"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "nsd.conf.5.in" between
nsd-4.3.5.tar.gz and nsd-4.3.6.tar.gz

About: NSD is an authoritative only, high performance, simple name server daemon.

nsd.conf.5.in  (nsd-4.3.5):nsd.conf.5.in  (nsd-4.3.6)
.TH "nsd.conf" "5" "Jan 26, 2021" "NLnet Labs" "nsd 4.3.5" .TH "nsd.conf" "5" "Apr 6, 2021" "NLnet Labs" "nsd 4.3.6"
.\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
.\" See LICENSE for the license. .\" See LICENSE for the license.
.SH "NAME" .SH "NAME"
.B nsd.conf .B nsd.conf
\- NSD configuration file \- NSD configuration file
.SH "SYNOPSIS" .SH "SYNOPSIS"
.B nsd.conf .B nsd.conf
.SH "DESCRIPTION" .SH "DESCRIPTION"
.B Nsd.conf .B Nsd.conf
is used to configure nsd(8). The file format has attributes and is used to configure nsd(8). The file format has attributes and
skipping to change at line 537 skipping to change at line 537
default, and listens for localhost by default. It uses TLS over TCP default, and listens for localhost by default. It uses TLS over TCP
where the server and client authenticate to each other with self\-signed where the server and client authenticate to each other with self\-signed
certificates. The self\-signed certificates can be generated with the certificates. The self\-signed certificates can be generated with the
\fInsd\-control\-setup\fR tool. The key files are read by NSD before \fInsd\-control\-setup\fR tool. The key files are read by NSD before
the chroot and before dropping user permissions, so they can be outside the chroot and before dropping user permissions, so they can be outside
the chroot and readable by the superuser only. the chroot and readable by the superuser only.
.TP .TP
.B control\-enable:\fR <yes or no> .B control\-enable:\fR <yes or no>
Enable remote control, default is no. Enable remote control, default is no.
.TP .TP
.B control\-interface:\fR <ip4 or ip6> .B control\-interface:\fR <ip4 or ip6 | interface name | absolute path>
NSD will bind to the listed addresses to service control requests NSD will bind to the listed addresses to service control requests
(on TCP). Can be given multiple times to bind multiple ip\-addresses. (on TCP). Can be given multiple times to bind multiple ip\-addresses.
Use 0.0.0.0 and ::0 to service the wildcard interface. If none are given Use 0.0.0.0 and ::0 to service the wildcard interface. If none are given
NSD listens to the localhost 127.0.0.1 and ::1 interfaces for control, NSD listens to the localhost 127.0.0.1 and ::1 interfaces for control,
if control is enabled with control\-enable. if control is enabled with control\-enable.
.IP .IP
If an interface name is used instead of ip4 or ip6, the list of IP addresses
associated with that interface is picked up and used at server start.
.IP
With an absolute path, a unix local named pipe is used for control. The With an absolute path, a unix local named pipe is used for control. The
file is created with user and group that is configured and access bits file is created with user and group that is configured and access bits
are set to allow members of the group access. Further access can be are set to allow members of the group access. Further access can be
controlled by setting permissions on the directory containing the control controlled by setting permissions on the directory containing the control
socket file. The key and cert files are not used when control is via the socket file. The key and cert files are not used when control is via the
named pipe, because access control is via file and directory permission. named pipe, because access control is via file and directory permission.
.TP .TP
.B control\-port:\fR <number> .B control\-port:\fR <number>
The port number for remote control service. 8952 by default. The port number for remote control service. 8952 by default.
.TP .TP
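Review bot: the new interface-name paragraph under control-interface says the interface's addresses are "picked up and used at server start" but does not say what happens when the named interface does not exist or has no addresses, nor that addresses added to the interface later are not bound until NSD is restarted; state both explicitly so operators know a restart is needed after re-addressing the interface. Since an interface name can expand to non-loopback addresses, a sentence pointing back to the mutual TLS authentication described above as the protection for that case would also help. Minor: the same entry still calls the absolute-path form a "unix local named pipe" while the next sentence calls it the "control socket file"; use one term (socket).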
skipping to change at line 596 skipping to change at line 599
names that start with "_implicit_" are used internally for zones that names that start with "_implicit_" are used internally for zones that
have no pattern (they are defined in nsd.conf directly). have no pattern (they are defined in nsd.conf directly).
.TP .TP
.B include\-pattern:\fR <pattern\-name> .B include\-pattern:\fR <pattern\-name>
The options from the given pattern are included at this point in The options from the given pattern are included at this point in
this pattern. The referenced pattern must be defined above this one. this pattern. The referenced pattern must be defined above this one.
.TP .TP
.B <zone option>:\fR <value> .B <zone option>:\fR <value>
The zone options such as The zone options such as
.BR zonefile , .BR zonefile ,
.BR allow\-query ,
.BR allow\-notify , .BR allow\-notify ,
.BR request\-xfr , .BR request\-xfr ,
.BR allow\-axfr\-fallback , .BR allow\-axfr\-fallback ,
.BR notify , .BR notify ,
.BR notify\-retry , .BR notify\-retry ,
.BR provide\-xfr , .BR provide\-xfr ,
.BR zonestats , .BR zonestats ,
and and
.B outgoing\-interface .B outgoing\-interface
can be given. They are applied to the patterns and zones that include can be given. They are applied to the patterns and zones that include
skipping to change at line 650 skipping to change at line 654
.B %2\fR is replaced with the second character of the zone name. .B %2\fR is replaced with the second character of the zone name.
.IP .IP
.B %3\fR is replaced with the third character of the zone name. .B %3\fR is replaced with the third character of the zone name.
.IP .IP
.B %z\fR is replaced with the toplevel domain name of the zone. .B %z\fR is replaced with the toplevel domain name of the zone.
.IP .IP
.B %y\fR is replaced with the next label under the toplevel domain. .B %y\fR is replaced with the next label under the toplevel domain.
.IP .IP
.B %x\fR is replaced with the next-next label under the toplevel domain. .B %x\fR is replaced with the next-next label under the toplevel domain.
.TP .TP
.B allow\-query:\fR <ip\-spec> <key\-name | NOKEY | BLOCKED>
Access control list. When at least one \fBallow\-query\fR option is
specified, then the in the \fBallow\-query\fR options specified addresses
are are allowed to query the server for the zone. Queries from unlisted or
specifically BLOCKED addresses are discarded. If NOKEY is given no TSIG
signature is required. BLOCKED supersedes other entries, other entries are
scanned for a match in the order of the statements. Without
\fBallow\-query\fR options, queries are allowed from any IP address
without TSIG key (which is the default).
.P
.RS
The ip\-spec is either a plain IP address (IPv4 or IPv6), or can be
a subnet of the form 1.2.3.4/24, or masked like
1.2.3.4&255.255.255.0 or a range of the form 1.2.3.4\-1.2.3.25.
Note the ip\-spec ranges do not use spaces around the /, &, @ and \-
symbols.
.RE
.TP
.B allow\-notify:\fR <ip\-spec> <key\-name | NOKEY | BLOCKED> .B allow\-notify:\fR <ip\-spec> <key\-name | NOKEY | BLOCKED>
Access control list. The listed (primary) address is allowed to Access control list. The listed (primary) address is allowed to
send notifies to this (secondary) server. Notifies from unlisted or send notifies to this (secondary) server. Notifies from unlisted or
specifically BLOCKED addresses are discarded. If NOKEY is given no specifically BLOCKED addresses are discarded. If NOKEY is given no
TSIG signature is required. TSIG signature is required.
BLOCKED supersedes other entries, other entries are scanned for a match BLOCKED supersedes other entries, other entries are scanned for a match
in the order of the statements. in the order of the statements.
.P .P
.RS .RS
The ip\-spec is either a plain IP address (IPv4 or IPv6), or can be The ip\-spec is either a plain IP address (IPv4 or IPv6), or can be
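Review bot: the first sentence of the new allow-query description is garbled: "then the in the \fBallow\-query\fR options specified addresses are are allowed to query the server for the zone" should read "only the addresses listed in the \fBallow\-query\fR options are allowed to query the server for the zone". Two further points: "Queries from unlisted or specifically BLOCKED addresses are discarded" leaves open whether the query is silently dropped or answered with REFUSED, which matters to anyone debugging a resolver that stops getting answers; state the actual behaviour. And the ip-spec paragraph says ranges "do not use spaces around the /, &, @ and \- symbols" but no form using "@" is shown in that paragraph; either document the "@" form or drop it from the list.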
skipping to change at line 815 skipping to change at line 837
.B secret:\fR <base64 blob> .B secret:\fR <base64 blob>
The base64 encoded shared secret. It is possible to put the The base64 encoded shared secret. It is possible to put the
.B secret: .B secret:
declaration (and base64 blob) into a different file, and then to declaration (and base64 blob) into a different file, and then to
.B include: .B include:
that file. In this way the key secret and the rest of the configuration that file. In this way the key secret and the rest of the configuration
file, which may have different security policies, can be split apart. file, which may have different security policies, can be split apart.
The content of the secret is the agreed base64 secret content. To make it The content of the secret is the agreed base64 secret content. To make it
up, enter a password (its length must be a multiple of 4 characters, A\-Za\-z0\- 9), or use up, enter a password (its length must be a multiple of 4 characters, A\-Za\-z0\- 9), or use
dev-random output through a base64 encode filter. dev-random output through a base64 encode filter.
.SS DNSTAP Logging Options
DNSTAP support, when compiled in, is enabled in the \fBdnstap:\fR section.
This starts a collector process that writes the log information to the
destination.
.TP
.B dnstap-enable:\fR <yes or no>
If dnstap is enabled. Default no. If yes, it connects to the dnstap server
and if any of the dnstap-log-..-messages options is enabled it sends logs
for those messages to the server.
.TP
.B dnstap-socket-path:\fR <file name>
Sets the unix socket file name for connecting to the server that is
listening on that socket. Default is "@dnstap_socket_path@".
.TP
.B dnstap-send-identity:\fR <yes or no>
If enabled, the server identity is included in the log messages.
Default is no.
.TP
.B dnstap-send-version:\fR <yes or no>
If enabled, the server version if included in the log messages.
Default is no.
.TP
.B dnstap-identity:\fR <string>
The identity to send with messages, if "" the hostname is used.
Default is "".
.TP
.B dnstap-version:\fR <string>
The version to send with messages, if "" the package version is used.
Default is "".
.TP
.B dnstap-log-auth-query-messages:\fR <yes or no>
Enable to log auth query messages. Default is no.
These are client queries to NSD.
.TP
.B dnstap-log-auth-response-messages:\fR <yes or no>
Enable to log auth response messages. Default is no.
These are responses from NSD to clients.
.SH "NSD CONFIGURATION FOR BIND9 HACKERS" .SH "NSD CONFIGURATION FOR BIND9 HACKERS"
BIND9 is a name server implementation with its own configuration BIND9 is a name server implementation with its own configuration
file format, named.conf(5). BIND9 types zones as 'Master' or 'Slave'. file format, named.conf(5). BIND9 types zones as 'Master' or 'Slave'.
.SS "Slave zones" .SS "Slave zones"
For a slave zone, the master servers are listed. The master servers are For a slave zone, the master servers are listed. The master servers are
queried for zone data, and are listened to for update notifications. queried for zone data, and are listened to for update notifications.
In NSD these two properties need to be configured separately, by listing In NSD these two properties need to be configured separately, by listing
the master address in allow\-notify and request\-xfr statements. the master address in allow\-notify and request\-xfr statements.
.P .P
In BIND9 you only need to provide allow\-notify elements for In BIND9 you only need to provide allow\-notify elements for
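Review bot: two wording defects in the new DNSTAP section: "the server version if included in the log messages" under dnstap-send-version should be "is included", and "dnstap-log-..-messages" under dnstap-enable should name the options it abbreviates (dnstap-log-auth-query-messages and dnstap-log-auth-response-messages). The section intro says dnstap "starts a collector process that writes the log information to the destination" while dnstap-enable says NSD "connects to the dnstap server"; say which process opens the unix socket named by dnstap-socket-path so the file-permission requirements on that path are clear. Finally, since what is logged are the client queries and NSD's responses (plus the hostname when dnstap-send-identity is on), a sentence advising operators to restrict access to the socket path and the collector's output would help them treat this as sensitive data.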
End of changes. 6 change blocks. 2 lines changed or deleted, 61 lines changed or added.
