"Fossies" - the Fresh Open Source Software Archive

Member "nsd-4.3.6/nsd.conf.sample.in" (6 Apr 2021, 14598 Bytes) of package /linux/misc/dns/nsd-4.3.6.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "nsd.conf.sample.in": 4.3.5_vs_4.3.6.

    1 #
    2 # nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
    3 #
    4 # Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
    5 #
    6 # See LICENSE for the license.
    7 #
    8 
    9 # This is a comment.
   10 # Sample configuration file
   11 # include: "file" # include that file's text over here.  Globbed, "*.conf"
   12 
   13 # options for the nsd server
   14 server:
   15 	# Number of NSD servers to fork.  Put the number of CPUs to use here.
   16 	# server-count: 1
   17 
   18 	# Set overall CPU affinity for NSD processes on Linux and FreeBSD.
   19 	# Any server/xfrd CPU affinity value will be masked by this value.
   20 	# cpu-affinity: 0 1 2 3
   21 
   22 	# Bind NSD server(s), configured by server-count (1-based), to a
   23 	# dedicated core. Single core affinity improves L1/L2 cache hits and
   24 	# reduces pipeline stalls/flushes.
   25 	#
   26 	# server-1-cpu-affinity: 0
   27 	# server-2-cpu-affinity: 1
   28 	# ...
   29 	# server-<N>-cpu-affinity: 2
   30 
   31 	# Bind xfrd to a dedicated core.
   32 	# xfrd-cpu-affinity: 3
   33 
   34 	# Specify specific interfaces to bind (default are the wildcard
   35 	# interfaces 0.0.0.0 and ::0).
   36 	# For servers with multiple IP addresses, list them one by one,
   37 	# or the source address of replies could be wrong.
   38 	# Use ip-transparent to be able to list addresses that turn on later.
   39 	# ip-address: 1.2.3.4
   40 	# ip-address: 1.2.3.4@5678
   41 	# ip-address: 12fe::8ef0
   42 	#
   43 	# IP addresses can be configured per-server to avoid waking up more
   44 	# than one server when a packet comes in (thundering herd problem) or
   45 	# to partition sockets across servers to improve select/poll
   46 	# performance.
   47 	#
   48 	# ip-address: 1.2.3.4       servers="1-2 3"
   49 	# ip-address: 1.2.3.4@5678  servers="4-5 6"
   50 	#
   51 	# When several interfaces are configured to listen on the same subnet,
   52 	# care must be taken to ensure responses go out the same interface the
   53 	# corresponding query came in on to avoid problems with load balancers
   54 	# and VLAN tagged interfaces. Linux offers the SO_BINDTODEVICE socket
   55 	# option to bind a socket to a specified device. For FreeBSD, to
   56 	# achieve the same result, specify the routing table to use after the
   57 	# IP address to use SO_SETFIB.
   58 	#
   59 	# Combining this with socket partitioning and CPU affinity also helps
   60 	# mitigate attacks: only a single core is saturated if one specific
   61 	# IP address is under attack.
   62 	#
   63 	# ip-address: 1.2.3.4       setfib=0  bindtodevice=yes
   64 	# ip-address: 1.2.3.5@6789  setfib=1  bindtodevice=yes
   65 
   66 	# Allow binding to non local addresses. Default no.
   67 	# ip-transparent: no
   68 
   69 	# Allow binding to addresses that are down. Default no.
   70 	# ip-freebind: no
   71 
   72 	# Use SO_REUSEPORT socket option for performance. Default no.
   73 	# reuseport: no
   74 
   75 	# override maximum socket send buffer size.  Default of 0 results in
   76 	# send buffer size being set to 1048576 (bytes).
   77 	# send-buffer-size: 1048576
   78 
   79 	# override maximum socket receive buffer size. Default of 0 results in
   80 	# receive buffer size being set to 1048576 (bytes).
   81 	# receive-buffer-size: 1048576
   82 
   83 	# enable debug mode, does not fork daemon process into the background.
   84 	# debug-mode: no
   85 
   86 	# listen on IPv4 connections
   87 	# do-ip4: yes
   88 
   89 	# listen on IPv6 connections
   90 	# do-ip6: yes
   91 
   92 	# port to answer queries on. default is 53.
   93 	# port: 53
   94 
   95 	# Verbosity level.
   96 	# verbosity: 0
   97 
   98 	# After binding the sockets, drop privileges to this user.
   99 	# Can be a username, a numeric id, or id.gid.
  100 	# username: @user@
  101 
  102 	# Run NSD in a chroot jail.
  103 	# Make sure the pidfile and database are reachable from inside it.
  104 	# By default, no chroot jail is used.
  105 	# chroot: "@configdir@"
  106 
  107 	# The directory for zonefile: files.  The daemon chdirs here.
  108 	# zonesdir: "@zonesdir@"
  109 
  110 	# the list of dynamically added zones.
  111 	# zonelistfile: "@zonelistfile@"
  112 
  113 	# the database to use
  114 	# if set to "" then no disk-database is used, less memory usage.
  115 	# database: "@dbfile@"
  116 
  117 	# Log messages to a file. Default is stderr and syslog (with
  118 	# facility LOG_DAEMON); stderr output is lost once the daemon backgrounds.
  119 	# logfile: "@logfile@"
  120 
  121 	# log only to syslog.
  122 	# log-only-syslog: no
  123 
  124 	# File to store pid for nsd in.
  125 	# pidfile: "@pidfile@"
  126 
  127 	# The file where secondary zone refresh and expire timeouts are kept.
  128 	# If you delete this file, all secondary zones are forced to be
  129 	# 'refreshing' (as if nsd got a notify).  Set to "" to disable.
  130 	# xfrdfile: "@xfrdfile@"
  131 
  132 	# The directory where zone transfers are stored, in a subdir of it.
  133 	# xfrdir: "@xfrdir@"
  134 
  135 	# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
  136 	# hide-version: no
  137 
  138 	# don't answer HOSTNAME.BIND and ID.SERVER CHAOS class queries
  139 	# hide-identity: no
  140 
  141 	# Drop UPDATE queries
  142 	# drop-updates: no
  143 
  144 	# version string the server responds with for chaos queries.
  145 	# default is 'NSD x.y.z' with the server's version number.
  146 	# version: "NSD"
  147 
  148 	# identify the server (CH TXT ID.SERVER entry).
  149 	# identity: "unidentified server"
  150 
  151 	# NSID identity (hex string, or "ascii_somestring"). default disabled.
  152 	# nsid: "aabbccdd"
  153 
  154 	# Maximum number of concurrent TCP connections per server.
  155 	# tcp-count: 100
  156 
  157 	# Accept (and immediately close) TCP connections after maximum number
  158 	# of connections is reached to prevent kernel connection queue from
  159 	# growing.
  160 	# tcp-reject-overflow: no
  161 
  162 	# Maximum number of queries served on a single TCP connection.
  163 	# By default 0, which means no maximum.
  164 	# tcp-query-count: 0
  165 
  166 	# Override the default (120 seconds) TCP timeout.
  167 	# tcp-timeout: 120
  168 
  169 	# Maximum segment size (MSS) of TCP socket on which the server
  170 	# responds to queries. Default is 0, system default MSS.
  171 	# tcp-mss: 0
  172 
  173 	# Maximum segment size (MSS) of TCP socket for outgoing AXFR request.
  174 	# Default is 0, system default MSS.
  175 	# outgoing-tcp-mss: 0
  176 
  177 	# Preferred EDNS buffer size for IPv4.
  178 	# ipv4-edns-size: 1232
  179 
  180 	# Preferred EDNS buffer size for IPv6.
  181 	# ipv6-edns-size: 1232
  182 
  183 	# statistics are produced every number of seconds. Prints to log.
  184 	# Default is 0, meaning no statistics are produced.
  185 	# statistics: 3600
  186 
  187 	# Number of seconds between reloads triggered by xfrd.
  188 	# xfrd-reload-timeout: 1
  189 
  190 	# Log timestamps in ascii (y-m-d h:m:s.msec); yes is the default.
  191 	# log-time-ascii: yes
  192 
  193 	# round robin rotation of records in the answer.
  194 	# round-robin: no
  195 
  196 	# minimal-responses only emits extra data for referrals.
  197 	# minimal-responses: no
  198 
  199 	# Do not return additional information if the apex zone of the
  200 	# additional information is configured but does not match the apex zone
  201 	# of the initial query.
  202 	# confine-to-zone: no
  203 
  204 	# Refuse queries of type ANY; useful for stopping query floods.
  205 	# refuse-any: no
  206 
  207 	# check mtime of all zone files on start and sighup
  208 	# zonefiles-check: yes
  209 
  210 	# write changed zonefiles to disk, every N seconds.
  211 	# default is 0(disabled) or 3600(if database is "").
  212 	# zonefiles-write: 3600
  213 
  214 	# RRLconfig
  215 	# Response Rate Limiting, size of the hashtable. Default 1000000.
  216 	# rrl-size: 1000000
  217 
  218 	# Response Rate Limiting, maximum QPS allowed (from one query source).
  219 	# If set to 0, ratelimiting is disabled. Also set
  220 	# rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
  221 	# Default is @ratelimit_default@.
  222 	# rrl-ratelimit: 200
  223 
  224 	# Response Rate Limiting, number of packets to discard before
  225 	# sending a SLIP response (a truncated one, allowing an honest
  226 	# resolver to retry with TCP). Default is 2 (one half of the
  227 	# queries will receive a SLIP response); 0 disables SLIP (all
  228 	# packets are discarded); 1 means every request will get a
  229 	# SLIP response.  When the ratelimit is hit the traffic is
  230 	# divided by the rrl-slip value.
  231 	# rrl-slip: 2
  232 
  233 	# Response Rate Limiting, IPv4 prefix length. Addresses are
  234 	# grouped by netblock.
  235 	# rrl-ipv4-prefix-length: 24
  236 
  237 	# Response Rate Limiting, IPv6 prefix length. Addresses are
  238 	# grouped by netblock.
  239 	# rrl-ipv6-prefix-length: 64
  240 
  241 	# Response Rate Limiting, maximum QPS allowed (from one query source)
  242 	# for whitelisted types. Default is @ratelimit_default@.
  243 	# rrl-whitelist-ratelimit: 2000
  244 	# RRLend
  245 
  246 	# Service clients over TLS (on the TCP sockets), with plain DNS inside
  247 	# the TLS stream. Give the certificate to use and private key.
  248 	# Default is "" (disabled). Requires restart to take effect.
  249 	# tls-service-key: "path/to/privatekeyfile.key"
  250 	# tls-service-pem: "path/to/publiccertfile.pem"
  251 	# tls-service-ocsp: "path/to/ocsp.pem"
  252 	# tls-port: 853
  253 
  254 # DNSTAP config section, if compiled with that
  255 # dnstap:
  256 	# Set this to yes and set one or more of the dnstap-log-...-messages options to yes.
  257 	# dnstap-enable: no
  258 	# dnstap-socket-path: "@dnstap_socket_path@"
  259 	# dnstap-send-identity: no
  260 	# dnstap-send-version: no
  261 	# dnstap-identity: ""
  262 	# dnstap-version: ""
  263 	# dnstap-log-auth-query-messages: no
  264 	# dnstap-log-auth-response-messages: no
  265 
  266 # Remote control config section. 
  267 remote-control:
  268 	# Enable remote control with nsd-control(8) here.
  269 	# Set up the keys and certificates with nsd-control-setup first.
  270 	# control-enable: no
  271 
  272 	# What interfaces are listened on for control; default is localhost only.
  273 	# Interfaces can be specified by IP address or interface name.
  274 	# With an interface name, all IP addresses associated with that
  275 	# interface are used.
  276 	# With an absolute path, a unix local named pipe is used for control
  277 	# (key and cert files are then not needed; use directory permissions).
  278 	# control-interface: 127.0.0.1
  279 	# control-interface: ::1
  280 	# control-interface: lo
  281 
  282 	# port number for remote control operations (uses TLS over TCP).
  283 	# control-port: 8952
  284 
  285 	# nsd server key file for remote control.
  286 	# server-key-file: "@configdir@/nsd_server.key"
  287 
  288 	# nsd server certificate file for remote control.
  289 	# server-cert-file: "@configdir@/nsd_server.pem"
  290 
  291 	# nsd-control key file.
  292 	# control-key-file: "@configdir@/nsd_control.key"
  293 
  294 	# nsd-control certificate file.
  295 	# control-cert-file: "@configdir@/nsd_control.pem"
  296 
  297 
  298 # Secret keys for TSIGs that secure zone transfers.
  299 # You could include: "secret.keys" and put the 'key:' statements in there,
  300 # and give that file restrictive access permissions so the secrets are not world-readable.
  301 #
  302 # key:
  303 	# The key name is sent to the other party, it must be the same
  304 	#name: "keyname"
  305 	# algorithm: hmac-md5, sha1, sha256, sha224, sha384 or sha512; prefer sha256 or stronger
  306 	#algorithm: sha256
  307 	# secret material, must be the same as the other party uses.
  308 	# A base64 encoded random value; the one below is only an example,
  309 	# generate your own, e.g. dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64
  310 	#secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
  311 
  312 
  313 # Patterns have zone configuration and they are shared by one or more zones.
  314 #
  315 # pattern:
  316 	# name by which the pattern is referred to
  317 	#name: "myzones"
  318 	# the zonefile for the zones that use this pattern.
  319 	# if relative then from the zonesdir (inside the chroot).
  320 	# the name is processed: %s - zone name (as appears in zone:name).
  321 	# %1 - first character of zone name, %2 second, %3 third.
  322 	# %z - topleveldomain label of zone, %y, %x next labels in name.
  323 	# if label or character does not exist you get a dot '.'.
  324 	# for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s"
  325 	#zonefile: "%s.zone"
  326 	
  327 	# The allow-query allows an access control list to be specified
  328 	# for a zone to be queried. Without an allow-query option, any
  329 	# IP address is allowed to send queries for the zone.
  330 	# This could be useful, for example, to avoid leaking the content of a
  331 	# zone which is only offered for transfer to secondaries over TLS.
  332 	#allow-query: 192.0.2.0/24 NOKEY
  333 
  334 	# If neither master nor slave access control elements are provided,
  335 	# this zone will not be served to or from other servers.
  336 
  337 	# A master zone needs notify: and provide-xfr: lists.  A slave
  338 	# may also allow zone transfer (for debug or other secondaries).
  339 	# notify these slaves when the master zone changes, address TSIG|NOKEY
  340 	# IP can be ipv4 and ipv6, with @port for a nondefault port number.
  341 	#notify: 192.0.2.1 NOKEY
  342 	# allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED
  343 	# address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40
  344 	#provide-xfr: 192.0.2.0/24 my_tsig_key_name
  345 	# set the number of retries for notify.
  346 	#notify-retry: 5
  347 
  348 	# Uncomment to provide AXFR to the whole world (exposes the full zone content to anyone)
  349 	# provide-xfr: 0.0.0.0/0 NOKEY
  350 	# provide-xfr: ::0/0 NOKEY
  351 
  352 	# A slave zone needs allow-notify: and request-xfr: lists.
  353 	#allow-notify: 2001:db8::0/64 my_tsig_key_name
  354 	# By default, a slave will request a zone transfer with IXFR/TCP.
  355 	# If you want to make use of IXFR/UDP use: UDP addr tsigkey.
  356 	# For a master that only speaks AXFR (like NSD) use: AXFR addr tsigkey.
  357 	#request-xfr: 192.0.2.2 the_tsig_key_name
  358 	# Attention: You cannot use UDP and AXFR together; AXFR is always over
  359 	# TCP. If you use UDP, we highly recommend that you deploy TSIG.
  360 	# Allow AXFR fallback if the master does not support IXFR. Default
  361 	# is yes.
  362 	#allow-axfr-fallback: yes
  363 	# set local interface for sending zone transfer requests.
  364 	# default is let the OS choose.
  365 	#outgoing-interface: 10.0.0.10
  366 	# limit the refresh and retry interval in seconds.
  367 	#max-refresh-time: 2419200
  368 	#min-refresh-time: 0
  369 	#max-retry-time: 1209600
  370 	#min-retry-time: 0
  371 	# Lower bound of expire interval in seconds.  The value can be "refresh+retry+1"
  372 	# in which case the lower bound of expire interval is the sum of the refresh and
  373 	# retry values (limited to the bounds given with the above parameters), plus 1.
  374 	#min-expire-time: 0
  375 
  376 	# Slave server tries zone transfer to all masters and picks highest
  377 	# zone version available, for when masters have different versions.
  378 	#multi-master-check: no
  379 
  380 	# Limit the zone transfer size (in bytes); this stops very large transfers.
  381 	# 0 means no limit is enforced.
  382 	# size-limit-xfr: 0
  383 
  384 	# if compiled with --enable-zone-stats, give name of stat block for
  385 	# this zone (or group of zones).  Output from nsd-control stats.
  386 	# zonestats: "%s"
  387 
  388 	# if you give another pattern name here, at this point the settings
  389 	# from that pattern are inserted into this one (as if it were a
  390 	# macro).  The statement can be given in between other statements,
  391 	# because the order of access control elements can make a difference
  392 	# (which master to request from first, which slave to notify first).
  393 	#include-pattern: "common-masters"
  394 
  395 
  396 # Fixed zone entries.  Here you can config zones that cannot be deleted.
  397 # Zones that are dynamically added and deleted are put in the zonelist file.
  398 #
  399 # zone:
  400 	# name: "example.com"
  401 	# you can give a pattern here, all the settings from that pattern
  402 	# are then inserted at this point
  403 	# include-pattern: "master"
  404 	# You can also specify (additional) options directly for this zone.
  405 	# zonefile: "example.com.zone"
  406 	# request-xfr: 192.0.2.1 example.com.key
  407 
  408 	# RRLconfig
  409 	# Response Rate Limiting, whitelist types
  410 	# rrl-whitelist: nxdomain
  411 	# rrl-whitelist: error
  412 	# rrl-whitelist: referral
  413 	# rrl-whitelist: any
  414 	# rrl-whitelist: rrsig
  415 	# rrl-whitelist: wildcard
  416 	# rrl-whitelist: nodata
  417 	# rrl-whitelist: dnskey
  418 	# rrl-whitelist: positive
  419 	# rrl-whitelist: all
  420 	# RRLend
  421