1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
|
#
# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
#
# Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
#
# See LICENSE for the license.
#
# This is a comment.
# Sample configuration file
# include: "file" # include that file's text over here. Globbed, "*.conf"
# options for the nsd server
server:
# Number of NSD servers to fork. Put the number of CPUs to use here.
# server-count: 1
# Set overall CPU affinity for NSD processes on Linux and FreeBSD.
# Any server/xfrd CPU affinity value will be masked by this value.
# cpu-affinity: 0 1 2 3
# Bind NSD server(s), configured by server-count (1-based), to a
# dedicated core. Single core affinity improves L1/L2 cache hits and
# reduces pipeline stalls/flushes.
#
# server-1-cpu-affinity: 0
# server-2-cpu-affinity: 1
# ...
# server-<N>-cpu-affinity: 2
# Bind xfrd to a dedicated core.
# xfrd-cpu-affinity: 3
# Specify specific interfaces to bind (default are the wildcard
# interfaces 0.0.0.0 and ::0).
# For servers with multiple IP addresses, list them one by one,
# or the source address of replies could be wrong.
# Use ip-transparent to be able to list addresses that turn on later.
# ip-address: 1.2.3.4
# ip-address: 1.2.3.4@5678
# ip-address: 12fe::8ef0
#
# IP addresses can be configured per-server to avoid waking up more
# than one server when a packet comes in (thundering herd problem) or
# to partition sockets across servers to improve select/poll
# performance.
#
# ip-address: 1.2.3.4 servers="1-2 3"
# ip-address: 1.2.3.4@5678 servers="4-5 6"
#
# When several interfaces are configured to listen on the same subnet,
# care must be taken to ensure responses go out the same interface the
# corresponding query came in on to avoid problems with load balancers
# and VLAN tagged interfaces. Linux offers the SO_BINDTODEVICE socket
# option to bind a socket to a specified device. For FreeBSD, to
# achieve the same result, specify the routing table to use after the
# IP address to use SO_SETFIB.
#
# Complement with socket partitioning and CPU affinity for attack
# mitigation benefits. i.e. only a single core is maxed out if a
# specific IP address is under attack.
#
# ip-address: 1.2.3.4 setfib=0 bindtodevice=yes
# ip-address: 1.2.3.5@6789 setfib=1 bindtodevice=yes
# Allow binding to non local addresses. Default no.
# ip-transparent: no
# Allow binding to addresses that are down. Default no.
# ip-freebind: no
# Use SO_REUSEPORT socket option for performance. Default no.
# reuseport: no
# override maximum socket send buffer size. Default of 0 results in
# send buffer size being set to 1048576 (bytes).
# send-buffer-size: 1048576
# override maximum socket receive buffer size. Default of 0 results in
# receive buffer size being set to 1048576 (bytes).
# receive-buffer-size: 1048576
# enable debug mode, does not fork daemon process into the background.
# debug-mode: no
# listen on IPv4 connections
# do-ip4: yes
# listen on IPv6 connections
# do-ip6: yes
# port to answer queries on. default is 53.
# port: 53
# Verbosity level.
# verbosity: 0
# After binding socket, drop user privileges.
# can be a username, id or id.gid.
# username: @user@
# Run NSD in a chroot-jail.
# make sure to have pidfile reachable from there.
# by default, no chroot-jail is used.
# chroot: "@configdir@"
# The directory for zonefile: files. The daemon chdirs here.
# zonesdir: "@zonesdir@"
# the list of dynamically added zones.
# zonelistfile: "@zonelistfile@"
# log messages to file. Default to stderr and syslog (with
# facility LOG_DAEMON). stderr disappears when daemon goes to bg.
# logfile: "@logfile@"
# log only to syslog.
# log-only-syslog: no
# File to store pid for nsd in.
# pidfile: "@pidfile@"
# The file where secondary zone refresh and expire timeouts are kept.
# If you delete this file, all secondary zones are forced to be
# 'refreshing' (as if nsd got a notify). Set to "" to disable.
# xfrdfile: "@xfrdfile@"
# The directory where zone transfers are stored, in a subdir of it.
# xfrdir: "@xfrdir@"
# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
# hide-version: no
# don't answer HOSTNAME.BIND and ID.SERVER CHAOS class queries
# hide-identity: no
# Drop UPDATE queries
# drop-updates: no
# version string the server responds with for chaos queries.
# default is 'NSD x.y.z' with the server's version number.
# version: "NSD"
# identify the server (CH TXT ID.SERVER entry).
# identity: "unidentified server"
# NSID identity (hex string, or "ascii_somestring"). default disabled.
# nsid: "aabbccdd"
# Maximum number of concurrent TCP connections per server.
# tcp-count: 100
# Accept (and immediately close) TCP connections after maximum number
# of connections is reached to prevent kernel connection queue from
# growing.
# tcp-reject-overflow: no
# Maximum number of queries served on a single TCP connection.
# By default 0, which means no maximum.
# tcp-query-count: 0
# Override the default (120 seconds) TCP timeout.
# tcp-timeout: 120
# Maximum segment size (MSS) of TCP socket on which the server
# responds to queries. Default is 0, system default MSS.
# tcp-mss: 0
# Maximum segment size (MSS) of TCP socket for outgoing AXFR request.
# Default is 0, system default MSS.
# outgoing-tcp-mss: 0
# reduce these settings to save memory for NSD, to about
# xfrd-tcp-max: 32 and xfrd-tcp-pipeline: 128, also rrl-size: 1000
# other memory is determined by server-count, tcp-count and zone data
# max number of sockets used for outgoing zone transfers.
# Increase this to allow more sockets for zone transfers.
# xfrd-tcp-max: 128
# max number of simultaneous outgoing zone transfers over one socket.
# xfrd-tcp-pipeline: 128
# Preferred EDNS buffer size for IPv4.
# ipv4-edns-size: 1232
# Preferred EDNS buffer size for IPv6.
# ipv6-edns-size: 1232
# statistics are produced every number of seconds. Prints to log.
# Default is 0, meaning no statistics are produced.
# statistics: 3600
# Number of seconds between reloads triggered by xfrd.
# xfrd-reload-timeout: 1
# log timestamp in ascii (y-m-d h:m:s.msec), yes is default.
# log-time-ascii: yes
# round robin rotation of records in the answer.
# round-robin: no
# minimal-responses only emits extra data for referrals.
# minimal-responses: no
# Do not return additional information if the apex zone of the
# additional information is configured but does not match the apex zone
# of the initial query.
# confine-to-zone: no
# refuse queries of type ANY. For stopping floods.
# refuse-any: no
# check mtime of all zone files on start and sighup
# zonefiles-check: yes
# write changed zonefiles to disk, every N seconds.
# default is 3600.
# zonefiles-write: 3600
# RRLconfig
# Response Rate Limiting, size of the hashtable. Default 1000000.
# rrl-size: 1000000
# Response Rate Limiting, maximum QPS allowed (from one query source).
# If set to 0, ratelimiting is disabled. Also set
# rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
# Default is @ratelimit_default@.
# rrl-ratelimit: 200
# Response Rate Limiting, number of packets to discard before
# sending a SLIP response (a truncated one, allowing an honest
# resolver to retry with TCP). Default is 2 (one half of the
# queries will receive a SLIP response, 0 disables SLIP (all
# packets are discarded), 1 means every request will get a
# SLIP response. When the ratelimit is hit the traffic is
# divided by the rrl-slip value.
# rrl-slip: 2
# Response Rate Limiting, IPv4 prefix length. Addresses are
# grouped by netblock.
# rrl-ipv4-prefix-length: 24
# Response Rate Limiting, IPv6 prefix length. Addresses are
# grouped by netblock.
# rrl-ipv6-prefix-length: 64
# Response Rate Limiting, maximum QPS allowed (from one query source)
# for whitelisted types. Default is @ratelimit_default@.
# rrl-whitelist-ratelimit: 2000
# RRLend
# Service clients over TLS (on the TCP sockets), with plain DNS inside
# the TLS stream. Give the certificate to use and private key.
# Default is "" (disabled). Requires restart to take effect.
# tls-service-key: "path/to/privatekeyfile.key"
# tls-service-pem: "path/to/publiccertfile.pem"
# tls-service-ocsp: "path/to/ocsp.pem"
# tls-port: 853
# Certificates used to authenticate connections made upstream for
# Transfers over TLS (XoT). Default is "" (default verify locations).
# tls-cert-bundle: "path/to/ca-bundle.pem"
# The interfaces that use these listed port numbers will support and
# expect PROXYv2. For UDP and TCP/TLS interfaces.
# proxy-protocol-port: portno for each of the port numbers.
verify:
# Enable zone verification. Default is no.
# enable: no
# Port to answer verifier queries on. Default is 5347.
# port: 5347
# Interfaces to bind for zone verification (default are the localhost
# interfaces, usually 127.0.0.1 and ::1). To bind to to multiple IP
# addresses, list them one by one. Socket options cannot be specified
# for verify ip-address options.
# ip-address: 127.0.0.1
# ip-address: 127.0.0.1@5347
# ip-address: ::1
# Verify zones by default. Default is yes.
# verify-zones: yes
# Command to execute for zone verification.
# verifier: ldns-verify-zone
# verifier: validns -
# verifier: drill -k <keyfile> @127.0.0.1 -p 5347 example.com SOA
# Maximum number of verifiers to run concurrently. Default is 1.
# verifier-count: 1
# Feed updated zone to verifier over standard input. Default is yes.
# verifier-feed-zone: yes
# Number of seconds before verifier is killed (0 is forever).
# verifier-timeout: 0
# DNSTAP config section, if compiled with that
# dnstap:
# set this to yes and set one or more of dnstap-log-..-messages to yes.
# dnstap-enable: no
# dnstap-socket-path: "@dnstap_socket_path@"
# for dnstap-ip, "" is disabled, use TCP or TLS with like 127.0.0.1@3333
# dnstap-ip: ""
# dnstap-tls: yes
# dnstap-tls-server-name: ""
# dnstap-tls-cert-bundle: "path/to/bundle.pem"
# dnstap-tls-client-key-file: ""
# dnstap-tls-client-cert-file: ""
# dnstap-send-identity: no
# dnstap-send-version: no
# dnstap-identity: ""
# dnstap-version: ""
# dnstap-log-auth-query-messages: no
# dnstap-log-auth-response-messages: no
# Remote control config section.
remote-control:
# Enable remote control with nsd-control(8) here.
# set up the keys and certificates with nsd-control-setup.
# control-enable: no
# what interfaces are listened to for control, default is on localhost.
# interfaces can be specified by IP address or interface name.
# with an interface name, all IP addresses associated with that
# interface are used.
# with an absolute path, a unix local named pipe is used for control
# (and key and cert files are not needed, use directory permissions).
# control-interface: 127.0.0.1
# control-interface: ::1
# control-interface: lo
# port number for remote control operations (uses TLS over TCP).
# control-port: 8952
# nsd server key file for remote control.
# server-key-file: "@configdir@/nsd_server.key"
# nsd server certificate file for remote control.
# server-cert-file: "@configdir@/nsd_server.pem"
# nsd-control key file.
# control-key-file: "@configdir@/nsd_control.key"
# nsd-control certificate file.
# control-cert-file: "@configdir@/nsd_control.pem"
# Secret keys for TSIGs that secure zone transfers.
# You could include: "secret.keys" and put the 'key:' statements in there,
# and give that file special access control permissions.
#
# key:
# The key name is sent to the other party, it must be the same
#name: "keyname"
# algorithm hmac-md5, or sha1, sha256, sha224, sha384, sha512
#algorithm: sha256
# secret material, must be the same as the other party uses.
# base64 encoded random number.
# e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64
#secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
# The tls-auth clause establishes authentication attributes to use when
# authenticating the far end of an outgoing TLS connection in access control
# lists used for XFR-over-TLS. If authentication fails, the XFR request will not
# be made. Support for TLS 1.3 is required for XFR-over-TLS. It has the
# following attributes:
#
# tls-auth:
# The tls-auth name. Used to refer to this TLS auth information in the access control list.
#name: "tls-authname"
# The authentication domain name as defined in RFC8310.
#auth-domain-name: "example.com"
# Client certificate and private key for Mutual TLS authentication
#client-cert: "path/to/clientcert.pem"
#client-key: "path/to/clientkey.key"
#client-key-pw: "password"
# Patterns have zone configuration and they are shared by one or more zones.
#
# pattern:
# name by which the pattern is referred to
#name: "myzones"
# the zonefile for the zones that use this pattern.
# if relative then from the zonesdir (inside the chroot).
# the name is processed: %s - zone name (as appears in zone:name).
# %1 - first character of zone name, %2 second, %3 third.
# %z - topleveldomain label of zone, %y, %x next labels in name.
# if label or character does not exist you get a dot '.'.
# for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s"
#zonefile: "%s.zone"
# The allow-query allows an access control list to be specified
# for a zone to be queried. Without an allow-query option, any
# IP address is allowed to send queries for the zone.
# This could be useful for example to not leak content from a zone
# which is only offered for transfer to secondaries over TLS.
#allow-query: 192.0.2.0/24 NOKEY
# If no primary and secondary access control elements are provided,
# this zone will not be served to/from other servers.
# A primary zone needs notify: and provide-xfr: lists. A secondary
# may also allow zone transfer (for debug or other secondaries).
# notify these secondaries when the primary zone changes, address TSIG|NOKEY
# IP can be ipv4 and ipv6, with @port for a nondefault port number.
#notify: 192.0.2.1 NOKEY
# allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED
# address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40
#provide-xfr: 192.0.2.0/24 my_tsig_key_name
# set the number of retries for notify.
#notify-retry: 5
# if yes, store and provide IXFRs.
#store-ixfr: no
# number of IXFR versions to store, at most.
#ixfr-number: 5
# size in bytes of max storage to use for IXFR versions.
#ixfr-size: 1048576
# if yes, create IXFR when a zonefile is read by the server.
#create-ixfr: no
# uncomment to provide AXFR to all the world
# provide-xfr: 0.0.0.0/0 NOKEY
# provide-xfr: ::0/0 NOKEY
# A secondary zone needs allow-notify: and request-xfr: lists.
#allow-notify: 2001:db8::0/64 my_tsig_key_name
# By default, a secondary will request a zone transfer with IXFR/TCP.
# If you want to make use of IXFR/UDP use: UDP addr tsigkey
# for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey
# If you want to require use of XFR-over-TLS use: addr tsigkey tlsauthname
#request-xfr: 192.0.2.2 the_tsig_key_name
#request-xfr: 192.0.2.2 the_tsig_key_name the_tls_auth_name
# Attention: You cannot use UDP and AXFR together. AXFR is always over
# TCP. If you use UDP, we highly recommend you to deploy TSIG.
# Allow AXFR fallback if the master does not support IXFR. Default
# is yes.
#allow-axfr-fallback: yes
# set local interface for sending zone transfer requests.
# default is let the OS choose.
#outgoing-interface: 10.0.0.10
# limit the refresh and retry interval in seconds.
#max-refresh-time: 2419200
#min-refresh-time: 0
#max-retry-time: 1209600
#min-retry-time: 0
# Lower bound of expire interval in seconds. The value can be "refresh+retry+1"
# in which case the lower bound of expire interval is the sum of the refresh and
# retry values (limited to the bounds given with the above parameters), plus 1.
#min-expire-time: 0
# Secondary server tries zone transfer to all primaries and picks highest
# zone version available, for when primaries have different versions.
#multi-primary-check: no
# limit the zone transfer size (in bytes), stops very large transfers
# 0 is no limits enforced.
# size-limit-xfr: 0
# if compiled with --enable-zone-stats, give name of stat block for
# this zone (or group of zones). Output from nsd-control stats.
# zonestats: "%s"
# if you give another pattern name here, at this point the settings
# from that pattern are inserted into this one (as if it were a
# macro). The statement can be given in between other statements,
# because the order of access control elements can make a difference
# (which master to request from first, which secondary to notify first).
#include-pattern: "common-masters"
# Verify zone before publishing.
# Default is value of verify-zones in verify.
# verify-zone: yes
# Command to execute for zone verification.
# Default is verifier in verify.
# verifier: ldns-verify-zone
# verifier: validns -
# verifier: drill -k <keyfile> @127.0.0.1 -p 5347 example.com SOA
# Feed updated zone to verifier over standard input.
# Default is value of verifier-feed-zone in verify.
# verifier-feed-zone: yes
# Number of seconds before verifier is killed (0 is forever).
# Default is verifier-timeout in verify.
# verifier-timeout: 0
# Turn this zone into a catalog consumer zone.
# The catalog-member-pattern option is the default pattern that
# will be used for members without or with invalid group property.
# catalog: consumer
# catalog-member-pattern: "example-pattern"
# Turn this zone into a catalog producer zone.
# Member zones can be added using nsd-control addzone <zone> <pattern>
# where <pattern> is a pattern containing a catalog-producer-zone
# option pointing to this zone.
# catalog: producer
# Use this pattern to add catalog producer members. "catalog1.invalid"
# needs to be a valid catalog producer zone; i.e. a primary zone
# without a request-xfr option and with and catalog option set to
# producer.
# catalog-producer-member: "catalog1.invalid"
# Fixed zone entries. Here you can config zones that cannot be deleted.
# Zones that are dynamically added and deleted are put in the zonelist file.
#
# zone:
# name: "example.com"
# you can give a pattern here, all the settings from that pattern
# are then inserted at this point
# include-pattern: "master"
# You can also specify (additional) options directly for this zone.
# zonefile: "example.com.zone"
# request-xfr: 192.0.2.1 example.com.key
# RRLconfig
# Response Rate Limiting, whitelist types
# rrl-whitelist: nxdomain
# rrl-whitelist: error
# rrl-whitelist: referral
# rrl-whitelist: any
# rrl-whitelist: rrsig
# rrl-whitelist: wildcard
# rrl-whitelist: nodata
# rrl-whitelist: dnskey
# rrl-whitelist: positive
# rrl-whitelist: all
# RRLend
|