#
# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
#
# Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
#
# See LICENSE for the license.
#

# This is a comment.
# Sample configuration file
# include: "file" # include that file's text over here.  Globbed, "*.conf"

# options for the nsd server
server:
       # Number of NSD servers to fork.  Put the number of CPUs to use here.
       # server-count: 1

       # Set overall CPU affinity for NSD processes on Linux and FreeBSD.
       # Any server/xfrd CPU affinity value will be masked by this value.
       # cpu-affinity: 0 1 2 3

       # Bind NSD server(s), configured by server-count (1-based), to a
       # dedicated core. Single core affinity improves L1/L2 cache hits and
       # reduces pipeline stalls/flushes.
       #
       # server-1-cpu-affinity: 0
       # server-2-cpu-affinity: 1
       # ...
       # server-<N>-cpu-affinity: 2

       # Bind xfrd to a dedicated core.
       # xfrd-cpu-affinity: 3

       # Specify the interfaces to bind to (default are the wildcard
       # interfaces 0.0.0.0 and ::0).
       # For servers with multiple IP addresses, list them one by one,
       # or the source address of replies could be wrong.
       # Use ip-transparent to be able to list addresses that come up later.
       # ip-address: 1.2.3.4
       # ip-address: 1.2.3.4@5678
       # ip-address: 12fe::8ef0
       #
       # IP addresses can be configured per-server to avoid waking up more
       # than one server when a packet comes in (thundering herd problem) or
       # to partition sockets across servers to improve select/poll
       # performance.
       #
       # ip-address: 1.2.3.4       servers="1-2 3"
       # ip-address: 1.2.3.4@5678  servers="4-5 6"
       #
       # When several interfaces are configured to listen on the same subnet,
       # care must be taken to ensure responses go out the same interface the
       # corresponding query came in on to avoid problems with load balancers
       # and VLAN tagged interfaces. Linux offers the SO_BINDTODEVICE socket
       # option to bind a socket to a specified device. For FreeBSD, to
       # achieve the same result, specify the routing table to use after the
       # IP address to use SO_SETFIB.
       #
       # Combine this with socket partitioning and CPU affinity for attack
       # mitigation benefits, i.e. only a single core is maxed out if a
       # specific IP address is under attack.
       #
       # ip-address: 1.2.3.4       setfib=0  bindtodevice=yes
       # ip-address: 1.2.3.5@6789  setfib=1  bindtodevice=yes

       # Allow binding to non-local addresses. Default no.
       # ip-transparent: no

       # Allow binding to addresses that are down. Default no.
       # ip-freebind: no

       # Use SO_REUSEPORT socket option for performance. Default no.
       # reuseport: no

       # override maximum socket send buffer size.  Default of 0 results in
       # send buffer size being set to 1048576 (bytes).
       # send-buffer-size: 1048576

       # override maximum socket receive buffer size. Default of 0 results in
       # receive buffer size being set to 1048576 (bytes).
       # receive-buffer-size: 1048576

       # enable debug mode; the daemon does not fork into the background.
       # debug-mode: no

       # listen on IPv4 connections
       # do-ip4: yes

       # listen on IPv6 connections
       # do-ip6: yes

       # port to answer queries on. Default is 53.
       # port: 53

       # Verbosity level.
       # verbosity: 0

       # After binding the sockets, drop privileges to this user.
       # Can be a username, a numeric id, or id.gid.
       # username: @user@

       # Run NSD in a chroot jail.
       # Make sure the pidfile is reachable from inside the jail.
       # By default, no chroot jail is used.
       # chroot: "@configdir@"

       # The directory for zonefile: files.  The daemon chdirs here.
       # zonesdir: "@zonesdir@"

       # the list of dynamically added zones.
       # zonelistfile: "@zonelistfile@"

       # log messages to file. Defaults to stderr and syslog (with
       # facility LOG_DAEMON).  stderr disappears when the daemon goes to
       # the background.
       # logfile: "@logfile@"

       # log only to syslog.
       # log-only-syslog: no

       # File to store pid for nsd in.
       # pidfile: "@pidfile@"

       # The file where secondary zone refresh and expire timeouts are kept.
       # If you delete this file, all secondary zones are forced to be
       # 'refreshing' (as if nsd got a notify).  Set to "" to disable.
       # xfrdfile: "@xfrdfile@"

       # The directory under which zone transfers are stored (in a subdirectory).
       # xfrdir: "@xfrdir@"

       # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
       # hide-version: no

       # don't answer HOSTNAME.BIND and ID.SERVER CHAOS class queries
       # hide-identity: no

       # Drop UPDATE queries
       # drop-updates: no

       # version string the server responds with for chaos queries.
       # default is 'NSD x.y.z' with the server's version number.
       # version: "NSD"

       # identify the server (CH TXT ID.SERVER entry).
       # identity: "unidentified server"

       # NSID identity (hex string, or "ascii_somestring"). default disabled.
       # nsid: "aabbccdd"

       # Maximum number of concurrent TCP connections per server.
       # tcp-count: 100

       # Accept (and immediately close) TCP connections after the maximum
       # number of connections is reached, to prevent the kernel connection
       # queue from growing.
       # tcp-reject-overflow: no

       # Maximum number of queries served on a single TCP connection.
       # By default 0, which means no maximum.
       # tcp-query-count: 0

       # Override the default (120 seconds) TCP timeout.
       # tcp-timeout: 120

       # Maximum segment size (MSS) of TCP socket on which the server
       # responds to queries. Default is 0, system default MSS.
       # tcp-mss: 0

       # Maximum segment size (MSS) of TCP socket for outgoing AXFR request.
       # Default is 0, system default MSS.
       # outgoing-tcp-mss: 0

       # Reduce these settings to save memory for NSD, to about
       # xfrd-tcp-max: 32 and xfrd-tcp-pipeline: 128, and also rrl-size: 1000.
       # Other memory use is determined by server-count, tcp-count and zone data.
       # Max number of sockets used for outgoing zone transfers.
       # Increase this to allow more sockets for zone transfers.
       # xfrd-tcp-max: 128
       # max number of simultaneous outgoing zone transfers over one socket.
       # xfrd-tcp-pipeline: 128

       # Preferred EDNS buffer size for IPv4.
       # ipv4-edns-size: 1232

       # Preferred EDNS buffer size for IPv6.
       # ipv6-edns-size: 1232

       # statistics are produced every number of seconds. Prints to log.
       # Default is 0, meaning no statistics are produced.
       # statistics: 3600

       # Number of seconds between reloads triggered by xfrd.
       # xfrd-reload-timeout: 1

       # log timestamp in ascii (y-m-d h:m:s.msec), yes is default.
       # log-time-ascii: yes

       # round robin rotation of records in the answer.
       # round-robin: no

       # minimal-responses only emits extra data for referrals.
       # minimal-responses: no

       # Do not return additional information if the apex zone of the
       # additional information is configured but does not match the apex zone
       # of the initial query.
       # confine-to-zone: no

       # refuse queries of type ANY.  For stopping floods, since ANY
       # responses are large and are used for amplification.
       # refuse-any: no

       # check mtime of all zone files on start and sighup
       # zonefiles-check: yes

       # write changed zonefiles to disk, every N seconds.
       # default is 3600.
       # zonefiles-write: 3600

       # RRLconfig
       # Response Rate Limiting, size of the hashtable. Default 1000000.
       # rrl-size: 1000000

       # Response Rate Limiting, maximum QPS allowed (from one query source).
       # If set to 0, ratelimiting is disabled. Also set
       # rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
       # Default is @ratelimit_default@.
       # rrl-ratelimit: 200

       # Response Rate Limiting, number of packets to discard before
       # sending a SLIP response (a truncated one, allowing an honest
       # resolver to retry with TCP). Default is 2 (one half of the
       # queries will receive a SLIP response); 0 disables SLIP (all
       # packets are discarded); 1 means every request will get a
       # SLIP response.  When the ratelimit is hit the traffic is
       # divided by the rrl-slip value.

       # Response Rate Limiting, IPv4 prefix length. Addresses are
       # grouped by netblock.
       # rrl-ipv4-prefix-length: 24

       # Response Rate Limiting, IPv6 prefix length. Addresses are
       # grouped by netblock.
       # rrl-ipv6-prefix-length: 64

       # Response Rate Limiting, maximum QPS allowed (from one query source)
       # for whitelisted types. Default is @ratelimit_default@.
       # rrl-whitelist-ratelimit: 2000
       # RRLend

       # Service clients over TLS (on the TCP sockets), with plain DNS inside
       # the TLS stream. Give the certificate to use and private key.
       # Default is "" (disabled). Requires restart to take effect.
       # tls-service-key: "path/to/privatekeyfile.key"
       # tls-service-pem: "path/to/publiccertfile.pem"
       # tls-service-ocsp: "path/to/ocsp.pem"
       # tls-port: 853

       # Certificates used to authenticate connections made upstream for
       # Transfers over TLS (XoT). Default is "" (default verify locations).
       # tls-cert-bundle: "path/to/ca-bundle.pem"

       # The interfaces that use these listed port numbers will support and
       # expect PROXYv2, for UDP and TCP/TLS interfaces. Give one
       # proxy-protocol-port: portno entry for each of the port numbers.
       # Only enable this on interfaces reachable solely from the trusted
       # proxy, since the client address NSD sees is the one carried in the
       # PROXY header.

verify:
       # Enable zone verification. Default is no.
       # enable: no

       # Port to answer verifier queries on. Default is 5347.
       # port: 5347

       # Interfaces to bind for zone verification (default are the localhost
       # interfaces, usually 127.0.0.1 and ::1). To bind to multiple IP
       # addresses, list them one by one. Socket options cannot be specified
       # for verify ip-address options.
       # ip-address: 127.0.0.1
       # ip-address: 127.0.0.1@5347
       # ip-address: ::1

       # Verify zones by default. Default is yes.
       # verify-zones: yes

       # Command to execute for zone verification.
       # verifier: ldns-verify-zone
       # verifier: validns -
       # verifier: drill -k <keyfile> @127.0.0.1 -p 5347 example.com SOA

       # Maximum number of verifiers to run concurrently. Default is 1.
       # verifier-count: 1

       # Feed updated zone to verifier over standard input. Default is yes.
       # verifier-feed-zone: yes

       # Number of seconds before verifier is killed (0 is forever).
       # verifier-timeout: 0

# DNSTAP config section, if compiled with that
# dnstap:
       # set this to yes and set one or more of dnstap-log-..-messages to yes.
       # dnstap-enable: no
       # dnstap-socket-path: "@dnstap_socket_path@"
       # for dnstap-ip, "" is disabled; to use TCP or TLS give an address like 127.0.0.1@3333
       # dnstap-ip: ""
       # dnstap-tls: yes
       # dnstap-tls-server-name: ""
       # dnstap-tls-cert-bundle: "path/to/bundle.pem"
       # dnstap-tls-client-key-file: ""
       # dnstap-tls-client-cert-file: ""
       # dnstap-send-identity: no
       # dnstap-send-version: no
       # dnstap-identity: ""
       # dnstap-version: ""
       # dnstap-log-auth-query-messages: no
       # dnstap-log-auth-response-messages: no

# Remote control config section.
remote-control:
       # Enable remote control with nsd-control(8) here.
       # set up the keys and certificates with nsd-control-setup.
       # control-enable: no

       # What interfaces are listened to for control; default is localhost.
       # Interfaces can be specified by IP address or interface name.
       # With an interface name, all IP addresses associated with that
       # interface are used.
       # With an absolute path, a unix local named pipe is used for control
       # (and key and cert files are not needed; use directory permissions).
       # control-interface: 127.0.0.1
       # control-interface: ::1
       # control-interface: lo

       # port number for remote control operations (uses TLS over TCP).
       # control-port: 8952

       # nsd server key file for remote control.
       # server-key-file: "@configdir@/nsd_server.key"

       # nsd server certificate file for remote control.
       # server-cert-file: "@configdir@/nsd_server.pem"

       # nsd-control key file.
       # control-key-file: "@configdir@/nsd_control.key"

       # nsd-control certificate file.
       # control-cert-file: "@configdir@/nsd_control.pem"


# Secret keys for TSIGs that secure zone transfers.
# You could include: "secret.keys" and put the 'key:' statements in there,
# and give that file special access control permissions.
#
# key:
       # The key name is sent to the other party; it must be the same.
       #name: "keyname"
       # algorithm hmac-md5, or sha1, sha256, sha224, sha384, sha512
       # (hmac-md5 must not be used and sha1 is not recommended for TSIG
       # per RFC 8945; prefer sha256 or stronger).
       #algorithm: sha256
       # secret material, must be the same as the other party uses.
       # base64 encoded random number.
       # e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64
       #secret: "K2tf3TRjvQkVCmJF3/Z9vA=="

# The tls-auth clause establishes authentication attributes to use when
# authenticating the far end of an outgoing TLS connection in access control
# lists used for XFR-over-TLS. If authentication fails, the XFR request will not
# be made. Support for TLS 1.3 is required for XFR-over-TLS. It has the
# following attributes:
#
# tls-auth:
       # The tls-auth name. Used to refer to this TLS auth information in the access control list.
       #name: "tls-authname"
       # The authentication domain name as defined in RFC8310.
       #auth-domain-name: "example.com"

       # Client certificate and private key for Mutual TLS authentication
       #client-cert: "path/to/clientcert.pem"
       #client-key: "path/to/clientkey.key"
       #client-key-pw: "password"

# Patterns have zone configuration and they are shared by one or more zones.
#
# pattern:
       # name by which the pattern is referred to
       #name: "myzones"
       # the zonefile for the zones that use this pattern.
       # if relative then from the zonesdir (inside the chroot).
       # the name is processed: %s - zone name (as appears in zone:name).
       # %1 - first character of zone name, %2 second, %3 third.
       # %z - topleveldomain label of zone, %y, %x next labels in name.
       # if label or character does not exist you get a dot '.'.
       # for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s"
       #zonefile: "%s.zone"

       # The allow-query allows an access control list to be specified
       # for a zone to be queried. Without an allow-query option, any
       # IP address is allowed to send queries for the zone.
       # This could be useful for example to not leak content from a zone
       # which is only offered for transfer to secondaries over TLS.
       #allow-query: 192.0.2.0/24 NOKEY

       # If no master and slave access control elements are provided,
       # this zone will not be served to/from other servers.

       # A master zone needs notify: and provide-xfr: lists.  A slave
       # may also allow zone transfer (for debug or other secondaries).
       # Notify these slaves when the master zone changes: address TSIG|NOKEY.
       # IP can be ipv4 and ipv6, with @port for a nondefault port number.
       #notify: 192.0.2.1 NOKEY
       # allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED
       # address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40
       #provide-xfr: 192.0.2.0/24 my_tsig_key_name
       # set the number of retries for notify.
       #notify-retry: 5
       # if yes, store and provide IXFRs.
       #store-ixfr: no
       # number of IXFR versions to store, at most.
       #ixfr-number: 5
       # size in bytes of max storage to use for IXFR versions.
       #ixfr-size: 1048576
       # if yes, create IXFR when a zonefile is read by the server.
       #create-ixfr: no

       # uncomment to provide AXFR to all the world (this exposes the
       # full zone contents to anyone who asks)
       # provide-xfr: 0.0.0.0/0 NOKEY
       # provide-xfr: ::0/0 NOKEY

       # A slave zone needs allow-notify: and request-xfr: lists.
       #allow-notify: 2001:db8::0/64 my_tsig_key_name
       # By default, a slave will request a zone transfer with IXFR/TCP.
       # If you want to make use of IXFR/UDP use: UDP addr tsigkey.
       # For a master that only speaks AXFR (like NSD) use: AXFR addr tsigkey.
       # If you want to require use of XFR-over-TLS use: addr tsigkey tlsauthname.
       #request-xfr: 192.0.2.2 the_tsig_key_name
       #request-xfr: 192.0.2.2 the_tsig_key_name the_tls_auth_name
       # Attention: You cannot use UDP and AXFR together. AXFR is always over
       # TCP. If you use UDP, we highly recommend that you deploy TSIG.
       # Allow AXFR fallback if the master does not support IXFR. Default
       # is yes.
       #allow-axfr-fallback: yes
       # set local interface for sending zone transfer requests.
       # default is let the OS choose.
       #outgoing-interface: 10.0.0.10
       # limit the refresh and retry interval in seconds.
       #max-refresh-time: 2419200
       #min-refresh-time: 0
       #max-retry-time: 1209600
       #min-retry-time: 0
       # Lower bound of expire interval in seconds.  The value can be "refresh+retry+1"
       # in which case the lower bound of expire interval is the sum of the refresh and
       # retry values (limited to the bounds given with the above parameters), plus 1.
       #min-expire-time: 0

       # Slave server tries zone transfer to all masters and picks highest
       # zone version available, for when masters have different versions.
       #multi-master-check: no

       # limit the zone transfer size (in bytes); stops very large transfers.
       # 0 means no limit is enforced.
       # size-limit-xfr: 0

       # if compiled with --enable-zone-stats, give name of stat block for
       # this zone (or group of zones).  Output from nsd-control stats.
       # zonestats: "%s"

       # if you give another pattern name here, at this point the settings
       # from that pattern are inserted into this one (as if it were a
       # macro).  The statement can be given in between other statements,
       # because the order of access control elements can make a difference
       # (which master to request from first, which slave to notify first).
       #include-pattern: "common-masters"

       # Verify zone before publishing.
       # Default is value of verify-zones in verify.
       # verify-zone: yes

       # Command to execute for zone verification.
       # Default is verifier in verify.
       # verifier: ldns-verify-zone
       # verifier: validns -
       # verifier: drill -k <keyfile> @127.0.0.1 -p 5347 example.com SOA

       # Feed updated zone to verifier over standard input.
       # Default is value of verifier-feed-zone in verify.
       # verifier-feed-zone: yes

       # Number of seconds before verifier is killed (0 is forever).
       # Default is verifier-timeout in verify.
       # verifier-timeout: 0

# Fixed zone entries.  Here you can config zones that cannot be deleted.
# Zones that are dynamically added and deleted are put in the zonelist file.
#
# zone:
       # name: "example.com"
       # You can give a pattern here; all the settings from that pattern
       # are then inserted at this point.
       # include-pattern: "master"
       # You can also specify (additional) options directly for this zone.
       # zonefile: "example.com.zone"
       # request-xfr: 192.0.2.1 example.com.key

       # RRLconfig
       # Response Rate Limiting, whitelist types
       # rrl-whitelist: nxdomain
       # rrl-whitelist: error
       # rrl-whitelist: referral
       # rrl-whitelist: any
       # rrl-whitelist: rrsig
       # rrl-whitelist: wildcard
       # rrl-whitelist: nodata
       # rrl-whitelist: dnskey
       # rrl-whitelist: positive
       # rrl-whitelist: all
       # RRLend