Member "knot-2.9.2/doc/man/knot.conf.5in" (12 Dec 2019, 42414 Bytes) of package /linux/misc/dns/knot-2.9.2.tar.xz:
.\" Man page generated from reStructuredText.
.
.TH "KNOT.CONF" "5" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
.SH NAME
knot.conf \- Knot DNS configuration file
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH DESCRIPTION
.sp
Configuration files for Knot DNS use simplified YAML format. Simplified means
that not all of the features are supported.
.sp
For the description of configuration items, the following symbols are used:
.INDENT 0.0
.IP \(bu 2
\fIINT\fP – Integer
.IP \(bu 2
\fISTR\fP – Textual string
.IP \(bu 2
\fIHEXSTR\fP – Hexadecimal string (with \fB0x\fP prefix)
.IP \(bu 2
\fIBOOL\fP – Boolean value (\fBon\fP/\fBoff\fP or \fBtrue\fP/\fBfalse\fP)
.IP \(bu 2
\fITIME\fP – Number of seconds, an integer with possible time multiplier suffix
(\fBs\fP ~ 1, \fBm\fP ~ 60, \fBh\fP ~ 3600 or \fBd\fP ~ 24 * 3600)
.IP \(bu 2
\fISIZE\fP – Number of bytes, an integer with possible size multiplier suffix
(\fBB\fP ~ 1, \fBK\fP ~ 1024, \fBM\fP ~ 1024^2 or \fBG\fP ~ 1024^3)
.IP \(bu 2
\fIBASE64\fP – Base64 encoded string
.IP \(bu 2
\fIADDR\fP – IPv4 or IPv6 address
.IP \(bu 2
\fIDNAME\fP – Domain name
.IP \(bu 2
\&... – Multi\-valued item, order of the values is preserved
.IP \(bu 2
[ ] – Optional value
.IP \(bu 2
| – Choice
.UNINDENT
.sp
The configuration consists of several fixed sections and optional module
sections. There are 14 fixed sections (\fBmodule\fP, \fBserver\fP, \fBkey\fP, \fBacl\fP,
\fBcontrol\fP, \fBstatistics\fP, \fBdatabase\fP, \fBkeystore\fP, \fBsubmission\fP,
\fBpolicy\fP, \fBremote\fP, \fBtemplate\fP, \fBzone\fP, \fBlog\fP).
Module sections are prefixed with the \fBmod\-\fP prefix (e.g. \fBmod\-stats\fP).
.sp
Most of the sections (e.g. \fBzone\fP) are sequences of settings blocks. Each
settings block begins with a unique identifier, which can be used as a reference
from other sections (such an identifier must be defined in advance).
.sp
A multi\-valued item can be specified either as a YAML sequence:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
address: [10.0.0.1, 10.0.0.2]
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
or as several single\-valued items, each on an extra line:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
address: 10.0.0.1
address: 10.0.0.2
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
If an item value contains spaces or other special characters, it is necessary
to enclose such a value within double quotes \fB"\fP \fB"\fP\&.
.SH COMMENTS
.sp
A comment begins with a \fB#\fP character and is ignored during processing.
Also each configuration section or sequence block allows a permanent
comment using the \fBcomment\fP item which is stored in the server beside the
configuration.
.SH INCLUDES
.sp
Another configuration file or files, matching a pattern, can be included at
the top level in the current file. If the path is not absolute, then it
is considered to be relative to the current file. The pattern can be
an arbitrary string meeting POSIX \fIglob\fP requirements, e.g. dir/*.conf.
Matching files are processed in sorted order.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
include: STR
.ft P
.fi
.UNINDENT
.UNINDENT
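As an added example (not part of the manual and not Knot's own parser), the following Python reader implements the dialect described above: TIME and SIZE multiplier suffixes, \fB#\fP comments, double-quoted values, inline sequences, repeated keys and top-level includes. The sample configuration is constructed for the example. It makes one property explicit that matters when scripting around knot.conf: a repeated key accumulates values, whereas a general-purpose YAML loader would keep only the last occurrence.

```python
"""Reader for the simplified-YAML knot.conf dialect described above.
Added example, not Knot's own parser; the sample configuration is constructed."""
import re

TIME_MULT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 24 * 3600}
SIZE_MULT = {"": 1, "B": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_time(value: str) -> int:
    """TIME: integer seconds with an optional s/m/h/d multiplier suffix."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"bad TIME value: {value!r}")
    return int(m.group(1)) * TIME_MULT[m.group(2)]


def parse_size(value: str) -> int:
    """SIZE: integer bytes with an optional B/K/M/G multiplier suffix."""
    m = re.fullmatch(r"\s*(\d+)\s*([BKMG]?)\s*", value)
    if not m:
        raise ValueError(f"bad SIZE value: {value!r}")
    return int(m.group(1)) * SIZE_MULT[m.group(2)]


def _strip_comment(line: str) -> str:
    """Drop a '#' comment unless the '#' sits inside double quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out).rstrip()


def _unquote(s: str) -> str:
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def _values(raw: str) -> list:
    """One scalar, or an inline [a, b, c] sequence; double quotes are stripped."""
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        return [_unquote(p.strip()) for p in raw[1:-1].split(",") if p.strip()]
    return [_unquote(raw)]


def parse_conf(text: str) -> dict:
    """Return {section: [block, ...]}; each block maps item -> list of values, order preserved.
    A repeated key accumulates values (the manual's second multi-valued form), whereas a
    general-purpose YAML loader would silently keep only the last occurrence."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        indent, body = len(line) - len(line.lstrip()), line.strip()
        if indent == 0:                            # "section:" or top-level "include: STR"
            key, _, rest = body.partition(":")
            if key.strip() == "include":
                conf.setdefault("include", []).extend(_values(rest))
                continue
            section, block = key.strip(), None
            conf.setdefault(section, [])
            continue
        if section is None:
            raise ValueError(f"item outside any section: {body!r}")
        if body.startswith("- "):                  # "- id: ..." starts a new settings block
            body, block = body[2:], {}
            conf[section].append(block)
        elif block is None:                        # first item of a non-sequence section
            block = {}
            conf[section].append(block)
        key, _, rest = body.partition(":")
        block.setdefault(key.strip(), []).extend(_values(rest))
    return conf


SAMPLE = """\
# constructed sample configuration for this example
include: conf.d/*.conf
server:
    listen: [10.0.0.1@53, "::1"]
    listen: 10.0.0.2            # a second value, not an override
    tcp-idle-timeout: 30s
    udp-max-payload: 1232B
key:
  - id: xfr-key.
    algorithm: hmac-sha256
    secret: "Wg=="              # placeholder, not a real secret
"""


def load_sample() -> dict:
    """Parse SAMPLE and convert the typed items."""
    conf = parse_conf(SAMPLE)
    srv = conf["server"][0]
    return {
        "includes": conf["include"],
        "listen": srv["listen"],
        "idle_seconds": parse_time(srv["tcp-idle-timeout"][0]),
        "payload_bytes": parse_size(srv["udp-max-payload"][0]),
        "key_algorithm": conf["key"][0]["algorithm"][0],
    }
```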
.SH MODULE SECTION
.sp
Dynamic module loading configuration.
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
If configured with a non\-empty \fB\-\-with\-moduledir=path\fP parameter, all
shared modules in this directory will be automatically loaded.
.UNINDENT
.UNINDENT
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
module:
  \- id: STR
    file: STR
.ft P
.fi
.UNINDENT
.UNINDENT
.SS id
.sp
A module identifier in the form of the \fBmod\-\fP prefix and module name suffix.
.SS file
.sp
A path to a shared library file with the module implementation.
.sp
\fBWARNING:\fP
.INDENT 0.0
.INDENT 3.5
If the path is not absolute, the library is searched in the set of
system directories. See \fBman dlopen\fP for more details.
.UNINDENT
.UNINDENT
.sp
\fIDefault:\fP \fB${libdir}/knot/modules\-${version}\fP/module_name.so
(or \fB${path}\fP/module_name.so if configured with \fB\-\-with\-moduledir=path\fP)
.SH SERVER SECTION
.sp
General options related to the server.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
server:
    identity: [STR]
    version: [STR]
    nsid: [STR|HEXSTR]
    rundir: STR
    user: STR[:STR]
    pidfile: STR
    udp\-workers: INT
    tcp\-workers: INT
    background\-workers: INT
    async\-start: BOOL
    tcp\-idle\-timeout: TIME
    tcp\-io\-timeout: INT
    tcp\-remote\-io\-timeout: INT
    tcp\-max\-clients: INT
    tcp\-reuseport: BOOL
    udp\-max\-payload: SIZE
    udp\-max\-payload\-ipv4: SIZE
    udp\-max\-payload\-ipv6: SIZE
    edns\-client\-subnet: BOOL
    answer\-rotation: BOOL
    listen: ADDR[@INT] ...
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
\fBCAUTION:\fP
.INDENT 0.0
.INDENT 3.5
When you change configuration parameters dynamically or via configuration file
reload, some parameters in the Server section require restarting the Knot server
so that the change takes effect. See below for the details.
.UNINDENT
.UNINDENT
.SS identity
.sp
An identity of the server returned in the response to the query for TXT
record \fBid.server.\fP or \fBhostname.bind.\fP in the CHAOS class (\fI\%RFC 4892\fP).
Set to an empty value to disable.
.sp
\fIDefault:\fP FQDN hostname
.SS version
.sp
A version of the server software returned in the response to the query
for TXT record \fBversion.server.\fP or \fBversion.bind.\fP in the CHAOS
class (\fI\%RFC 4892\fP). Set to an empty value to disable.
.sp
\fIDefault:\fP server version
.SS nsid
.sp
A DNS name server identifier (\fI\%RFC 5001\fP). Set to an empty value to disable.
.sp
\fIDefault:\fP FQDN hostname
.SS rundir
.sp
A path for storing run\-time data (PID file, unix sockets, etc.).
.sp
Depending on the usage of this parameter, its change may require restart of the Knot
server to take effect.
.sp
\fIDefault:\fP \fB${localstatedir}/run/knot\fP (configured with \fB\-\-with\-rundir=path\fP)
.SS user
.sp
A system user with an optional system group (\fBuser:group\fP) under which the
server is run after starting and binding to interfaces. Linux capabilities
are employed if supported.
.sp
Change of this parameter requires restart of the Knot server to take effect.
.sp
\fIDefault:\fP root:root
.SS pidfile
.sp
A PID file location.
.sp
Change of this parameter requires restart of the Knot server to take effect.
.sp
\fIDefault:\fP \fI\%rundir\fP/knot.pid
.SS udp\-workers
.sp
A number of UDP workers (threads) used to process incoming queries
over UDP.
.sp
Change of this parameter requires restart of the Knot server to take effect.
.sp
\fIDefault:\fP equal to the number of online CPUs
.SS tcp\-workers
.sp
A number of TCP workers (threads) used to process incoming queries
over TCP.
.sp
Change of this parameter requires restart of the Knot server to take effect.
.sp
\fIDefault:\fP equal to the number of online CPUs, default value is at least 10
.SS background\-workers
.sp
A number of workers (threads) used to execute background operations (zone
loading, zone updates, etc.).
.sp
Change of this parameter requires restart of the Knot server to take effect.
.sp
\fIDefault:\fP equal to the number of online CPUs, default value is at most 10
.SS async\-start
.sp
If enabled, the server doesn\(aqt wait for the zones to be loaded and starts
responding immediately with SERVFAIL answers until the zone loads.
.sp
\fIDefault:\fP off
.SS tcp\-idle\-timeout
.sp
Maximum idle time (in seconds) between requests on an inbound TCP connection.
That is, if there is no activity on an inbound TCP connection for this long,
the connection is closed by the server.
.sp
\fIMinimum:\fP 1 s
.sp
\fIDefault:\fP 10 s
.SS tcp\-io\-timeout
.sp
Maximum time (in milliseconds) to receive or send one DNS message over an inbound
TCP connection. That is, this limit applies to normal DNS queries and replies,
incoming DDNS, and outgoing zone transfers.
Set to 0 for infinity.
.sp
\fIDefault:\fP 200 ms
.SS tcp\-remote\-io\-timeout
.sp
Maximum time (in milliseconds) to receive or send one DNS message over an outbound
TCP connection which has already been established to a configured remote server.
That is, this limit applies to incoming zone transfers, sending NOTIFY,
DDNS forwarding, and DS check or push. This timeout includes the time needed
for a network round\-trip and for query processing by the remote.
Set to 0 for infinity.
.sp
\fIDefault:\fP 5000 ms
.SS tcp\-reuseport
.sp
If enabled, each TCP worker listens on its own socket and the OS kernel
socket load balancing is employed using SO_REUSEPORT (or SO_REUSEPORT_LB
on FreeBSD). Due to the lack of one shared socket, the server can offer
a higher response rate over TCP. However, in the case of
time\-consuming requests (e.g. zone transfers of a TLD zone), enabled reuseport
may result in client requests being delayed or left unanswered. So it is
advisable to use this option on slave servers.
.sp
Change of this parameter requires restart of the Knot server to take effect.
.sp
\fIDefault:\fP off
.SS tcp\-max\-clients
.sp
A maximum number of TCP clients connected in parallel; set this below the file
descriptor limit to avoid resource exhaustion.
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
It is advisable to adjust the maximum number of open files per process in your
operating system configuration.
.UNINDENT
.UNINDENT
.sp
\fIDefault:\fP one half of the file descriptor limit for the server process
.SS udp\-max\-payload
.sp
Maximum EDNS0 UDP payload size default for both IPv4 and IPv6.
.sp
\fIDefault:\fP 1232
.SS udp\-max\-payload\-ipv4
.sp
Maximum EDNS0 UDP payload size for IPv4.
.sp
\fIDefault:\fP 1232
.SS udp\-max\-payload\-ipv6
.sp
Maximum EDNS0 UDP payload size for IPv6.
.sp
\fIDefault:\fP 1232
.SS edns\-client\-subnet
.sp
Enable or disable EDNS Client Subnet support. If enabled, responses to queries
containing the EDNS Client Subnet option
always contain a valid EDNS Client Subnet option according to \fI\%RFC 7871\fP\&.
.sp
\fIDefault:\fP off
.SS answer\-rotation
.sp
Enable or disable sorted\-rrset rotation in the answer section of normal replies.
The rotation shift is simply determined by the query ID.
.sp
\fIDefault:\fP off
.SS listen
.sp
One or more IP addresses where the server listens for incoming queries.
Optional port specification (default is 53) can be appended to each address
using the \fB@\fP separator. Use \fB0.0.0.0\fP for all configured IPv4 addresses or
\fB::\fP for all configured IPv6 addresses. Non\-local address binding is
automatically enabled if supported by the operating system.
.sp
Change of this parameter requires restart of the Knot server to take effect.
.sp
\fIDefault:\fP not set
.SH KEY SECTION
.sp
Shared TSIG keys used to authenticate communication with the server.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
key:
  \- id: DNAME
    algorithm: hmac\-md5 | hmac\-sha1 | hmac\-sha224 | hmac\-sha256 | hmac\-sha384 | hmac\-sha512
    secret: BASE64
.ft P
.fi
.UNINDENT
.UNINDENT
.SS id
.sp
A key name identifier.
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
This value MUST be exactly the same as the name of the TSIG key on the
opposite master/slave server(s).
.UNINDENT
.UNINDENT
.SS algorithm
.sp
A TSIG key algorithm. See
\fI\%TSIG Algorithm Numbers\fP\&.
.sp
Possible values:
.INDENT 0.0
.IP \(bu 2
\fBhmac\-md5\fP
.IP \(bu 2
\fBhmac\-sha1\fP
.IP \(bu 2
\fBhmac\-sha224\fP
.IP \(bu 2
\fBhmac\-sha256\fP
.IP \(bu 2
\fBhmac\-sha384\fP
.IP \(bu 2
\fBhmac\-sha512\fP
.UNINDENT
.sp
\fIDefault:\fP not set
.SS secret
.sp
Shared key secret.
.sp
\fIDefault:\fP not set
.SH ACL SECTION
.sp
Access control list rule definitions. The ACLs are used to match incoming
connections to allow or deny the requested operation (zone transfer request, DDNS
update, etc.).
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
acl:
  \- id: STR
    address: ADDR[/INT] | ADDR\-ADDR ...
    key: key_id ...
    action: notify | transfer | update ...
    deny: BOOL
    update\-type: STR ...
    update\-owner: key | zone | name
    update\-owner\-match: sub\-or\-equal | equal | sub
    update\-owner\-name: STR ...
.ft P
.fi
.UNINDENT
.UNINDENT
.SS id
.sp
An ACL rule identifier.
.SS address
.sp
An ordered list of IP addresses, network subnets, or network ranges. The query
must match one of them. Empty value means that address match is not required.
.sp
\fIDefault:\fP not set
.SS key
.sp
An ordered list of \fI\%reference\fPs to TSIG keys. The query must
match one of them. Empty value means that transaction authentication is not used.
.sp
\fIDefault:\fP not set
.SS action
.sp
An ordered list of allowed (or denied) actions.
.sp
Possible values:
.INDENT 0.0
.IP \(bu 2
\fBnotify\fP – Allow incoming notify.
.IP \(bu 2
\fBtransfer\fP – Allow zone transfer.
.IP \(bu 2
\fBupdate\fP – Allow zone updates.
.UNINDENT
.sp
\fIDefault:\fP not set
.SS deny
.sp
If enabled, instead of allowing, deny the specified \fI\%action\fP,
\fI\%address\fP, \fI\%key\fP, or combination of these
items. If no action is specified, deny all actions.
.sp
\fIDefault:\fP off
.SS update\-type
.sp
A list of allowed types of Resource Records in a zone update. Every record in an update
must match one of the specified types.
.sp
\fIDefault:\fP not set
.SS update\-owner
.sp
This option restricts possible owners of Resource Records in a zone update by comparing
them to either the \fI\%TSIG key\fP identity, the current zone name, or to a list of
domain names given by the \fI\%update\-owner\-name\fP option.
The comparison method is given by the \fI\%update\-owner\-match\fP option.
.sp
Possible values:
.INDENT 0.0
.IP \(bu 2
\fBkey\fP — The owner of each updated RR must match the identity of the TSIG key if used.
.IP \(bu 2
\fBname\fP — The owner of each updated RR must match at least one name in the
\fI\%update\-owner\-name\fP list.
.IP \(bu 2
\fBzone\fP — The owner of each updated RR must match the current zone name.
.UNINDENT
.sp
\fIDefault:\fP not set
.SS update\-owner\-match
.sp
This option defines how the owners of Resource Records in an update are matched to the domain name(s)
set by the \fI\%update\-owner\fP option.
.sp
Possible values:
.INDENT 0.0
.IP \(bu 2
\fBsub\-or\-equal\fP — The owner of each Resource Record in an update must either be equal to
or be a subdomain of at least one domain set by \fI\%update\-owner\fP\&.
.IP \(bu 2
\fBequal\fP — The owner of each updated RR must be equal to at least one domain set by
\fI\%update\-owner\fP\&.
.IP \(bu 2
\fBsub\fP — The owner of each updated RR must be a subdomain of, but MUST NOT be equal to, at least
one domain set by \fI\%update\-owner\fP\&.
.UNINDENT
.sp
\fIDefault:\fP sub\-or\-equal
.SS update\-owner\-name
.sp
A list of allowed owners of RRs in a zone update used with \fI\%update\-owner\fP
set to \fBname\fP\&.
.sp
\fIDefault:\fP not set
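An added example (not Knot's own implementation) that models the rules of this section in Python: address entries as ADDR, ADDR/INT or ADDR-ADDR, the optional TSIG key, action lists, the deny flag, and the update-owner / update-owner-match checks for DDNS. The rule set, addresses and key names are constructed for the example; that the first matching rule decides and that a request matching no rule is denied are assumptions of this model, as is treating an unsigned update as having no key identity to match.

```python
"""Model of the ACL semantics described in this section. Added example, not Knot's own
implementation; rules, addresses and key names below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def address_matches(spec: str, addr: str) -> bool:
    """One ACL address entry: ADDR, ADDR/INT (subnet) or ADDR-ADDR (inclusive range)."""
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo.version == ip.version and lo <= ip <= hi
    net = ipaddress.ip_network(spec, strict=False)
    return net.version == ip.version and ip in net


def owner_matches(owner: str, allowed: str, mode: str) -> bool:
    """update-owner-match: sub-or-equal | equal | sub. Names are compared case-insensitively
    and in fully qualified form."""
    o = owner.lower().rstrip(".") + "."
    a = allowed.lower().rstrip(".") + "."
    equal = o == a
    sub = o.endswith("." + a)
    if mode == "equal":
        return equal
    if mode == "sub":
        return sub
    if mode == "sub-or-equal":
        return equal or sub
    raise ValueError(f"unknown update-owner-match: {mode}")


@dataclass
class AclRule:
    id: str
    address: list = field(default_factory=list)   # ADDR[/INT] | ADDR-ADDR ...
    key: list = field(default_factory=list)       # key_id ...
    action: list = field(default_factory=list)    # notify | transfer | update ...
    deny: bool = False
    update_owner: Optional[str] = None            # key | zone | name
    update_owner_match: str = "sub-or-equal"
    update_owner_name: list = field(default_factory=list)

    def matches(self, src: str, key_id: Optional[str], action: str) -> bool:
        # empty address list: address match not required; empty key list: TSIG not required
        if self.address and not any(address_matches(a, src) for a in self.address):
            return False
        if self.key and key_id not in self.key:
            return False
        if self.action:
            return action in self.action
        return self.deny                          # deny rule with no action: deny all actions


def acl_decide(rules, src, key_id, action):
    """Walk the ordered rule list; the first rule whose address, key and action match decides
    (allow, or deny if deny is on). Assumed here: no matching rule means the request is denied."""
    for rule in rules:
        if rule.matches(src, key_id, action):
            return (not rule.deny, rule.id)
    return (False, None)


def update_owners_allowed(rule, owners, key_id, zone):
    """update-owner check for a DDNS update: every RR owner must match one allowed name."""
    if rule.update_owner is None:
        return True
    if rule.update_owner == "key":
        allowed = [key_id] if key_id else []      # unsigned update: nothing to match (assumption)
    elif rule.update_owner == "zone":
        allowed = [zone]
    else:
        allowed = rule.update_owner_name
    return all(any(owner_matches(o, a, rule.update_owner_match) for a in allowed) for o in owners)


# constructed rule set: block one network outright, allow transfers and notifies from
# authenticated secondaries, and let a DDNS key update only names under its own identity
RULES = [
    AclRule("deny_bad_net", address=["198.51.100.0/24"], deny=True),
    AclRule("secondaries", address=["192.0.2.10-192.0.2.20", "2001:db8::/32"],
            key=["xfr-key."], action=["transfer", "notify"]),
    AclRule("ddns_clients", key=["ddns-key.example.com."], action=["update"],
            update_owner="key", update_owner_match="sub-or-equal"),
]
```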
  543 .SH CONTROL SECTION
  544 .sp
  545 Configuration of the server control interface.
  546 .INDENT 0.0
  547 .INDENT 3.5
  548 .sp
  549 .nf
  550 .ft C
  551 control:
  552     listen: STR
  553     timeout: TIME
  554 .ft P
  555 .fi
  556 .UNINDENT
  557 .UNINDENT
  558 .SS listen
  559 .sp
  560 A UNIX socket path where the server listens for control commands.
  561 .sp
  562 \fIDefault:\fP \fI\%rundir\fP/knot.sock
  563 .SS timeout
  564 .sp
  565 Maximum time (in seconds) the control socket operations can take.
  566 Set to 0 for infinity.
  567 .sp
  568 \fIDefault:\fP 5
  569 .SH STATISTICS SECTION
  570 .sp
  571 Periodic server statistics dumping.
  572 .INDENT 0.0
  573 .INDENT 3.5
  574 .sp
  575 .nf
  576 .ft C
  577 statistics:
  578     timer: TIME
  579     file: STR
  580     append: BOOL
  581 .ft P
  582 .fi
  583 .UNINDENT
  584 .UNINDENT
  585 .SS timer
  586 .sp
  587 A period after which all available statistics metrics will by written to the
  588 \fI\%file\fP\&.
  589 .sp
  590 \fIDefault:\fP not set
  591 .SS file
  592 .sp
  593 A file path of statistics output in the YAML format.
  594 .sp
  595 \fIDefault:\fP \fI\%rundir\fP/stats.yaml
  596 .SS append
  597 .sp
  598 If enabled, the output will be appended to the \fI\%file\fP
  599 instead of file replacement.
  600 .sp
  601 \fIDefault:\fP off
  602 .SH DATABASE SECTION
  603 .sp
  604 Configuration of databases for zone contents, DNSSEC metadata, or event timers.
  605 .INDENT 0.0
  606 .INDENT 3.5
  607 .sp
  608 .nf
  609 .ft C
  610 database:
  611     storage: STR
  612     journal\-db: STR
  613     journal\-db\-mode: robust | asynchronous
  614     journal\-db\-max\-size: SIZE
  615     kasp\-db: STR
  616     kasp\-db\-max\-size: SIZE
  617     timer\-db: STR
  618     timer\-db\-max\-size: SIZE
  619 .ft P
  620 .fi
  621 .UNINDENT
  622 .UNINDENT
  623 .SS storage
  624 .sp
  625 A data directory for storing journal, KASP, and timer databases.
  626 .sp
  627 \fIDefault:\fP \fB${localstatedir}/lib/knot\fP (configured with \fB\-\-with\-storage=path\fP)
  628 .SS journal\-db
  629 .sp
  630 An explicit specification of the persistent journal database directory.
  631 Non\-absolute path (i.e. not starting with \fB/\fP) is relative to
  632 \fI\%storage\fP\&.
  633 .sp
  634 \fIDefault:\fP \fI\%storage\fP/journal
  635 .SS journal\-db\-mode
  636 .sp
  637 Specifies journal LMDB backend configuration, which influences performance
  638 and durability.
  639 .sp
  640 Possible values:
  641 .INDENT 0.0
  642 .IP \(bu 2
  643 \fBrobust\fP – The journal database disk sychronization ensures database
  644 durability but is generally slower.
  645 .IP \(bu 2
  646 \fBasynchronous\fP – The journal database disk synchronization is optimized for
  647 better performance at the expense of lower database durability in the case of
  648 a crash. This mode is recommended on slave nodes with many zones.
  649 .UNINDENT
  650 .sp
  651 \fIDefault:\fP robust
  652 .SS journal\-db\-max\-size
  653 .sp
  654 The hard limit for the journal database maximum size. There is no cleanup logic
  655 in journal to recover from reaching this limit. Journal simply starts refusing
  656 changes across all zones. Decreasing this value has no effect if it is lower
  657 than the actual database file size.
  658 .sp
  659 It is recommended to limit \fI\%journal\-max\-usage\fP
  660 per\-zone instead of \fI\%journal\-db\-max\-size\fP
  661 in most cases. Please keep this value larger than the sum of all zones\(aq
  662 journal usage limits. See more details regarding
  663 journal behaviour\&.
  664 .sp
  665 \fBNOTE:\fP
  666 .INDENT 0.0
  667 .INDENT 3.5
  668 This value also influences server\(aqs usage of virtual memory.
  669 .UNINDENT
  670 .UNINDENT
  671 .sp
  672 \fIDefault:\fP 20 GiB (1 GiB for 32\-bit)
  673 .SS kasp\-db
  674 .sp
  675 An explicit specification of the KASP database directory.
  676 Non\-absolute path (i.e. not starting with \fB/\fP) is relative to
  677 \fI\%storage\fP\&.
  678 .sp
  679 \fIDefault:\fP \fI\%storage\fP/keys
  680 .SS kasp\-db\-max\-size
  681 .sp
  682 The hard limit for the KASP database maximum size.
  683 .sp
  684 \fBNOTE:\fP
  685 .INDENT 0.0
  686 .INDENT 3.5
  687 This value also influences server\(aqs usage of virtual memory.
  688 .UNINDENT
  689 .UNINDENT
  690 .sp
  691 \fIDefault:\fP 500 MiB
  692 .SS timer\-db
  693 .sp
  694 An explicit specification of the persistent timer database directory.
  695 Non\-absolute path (i.e. not starting with \fB/\fP) is relative to
  696 \fI\%storage\fP\&.
  697 .sp
  698 \fIDefault:\fP \fI\%storage\fP/timers
  699 .SS timer\-db\-max\-size
  700 .sp
  701 The hard limit for the timer database maximum size.
  702 .sp
  703 \fBNOTE:\fP
  704 .INDENT 0.0
  705 .INDENT 3.5
  706 This value also influences server\(aqs usage of virtual memory.
  707 .UNINDENT
  708 .UNINDENT
  709 .sp
  710 \fIDefault:\fP 100 MiB
  711 .SH KEYSTORE SECTION
  712 .sp
  713 DNSSEC keystore configuration.
  714 .INDENT 0.0
  715 .INDENT 3.5
  716 .sp
  717 .nf
  718 .ft C
  719 keystore:
  720   \- id: STR
  721     backend: pem | pkcs11
  722     config: STR
  723 .ft P
  724 .fi
  725 .UNINDENT
  726 .UNINDENT
  727 .SS id
  728 .sp
  729 A keystore identifier.
  730 .SS backend
  731 .sp
  732 A key storage backend type.
  733 .sp
  734 Possible values:
  735 .INDENT 0.0
  736 .IP \(bu 2
  737 \fBpem\fP – PEM files.
  738 .IP \(bu 2
  739 \fBpkcs11\fP – PKCS #11 storage.
  740 .UNINDENT
  741 .sp
  742 \fIDefault:\fP pem
  743 .SS config
  744 .sp
  745 A backend specific configuration. A directory with PEM files (the path can
  746 be specified as a relative path to \fI\%kasp\-db\fP) or
  747 a configuration string for PKCS #11 storage (\fI<pkcs11\-url> <module\-path>\fP).
  748 .sp
  749 \fBNOTE:\fP
  750 .INDENT 0.0
  751 .INDENT 3.5
  752 Example configuration string for PKCS #11:
  753 .INDENT 0.0
  754 .INDENT 3.5
  755 .sp
  756 .nf
  757 .ft C
  758 "pkcs11:token=knot;pin\-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"
  759 .ft P
  760 .fi
  761 .UNINDENT
  762 .UNINDENT
  763 .UNINDENT
  764 .UNINDENT
  765 .sp
  766 \fIDefault:\fP \fI\%kasp\-db\fP/keys
  767 .SH SUBMISSION SECTION
  768 .sp
  769 Parameters of KSK submission checks.
  770 .INDENT 0.0
  771 .INDENT 3.5
  772 .sp
  773 .nf
  774 .ft C
  775 submission:
  776   \- id: STR
  777     parent: remote_id ...
  778     check\-interval: TIME
  779     timeout: TIME
  780 .ft P
  781 .fi
  782 .UNINDENT
  783 .UNINDENT
  784 .SS id
  785 .sp
  786 A submission identifier.
  787 .SS parent
  788 .sp
  789 A list of \fI\%references\fP to parent\(aqs DNS servers to be checked for
  790 presence of corresponding DS records in the case of KSK submission. All of them must
  791 have a corresponding DS for the rollover to continue. If none is specified, the
  792 rollover must be pushed forward manually.
  793 .sp
  794 \fIDefault:\fP not set
  795 .sp
  796 \fBTIP:\fP
  797 .INDENT 0.0
  798 .INDENT 3.5
  799 A DNSSEC\-validating resolver can be set as a parent.
  800 .UNINDENT
  801 .UNINDENT
  802 .SS check\-interval
  803 .sp
  804 Interval for periodic checks of DS presence on parent\(aqs DNS servers, in the
  805 case of the KSK submission.
  806 .sp
  807 \fIDefault:\fP 1 hour
  808 .SS timeout
  809 .sp
  810 After this time period (in seconds) the KSK submission is automatically considered
  811 successful, even if all the checks were negative or no parents are configured.
  812 Set to 0 for infinity.
  813 .sp
  814 \fIDefault:\fP 0
  815 .SH POLICY SECTION
  816 .sp
  817 DNSSEC policy configuration.
  818 .INDENT 0.0
  819 .INDENT 3.5
  820 .sp
  821 .nf
  822 .ft C
  823 policy:
  824   \- id: STR
  825     keystore: STR
  826     manual: BOOL
  827     single\-type\-signing: BOOL
  828     algorithm: rsasha1 | rsasha1\-nsec3\-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384 | ed25519
  829     ksk\-size: SIZE
  830     zsk\-size: SIZE
  831     ksk\-shared: BOOL
  832     dnskey\-ttl: TIME
  833     zone\-max\-ttl: TIME
  834     zsk\-lifetime: TIME
  835     ksk\-lifetime: TIME
  836     propagation\-delay: TIME
  837     rrsig\-lifetime: TIME
  838     rrsig\-refresh: TIME
  839     rrsig\-pre\-refresh: TIME
  840     nsec3: BOOL
  841     nsec3\-iterations: INT
  842     nsec3\-opt\-out: BOOL
  843     nsec3\-salt\-length: INT
  844     nsec3\-salt\-lifetime: TIME
  845     signing\-threads: INT
  846     ksk\-submission: submission_id
  847     ds\-push: remote_id
  848     cds\-cdnskey\-publish: none | delete\-dnssec | rollover | always | double\-ds
  849     offline\-ksk: BOOL
  850 .ft P
  851 .fi
  852 .UNINDENT
  853 .UNINDENT
  854 .SS id
  855 .sp
  856 A policy identifier.
  857 .SS keystore
  858 .sp
  859 A \fI\%reference\fP to a keystore holding private key material
  860 for zones.
  861 .sp
  862 \fIDefault:\fP an imaginary keystore with all default values
  863 .sp
  864 \fBNOTE:\fP
  865 .INDENT 0.0
  866 .INDENT 3.5
  867 A configured keystore called "default" won\(aqt be used unless explicitly referenced.
  868 .UNINDENT
  869 .UNINDENT
  870 .SS manual
  871 .sp
  872 If enabled, automatic key management is not used.
  873 .sp
  874 \fIDefault:\fP off
  875 .SS single\-type\-signing
  876 .sp
  877 If enabled, Single\-Type Signing Scheme is used in the automatic key management
  878 mode.
  879 .sp
  880 \fIDefault:\fP off
  881 .SS algorithm
  882 .sp
  883 An algorithm of signing keys and issued signatures. See
  884 \fI\%DNSSEC Algorithm Numbers\fP\&.
  885 .sp
  886 Possible values:
  887 .INDENT 0.0
  888 .IP \(bu 2
  889 \fBrsasha1\fP
  890 .IP \(bu 2
  891 \fBrsasha1\-nsec3\-sha1\fP
  892 .IP \(bu 2
  893 \fBrsasha256\fP
  894 .IP \(bu 2
  895 \fBrsasha512\fP
  896 .IP \(bu 2
  897 \fBecdsap256sha256\fP
  898 .IP \(bu 2
  899 \fBecdsap384sha384\fP
  900 .IP \(bu 2
  901 \fBed25519\fP
  902 .UNINDENT
  903 .sp
  904 \fBNOTE:\fP
  905 .INDENT 0.0
  906 .INDENT 3.5
  907 Ed25519 algorithm is only available when compiled with GnuTLS 3.6.0+.
  908 .UNINDENT
  909 .UNINDENT
  910 .sp
  911 \fIDefault:\fP ecdsap256sha256
  912 .SS ksk\-size
  913 .sp
  914 A length of newly generated KSK or
  915 CSK keys.
  916 .sp
  917 \fIDefault:\fP 2048 (rsa*), 256 (ecdsap256), 384 (ecdsap384), 256 (ed25519)
  918 .SS zsk\-size
  919 .sp
  920 A length of newly generated ZSK keys.
  921 .sp
  922 \fIDefault:\fP see default for \fI\%ksk\-size\fP
  923 .SS ksk\-shared
  924 .sp
  925 If enabled, all zones with this policy assigned will share one KSK.
  926 .sp
  927 \fIDefault:\fP off
  928 .SS dnskey\-ttl
  929 .sp
  930 A TTL value for DNSKEY records added into zone apex.
  931 .sp
  932 \fBNOTE:\fP
  933 .INDENT 0.0
  934 .INDENT 3.5
  935 Has infuence over ZSK key lifetime.
  936 .UNINDENT
  937 .UNINDENT
  938 .sp
  939 \fBWARNING:\fP
  940 .INDENT 0.0
  941 .INDENT 3.5
  942 Ensure all DNSKEYs with updated TTL are propagated before any subsequent
  943 DNSKEY rollover starts.
  944 .UNINDENT
  945 .UNINDENT
  946 .sp
  947 \fIDefault:\fP zone SOA TTL
  948 .SS zone\-max\-ttl
  949 .sp
  950 Declare (override) maximal TTL value among all the records in zone.
  951 .sp
  952 \fBNOTE:\fP
  953 .INDENT 0.0
  954 .INDENT 3.5
  955 It\(aqs generally recommended to override the maximal TTL computation by setting this
  956 explicitly whenever possible. It\(aqs required for DNSSEC Offline KSK and
  957 really reasonable when records are generated dynamically
  958 (e.g. by a module).
  959 .UNINDENT
  960 .UNINDENT
  961 .sp
  962 \fIDefault:\fP computed after zone is loaded
  963 .SS zsk\-lifetime
  964 .sp
  965 A period between ZSK activation and the next rollover initiation.
  966 .sp
  967 \fBNOTE:\fP
  968 .INDENT 0.0
  969 .INDENT 3.5
  970 More exactly, this period is measured since a ZSK is activated,
  971 and after this, a new ZSK is generated to replace it within
  972 following roll\-over.
  973 .sp
  974 ZSK key lifetime is also infuenced by propagation\-delay and dnskey\-ttl
  975 .sp
  976 Zero (aka infinity) value causes no ZSK rollover as a result.
  977 .UNINDENT
  978 .UNINDENT
  979 .sp
  980 \fIDefault:\fP 30 days
  981 .SS ksk\-lifetime
  982 .sp
  983 A period between KSK activation and the next rollover initiation.
  984 .sp
  985 \fBNOTE:\fP
  986 .INDENT 0.0
  987 .INDENT 3.5
  988 KSK key lifetime is also infuenced by propagation\-delay, dnskey\-ttl,
  989 and KSK submission delay.
  990 .sp
  991 Zero (aka infinity) value causes no KSK rollover as a result.
  992 .sp
  993 This applies for CSK lifetime if single\-type\-signing is enabled.
  994 .UNINDENT
  995 .UNINDENT
  996 .sp
  997 \fIDefault:\fP 0
  998 .SS propagation\-delay
  999 .sp
 1000 An extra delay added for each key rollover step. This value should be high
 1001 enough to cover propagation of data from the master server to all slaves.
 1002 .sp
 1003 \fBNOTE:\fP
 1004 .INDENT 0.0
 1005 .INDENT 3.5
 1006 Has infuence over ZSK key lifetime.
 1007 .UNINDENT
 1008 .UNINDENT
 1009 .sp
 1010 \fIDefault:\fP 1 hour
 1011 .SS rrsig\-lifetime
 1012 .sp
 1013 A validity period of newly issued signatures.
 1014 .sp
 1015 \fBNOTE:\fP
 1016 .INDENT 0.0
 1017 .INDENT 3.5
 1018 The RRSIG\(aqs signature inception time is set to 90 minutes in the past. This
 1019 time period is not counted to the signature lifetime.
 1020 .UNINDENT
 1021 .UNINDENT
 1022 .sp
 1023 \fIDefault:\fP 14 days
 1024 .SS rrsig\-refresh
 1025 .sp
1026 The minimum period before a signature\(aqs expiration at which the signature is refreshed,
1027 in order to prevent expired RRSIGs on slaves or in resolvers\(aq caches.
 1028 .sp
 1029 \fIDefault:\fP 7 days
 1030 .SS rrsig\-pre\-refresh
 1031 .sp
1032 The maximum period before a signature\(aqs refresh time at which it may already be refreshed,
1033 so that RRSIGs on a frequently updated zone are refreshed in bigger batches
1034 (avoiding too frequent re\-sign events).
 1035 .sp
 1036 \fIDefault:\fP 1 hour
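.sp
The interplay of rrsig\-lifetime, rrsig\-refresh and rrsig\-pre\-refresh, worked through as an added example (this is not code from Knot DNS; it only models the timeline the three items above describe, with times as Unix seconds and the section defaults as default arguments). The policy_is_consistent check is this example's own defensive rule, not a check the page states.

```python
HOUR = 3600
DAY = 24 * HOUR
INCEPTION_SKEW = 90 * 60   # the RRSIG inception is backdated by 90 minutes (see rrsig-lifetime)


def rrsig_timeline(signed_at, rrsig_lifetime=14 * DAY, rrsig_refresh=7 * DAY,
                   rrsig_pre_refresh=1 * HOUR):
    """Validity and refresh instants (Unix seconds) of an RRSIG issued at signed_at.
    The default arguments are the policy defaults listed in this section."""
    inception = signed_at - INCEPTION_SKEW             # backdated; not counted into the lifetime
    expiration = signed_at + rrsig_lifetime            # the lifetime is counted from signing time
    refresh_at = expiration - rrsig_refresh            # by this instant the RRSIG must be refreshed
    earliest_refresh = refresh_at - rrsig_pre_refresh  # the batching window opens here
    return {
        "inception": inception,
        "expiration": expiration,
        "earliest_refresh": earliest_refresh,
        "refresh_at": refresh_at,
    }


def refresh_due(timeline, now, resign_event=False):
    """Decide whether a signature is refreshed at `now`.
    A scheduled refresh happens at refresh_at. When some other re-sign event runs
    (resign_event=True, e.g. a zone update on a busy zone), signatures that are
    already inside the pre-refresh window are refreshed along with it, which is
    how the pre-refresh period turns many small re-sign events into batches."""
    threshold = timeline["earliest_refresh"] if resign_event else timeline["refresh_at"]
    return now >= threshold


def policy_is_consistent(rrsig_lifetime, rrsig_refresh, rrsig_pre_refresh):
    """Defensive check (this example's own rule, not stated on the page): the
    refresh window must fit inside the lifetime, otherwise a freshly issued
    signature would already be due for refresh."""
    return 0 < rrsig_refresh + rrsig_pre_refresh < rrsig_lifetime
```

With the defaults, a signature issued at time T is valid from T \- 90 min to T + 14 days, is refreshed no later than T + 7 days, and may be picked up by any re\-sign event from T + 7 days \- 1 hour onwards.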
 1037 .SS nsec3
 1038 .sp
 1039 Specifies if NSEC3 will be used instead of NSEC.
 1040 .sp
 1041 \fIDefault:\fP off
 1042 .SS nsec3\-iterations
 1043 .sp
1044 The number of additional times the hashing is performed.
 1045 .sp
 1046 \fIDefault:\fP 5
 1047 .SS nsec3\-opt\-out
 1048 .sp
 1049 If set, NSEC3 records won\(aqt be created for insecure delegations.
 1050 This speeds up the zone signing and reduces overall zone size.
 1051 .sp
 1052 \fBWARNING:\fP
 1053 .INDENT 0.0
 1054 .INDENT 3.5
 1055 NSEC3 with the Opt\-Out bit set no longer works as a proof of non\-existence
 1056 in this zone.
 1057 .UNINDENT
 1058 .UNINDENT
 1059 .sp
 1060 \fIDefault:\fP off
 1061 .SS nsec3\-salt\-length
 1062 .sp
1063 The length of the salt field in octets, which is appended to the original owner
1064 name before hashing.
 1065 .sp
 1066 \fIDefault:\fP 8
 1067 .SS nsec3\-salt\-lifetime
 1068 .sp
1069 The validity period of a newly issued salt field.
 1070 .sp
 1071 Zero value means infinity.
 1072 .sp
 1073 \fIDefault:\fP 30 days
 1074 .SS ksk\-submission
 1075 .sp
 1076 A reference to \fI\%submission\fP section holding parameters of
 1077 KSK submission checks.
 1078 .sp
 1079 \fIDefault:\fP not set
 1080 .SS ds\-push
 1081 .sp
 1082 An optional \fI\%reference\fP to authoritative DNS server of the
 1083 parent\(aqs zone. The remote server must be configured to accept DS record
 1084 updates via DDNS. Whenever a CDS record in the local zone is changed, the
 1085 corresponding DS record is sent as a dynamic update (DDNS) to the parent
 1086 DNS server. All previous DS records are deleted within the DDNS message.
 1087 It\(aqs possible to manage both child and parent zones by the same Knot DNS server.
 1088 .sp
 1089 \fBNOTE:\fP
 1090 .INDENT 0.0
 1091 .INDENT 3.5
 1092 This feature requires \fI\%cds\-cdnskey\-publish\fP
 1093 not to be set to \fBnone\fP\&.
 1094 .UNINDENT
 1095 .UNINDENT
 1096 .sp
 1097 \fBNOTE:\fP
 1098 .INDENT 0.0
 1099 .INDENT 3.5
 1100 Module Onlinesign doesn\(aqt support DS push.
 1101 .UNINDENT
 1102 .UNINDENT
 1103 .sp
 1104 \fIDefault:\fP not set
 1105 .SS signing\-threads
 1106 .sp
 1107 When signing zone or update, use this number of threads for parallel signing.
 1108 .sp
 1109 Those are extra threads independent of \fI\%Background workers\fP\&.
 1110 .sp
 1111 \fBNOTE:\fP
 1112 .INDENT 0.0
 1113 .INDENT 3.5
 1114 Some steps of the DNSSEC signing operation are not parallelized.
 1115 .UNINDENT
 1116 .UNINDENT
 1117 .sp
 1118 \fIDefault:\fP 1 (no extra threads)
 1119 .SS cds\-cdnskey\-publish
 1120 .sp
1121 Controls if and how the CDS and CDNSKEY records are published in the zone.
 1122 .sp
 1123 Possible values:
 1124 .INDENT 0.0
 1125 .IP \(bu 2
 1126 \fBnone\fP – Never publish any CDS or CDNSKEY records in the zone.
 1127 .IP \(bu 2
 1128 \fBdelete\-dnssec\fP – Publish special CDS and CDNSKEY records indicating turning off DNSSEC.
 1129 .IP \(bu 2
 1130 \fBrollover\fP – Publish CDS and CDNSKEY records only in the submission phase of KSK rollover.
 1131 .IP \(bu 2
1132 \fBalways\fP – Always publish one CDS and one CDNSKEY record for the current KSK.
 1133 .IP \(bu 2
 1134 \fBdouble\-ds\fP – Always publish up to two CDS and two CDNSKEY records for ready and/or active KSKs.
 1135 .UNINDENT
 1136 .sp
 1137 \fBNOTE:\fP
 1138 .INDENT 0.0
 1139 .INDENT 3.5
1140 If the zone keys are managed manually, the CDS and CDNSKEY RRsets may contain
1141 more records depending on the keys available.
 1142 .UNINDENT
 1143 .UNINDENT
 1144 .sp
 1145 \fIDefault:\fP rollover
 1146 .SS offline\-ksk
 1147 .sp
 1148 Specifies if Offline KSK feature is enabled.
 1149 .sp
 1150 \fIDefault:\fP off
 1151 .SH REMOTE SECTION
 1152 .sp
 1153 Definitions of remote servers for outgoing connections (source of a zone
 1154 transfer, target for a notification, etc.).
 1155 .INDENT 0.0
 1156 .INDENT 3.5
 1157 .sp
 1158 .nf
 1159 .ft C
 1160 remote:
 1161   \- id: STR
 1162     address: ADDR[@INT] ...
 1163     via: ADDR[@INT] ...
 1164     key: key_id
 1165 .ft P
 1166 .fi
 1167 .UNINDENT
 1168 .UNINDENT
 1169 .SS id
 1170 .sp
 1171 A remote identifier.
 1172 .SS address
 1173 .sp
 1174 An ordered list of destination IP addresses which are used for communication
 1175 with the remote server. The addresses are tried in sequence until the
 1176 remote is reached. Optional destination port (default is 53)
 1177 can be appended to the address using \fB@\fP separator.
 1178 .sp
 1179 \fIDefault:\fP not set
 1180 .sp
 1181 \fBNOTE:\fP
 1182 .INDENT 0.0
 1183 .INDENT 3.5
 1184 If the remote is contacted and it refuses to perform requested action,
 1185 no more addresses will be tried for this remote.
 1186 .UNINDENT
 1187 .UNINDENT
 1188 .SS via
 1189 .sp
 1190 An ordered list of source IP addresses. The first address with the same family
 1191 as the destination address is used. Optional source port (default is random)
 1192 can be appended to the address using \fB@\fP separator.
 1193 .sp
 1194 \fIDefault:\fP not set
 1195 .SS key
 1196 .sp
 1197 A \fI\%reference\fP to the TSIG key which is used to authenticate
 1198 the communication with the remote server.
 1199 .sp
 1200 \fIDefault:\fP not set
 1201 .SH TEMPLATE SECTION
 1202 .sp
1203 A template is a set of shareable zone settings, which can simplify configuration by
1204 reducing duplication. A special default template (with the \fIdefault\fP identifier)
1205 can be used for global zone configuration or as an implicit configuration
1206 if a zone doesn\(aqt have another template specified.
 1207 .INDENT 0.0
 1208 .INDENT 3.5
 1209 .sp
 1210 .nf
 1211 .ft C
 1212 template:
 1213   \- id: STR
 1214     global\-module: STR/STR ...
 1215     # All zone options (excluding \(aqtemplate\(aq item)
 1216 .ft P
 1217 .fi
 1218 .UNINDENT
 1219 .UNINDENT
 1220 .SS id
 1221 .sp
 1222 A template identifier.
 1223 .SS global\-module
 1224 .sp
 1225 An ordered list of references to query modules in the form of \fImodule_name\fP or
 1226 \fImodule_name/module_id\fP\&. These modules apply to all queries.
 1227 .sp
 1228 \fBNOTE:\fP
 1229 .INDENT 0.0
 1230 .INDENT 3.5
 1231 This option is only available in the \fIdefault\fP template.
 1232 .UNINDENT
 1233 .UNINDENT
 1234 .sp
 1235 \fIDefault:\fP not set
 1236 .SH ZONE SECTION
 1237 .sp
 1238 Definition of zones served by the server.
 1239 .INDENT 0.0
 1240 .INDENT 3.5
 1241 .sp
 1242 .nf
 1243 .ft C
 1244 zone:
 1245   \- domain: DNAME
 1246     template: template_id
 1247     storage: STR
 1248     file: STR
 1249     master: remote_id ...
 1250     ddns\-master: remote_id
 1251     notify: remote_id ...
 1252     acl: acl_id ...
 1253     semantic\-checks: BOOL
 1254     disable\-any: BOOL
 1255     zonefile\-sync: TIME
 1256     zonefile\-load: none | difference | difference\-no\-serial | whole
 1257     journal\-content: none | changes | all
 1258     journal\-max\-usage: SIZE
 1259     journal\-max\-depth: INT
1260     zone\-max\-size: SIZE
 1261     dnssec\-signing: BOOL
 1262     dnssec\-policy: STR
 1263     serial\-policy: increment | unixtime | dateserial
 1264     refresh\-min\-interval: TIME
 1265     refresh\-max\-interval: TIME
 1266     module: STR/STR ...
 1267 .ft P
 1268 .fi
 1269 .UNINDENT
 1270 .UNINDENT
 1271 .SS domain
 1272 .sp
 1273 A zone name identifier.
 1274 .SS template
 1275 .sp
 1276 A \fI\%reference\fP to a configuration template.
 1277 .sp
 1278 \fIDefault:\fP not set or \fIdefault\fP (if the template exists)
 1279 .SS storage
 1280 .sp
 1281 A data directory for storing zone files.
 1282 .sp
 1283 \fIDefault:\fP \fB${localstatedir}/lib/knot\fP (configured with \fB\-\-with\-storage=path\fP)
 1284 .SS file
 1285 .sp
 1286 A path to the zone file. Non\-absolute path (i.e. not starting with \fB/\fP) is
 1287 relative to \fI\%storage\fP\&.
 1288 It is also possible to use the following formatters:
 1289 .INDENT 0.0
 1290 .IP \(bu 2
 1291 \fB%c[\fP\fIN\fP\fB]\fP or \fB%c[\fP\fIN\fP\fB\-\fP\fIM\fP\fB]\fP – Means the \fIN\fPth
 1292 character or a sequence of characters beginning from the \fIN\fPth and ending
 1293 with the \fIM\fPth character of the textual zone name (see \fB%s\fP). The
 1294 indexes are counted from 0 from the left. All dots (including the terminal
 1295 one) are considered. If the character is not available, the formatter has no effect.
 1296 .IP \(bu 2
 1297 \fB%l[\fP\fIN\fP\fB]\fP – Means the \fIN\fPth label of the textual zone name
 1298 (see \fB%s\fP). The index is counted from 0 from the right (0 ~ TLD).
 1299 If the label is not available, the formatter has no effect.
 1300 .IP \(bu 2
 1301 \fB%s\fP – Means the current zone name in the textual representation.
 1302 The zone name doesn\(aqt include the terminating dot (the result for the root
 1303 zone is the empty string!).
 1304 .IP \(bu 2
 1305 \fB%%\fP – Means the \fB%\fP character.
 1306 .UNINDENT
 1307 .sp
 1308 \fBWARNING:\fP
 1309 .INDENT 0.0
 1310 .INDENT 3.5
1311 Beware of special characters which are escaped or encoded in the \eDDD form
1312 where DDD is the corresponding decimal ASCII code.
 1313 .UNINDENT
 1314 .UNINDENT
 1315 .sp
 1316 \fIDefault:\fP \fI\%storage\fP/\fB%s\fP\&.zone
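.sp
An added example implementing the four \fBfile\fP formatters above and the \fI\%storage\fP\-relative path rule (this is not Knot DNS code; the function names are this example's own). It reads "the formatter has no effect" as "contributes no output", and, following the \fB%c\fP description, counts the terminal dot for \fB%c\fP while \fB%s\fP drops it.

```python
import os
import re

# One regex for the four documented formatter shapes:
#   %c[N]  %c[N-M]  %l[N]  %s  %%
FORMATTER_RE = re.compile(r"%(?:c\[(\d+)(?:-(\d+))?\]|l\[(\d+)\]|s|%)")


def expand_zone_file(pattern, zone_name):
    """Expand the 'file' formatters for a zone name given with or without the
    terminating dot. An unavailable character or label expands to nothing."""
    name_nodot = zone_name.rstrip(".")                      # %s form; root zone -> ""
    name_dot = name_nodot + "."                             # %c form: the terminal dot counts
    labels = name_nodot.split(".") if name_nodot else []    # root zone has no labels

    def replace(match):
        token = match.group(0)
        if token == "%%":
            return "%"
        if token == "%s":
            return name_nodot
        if match.group(3) is not None:     # %l[N]: counted from the right, 0 is the TLD
            n = int(match.group(3))
            return labels[-1 - n] if n < len(labels) else ""
        n = int(match.group(1))            # %c[N] or %c[N-M]: counted from the left, from 0
        m = int(match.group(2)) if match.group(2) is not None else n
        return name_dot[n:m + 1] if n < len(name_dot) else ""

    return FORMATTER_RE.sub(replace, pattern)


def zone_file_path(storage, file_pattern, zone_name):
    """Resolve the zone file location: a non-absolute expansion is relative to
    'storage'; an absolute one is used as is (os.path.join keeps it)."""
    return os.path.join(storage, expand_zone_file(file_pattern, zone_name))
```

A pattern such as \fB%l[0]/%s.zone\fP shards zone files into per\-TLD directories; note that for the root zone \fB%s\fP yields the empty string, so the default \fB%s.zone\fP resolves to the file \fB.zone\fP.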
 1317 .SS master
 1318 .sp
 1319 An ordered list of \fI\%references\fP to zone master servers.
 1320 .sp
 1321 \fIDefault:\fP not set
 1322 .SS ddns\-master
 1323 .sp
 1324 A \fI\%reference\fP to zone primary master server.
 1325 If not specified, the first \fI\%master\fP server is used.
 1326 .sp
 1327 \fIDefault:\fP not set
 1328 .SS notify
 1329 .sp
1330 An ordered list of \fI\%references\fP to remotes to which a notify
1331 message is sent if the zone changes.
 1332 .sp
 1333 \fIDefault:\fP not set
 1334 .SS acl
 1335 .sp
 1336 An ordered list of \fI\%references\fP to ACL rules which can allow
 1337 or disallow zone transfers, updates or incoming notifies.
 1338 .sp
 1339 \fIDefault:\fP not set
 1340 .SS semantic\-checks
 1341 .sp
 1342 If enabled, extra zone semantic checks are turned on.
 1343 .sp
1344 Several checks are enabled by default and cannot be turned off. An error in the
1345 mandatory checks causes the zone not to be loaded. An error in the extra checks is
1346 only logged.
 1347 .sp
 1348 Mandatory checks:
 1349 .INDENT 0.0
 1350 .IP \(bu 2
 1351 SOA record missing in the zone (\fI\%RFC 1034\fP)
 1352 .IP \(bu 2
 1353 An extra record together with CNAME record except for RRSIG and DS (\fI\%RFC 1034\fP)
 1354 .IP \(bu 2
1355 Multiple CNAME records with the same owner
 1356 .IP \(bu 2
 1357 DNAME record having a record under it (\fI\%RFC 2672\fP)
 1358 .UNINDENT
 1359 .sp
 1360 Extra checks:
 1361 .INDENT 0.0
 1362 .IP \(bu 2
 1363 Missing NS record at the zone apex
 1364 .IP \(bu 2
 1365 Missing glue A or AAAA record
 1366 .IP \(bu 2
 1367 Invalid DNSKEY, DS, or NSEC3PARAM record
 1368 .IP \(bu 2
 1369 CDS or CDNSKEY inconsistency
 1370 .IP \(bu 2
 1371 Missing, invalid, or unverifiable RRSIG record
 1372 .IP \(bu 2
 1373 Invalid NSEC(3) record
 1374 .IP \(bu 2
 1375 Broken or non\-cyclic NSEC(3) chain
 1376 .UNINDENT
 1377 .sp
 1378 \fIDefault:\fP off
 1379 .SS disable\-any
 1380 .sp
1381 If enabled, all authoritative ANY queries sent over UDP will be answered
1382 with an empty response and with the TC bit set. Use this option to minimize
1383 the risk of DNS reflection attacks, which abuse the large UDP answers to ANY queries.
 1384 .sp
 1385 \fIDefault:\fP off
 1386 .SS zonefile\-sync
 1387 .sp
 1388 The time after which the current zone in memory will be synced with a zone file
 1389 on the disk (see \fI\%file\fP). The server will serve the latest
 1390 zone even after a restart using zone journal, but the zone file on the disk will
 1391 only be synced after \fBzonefile\-sync\fP time has expired (or after manual zone
 1392 flush). This is applicable when the zone is updated via IXFR, DDNS or automatic
 1393 DNSSEC signing. In order to completely disable automatic zone file synchronization,
 1394 set the value to \-1. In that case, it is still possible to force a manual zone flush
 1395 using the \fB\-f\fP option.
 1396 .sp
 1397 \fBNOTE:\fP
 1398 .INDENT 0.0
 1399 .INDENT 3.5
 1400 If you are serving large zones with frequent updates where
 1401 the immediate sync with a zone file is not desirable, increase the value.
 1402 .UNINDENT
 1403 .UNINDENT
 1404 .sp
 1405 \fIDefault:\fP 0 (immediate)
 1406 .SS zonefile\-load
 1407 .sp
 1408 Selects how the zone file contents are applied during zone load.
 1409 .sp
 1410 Possible values:
 1411 .INDENT 0.0
 1412 .IP \(bu 2
 1413 \fBnone\fP – The zone file is not used at all.
 1414 .IP \(bu 2
 1415 \fBdifference\fP – If the zone contents are already available during server start or reload,
 1416 the difference is computed between them and the contents of the zone file. This difference
 1417 is then checked for semantic errors and
 1418 applied to the current zone contents.
 1419 .IP \(bu 2
 1420 \fBdifference\-no\-serial\fP – Same as \fBdifference\fP, but the SOA serial in the zone file is
 1421 ignored, the server takes care of incrementing the serial automatically.
 1422 .IP \(bu 2
 1423 \fBwhole\fP – Zone contents are loaded from the zone file.
 1424 .UNINDENT
 1425 .sp
1426 When \fBdifference\fP is configured and there are no zone contents yet (cold start of Knot
1427 and no zone contents in the journal), it behaves the same way as \fBwhole\fP\&.
 1428 .sp
 1429 \fIDefault:\fP whole
 1430 .SS journal\-content
 1431 .sp
1432 Selects how the journal shall be used to store the zone and its changes.
 1433 .sp
 1434 Possible values:
 1435 .INDENT 0.0
 1436 .IP \(bu 2
 1437 \fBnone\fP – The journal is not used at all.
 1438 .IP \(bu 2
1439 \fBchanges\fP – The zone change history is stored in the journal.
 1440 .IP \(bu 2
1441 \fBall\fP – The zone contents and history are stored in the journal.
 1442 .UNINDENT
 1443 .sp
 1444 \fIDefault:\fP changes
 1445 .SS journal\-max\-usage
 1446 .sp
1447 The maximum amount of space in the journal DB that the zone\(aqs journal may occupy.
 1448 .sp
 1449 \fBNOTE:\fP
 1450 .INDENT 0.0
 1451 .INDENT 3.5
 1452 Journal DB may grow far above the sum of journal\-max\-usage across
 1453 all zones, because of DB free space fragmentation.
 1454 .UNINDENT
 1455 .UNINDENT
 1456 .sp
 1457 \fIDefault:\fP 100 MiB
 1458 .SS journal\-max\-depth
 1459 .sp
1460 Maximum history length of the journal.
 1461 .sp
 1462 \fIMinimum:\fP 2
 1463 .sp
 1464 \fIDefault:\fP 2^64
 1465 .SS zone\-max\-size
 1466 .sp
 1467 Maximum size of the zone. The size is measured as size of the zone records
 1468 in wire format without compression. The limit is enforced for incoming zone
 1469 transfers and dynamic updates.
 1470 .sp
 1471 For incremental transfers (IXFR), the effective limit for the total size of
 1472 the records in the transfer is twice the configured value. However the final
 1473 size of the zone must satisfy the configured value.
 1474 .sp
 1475 \fIDefault:\fP 2^64
 1476 .SS dnssec\-signing
 1477 .sp
 1478 If enabled, automatic DNSSEC signing for the zone is turned on.
 1479 .sp
 1480 \fIDefault:\fP off
 1481 .SS dnssec\-policy
 1482 .sp
 1483 A \fI\%reference\fP to DNSSEC signing policy.
 1484 .sp
 1485 \fIDefault:\fP an imaginary policy with all default values
 1486 .sp
 1487 \fBNOTE:\fP
 1488 .INDENT 0.0
 1489 .INDENT 3.5
 1490 A configured policy called "default" won\(aqt be used unless explicitly referenced.
 1491 .UNINDENT
 1492 .UNINDENT
 1493 .SS serial\-policy
 1494 .sp
1495 Specifies how the zone serial is updated after a dynamic update or
1496 automatic DNSSEC signing. If the serial has already been changed by the dynamic
1497 update itself, no further change is made.
 1498 .sp
 1499 Possible values:
 1500 .INDENT 0.0
 1501 .IP \(bu 2
 1502 \fBincrement\fP – The serial is incremented according to serial number arithmetic.
 1503 .IP \(bu 2
 1504 \fBunixtime\fP – The serial is set to the current unix time.
 1505 .IP \(bu 2
1506 \fBdateserial\fP – The 10\-digit serial (YYYYMMDDnn) is incremented, the first
1507 8 digits match the current ISO date.
 1508 .UNINDENT
 1509 .sp
 1510 \fBNOTE:\fP
 1511 .INDENT 0.0
 1512 .INDENT 3.5
1513 In the case of \fBunixtime\fP, if the resulting serial would be lower than or equal to
1514 the current zone serial (this happens e.g. when migrating from another policy or on
1515 frequent updates), the serial is incremented instead.
1516 .sp
1517 Use \fBdateserial\fP only if you expect fewer than 100 updates per day per zone.
 1518 .UNINDENT
 1519 .UNINDENT
 1520 .sp
 1521 \fIDefault:\fP increment
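.sp
The three serial\-policy values and the \fBunixtime\fP fallback from the note, as an added example (not Knot DNS code; function names are this example's own). The same "increment instead" fallback is assumed for \fBdateserial\fP when the date\-based value would not exceed the current serial; the page states that fallback only for \fBunixtime\fP.

```python
import time
from datetime import date

SERIAL_MOD = 1 << 32   # SOA serials are 32-bit; incrementing wraps around (serial number arithmetic)


def serial_increment(current):
    """increment policy."""
    return (current + 1) % SERIAL_MOD


def serial_unixtime(current, now=None):
    """unixtime policy: the serial becomes the current Unix time, unless that is
    not greater than the current serial (migration from another policy, or more
    than one update within a second); then the serial is incremented instead."""
    now = int(time.time()) if now is None else int(now)
    return now % SERIAL_MOD if now > current else serial_increment(current)


def serial_dateserial(current, today=None):
    """dateserial policy, serial layout YYYYMMDDnn.
    Same day: nn is incremented. New day: YYYYMMDD00.
    Assumption (not stated on the page): if the date-based value is not greater
    than the current serial, the serial is incremented instead, as with unixtime."""
    if today is None:
        today = int(date.today().strftime("%Y%m%d"))   # YYYYMMDD as an integer
    if current // 100 == today:
        # The 100th update of a day moves the serial past today's prefix, which is
        # why the note above limits this policy to fewer than 100 updates per day.
        return serial_increment(current)
    candidate = today * 100
    return candidate if candidate > current else serial_increment(current)


def next_serial(policy, current, **when):
    """Dispatch on the serial-policy value as written in knot.conf.
    `when` may carry now= (unixtime) or today= (dateserial) for reproducible runs."""
    if policy == "increment":
        return serial_increment(current)
    if policy == "unixtime":
        return serial_unixtime(current, when.get("now"))
    if policy == "dateserial":
        return serial_dateserial(current, when.get("today"))
    raise ValueError(f"unknown serial-policy: {policy}")
```

Both time\-based policies only ever move the serial forward, so switching a zone from a large legacy serial to \fBunixtime\fP or \fBdateserial\fP silently degrades to \fBincrement\fP until the clock catches up.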
 1522 .SS refresh\-min\-interval
 1523 .sp
1524 Forced minimum zone refresh interval to avoid flooding the master.
 1525 .sp
 1526 \fIDefault:\fP 2
 1527 .SS refresh\-max\-interval
 1528 .sp
 1529 Forced maximum zone refresh interval.
 1530 .sp
 1531 \fIDefault:\fP not set
 1532 .SS module
 1533 .sp
 1534 An ordered list of references to query modules in the form of \fImodule_name\fP or
 1535 \fImodule_name/module_id\fP\&. These modules apply only to the current zone queries.
 1536 .sp
 1537 \fIDefault:\fP not set
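.sp
An added example covering the REMOTE, TEMPLATE and ZONE sections together: it resolves a zone\(aqs effective settings through its template and checks that every \fI\%reference\fP (remote key, zone template, master/notify remotes, ACLs, DNSSEC policy) points at a defined identifier. It is not Knot DNS code; the configuration is a constructed stand\-in written as Python literals instead of YAML, and the template rule is read from the TEMPLATE SECTION text: the \fBdefault\fP template applies only when a zone names no other template.

```python
# Constructed knot.conf fragment (Python literals standing in for the YAML so the
# example runs without a YAML library). All identifiers and values are made up.
CONF = {
    "key": [{"id": "xfr-key", "algorithm": "hmac-sha256", "secret": "<base64-placeholder>"}],
    "acl": [{"id": "primary-notify", "key": "xfr-key", "action": "notify"}],
    "policy": [{"id": "ecdsa", "algorithm": "ecdsap256sha256"}],
    "remote": [{"id": "primary", "address": ["192.0.2.1@53"], "key": "xfr-key"}],
    "template": [
        {"id": "default", "storage": "/var/lib/knot", "semantic-checks": True},
        {"id": "signed", "dnssec-signing": True, "dnssec-policy": "ecdsa"},
    ],
    "zone": [
        {"domain": "example.com.", "master": ["primary"], "acl": ["primary-notify"]},
        {"domain": "example.net.", "template": "signed", "semantic-checks": False},
        {"domain": "example.org.", "template": "missing", "notify": ["nowhere"]},
    ],
}


def _by_id(conf, section, id_key="id"):
    return {item[id_key]: item for item in conf.get(section, [])}


def effective_zone(conf, domain):
    """Merge template settings into a zone's own settings. The zone's own items win;
    unset items come from its 'template', or from 'default' only when the zone
    names no template at all (the reading of the TEMPLATE SECTION used here)."""
    zone = _by_id(conf, "zone", "domain")[domain]
    templates = _by_id(conf, "template")
    tpl_id = zone.get("template", "default" if "default" in templates else None)
    merged = dict(templates.get(tpl_id, {})) if tpl_id else {}
    merged.pop("id", None)
    merged.pop("global-module", None)   # a default-template-only item, never a zone setting
    merged.update(zone)
    return merged


# (section, item) -> section whose ids the item must refer to
REFS = {
    ("remote", "key"): "key",
    ("acl", "key"): "key",
    ("zone", "template"): "template",
    ("zone", "master"): "remote",
    ("zone", "ddns-master"): "remote",
    ("zone", "notify"): "remote",
    ("zone", "acl"): "acl",
    ("zone", "dnssec-policy"): "policy",
    ("template", "dnssec-policy"): "policy",
}


def check_references(conf):
    """Return human-readable errors for dangling references and for global-module
    used outside the default template; an empty list means the fragment is consistent."""
    errors = []
    for (section, item), target in REFS.items():
        known = _by_id(conf, target)
        for entry in conf.get(section, []):
            value = entry.get(item)
            if value is None:
                continue
            for ref in (value if isinstance(value, list) else [value]):
                if ref not in known:
                    who = entry.get("id") or entry.get("domain")
                    errors.append(f"{section} '{who}': {item} refers to unknown {target} '{ref}'")
    for tpl in conf.get("template", []):
        if "global-module" in tpl and tpl["id"] != "default":
            errors.append(f"template '{tpl['id']}': global-module is only available in the default template")
    return errors
```

Running check_references on the constructed fragment reports the two problems in example.org. (an unknown template and an unknown notify remote); example.net. shows that a zone with an explicit template does not pick up \fBstorage\fP from the default template.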
 1538 .SH LOGGING SECTION
 1539 .sp
1540 The server can be configured to log to the standard output, the standard error
1541 output, syslog (or the systemd journal if systemd is enabled) or to an arbitrary
1542 file.
 1543 .sp
 1544 There are 6 logging severity levels:
 1545 .INDENT 0.0
 1546 .IP \(bu 2
 1547 \fBcritical\fP – Non\-recoverable error resulting in server shutdown.
 1548 .IP \(bu 2
 1549 \fBerror\fP – Recoverable error, action should be taken.
 1550 .IP \(bu 2
 1551 \fBwarning\fP – Warning that might require user action.
 1552 .IP \(bu 2
 1553 \fBnotice\fP – Server notice or hint.
 1554 .IP \(bu 2
 1555 \fBinfo\fP – Informational message.
 1556 .IP \(bu 2
 1557 \fBdebug\fP – Debug or detailed message.
 1558 .UNINDENT
 1559 .sp
1560 If the log section is missing, \fBwarning\fP or more serious messages
1561 will be logged to both standard error output and syslog. The \fBinfo\fP and
1562 \fBnotice\fP messages will be logged to standard output.
 1563 .INDENT 0.0
 1564 .INDENT 3.5
 1565 .sp
 1566 .nf
 1567 .ft C
 1568 log:
 1569   \- target: stdout | stderr | syslog | STR
 1570     server: critical | error | warning | notice | info | debug
 1571     control: critical | error | warning | notice | info | debug
 1572     zone: critical | error | warning | notice | info | debug
 1573     any: critical | error | warning | notice | info | debug
 1574 .ft P
 1575 .fi
 1576 .UNINDENT
 1577 .UNINDENT
 1578 .SS target
 1579 .sp
 1580 A logging output.
 1581 .sp
 1582 Possible values:
 1583 .INDENT 0.0
 1584 .IP \(bu 2
 1585 \fBstdout\fP – Standard output.
 1586 .IP \(bu 2
 1587 \fBstderr\fP – Standard error output.
 1588 .IP \(bu 2
 1589 \fBsyslog\fP – Syslog or systemd journal.
 1590 .IP \(bu 2
 1591 \fIfile_name\fP – A specific file.
 1592 .UNINDENT
 1593 .sp
1594 With the \fBsyslog\fP target, the syslog service is used. However, if Knot DNS has been compiled
1595 with systemd support and the operating system has been booted with systemd, the systemd journal
1596 is used for logging instead of syslog.
 1597 .SS server
 1598 .sp
 1599 Minimum severity level for messages related to general operation of the server to be
 1600 logged.
 1601 .sp
 1602 \fIDefault:\fP not set
 1603 .SS control
 1604 .sp
 1605 Minimum severity level for messages related to server control to be logged.
 1606 .sp
 1607 \fIDefault:\fP not set
 1608 .SS zone
 1609 .sp
 1610 Minimum severity level for messages related to zones to be logged.
 1611 .sp
 1612 \fIDefault:\fP not set
 1613 .SS any
 1614 .sp
 1615 Minimum severity level for all message types to be logged.
 1616 .sp
 1617 \fIDefault:\fP not set
 1618 .SH AUTHOR
 1619 CZ.NIC Labs <https://www.knot-dns.cz>
 1620 .SH COPYRIGHT
 1621 Copyright 2010–2019, CZ.NIC, z.s.p.o.
 1622 .\" Generated by docutils manpage writer.
 1623 .