cert files are not needed, use directory permissions). 275 # control-interface: 127.0.0.1 276 # control-interface: ::1 277 278 # port number for remote control operations (uses TLS over TCP). 279 # control-port: 8952 280 281 # nsd server key file for remote control. 282 # server-key-file: "@configdir@/nsd_server.key" 283 284 # nsd server certificate file for remote control. 285 # server-cert-file: "@configdir@/nsd_server.pem" 286 287 # nsd-control key file. 288 # control-key-file: "@configdir@/nsd_control.key" 289 290 # nsd-control certificate file. 291 # control-cert-file: "@configdir@/nsd_control.pem" 292 293 294# Secret keys for TSIGs that secure zone transfers. 295# You could include: "secret.keys" and put the 'key:' statements in there, 296# and give that file special access control permissions. 297# 298# key: 299 # The key name is sent to the other party, it must be the same 300 #name: "keyname" 301 # algorithm hmac-md5, or sha1, sha256, sha224, sha384, sha512 302 #algorithm: sha256 303 # secret material, must be the same as the other party uses. 304 # base64 encoded random number. 305 # e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64 306 #secret: "K2tf3TRjvQkVCmJF3/Z9vA==" 307 308 309# Patterns have zone configuration and they are shared by one or more zones. 310# 311# pattern: 312 # name by which the pattern is referred to 313 #name: "myzones" 314 # the zonefile for the zones that use this pattern. 315 # if relative then from the zonesdir (inside the chroot). 316 # the name is processed: %s - zone name (as appears in zone:name). 317 # %1 - first character of zone name, %2 second, %3 third. 318 # %z - topleveldomain label of zone, %y, %x next labels in name. 319 # if label or character does not exist you get a dot '.'. 320 # for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s" 321 #zonefile: "%s.zone" 322 323 # If no master and slave access control elements are provided, 324 # this zone will not be served to/from other servers. 325 326 # A master zone needs notify: and provide-xfr: lists. A slave 327 # may also allow zone transfer (for debug or other secondaries). 328 # notify these slaves when the master zone changes, address TSIG|NOKEY 329 # IP can be ipv4 and ipv6, with @port for a nondefault port number. 330 #notify: 192.0.2.1 NOKEY 331 # allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED 332 # address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40 333 #provide-xfr: 192.0.2.0/24 my_tsig_key_name 334 # set the number of retries for notify. 335 #notify-retry: 5 336 337 # uncomment to provide AXFR to all the world 338 # provide-xfr: 0.0.0.0/0 NOKEY 339 # provide-xfr: ::0/0 NOKEY 340 341 # A slave zone needs allow-notify: and request-xfr: lists. 342 #allow-notify: 2001:db8::0/64 my_tsig_key_name 343 # By default, a slave will request a zone transfer with IXFR/TCP. 344 # If you want to make use of IXFR/UDP use: UDP addr tsigkey 345 # for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey 346 #request-xfr: 192.0.2.2 the_tsig_key_name 347 # Attention: You cannot use UDP and AXFR together. AXFR is always over 348 # TCP. If you use UDP, we higly recommend you to deploy TSIG. 349 # Allow AXFR fallback if the master does not support IXFR. Default 350 # is yes. 351 #allow-axfr-fallback: yes 352 # set local interface for sending zone transfer requests. 353 # default is let the OS choose. 354 #outgoing-interface: 10.0.0.10 355 # limit the refresh and retry interval in seconds. 356 #max-refresh-time: 2419200 357 #min-refresh-time: 0 358 #max-retry-time: 1209600 359 #min-retry-time: 0 360 # Lower bound of expire interval in seconds. The value can be "refresh+retry+1" 361 # in which case the lower bound of expire interval is the sum of the refresh and 362 # retry values (limited to the bounds given with the above parameters), plus 1. 363 #min-expire-time: 0 364 365 # Slave server tries zone transfer to all masters and picks highest 366 # zone version available, for when masters have different versions. 367 #multi-master-check: no 368 369 # limit the zone transfer size (in bytes), stops very large transfers 370 # 0 is no limits enforced. 371 # size-limit-xfr: 0 372 373 # if compiled with --enable-zone-stats, give name of stat block for 374 # this zone (or group of zones). Output from nsd-control stats. 375 # zonestats: "%s" 376 377 # if you give another pattern name here, at this point the settings 378 # from that pattern are inserted into this one (as if it were a 379 # macro). The statement can be given in between other statements, 380 # because the order of access control elements can make a difference 381 # (which master to request from first, which slave to notify first). 382 #include-pattern: "common-masters" 383 384 385# Fixed zone entries. Here you can config zones that cannot be deleted. 386# Zones that are dynamically added and deleted are put in the zonelist file. 387# 388# zone: 389 # name: "example.com" 390 # you can give a pattern here, all the settings from that pattern 391 # are then inserted at this point 392 # include-pattern: "master" 393 # You can also specify (additional) options directly for this zone. 394 # zonefile: "example.com.zone" 395 # request-xfr: 192.0.2.1 example.com.key 396 397 # RRLconfig 398 # Response Rate Limiting, whitelist types 399 # rrl-whitelist: nxdomain 400 # rrl-whitelist: error 401 # rrl-whitelist: referral 402 # rrl-whitelist: any 403 # rrl-whitelist: rrsig 404 # rrl-whitelist: wildcard 405 # rrl-whitelist: nodata 406 # rrl-whitelist: dnskey 407 # rrl-whitelist: positive 408 # rrl-whitelist: all 409 # RRLend 410 411