Diffstat (limited to 'usr.sbin/nsd/nsd.conf.sample.in')
-rw-r--r-- | usr.sbin/nsd/nsd.conf.sample.in | 321 |
1 files changed, 109 insertions, 212 deletions
diff --git a/usr.sbin/nsd/nsd.conf.sample.in b/usr.sbin/nsd/nsd.conf.sample.in
index e3d1ff70fd8..442031b96fb 100644
--- a/usr.sbin/nsd/nsd.conf.sample.in
+++ b/usr.sbin/nsd/nsd.conf.sample.in
@@ -1,96 +1,47 @@ # # nsd.conf -- the NSD(8) configuration file, nsd.conf(5). # -# Copyright (c) 2001-2011, NLnet Labs. All rights reserved. +# Copyright (c) 2001-2006, NLnet Labs. All rights reserved. # # See LICENSE for the license. # # This is a comment. # Sample configuration file -# include: "file" # include that file's text over here. Globbed, "*.conf" # options for the nsd server server: - # Number of NSD servers to fork. Put the number of CPUs to use here. - # server-count: 1 - - # uncomment to specify specific interfaces to bind (default are the - # wildcard interfaces 0.0.0.0 and ::0). - # For servers with multiple IP addresses, list them one by one, - # or the source address of replies could be wrong. - # Use ip-transparent to be able to list addresses that turn on later. + # uncomment to specify specific interfaces to bind (default all). # ip-address: 1.2.3.4 - # ip-address: 1.2.3.4@5678 # ip-address: 12fe::8ef0 - # Allow binding to non local addresses. Default no. - # ip-transparent: no - - # use the reuseport socket option for performance. - # The default is yes on linux, no for others. - # reuseport: no + # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries + # hide-version: no # enable debug mode, does not fork daemon process into the background. # debug-mode: no - # listen on IPv4 connections - # do-ip4: yes - - # listen on IPv6 connections - # do-ip6: yes - - # port to answer queries on. default is 53. - # port: 53 - - # Verbosity level. - # verbosity: 0 - - # After binding socket, drop user privileges. - # can be a username, id or id.gid. - # username: @user@ - - # Run NSD in a chroot-jail. - # make sure to have pidfile and database reachable from there. - # by default, no chroot-jail is used. - # chroot: "@configdir@" + # listen only on IPv4 connections + # ip4-only: no - # The directory for zonefile: files. The daemon chdirs here. 
- # zonesdir: "@zonesdir@" + # listen only on IPv6 connections + # ip6-only: no - # the list of dynamically added zones. - # zonelistfile: "@zonelistfile@" - # the database to use - # if set to "" then no disk-database is used, less memory usage. # database: "@dbfile@" - # log messages to file. Default to stderr and syslog (with - # facility LOG_DAEMON). stderr disappears when daemon goes to bg. - # logfile: "@logfile@" - - # File to store pid for nsd in. - # pidfile: "@pidfile@" - - # The file where secondary zone refresh and expire timeouts are kept. - # If you delete this file, all secondary zones are forced to be - # 'refreshing' (as if nsd got a notify). Set to "" to disable. - # xfrdfile: "@xfrdfile@" - - # The directory where zone transfers are stored, in a subdir of it. - # xfrdir: "@xfrdir@" - - # don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries - # hide-version: no - # identify the server (CH TXT ID.SERVER entry). # identity: "unidentified server" - # NSID identity (hex string, or "ascii_somestring"). default disabled. - # nsid: "aabbccdd" + # log messages to file. Default to stderr and syslog. + # logfile: "/var/log/nsd.log" + + # Number of NSD servers to fork. + # server-count: 1 # Maximum number of concurrent TCP connections per server. - # tcp-count: 100 + # This option should have a value below 1000. + # tcp-count: 10 # Maximum number of queries served on a single TCP connection. # By default 0, which means no maximum. 
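Review bot: The new `# logfile: "/var/log/nsd.log"` example hardcodes an absolute path in a `.in` template whose other paths in this hunk (`@dbfile@`, and `@pidfile@`/`@zonesdir@` in the following hunk) are configure-time placeholders, so the sample diverges from wherever the build actually installs the log directory and, when `chroot:` is enabled, from the path that must be reachable inside the jail. I would keep the placeholder form, `# logfile: "@logfile@"`, so the sample stays consistent with the rest of the file. The `server:` section continues past the end of this hunk.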
@@ -105,179 +56,125 @@ server: # Preferred EDNS buffer size for IPv6. # ipv6-edns-size: 4096 - # statistics are produced every number of seconds. Prints to log. - # Default is 0, meaning no statistics are produced. - # statistics: 3600 + # File to store pid for nsd in. + # pidfile: "@pidfile@" - # Number of seconds between reloads triggered by xfrd. - # xfrd-reload-timeout: 1 - - # log timestamp in ascii (y-m-d h:m:s.msec), yes is default. - # log-time-ascii: yes + # port to answer queries on. default is 53. + # port: 53 - # round robin rotation of records in the answer. - # round-robin: no + # statistics are produced every number of seconds. + # statistics: 3600 - # check mtime of all zone files on start and sighup - # zonefiles-check: yes - - # write changed zonefiles to disk, every N seconds. - # default is 0(disabled) or 3600(if database is ""). - # zonefiles-write: 3600 + # Run NSD in a chroot-jail. + # make sure to have pidfile and database reachable from there. + # by default, no chroot-jail is used. + # chroot: "@configdir@" - # RRLconfig - # Response Rate Limiting, size of the hashtable. Default 1000000. - # rrl-size: 1000000 + # After binding socket, drop user privileges. + # can be a username, id or id.gid. + # username: @user@ + + # The directory for zonefile: files. + # zonesdir: "@zonesdir@" - # Response Rate Limiting, maximum QPS allowed (from one query source). - # Default 200. If set to 0, ratelimiting is disabled. Also set - # rrl-whitelist-ratelimit to 0 to disable ratelimit processing. - # rrl-ratelimit: 200 + # The file where incoming zone transfers are stored. + # run nsd-patch to update zone files, then you can safely delete it. + # difffile: "@difffile@" - # Response Rate Limiting, number of packets to discard before - # sending a SLIP response (a truncated one, allowing an honest - # resolver to retry with TCP). 
Default is 2 (one half of the - # queries will receive a SLIP response, 0 disables SLIP (all - # packets are discarded), 1 means every request will get a - # SLIP response. - # rrl-slip: 2 + # The file where secondary zone refresh and expire timeouts are kept. + # If you delete this file, all secondary zones are forced to be + # 'refreshing' (as if nsd got a notify). + # xfrdfile: "@xfrdfile@" - # Response Rate Limiting, IPv4 prefix length. Addresses are - # grouped by netblock. - # rrl-ipv4-prefix-length: 24 + # Number of seconds between reloads triggered by xfrd. + # xfrd-reload-timeout: 10 - # Response Rate Limiting, IPv6 prefix length. Addresses are - # grouped by netblock. - # rrl-ipv6-prefix-length: 64 + # Verbosity level. + # verbosity: 0 - # Response Rate Limiting, maximum QPS allowed (from one query source) - # for whitelisted types. Default 2000. - # rrl-whitelist-ratelimit: 2000 - # RRLend +# key for zone 1 +key: + name: mskey + algorithm: hmac-md5 + secret: "K2tf3TRjvQkVCmJF3/Z9vA==" -# Remote control config section. -remote-control: - # Enable remote control with nsd-control(8) here. - # set up the keys and certificates with nsd-control-setup. - # control-enable: no +# Sample zone 1 +zone: + name: "example.com" + zonefile: "example.com.zone" - # what interfaces are listened to for control, default is on localhost. - # control-interface: 127.0.0.1 - # control-interface: ::1 + # This is a slave zone. Masters are listed below. - # port number for remote control operations (uses TLS over TCP). - # control-port: 8952 + # master 1 + allow-notify: 168.192.44.42 mskey + request-xfr: 168.192.44.42 mskey - # nsd server key file for remote control. - # server-key-file: "@configdir@/nsd_server.key" + # set local interface for sending zone transfer requests. + outgoing-interface: 10.0.0.10 - # nsd server certificate file for remote control. 
- # server-cert-file: "@configdir@/nsd_server.pem" + # master 2 + allow-notify: 10.0.0.11 NOKEY + request-xfr: 10.0.0.11 NOKEY - # nsd-control key file. - # control-key-file: "@configdir@/nsd_control.key" + # By default, a slave will request a zone transfer with IXFR/TCP. + # If you want to make use of IXFR/UDP use + allow-notify: 10.0.0.12 NOKEY + request-xfr: UDP 10.0.0.12 NOKEY - # nsd-control certificate file. - # control-cert-file: "@configdir@/nsd_control.pem" + # for a master that only speaks AXFR (like NSD) use + allow-notify: 10.0.0.13 NOKEY + request-xfr: AXFR 10.0.0.13 NOKEY + # Attention: You cannot use UDP and AXFR together. AXFR is always over + # TCP. If you use UDP, we higly recommend you to deploy TSIG. -# Secret keys for TSIGs that secure zone transfers. -# You could include: "secret.keys" and put the 'key:' statements in there, -# and give that file special access control permissions. -# -# key: - # The key name is sent to the other party, it must be the same - #name: "keyname" - # algorithm hmac-md5, or hmac-sha1, or hmac-sha256 (if compiled in) - #algorithm: hmac-sha256 - # secret material, must be the same as the other party uses. - # base64 encoded random number. - # e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64 - #secret: "K2tf3TRjvQkVCmJF3/Z9vA==" - - -# Patterns have zone configuration and they are shared by one or more zones. -# -# pattern: - # name by which the pattern is referred to - #name: "myzones" - # the zonefile for the zones that use this pattern. - # if relative then from the zonesdir (inside the chroot). - # the name is processed: %s - zone name (as appears in zone:name). - # %1 - first character of zone name, %2 second, %3 third. - # %z - topleveldomain label of zone, %y, %x next labels in name. - # if label or character does not exist you get a dot '.'. 
- # for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s" - #zonefile: "%s.zone" - - # If no master and slave access control elements are provided, - # this zone will not be served to/from other servers. - - # A master zone needs notify: and provide-xfr: lists. A slave - # may also allow zone transfer (for debug or other secondaries). - # notify these slaves when the master zone changes, address TSIG|NOKEY - # IP can be ipv4 and ipv6, with @port for a nondefault port number. - #notify: 192.0.2.1 NOKEY - # allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED - # address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40 - #provide-xfr: 192.0.2.0/24 my_tsig_key_name - # set the number of retries for notify. - #notify-retry: 5 + # Allow AXFR fallback if the master does not support IXFR. Default + # is yes. + allow-axfr-fallback: "yes" # uncomment to provide AXFR to all the world # provide-xfr: 0.0.0.0/0 NOKEY # provide-xfr: ::0/0 NOKEY - # A slave zone needs allow-notify: and request-xfr: lists. - #allow-notify: 2001:db8::0/64 my_tsig_key_name - # By default, a slave will request a zone transfer with IXFR/TCP. - # If you want to make use of IXFR/UDP use: UDP addr tsigkey - # for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey - #request-xfr: 192.0.2.2 the_tsig_key_name - # Attention: You cannot use UDP and AXFR together. AXFR is always over - # TCP. If you use UDP, we higly recommend you to deploy TSIG. - # Allow AXFR fallback if the master does not support IXFR. Default - # is yes. - #allow-axfr-fallback: yes - # set local interface for sending zone transfer requests. - # default is let the OS choose. - #outgoing-interface: 10.0.0.10 +# Sample zone 2 +zone: + name: "example.net" + zonefile: "example.net.signed.zone" - # if compiled with --enable-zone-stats, give name of stat block for - # this zone (or group of zones). Output from nsd-control stats. - # zonestats: "%s" + # This is a master zone. 
Slaves are listed below.
- # if you give another pattern name here, at this point the settings
- # from that pattern are inserted into this one (as if it were a
- # macro). The statement can be given in between other statements,
- # because the order of access control elements can make a difference
- # (which master to request from first, which slave to notify first).
- #include-pattern: "common-masters"
+ # secondary 1. Uses port 5300.
+ notify: 10.0.0.14@5300 sec1_key
+ provide-xfr: 10.0.0.14@5300 sec1_key
+ # set local interface for sending notifies
+ outgoing-interface: 10.0.0.15
-# Fixed zone entries. Here you can config zones that cannot be deleted.
-# Zones that are dynamically added and deleted are put in the zonelist file.
-#
-# zone:
- # name: "example.com"
- # you can give a pattern here, all the settings from that pattern
- # are then inserted at this point
- # include-pattern: "master"
- # You can also specify (additional) options directly for this zone.
- # zonefile: "example.com.zone"
- # request-xfr: 192.0.2.1 example.com.key
-
- # RRLconfig
- # Response Rate Limiting, whitelist types
- # rrl-whitelist: nxdomain
- # rrl-whitelist: error
- # rrl-whitelist: referral
- # rrl-whitelist: any
- # rrl-whitelist: rrsig
- # rrl-whitelist: wildcard
- # rrl-whitelist: nodata
- # rrl-whitelist: dnskey
- # rrl-whitelist: positive
- # rrl-whitelist: all
- # RRLend
+ # secondary 2.
+ notify: 10.11.12.14 sec2_key
+ provide-xfr: 10.11.12.14 sec2_key
+
+ # also provide xfr to operator's network.
+ provide-xfr: 169.192.85.0/24 NOKEY
+ # uncomment to disable xfr for the address.
+ # provide-xfr: 169.192.85.66 BLOCKED
+
+ # set the number of retries for notify.
+ notify-retry: 5
+
+# keys for zone 2
+key:
+ name: "sec1_key"
+ algorithm: hmac-md5
+ secret: "6KM6qiKfwfEpamEq72HQdA=="
+
+key:
+ name: sec2_key
+ algorithm: hmac-sha1
+ secret: "m83H2x8R0zbDf3yRKhrqgw=="
+
+key:
+ name: sec3_key
+ algorithm: hmac-sha256
+ secret: "m83H2x8R0zbDf3yRKhrqgw=="
|
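Review bot: The sample keys `sec2_key` and `sec3_key` at the end of the hunk carry the identical secret `"m83H2x8R0zbDf3yRKhrqgw=="`, and `sec3_key` is referenced by neither sample zone; sample secrets tend to be copied verbatim into real deployments, and reusing one secret across two keys defeats the per-peer authentication TSIG is meant to provide. The removed side's guidance that the secret is base64-encoded random material shared only with the other party no longer appears on the new side, so I would restore it as a comment above the first `key:` block, e.g. `# secret: base64-encoded random material, generated fresh per key and shared only with that peer`, and either drop `sec3_key` or give it a distinct value. Quoting in the new blocks is also inconsistent (`name: mskey` vs `name: "sec1_key"`, and `allow-axfr-fallback: "yes"` quoted while other values are bare), and the comment `we higly recommend you to deploy TSIG` should read `highly`.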