summaryrefslogtreecommitdiff
path: root/usr.sbin/nsd/nsd.conf.sample.in
blob: f5cd7b1da9aabc9151cff076e0b16766452a59f0 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
#
# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
#
# Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
#
# See LICENSE for the license.
#

# This is a comment.
# Sample configuration file
# include: "file" # include that file's text over here.  Globbed, "*.conf"

# options for the nsd server
server:
	# Number of NSD servers to fork.  Put the number of CPUs to use here.
	# server-count: 1

	# uncomment to specify specific interfaces to bind (default are the
	# wildcard interfaces 0.0.0.0 and ::0).
	# For servers with multiple IP addresses, list them one by one,
	# or the source address of replies could be wrong.
	# Use ip-transparent to be able to list addresses that turn on later.
	# ip-address: 1.2.3.4
	# ip-address: 1.2.3.4@5678
	# ip-address: 12fe::8ef0

	# Allow binding to non local addresses. Default no.
	# ip-transparent: no

	# Allow binding to addresses that are down.  Default no.
	# ip-freebind: no

	# use the reuseport socket option for performance. Default no.
	# reuseport: no

	# enable debug mode, does not fork daemon process into the background.
	# debug-mode: no

	# listen on IPv4 connections
	# do-ip4: yes

	# listen on IPv6 connections
	# do-ip6: yes

	# port to answer queries on. default is 53.
	# port: 53

	# Verbosity level.
	# verbosity: 0

	# After binding socket, drop user privileges.
	# can be a username, id or id.gid.
	# username: @user@

	# Run NSD in a chroot-jail.
	# make sure to have pidfile and database reachable from there.
	# by default, no chroot-jail is used.
	# chroot: "@configdir@"

	# The directory for zonefile: files.  The daemon chdirs here.
	# zonesdir: "@zonesdir@"
	
	# the list of dynamically added zones.
	# zonelistfile: "@zonelistfile@"

	# the database to use
	# if set to "" then no disk-database is used, less memory usage.
	# database: "@dbfile@"

	# log messages to file. Default to stderr and syslog (with
	# facility LOG_DAEMON).  stderr disappears when daemon goes to bg.
	# logfile: "@logfile@"

	# File to store pid for nsd in.
	# pidfile: "@pidfile@"

	# The file where secondary zone refresh and expire timeouts are kept.
	# If you delete this file, all secondary zones are forced to be 
	# 'refreshing' (as if nsd got a notify).  Set to "" to disable.
	# xfrdfile: "@xfrdfile@"

	# The directory where zone transfers are stored, in a subdir of it.
	# xfrdir: "@xfrdir@"

	# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
	# hide-version: no

	# version string the server responds with for chaos queries.
	# default is 'NSD x.y.z' with the server's version number.
	# version: "NSD"

	# identify the server (CH TXT ID.SERVER entry).
	# identity: "unidentified server"

	# NSID identity (hex string, or "ascii_somestring"). default disabled.
	# nsid: "aabbccdd"

	# Maximum number of concurrent TCP connections per server.
	# tcp-count: 100

	# Maximum number of queries served on a single TCP connection.
	# By default 0, which means no maximum.
	# tcp-query-count: 0

	# Override the default (120 seconds) TCP timeout.
	# tcp-timeout: 120

	# Maximum segment size (MSS) of TCP socket on which the server
	# responds to queries. Default is 0, system default MSS.
	# tcp-mss: 0

	# Maximum segment size (MSS) of TCP socket for outgoing AXFR request.
	# Default is 0, system default MSS.
	# outgoing-tcp-mss: 0

	# Preferred EDNS buffer size for IPv4.
	# ipv4-edns-size: 4096

	# Preferred EDNS buffer size for IPv6.
	# ipv6-edns-size: 4096

	# statistics are produced every number of seconds. Prints to log.
	# Default is 0, meaning no statistics are produced.
	# statistics: 3600

	# Number of seconds between reloads triggered by xfrd.
	# xfrd-reload-timeout: 1
	
	# log timestamp in ascii (y-m-d h:m:s.msec), yes is default.
	# log-time-ascii: yes

	# round robin rotation of records in the answer.
	# round-robin: no

	# minimal-responses only emits extra data for referrals.
	# minimal-responses: no

	# refuse queries of type ANY.  For stopping floods.
	# refuse-any: no

	# check mtime of all zone files on start and sighup
	# zonefiles-check: yes
	
	# write changed zonefiles to disk, every N seconds.
	# default is 0(disabled) or 3600(if database is "").
	# zonefiles-write: 3600

	# RRLconfig
	# Response Rate Limiting, size of the hashtable. Default 1000000.
	# rrl-size: 1000000

	# Response Rate Limiting, maximum QPS allowed (from one query source).
	# If set to 0, ratelimiting is disabled. Also set
	# rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
	# Default is @ratelimit_default@.
	# rrl-ratelimit: 200

	# Response Rate Limiting, number of packets to discard before
	# sending a SLIP response (a truncated one, allowing an honest
	# resolver to retry with TCP). Default is 2 (one half of the
	# queries will receive a SLIP response, 0 disables SLIP (all
	# packets are discarded), 1 means every request will get a
	# SLIP response.  When the ratelimit is hit the traffic is
	# divided by the rrl-slip value.
	# rrl-slip: 2

	# Response Rate Limiting, IPv4 prefix length. Addresses are
	# grouped by netblock. 
	# rrl-ipv4-prefix-length: 24

	# Response Rate Limiting, IPv6 prefix length. Addresses are
	# grouped by netblock. 
	# rrl-ipv6-prefix-length: 64

	# Response Rate Limiting, maximum QPS allowed (from one query source)
	# for whitelisted types. Default is @ratelimit_default@.
	# rrl-whitelist-ratelimit: 2000
	# RRLend

# Remote control config section. 
remote-control:
	# Enable remote control with nsd-control(8) here.
	# set up the keys and certificates with nsd-control-setup.
	# control-enable: no

	# what interfaces are listened to for control, default is on localhost.
	# with an absolute path, a unix local named pipe is used for control
	# (and key and cert files are not needed, use directory permissions).
	# control-interface: 127.0.0.1
	# control-interface: ::1

	# port number for remote control operations (uses TLS over TCP).
	# control-port: 8952

	# nsd server key file for remote control.
	# server-key-file: "@configdir@/nsd_server.key"

	# nsd server certificate file for remote control.
	# server-cert-file: "@configdir@/nsd_server.pem"

	# nsd-control key file.
	# control-key-file: "@configdir@/nsd_control.key"

	# nsd-control certificate file.
	# control-cert-file: "@configdir@/nsd_control.pem"


# Secret keys for TSIGs that secure zone transfers.
# You could include: "secret.keys" and put the 'key:' statements in there,
# and give that file special access control permissions.
#
# key:
	# The key name is sent to the other party, it must be the same
	#name: "keyname"
	# algorithm hmac-md5, or sha1, sha256, sha224, sha384, sha512
	#algorithm: sha256
	# secret material, must be the same as the other party uses.
	# base64 encoded random number.
	# e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64
	#secret: "K2tf3TRjvQkVCmJF3/Z9vA=="


# Patterns have zone configuration and they are shared by one or more zones.
# 
# pattern:
	# name by which the pattern is referred to
	#name: "myzones"
	# the zonefile for the zones that use this pattern.
	# if relative then from the zonesdir (inside the chroot).
	# the name is processed: %s - zone name (as appears in zone:name).
	# %1 - first character of zone name, %2 second, %3 third.
	# %z - topleveldomain label of zone, %y, %x next labels in name.
	# if label or character does not exist you get a dot '.'.
	# for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s"
	#zonefile: "%s.zone"
	
	# If no master and slave access control elements are provided,
	# this zone will not be served to/from other servers.

	# A master zone needs notify: and provide-xfr: lists.  A slave
	# may also allow zone transfer (for debug or other secondaries).
	# notify these slaves when the master zone changes, address TSIG|NOKEY
	# IP can be ipv4 and ipv6, with @port for a nondefault port number.
	#notify: 192.0.2.1 NOKEY
	# allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED
	# address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40
	#provide-xfr: 192.0.2.0/24 my_tsig_key_name
	# set the number of retries for notify.
	#notify-retry: 5

	# uncomment to provide AXFR to all the world
	# provide-xfr: 0.0.0.0/0 NOKEY
	# provide-xfr: ::0/0 NOKEY

	# A slave zone needs allow-notify: and request-xfr: lists.
	#allow-notify: 2001:db8::0/64 my_tsig_key_name
	# By default, a slave will request a zone transfer with IXFR/TCP.
	# If you want to make use of IXFR/UDP use: UDP addr tsigkey
	# for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey
	#request-xfr: 192.0.2.2 the_tsig_key_name
	# Attention: You cannot use UDP and AXFR together. AXFR is always over 
	# TCP. If you use UDP, we higly recommend you to deploy TSIG.
	# Allow AXFR fallback if the master does not support IXFR. Default
	# is yes.
	#allow-axfr-fallback: yes
	# set local interface for sending zone transfer requests.
	# default is let the OS choose.
	#outgoing-interface: 10.0.0.10
	# limit the refresh and retry interval in seconds.
	#max-refresh-time: 2419200
	#min-refresh-time: 0
	#max-retry-time: 1209600
	#min-retry-time: 0
	# Slave server tries zone transfer to all masters and picks highest
	# zone version available, for when masters have different versions.
	#multi-master-check: no

	# limit the zone transfer size (in bytes), stops very large transfers
	# 0 is no limits enforced.
	# size-limit-xfr: 0

	# if compiled with --enable-zone-stats, give name of stat block for
	# this zone (or group of zones).  Output from nsd-control stats.
	# zonestats: "%s"

	# if you give another pattern name here, at this point the settings
	# from that pattern are inserted into this one (as if it were a 
	# macro).  The statement can be given in between other statements,
	# because the order of access control elements can make a difference
	# (which master to request from first, which slave to notify first).
	#include-pattern: "common-masters"


# Fixed zone entries.  Here you can config zones that cannot be deleted.
# Zones that are dynamically added and deleted are put in the zonelist file.
#
# zone:
 	# name: "example.com"
 	# you can give a pattern here, all the settings from that pattern
 	# are then inserted at this point
 	# include-pattern: "master"
 	# You can also specify (additional) options directly for this zone.
 	# zonefile: "example.com.zone"
 	# request-xfr: 192.0.2.1 example.com.key

	# RRLconfig
	# Response Rate Limiting, whitelist types
	# rrl-whitelist: nxdomain
	# rrl-whitelist: error
	# rrl-whitelist: referral
	# rrl-whitelist: any
	# rrl-whitelist: rrsig
	# rrl-whitelist: wildcard
	# rrl-whitelist: nodata
	# rrl-whitelist: dnskey
	# rrl-whitelist: positive
	# rrl-whitelist: all
	# RRLend