"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "nsd.conf.5.in" between
nsd-4.3.6.tar.gz and nsd-4.3.7.tar.gz

About: NSD is an authoritative only, high performance, simple name server daemon.

nsd.conf.5.in  (nsd-4.3.6):nsd.conf.5.in  (nsd-4.3.7)
.TH "nsd.conf" "5" "Apr 6, 2021" "NLnet Labs" "nsd 4.3.6" .TH "nsd.conf" "5" "Jul 22, 2021" "NLnet Labs" "nsd 4.3.7"
.\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved. .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
.\" See LICENSE for the license. .\" See LICENSE for the license.
.SH "NAME" .SH "NAME"
.B nsd.conf .B nsd.conf
\- NSD configuration file \- NSD configuration file
.SH "SYNOPSIS" .SH "SYNOPSIS"
.B nsd.conf .B nsd.conf
.SH "DESCRIPTION" .SH "DESCRIPTION"
.B Nsd.conf .B Nsd.conf
is used to configure nsd(8). The file format has attributes and is used to configure nsd(8). The file format has attributes and
skipping to change at line 107 skipping to change at line 107
.SH "FILE FORMAT" .SH "FILE FORMAT"
There must be whitespace between keywords. Attribute keywords end There must be whitespace between keywords. Attribute keywords end
with a colon ':'. An attribute is followed by its containing with a colon ':'. An attribute is followed by its containing
attributes, or a value. attributes, or a value.
.P .P
At the top level only At the top level only
.BR server: , .BR server: ,
.BR key: , .BR key: ,
.BR pattern: , .BR pattern: ,
.BR zone: , .BR zone: ,
.BR tls-auth: ,
and and
.B remote-control: .B remote-control:
are allowed. These are followed by their attributes or a new top-level keyword. The are allowed. These are followed by their attributes or a new top-level keyword. The
.B zone: .B zone:
attribute is followed by zone options. The attribute is followed by zone options. The
.B server: .B server:
attribute is followed by global options for the attribute is followed by global options for the
.B NSD .B NSD
server. A server. A
.B key: .B key:
attribute is used to define keys for authentication. The attribute is used to define keys for authentication. The
.B pattern: .B pattern:
attribute is followed by the zone options for zones that use the pattern. attribute is followed by the zone options for zones that use the pattern.
A
.B tls-auth:
attribute is used to define credentials for authenticating an outgoing TLS conne
ction used for XFR-over-TLS.
.P .P
Files can be included using the Files can be included using the
.B include: .B include:
directive. It can appear anywhere, and takes a single filename as an directive. It can appear anywhere, and takes a single filename as an
argument. Processing continues as if the text from the included file argument. Processing continues as if the text from the included file
was copied into the config file at that point. If a chroot is used was copied into the config file at that point. If a chroot is used
an absolute filename is needed (with the chroot prepended), so that an absolute filename is needed (with the chroot prepended), so that
the include can be parsed before and after application of the chroot (and the include can be parsed before and after application of the chroot (and
the knowledge of what that chroot is). You can use '*' to include a the knowledge of what that chroot is). You can use '*' to include a
wildcard match of files, eg. "foo/nsd.d/*.conf". Also '?', '{}', '[]', wildcard match of files, eg. "foo/nsd.d/*.conf". Also '?', '{}', '[]',
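Review bot: the two new keyword lines `.BR tls-auth: ,` and `.B tls-auth:` use a plain hyphen where the option names elsewhere in this file escape it (`.B remote\-control:` in the Remote Control section, `rrl\-whitelist\-ratelimit` further down); suggest `.BR tls\-auth: ,` and `.B tls\-auth:` so the overview renders the same as the clause it introduces. The new sentence could also say where the credentials are consumed, e.g. "referenced from a request-xfr line by its tls-auth-name", so the top-level overview points the reader at the right option.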
skipping to change at line 491 skipping to change at line 495
.B rrl\-ipv6\-prefix\-length:\fR <subnet> .B rrl\-ipv6\-prefix\-length:\fR <subnet>
IPv6 prefix length. Addresses are grouped by netblock. Default 64. IPv6 prefix length. Addresses are grouped by netblock. Default 64.
.TP .TP
.B rrl\-whitelist\-ratelimit:\fR <qps> .B rrl\-whitelist\-ratelimit:\fR <qps>
The max qps for query sorts for a source, which have been The max qps for query sorts for a source, which have been
whitelisted. Default @ratelimit_default@ (with a suggested 2000 qps). With the r rl\-whitelist option you can set whitelisted. Default @ratelimit_default@ (with a suggested 2000 qps). With the r rl\-whitelist option you can set
specific queries to receive this qps limit instead of the normal limit. specific queries to receive this qps limit instead of the normal limit.
With the value 0 the rate is unlimited. With the value 0 the rate is unlimited.
.\" rrlend .\" rrlend
.TP .TP
.B answer\-cookie:\fR <yes or no>
Enable to answer to requests containig DNS Cookies as specified in RFC7873.
Default is yes.
.TP
.B cookie\-secret:\fR <128 bit hex string>
Servers in an anycast deployment need to be able to verify each other's DNS
Server Cookies. For this they need to share the secret used to construct and
verify the DNS Cookies. Default is a 128 bits random secret generated at
startup time. This option is ignored if a \fBcookie\-secret\-file\fR is
present. In that case the secrets from that file are used in DNS Cookie
calculations.
.TP
.B cookie\-secret\-file:\fR <filename>
File from which the secrets are read used in DNS Cookie calculations. When this
file exists, the secrets in this file are used and the secret specified by the
\fBcookie-secret\fR option is ignored.
Default is @configdir@/nsd_cookiesecrets.txt
The content of this file must be manipulated with the \fBadd_cookie_secret\fR,
\fBdrop_cookie_secret\fR and \fBactivate_cookie_secret\fR commands to the
\fInsd\-control\fR(8) tool. Please see that manpage how to perform a safe
cookie secret rollover.
.TP
.B tls\-service\-key:\fR <filename> .B tls\-service\-key:\fR <filename>
If enabled, the server provides TLS service on TCP sockets with the TLS If enabled, the server provides TLS service on TCP sockets with the TLS
service port number. The port number (853) is configured with tls\-port. service port number. The port number (853) is configured with tls\-port.
To turn it on, create an interface: option line in config with @port To turn it on, create an interface: option line in config with @port
appended to the IP-address. This creates the extra socket on which the appended to the IP-address. This creates the extra socket on which the
DNS over TLS service is provided. DNS over TLS service is provided.
.IP .IP
The file is the private key for the TLS session. The public certificate is The file is the private key for the TLS session. The public certificate is
in the tls-service-pem file. Default is "", turned off. Requires a in the tls-service-pem file. Default is "", turned off. Requires a
restart (a reload is not enough) if changed, because the private key is restart (a reload is not enough) if changed, because the private key is
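Review bot: typo in the answer-cookie description: "containig" should be "containing". In cookie-secret, "128 bits random secret" reads better as "128-bit random secret". In cookie-secret-file, the line `Default is @configdir@/nsd_cookiesecrets.txt` runs straight into the next sentence without a full stop, the closing sentence needs "for" ("Please see that manpage for how to perform a safe cookie secret rollover."), and `\fBcookie-secret\fR` is unescaped while the heading two entries up is `cookie\-secret`. Since this file holds the shared secret that every anycast node uses to verify cookies, one sentence noting that it is sensitive material would help operators, in the same spirit as the secret: text later in this file, which points out that secrets may warrant different security policies from the rest of the configuration.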
skipping to change at line 522 skipping to change at line 549
-respout /path/to/ocsp.pem \\ -respout /path/to/ocsp.pem \\
-CAfile /path/to/ca_and_any_intermediate.pem \\ -CAfile /path/to/ca_and_any_intermediate.pem \\
-issuer /path/to/direct_issuer.pem \\ -issuer /path/to/direct_issuer.pem \\
-cert /path/to/cert.pem \\ -cert /path/to/cert.pem \\
-url "$( openssl x509 -noout -text -in /path/to/cert.pem | grep 'OCSP - URI:' | cut -d: -f2,3 )" -url "$( openssl x509 -noout -text -in /path/to/cert.pem | grep 'OCSP - URI:' | cut -d: -f2,3 )"
.RE .RE
.TP .TP
.B tls\-port:\fR <number> .B tls\-port:\fR <number>
The port number on which to provide TCP TLS service, default is 853, only The port number on which to provide TCP TLS service, default is 853, only
interfaces configured with that port number as @number get DNS over TLS service. interfaces configured with that port number as @number get DNS over TLS service.
.TP
.B tls\-cert\-bundle:\fR <filename>
If null or "", the default verify locations are used. Set it to the certificate
bundle file, for example "/etc/pki/tls/certs/ca-bundle.crt". These certificates
are used for authenticating Transfer over TLS (XoT) connections.
.SS "Remote Control" .SS "Remote Control"
The The
.B remote\-control: .B remote\-control:
clause is used to set options for using the \fInsd\-control\fR(8) clause is used to set options for using the \fInsd\-control\fR(8)
tool to give commands to the running NSD server. It is disabled by tool to give commands to the running NSD server. It is disabled by
default, and listens for localhost by default. It uses TLS over TCP default, and listens for localhost by default. It uses TLS over TCP
where the server and client authenticate to each other with self\-signed where the server and client authenticate to each other with self\-signed
certificates. The self\-signed certificates can be generated with the certificates. The self\-signed certificates can be generated with the
\fInsd\-control\-setup\fR tool. The key files are read by NSD before \fInsd\-control\-setup\fR tool. The key files are read by NSD before
the chroot and before dropping user permissions, so they can be outside the chroot and before dropping user permissions, so they can be outside
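Review bot: the new tls-cert-bundle entry does not say whether a change takes effect on reload or needs a restart, which the neighbouring tls-service-key entry spells out ("Requires a restart (a reload is not enough)"); one sentence either way keeps the two consistent. The default is also expressed as 'If null or ""', whereas tls-service-key writes 'Default is "", turned off'; stating the default in the same form here (for example 'Default is "", which uses the default verify locations') would be clearer for readers of the tls-auth section, who need to know where the CA set for XoT comes from.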
skipping to change at line 690 skipping to change at line 722
.RS .RS
The ip\-spec is either a plain IP address (IPv4 or IPv6), or can be The ip\-spec is either a plain IP address (IPv4 or IPv6), or can be
a subnet of the form 1.2.3.4/24, or masked like a subnet of the form 1.2.3.4/24, or masked like
1.2.3.4&255.255.255.0 or a range of the form 1.2.3.4\-1.2.3.25. 1.2.3.4&255.255.255.0 or a range of the form 1.2.3.4\-1.2.3.25.
A port number can be added using a suffix of @number, for example A port number can be added using a suffix of @number, for example
1.2.3.4@5300 or 1.2.3.4/24@5300 for port 5300. 1.2.3.4@5300 or 1.2.3.4/24@5300 for port 5300.
Note the ip\-spec ranges do not use spaces around the /, &, @ and \- Note the ip\-spec ranges do not use spaces around the /, &, @ and \-
symbols. symbols.
.RE .RE
.TP .TP
.B request\-xfr:\fR [AXFR|UDP] <ip\-address> <key\-name | NOKEY> .B request\-xfr:\fR [AXFR|UDP] <ip\-address> <key\-name | NOKEY> [tls\-auth\-nam e]
Access control list. The listed address (the master) is queried for Access control list. The listed address (the master) is queried for
AXFR/IXFR on update. A port number can be added using a suffix of @number, AXFR/IXFR on update. A port number can be added using a suffix of @number,
for example 1.2.3.4@5300. The specified key is used during AXFR/IXFR. for example 1.2.3.4@5300. The specified key is used during AXFR/IXFR. If
tls-auth-name is included, the specified tls-auth clause will be used to
perform authenticated XFR-over-TLS.
.P .P
.RS .RS
If the AXFR option is given, the server will not be contacted with If the AXFR option is given, the server will not be contacted with
IXFR queries but only AXFR requests will be made to the server. This IXFR queries but only AXFR requests will be made to the server. This
allows an NSD secondary to have a master server that runs NSD. If allows an NSD secondary to have a master server that runs NSD. If
the AXFR option is left out then both IXFR and AXFR requests are the AXFR option is left out then both IXFR and AXFR requests are
made to the master server. made to the master server.
.P .P
If the UDP option is given, the secondary will use UDP to transmit the IXFR If the UDP option is given, the secondary will use UDP to transmit the IXFR
requests. You should deploy TSIG when allowing UDP transport, to authenticate requests. You should deploy TSIG when allowing UDP transport, to authenticate
notifies and zone transfers. Otherwise, NSD is more vulnerable for notifies and zone transfers. Otherwise, NSD is more vulnerable for
Kaminsky\-style attacks. If the UDP option is left out then IXFR will be Kaminsky\-style attacks. If the UDP option is left out then IXFR will be
transmitted using TCP. transmitted using TCP.
.P
If a tls-auth-name is given then TLS (by default on port 853) will be used
for all zone transfers for the zone. If authentication of the master based on
the specified tls-auth authentication information fails, the XFR request will
not be sent. Support for TLS 1.3 is required for XFR-over-TLS.
.RE .RE
.TP .TP
.B allow\-axfr\-fallback:\fR <yes or no> .B allow\-axfr\-fallback:\fR <yes or no>
This option should be accompanied by request\-xfr. It (dis)allows NSD (as second ary) This option should be accompanied by request\-xfr. It (dis)allows NSD (as second ary)
to fallback to AXFR if the primary name server does not support IXFR. Default is yes. to fallback to AXFR if the primary name server does not support IXFR. Default is yes.
.TP .TP
.B size\-limit\-xfr:\fR <number> .B size\-limit\-xfr:\fR <number>
This option should be accompanied by request\-xfr. It specifies XFR temporary fi le size limit. It can be used to stop very large zone retrieval, that could oth erwise use up a lot of memory and disk space. This option should be accompanied by request\-xfr. It specifies XFR temporary fi le size limit. It can be used to stop very large zone retrieval, that could oth erwise use up a lot of memory and disk space.
If this option is 0, unlimited. Default value is 0. If this option is 0, unlimited. Default value is 0.
.TP .TP
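Review bot: the new tls-auth-name paragraph leaves it ambiguous whether "Support for TLS 1.3 is required for XFR-over-TLS" is a build-time requirement on NSD's own TLS library or a requirement on the master being contacted; saying which side (or both) avoids a refused transfer being misdiagnosed. Since "the XFR request will not be sent" is the only failure symptom described, it would also help to state how an authentication failure is reported to the operator. On style, the body text uses unescaped `tls-auth-name` and `tls-auth` while the synopsis line escapes them (`tls\-auth\-name`) and the surrounding paragraphs escape `self\-signed` and `Kaminsky\-style`; align them.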
skipping to change at line 837 skipping to change at line 876
.B secret:\fR <base64 blob> .B secret:\fR <base64 blob>
The base64 encoded shared secret. It is possible to put the The base64 encoded shared secret. It is possible to put the
.B secret: .B secret:
declaration (and base64 blob) into a different file, and then to declaration (and base64 blob) into a different file, and then to
.B include: .B include:
that file. In this way the key secret and the rest of the configuration that file. In this way the key secret and the rest of the configuration
file, which may have different security policies, can be split apart. file, which may have different security policies, can be split apart.
The content of the secret is the agreed base64 secret content. To make it The content of the secret is the agreed base64 secret content. To make it
up, enter a password (its length must be a multiple of 4 characters, A\-Za\-z0\- 9), or use up, enter a password (its length must be a multiple of 4 characters, A\-Za\-z0\- 9), or use
dev-random output through a base64 encode filter. dev-random output through a base64 encode filter.
.SS "TLS Auth Declarations"
The
.B tls-auth:
clause establishes authentication attributes to use when authenticating
the far end of an outgoing TLS connection used in access control lists for XFR-o
ver-TLS.
It has the following attributes.
.TP
.B name:\fR <string>
The tls-auth name. Used to refer to this TLS authentication information in the
access control list.
.TP
.B auth-domain-name:\fR <string>
The authentication domain name as defined in RFC8310.
.SS DNSTAP Logging Options .SS DNSTAP Logging Options
DNSTAP support, when compiled in, is enabled in the \fBdnstap:\fR section. DNSTAP support, when compiled in, is enabled in the \fBdnstap:\fR section.
This starts a collector process that writes the log information to the This starts a collector process that writes the log information to the
destination. destination.
.TP .TP
.B dnstap-enable:\fR <yes or no> .B dnstap-enable:\fR <yes or no>
If dnstap is enabled. Default no. If yes, it connects to the dnstap server If dnstap is enabled. Default no. If yes, it connects to the dnstap server
and if any of the dnstap-log-..-messages options is enabled it sends logs and if any of the dnstap-log-..-messages options is enabled it sends logs
for those messages to the server. for those messages to the server.
.TP .TP
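Review bot: the new TLS Auth Declarations section says what name: and auth-domain-name: hold but not how the far end is actually authenticated: which certificate field auth-domain-name is matched against, and which trust anchors the chain is validated with. A cross-reference to tls-cert-bundle (described earlier in this diff as the certificates used for authenticating XoT connections) and to the tls-auth-name argument of request-xfr would close that gap, and a note on whether name: values must be unique would tell operators what happens when two clauses collide.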
 End of changes. 9 change blocks. 
3 lines changed or deleted 57 lines changed or added
