#
# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
#
# Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
#
# See LICENSE for the license.
#

# This is a comment.
# Sample configuration file
#
# NOTE(review): the TSIG secrets below are sample values only. A real
# nsd.conf that carries TSIG secrets should not be world-readable.

# options for the nsd server
server:
	# uncomment to specify specific interfaces to bind (default wildcard interface).
	# ip-address: 1.2.3.4
	# ip-address: 1.2.3.4@5678
	# ip-address: 12fe::8ef0

	# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
	# NOTE(review): set this to yes to avoid disclosing the running version
	# to anyone who asks for it.
	# hide-version: no

	# enable debug mode, does not fork daemon process into the background.
	# debug-mode: no

	# listen only on IPv4 connections
	# ip4-only: no

	# listen only on IPv6 connections
	# ip6-only: no

	# the database to use
	# database: "@dbfile@"

	# identify the server (CH TXT ID.SERVER entry).
	# identity: "unidentified server"

	# NSID identity (hex string). default disabled.
	# nsid: "aabbccdd"

	# log messages to file. Default to stderr and syslog (with facility LOG_DAEMON).
	# logfile: "@logfile@"

	# Number of NSD servers to fork.
	# server-count: 1

	# Maximum number of concurrent TCP connections per server.
	# This option should have a value below 1000.
	# tcp-count: 10

	# Maximum number of queries served on a single TCP connection.
	# By default 0, which means no maximum.
	# tcp-query-count: 0

	# Override the default (120 seconds) TCP timeout.
	# tcp-timeout: 120

	# Preferred EDNS buffer size for IPv4.
	# ipv4-edns-size: 4096

	# Preferred EDNS buffer size for IPv6.
	# ipv6-edns-size: 4096

	# File to store pid for nsd in.
	# pidfile: "@pidfile@"

	# port to answer queries on. default is 53.
	# port: 53

	# statistics are produced every number of seconds.
	# statistics: 3600

	# Run NSD in a chroot-jail.
	# make sure to have pidfile and database reachable from there.
	# by default, no chroot-jail is used.
	# chroot: "@configdir@"

	# After binding socket, drop user privileges.
	# can be a username, id or id.gid.
	# username: @user@

	# The directory for zonefile: files.
	# zonesdir: "@zonesdir@"

	# The file where incoming zone transfers are stored.
	# run nsd-patch to update zone files, then you can safely delete it.
	# difffile: "@difffile@"

	# The file where secondary zone refresh and expire timeouts are kept.
	# If you delete this file, all secondary zones are forced to be
	# 'refreshing' (as if nsd got a notify).
	# xfrdfile: "@xfrdfile@"

	# Number of seconds between reloads triggered by xfrd.
	# xfrd-reload-timeout: 10

	# Verbosity level.
	# verbosity: 0

# key for zone 1
# NOTE(review): hmac-md5 is kept in this sample for compatibility with
# older masters; prefer hmac-sha256 (as used for sec3_key below) for new keys.
key:
	name: mskey
	algorithm: hmac-md5
	secret: "K2tf3TRjvQkVCmJF3/Z9vA=="

# Sample zone 1
zone:
	name: "example.com"
	zonefile: "example.com.zone"

	# This is a slave zone. Masters are listed below.
	# If no access control elements are provided, this zone
	# will not be served to/from other servers.

	# master 1
	allow-notify: 168.192.44.42 mskey
	request-xfr: 168.192.44.42 mskey

	# master 2
	allow-notify: 10.0.0.11 NOKEY
	request-xfr: 10.0.0.11 NOKEY

	# By default, a slave will request a zone transfer with IXFR/TCP.
	# If you want to make use of IXFR/UDP use
	# NOTE(review): this example pairs UDP with NOKEY, which the note below
	# advises against; in production, use a TSIG key with UDP transfers.
	allow-notify: 10.0.0.12 NOKEY
	request-xfr: UDP 10.0.0.12 NOKEY

	# for a master that only speaks AXFR (like NSD) use
	allow-notify: 10.0.0.13 NOKEY
	request-xfr: AXFR 10.0.0.13 NOKEY

	# Attention: You cannot use UDP and AXFR together. AXFR is always over
	# TCP. If you use UDP, we highly recommend deploying TSIG.

	# Allow AXFR fallback if the master does not support IXFR. Default
	# is yes.
	allow-axfr-fallback: "yes"

	# uncomment to provide AXFR to all the world
	# (this publishes the complete zone contents to anyone; leave it
	# commented unless the zone is intentionally public)
	# provide-xfr: 0.0.0.0/0 NOKEY
	# provide-xfr: ::0/0 NOKEY

	# set local interface for sending zone transfer requests.
	outgoing-interface: 10.0.0.10

# Sample zone 2
zone:
	name: "example.net"
	zonefile: "example.net.signed.zone"

	# This is a master zone. Slaves are listed below.
	# If no access control elements are provided, this zone
	# will not be served to/from other servers.

	# secondary 1. Uses port 5300.
	notify: 10.0.0.14@5300 sec1_key
	provide-xfr: 10.0.0.14@5300 sec1_key

	# secondary 2.
	notify: 10.11.12.14 sec2_key
	provide-xfr: 10.11.12.14 sec2_key

	# also provide xfr to operator's network.
	# (NOKEY here means any host in the prefix can transfer the zone;
	# a TSIG key restricts this further.)
	provide-xfr: 169.192.85.0/24 NOKEY
	# uncomment to disable xfr for the address.
	# provide-xfr: 169.192.85.66 BLOCKED

	# set the number of retries for notify.
	notify-retry: 5

	# set local interface for sending notifies
	outgoing-interface: 10.0.0.15

# keys for zone 2
# NOTE(review): hmac-md5 kept for compatibility; prefer hmac-sha256 for new keys.
key:
	name: "sec1_key"
	algorithm: hmac-md5
	secret: "6KM6qiKfwfEpamEq72HQdA=="

key:
	name: sec2_key
	algorithm: hmac-sha1
	secret: "m83H2x8R0zbDf3yRKhrqgw=="

# NOTE(review): this secret is identical to sec2_key's above -- sample data
# only; each TSIG key needs its own randomly generated secret.
key:
	name: sec3_key
	algorithm: hmac-sha256
	secret: "m83H2x8R0zbDf3yRKhrqgw=="
