nsd.conf.sample.in revision 1.1.1.7
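#
# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
#
# Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
#
# See LICENSE for the license.
#

# This is a comment.
# Sample configuration file
# include: "file" # include that file's text over here. Globbed, "*.conf"

# options for the nsd server
server:
	# Number of NSD servers to fork. Put the number of CPUs to use here.
	# server-count: 1

	# Set overall CPU affinity for NSD processes on Linux and FreeBSD.
	# Any server/xfrd CPU affinity value will be masked by this value.
	# cpu-affinity: 0 1 2 3

	# Bind NSD server(s), configured by server-count (1-based), to a
	# dedicated core. Single core affinity improves L1/L2 cache hits and
	# reduces pipeline stalls/flushes.
	#
	# server-1-cpu-affinity: 0
	# server-2-cpu-affinity: 1
	# ...
	# server-<N>-cpu-affinity: 2

	# Bind xfrd to a dedicated core.
	# xfrd-cpu-affinity: 3

	# Specify specific interfaces to bind (default are the wildcard
	# interfaces 0.0.0.0 and ::0).
	# For servers with multiple IP addresses, list them one by one,
	# or the source address of replies could be wrong.
	# Use ip-transparent to be able to list addresses that turn on later.
	# ip-address: 1.2.3.4
	# ip-address: 1.2.3.4@5678
	# ip-address: 12fe::8ef0
	#
	# IP addresses can be configured per-server to avoid waking up more
	# than one server when a packet comes in (thundering herd problem) or
	# to partition sockets across servers to improve select/poll
	# performance.
	#
	# ip-address: 1.2.3.4 servers="1-2 3"
	# ip-address: 1.2.3.4@5678 servers="4-5 6"
	#
	# When several interfaces are configured to listen on the same subnet,
	# care must be taken to ensure responses go out the same interface the
	# corresponding query came in on to avoid problems with load balancers
	# and VLAN tagged interfaces. Linux offers the SO_BINDTODEVICE socket
	# option to bind a socket to a specified device. For FreeBSD, to
	# achieve the same result, specify the routing table to use after the
	# IP address to use SO_SETFIB.
	#
	# Complement with socket partitioning and CPU affinity for attack
	# mitigation benefits, i.e. only a single core is maxed out if a
	# specific IP address is under attack.
	#
	# ip-address: 1.2.3.4 setfib=0 bindtodevice=yes
	# ip-address: 1.2.3.5@6789 setfib=1 bindtodevice=yes

	# Allow binding to non local addresses. Default no.
	# ip-transparent: no

	# Allow binding to addresses that are down. Default no.
	# ip-freebind: no

	# Use SO_REUSEPORT socket option for performance. Default no.
	# reuseport: no

	# override maximum socket send buffer size. Default of 0 results in
	# send buffer size being set to 1048576 (bytes).
	# send-buffer-size: 1048576

	# override maximum socket receive buffer size. Default of 0 results in
	# receive buffer size being set to 1048576 (bytes).
	# receive-buffer-size: 1048576

	# enable debug mode, does not fork daemon process into the background.
	# debug-mode: no

	# listen on IPv4 connections
	# do-ip4: yes

	# listen on IPv6 connections
	# do-ip6: yes

	# port to answer queries on. default is 53.
	# port: 53

	# Verbosity level.
	# verbosity: 0

	# After binding socket, drop user privileges.
	# can be a username, id or id.gid.
	# username: @user@

	# Run NSD in a chroot-jail.
	# make sure to have pidfile and database reachable from there.
	# by default, no chroot-jail is used.
	# chroot: "@configdir@"

	# The directory for zonefile: files. The daemon chdirs here.
	# zonesdir: "@zonesdir@"

	# the list of dynamically added zones.
	# zonelistfile: "@zonelistfile@"

	# the database to use
	# if set to "" then no disk-database is used, less memory usage.
	# database: "@dbfile@"

	# log messages to file. Default to stderr and syslog (with
	# facility LOG_DAEMON). stderr disappears when daemon goes to bg.
	# logfile: "@logfile@"

	# log only to syslog.
	# log-only-syslog: no

	# File to store pid for nsd in.
	# pidfile: "@pidfile@"

	# The file where secondary zone refresh and expire timeouts are kept.
	# If you delete this file, all secondary zones are forced to be
	# 'refreshing' (as if nsd got a notify). Set to "" to disable.
	# xfrdfile: "@xfrdfile@"

	# The directory where zone transfers are stored, in a subdir of it.
	# xfrdir: "@xfrdir@"

	# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries.
	# With the value below (no), the version is answered; set to yes to
	# withhold it.
	# hide-version: no

	# don't answer HOSTNAME.BIND and ID.SERVER CHAOS class queries.
	# With the value below (no), the identity is answered; set to yes to
	# withhold it.
	# hide-identity: no

	# Drop UPDATE queries
	# drop-updates: no

	# version string the server responds with for chaos queries.
	# default is 'NSD x.y.z' with the server's version number.
	# version: "NSD"

	# identify the server (CH TXT ID.SERVER entry).
	# identity: "unidentified server"

	# NSID identity (hex string, or "ascii_somestring"). default disabled.
	# nsid: "aabbccdd"

	# Maximum number of concurrent TCP connections per server.
	# tcp-count: 100

	# Accept (and immediately close) TCP connections after maximum number
	# of connections is reached to prevent kernel connection queue from
	# growing.
	# tcp-reject-overflow: no

	# Maximum number of queries served on a single TCP connection.
	# By default 0, which means no maximum.
	# tcp-query-count: 0

	# Override the default (120 seconds) TCP timeout.
	# tcp-timeout: 120

	# Maximum segment size (MSS) of TCP socket on which the server
	# responds to queries. Default is 0, system default MSS.
	# tcp-mss: 0

	# Maximum segment size (MSS) of TCP socket for outgoing AXFR request.
	# Default is 0, system default MSS.
	# outgoing-tcp-mss: 0

	# reduce these settings to save memory for NSD, to about
	# xfrd-tcp-max: 32 and xfrd-tcp-pipeline: 128, also rrl-size: 1000
	# other memory is determined by server-count, tcp-count and zone data
	# max number of sockets used for outgoing zone transfers.
	# Increase this to allow more sockets for zone transfers.
	# xfrd-tcp-max: 128
	# max number of simultaneous outgoing zone transfers over one socket.
	# xfrd-tcp-pipeline: 128

	# Preferred EDNS buffer size for IPv4.
	# ipv4-edns-size: 1232

	# Preferred EDNS buffer size for IPv6.
	# ipv6-edns-size: 1232

	# statistics are produced every number of seconds. Prints to log.
	# Default is 0, meaning no statistics are produced.
	# statistics: 3600

	# Number of seconds between reloads triggered by xfrd.
	# xfrd-reload-timeout: 1

	# log timestamp in ascii (y-m-d h:m:s.msec), yes is default.
	# log-time-ascii: yes

	# round robin rotation of records in the answer.
	# round-robin: no

	# minimal-responses only emits extra data for referrals.
	# minimal-responses: no

	# Do not return additional information if the apex zone of the
	# additional information is configured but does not match the apex zone
	# of the initial query.
	# confine-to-zone: no

	# refuse queries of type ANY. For stopping floods.
	# refuse-any: no

	# check mtime of all zone files on start and sighup
	# zonefiles-check: yes

	# write changed zonefiles to disk, every N seconds.
	# default is 0 (disabled) or 3600 (if database is "").
	# zonefiles-write: 3600

	# RRLconfig
	# Response Rate Limiting, size of the hashtable. Default 1000000.
	# rrl-size: 1000000

	# Response Rate Limiting, maximum QPS allowed (from one query source).
	# If set to 0, ratelimiting is disabled. Also set
	# rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
	# Default is @ratelimit_default@.
	# rrl-ratelimit: 200

	# Response Rate Limiting, number of packets to discard before
	# sending a SLIP response (a truncated one, allowing an honest
	# resolver to retry with TCP). Default is 2 (one half of the
	# queries will receive a SLIP response), 0 disables SLIP (all
	# packets are discarded), 1 means every request will get a
	# SLIP response. When the ratelimit is hit the traffic is
	# divided by the rrl-slip value.
	# rrl-slip: 2

	# Response Rate Limiting, IPv4 prefix length. Addresses are
	# grouped by netblock.
	# rrl-ipv4-prefix-length: 24

	# Response Rate Limiting, IPv6 prefix length. Addresses are
	# grouped by netblock.
	# rrl-ipv6-prefix-length: 64

	# Response Rate Limiting, maximum QPS allowed (from one query source)
	# for whitelisted types. Default is @ratelimit_default@.
	# rrl-whitelist-ratelimit: 2000
	# RRLend

	# Service clients over TLS (on the TCP sockets), with plain DNS inside
	# the TLS stream. Give the certificate to use and private key.
	# Default is "" (disabled). Requires restart to take effect.
	# The private key file should be readable by the NSD user only.
	# tls-service-key: "path/to/privatekeyfile.key"
	# tls-service-pem: "path/to/publiccertfile.pem"
	# tls-service-ocsp: "path/to/ocsp.pem"
	# tls-port: 853

	# Certificates used to authenticate connections made upstream for
	# Transfers over TLS (XoT). Default is "" (default verify locations).
	# tls-cert-bundle: "path/to/ca-bundle.pem"

verify:
	# Enable zone verification. Default is no.
	# enable: no

	# Port to answer verifier queries on. Default is 5347.
	# port: 5347

	# Interfaces to bind for zone verification (default are the localhost
	# interfaces, usually 127.0.0.1 and ::1). To bind to multiple IP
	# addresses, list them one by one. Socket options cannot be specified
	# for verify ip-address options.
	# ip-address: 127.0.0.1
	# ip-address: 127.0.0.1@5347
	# ip-address: ::1

	# Verify zones by default. Default is yes.
	# verify-zones: yes

	# Command to execute for zone verification.
	# verifier: ldns-verify-zone
	# verifier: validns -
	# verifier: drill -k <keyfile> @127.0.0.1 -p 5347 example.com SOA

	# Maximum number of verifiers to run concurrently. Default is 1.
	# verifier-count: 1

	# Feed updated zone to verifier over standard input. Default is yes.
	# verifier-feed-zone: yes

	# Number of seconds before verifier is killed (0 is forever).
	# verifier-timeout: 0

# DNSTAP config section, if compiled with that
# dnstap:
	# set this to yes and set one or more of dnstap-log-..-messages to yes.
	# dnstap-enable: no
	# dnstap-socket-path: "@dnstap_socket_path@"
	# dnstap-send-identity: no
	# dnstap-send-version: no
	# dnstap-identity: ""
	# dnstap-version: ""
	# dnstap-log-auth-query-messages: no
	# dnstap-log-auth-response-messages: no

# Remote control config section.
remote-control:
	# Enable remote control with nsd-control(8) here.
	# set up the keys and certificates with nsd-control-setup.
	# control-enable: no

	# what interfaces are listened to for control, default is on localhost.
	# interfaces can be specified by IP address or interface name.
	# with an interface name, all IP addresses associated with that
	# interface are used.
	# with an absolute path, a unix local named pipe is used for control
	# (and key and cert files are not needed, use directory permissions).
	# control-interface: 127.0.0.1
	# control-interface: ::1
	# control-interface: lo

	# port number for remote control operations (uses TLS over TCP).
	# control-port: 8952

	# nsd server key file for remote control.
	# server-key-file: "@configdir@/nsd_server.key"

	# nsd server certificate file for remote control.
	# server-cert-file: "@configdir@/nsd_server.pem"

	# nsd-control key file.
	# control-key-file: "@configdir@/nsd_control.key"

	# nsd-control certificate file.
	# control-cert-file: "@configdir@/nsd_control.pem"


# Secret keys for TSIGs that secure zone transfers.
# You could include: "secret.keys" and put the 'key:' statements in there,
# and give that file special access control permissions.
#
# key:
	# The key name is sent to the other party, it must be the same
	#name: "keyname"
	# algorithm hmac-md5, or sha1, sha256, sha224, sha384, sha512
	# prefer the SHA-2 algorithms (sha256 and stronger) for new keys.
	#algorithm: sha256
	# secret material, must be the same as the other party uses.
	# base64 encoded random number.
	# e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64
	# The value below is only a sample; generate a fresh secret for
	# every key and never reuse this one.
	#secret: "K2tf3TRjvQkVCmJF3/Z9vA=="

# The tls-auth clause establishes authentication attributes to use when
# authenticating the far end of an outgoing TLS connection in access control
# lists used for XFR-over-TLS. If authentication fails, the XFR request will not
# be made. Support for TLS 1.3 is required for XFR-over-TLS. It has the
# following attributes:
#
# tls-auth:
	# The tls-auth name. Used to refer to this TLS auth information in the access control list.
	#name: "tls-authname"
	# The authentication domain name as defined in RFC8310.
	#auth-domain-name: "example.com"

	# Client certificate and private key for Mutual TLS authentication
	# client-key-pw is stored in clear text in this file; give the file
	# the same access control as described for secret.keys above.
	#client-cert: "path/to/clientcert.pem"
	#client-key: "path/to/clientkey.key"
	#client-key-pw: "password"

# Patterns have zone configuration and they are shared by one or more zones.
#
# pattern:
	# name by which the pattern is referred to
	#name: "myzones"
	# the zonefile for the zones that use this pattern.
	# if relative then from the zonesdir (inside the chroot).
	# the name is processed: %s - zone name (as appears in zone:name).
	# %1 - first character of zone name, %2 second, %3 third.
	# %z - topleveldomain label of zone, %y, %x next labels in name.
	# if label or character does not exist you get a dot '.'.
	# for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s"
	#zonefile: "%s.zone"

	# The allow-query allows an access control list to be specified
	# for a zone to be queried. Without an allow-query option, any
	# IP address is allowed to send queries for the zone.
	# This could be useful for example to not leak content from a zone
	# which is only offered for transfer to secondaries over TLS.
	#allow-query: 192.0.2.0/24 NOKEY

	# If no master and slave access control elements are provided,
	# this zone will not be served to/from other servers.

	# A master zone needs notify: and provide-xfr: lists. A slave
	# may also allow zone transfer (for debug or other secondaries).
	# notify these slaves when the master zone changes, address TSIG|NOKEY
	# IP can be ipv4 and ipv6, with @port for a nondefault port number.
	#notify: 192.0.2.1 NOKEY
	# allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED
	# address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40
	#provide-xfr: 192.0.2.0/24 my_tsig_key_name
	# set the number of retries for notify.
	#notify-retry: 5
	# if yes, store and provide IXFRs.
	#store-ixfr: no
	# number of IXFR versions to store, at most.
	#ixfr-number: 5
	# size in bytes of max storage to use for IXFR versions.
	#ixfr-size: 1048576
	# if yes, create IXFR when a zonefile is read by the server.
	#create-ixfr: no

	# uncomment to provide AXFR to all the world.
	# This makes the complete zone contents readable by any client;
	# see allow-query above if the zone content is not meant to be public.
	# provide-xfr: 0.0.0.0/0 NOKEY
	# provide-xfr: ::0/0 NOKEY

	# A slave zone needs allow-notify: and request-xfr: lists.
	#allow-notify: 2001:db8::0/64 my_tsig_key_name
	# By default, a slave will request a zone transfer with IXFR/TCP.
	# If you want to make use of IXFR/UDP use: UDP addr tsigkey
	# for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey
	# If you want to require use of XFR-over-TLS use: addr tsigkey tlsauthname
	#request-xfr: 192.0.2.2 the_tsig_key_name
	#request-xfr: 192.0.2.2 the_tsig_key_name the_tls_auth_name
	# Attention: You cannot use UDP and AXFR together. AXFR is always over
	# TCP. If you use UDP, we highly recommend you to deploy TSIG.
	# Allow AXFR fallback if the master does not support IXFR. Default
	# is yes.
	#allow-axfr-fallback: yes
	# set local interface for sending zone transfer requests.
	# default is let the OS choose.
	#outgoing-interface: 10.0.0.10
	# limit the refresh and retry interval in seconds.
	#max-refresh-time: 2419200
	#min-refresh-time: 0
	#max-retry-time: 1209600
	#min-retry-time: 0
	# Lower bound of expire interval in seconds. The value can be "refresh+retry+1"
	# in which case the lower bound of expire interval is the sum of the refresh and
	# retry values (limited to the bounds given with the above parameters), plus 1.
	#min-expire-time: 0

	# Slave server tries zone transfer to all masters and picks highest
	# zone version available, for when masters have different versions.
	#multi-master-check: no

	# limit the zone transfer size (in bytes), stops very large transfers
	# 0 is no limits enforced.
	# size-limit-xfr: 0

	# if compiled with --enable-zone-stats, give name of stat block for
	# this zone (or group of zones). Output from nsd-control stats.
	# zonestats: "%s"

	# if you give another pattern name here, at this point the settings
	# from that pattern are inserted into this one (as if it were a
	# macro). The statement can be given in between other statements,
	# because the order of access control elements can make a difference
	# (which master to request from first, which slave to notify first).
	#include-pattern: "common-masters"

	# Verify zone before publishing.
	# Default is value of verify-zones in verify.
	# verify-zone: yes

	# Command to execute for zone verification.
	# Default is verifier in verify.
	# verifier: ldns-verify-zone
	# verifier: validns -
	# verifier: drill -k <keyfile> @127.0.0.1 -p 5347 example.com SOA

	# Feed updated zone to verifier over standard input.
	# Default is value of verifier-feed-zone in verify.
	# verifier-feed-zone: yes

	# Number of seconds before verifier is killed (0 is forever).
	# Default is verifier-timeout in verify.
	# verifier-timeout: 0

# Fixed zone entries. Here you can config zones that cannot be deleted.
# Zones that are dynamically added and deleted are put in the zonelist file.
#
# zone:
	# name: "example.com"
	# you can give a pattern here, all the settings from that pattern
	# are then inserted at this point
	# include-pattern: "master"
	# You can also specify (additional) options directly for this zone.
	# zonefile: "example.com.zone"
	# request-xfr: 192.0.2.1 example.com.key

	# RRLconfig
	# Response Rate Limiting, whitelist types
	# rrl-whitelist: nxdomain
	# rrl-whitelist: error
	# rrl-whitelist: referral
	# rrl-whitelist: any
	# rrl-whitelist: rrsig
	# rrl-whitelist: wildcard
	# rrl-whitelist: nodata
	# rrl-whitelist: dnskey
	# rrl-whitelist: positive
	# rrl-whitelist: all
	# RRLend
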