xref: /openbsd/usr.sbin/nsd/nsd.conf.sample.in (revision 76d0caae) 
1#
2# nsd.conf -- the NSD(8) configuration file, nsd.conf(5).
3#
4# Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
5#
6# See LICENSE for the license.
7#
8
9# This is a comment.
10# Sample configuration file
11# include: "file" # include that file's text over here.  Globbed, "*.conf"
12
13# options for the nsd server
14server:
15	# Number of NSD servers to fork.  Put the number of CPUs to use here.
16	# server-count: 1
17
18	# Set overall CPU affinity for NSD processes on Linux and FreeBSD.
19	# Any server/xfrd CPU affinity value will be masked by this value.
20	# cpu-affinity: 0 1 2 3
21
22	# Bind NSD server(s), configured by server-count (1-based), to a
23	# dedicated core. Single core affinity improves L1/L2 cache hits and
24	# reduces pipeline stalls/flushes.
25	#
26	# server-1-cpu-affinity: 0
27	# server-2-cpu-affinity: 1
28	# ...
29	# server-<N>-cpu-affinity: 2
30
31	# Bind xfrd to a dedicated core.
32	# xfrd-cpu-affinity: 3
33
34	# Specify specific interfaces to bind (default are the wildcard
35	# interfaces 0.0.0.0 and ::0).
36	# For servers with multiple IP addresses, list them one by one,
37	# or the source address of replies could be wrong.
38	# Use ip-transparent to be able to list addresses that turn on later.
39	# ip-address: 1.2.3.4
40	# ip-address: 1.2.3.4@5678
41	# ip-address: 12fe::8ef0
42	#
43	# IP addresses can be configured per-server to avoid waking up more
44	# than one server when a packet comes in (thundering herd problem) or
45	# to partition sockets across servers to improve select/poll
46	# performance.
47	#
48	# ip-address: 1.2.3.4       servers="1-2 3"
49	# ip-address: 1.2.3.4@5678  servers="4-5 6"
50	#
51	# When several interfaces are configured to listen on the same subnet,
52	# care must be taken to ensure responses go out the same interface the
53	# corresponding query came in on to avoid problems with load balancers
54	# and VLAN tagged interfaces. Linux offers the SO_BINDTODEVICE socket
55	# option to bind a socket to a specified device. For FreeBSD, to
56	# achieve the same result, specify the routing table to use after the
57	# IP address to use SO_SETFIB.
58	#
59	# Complement with socket partitioning and CPU affinity for attack
60	# mitigation benefits. i.e. only a single core is maxed out if a
61	# specific IP address is under attack.
62	#
63	# ip-address: 1.2.3.4       setfib=0  bindtodevice=yes
64	# ip-address: 1.2.3.5@6789  setfib=1  bindtodevice=yes
65
66	# Allow binding to non local addresses. Default no.
67	# ip-transparent: no
68
69	# Allow binding to addresses that are down. Default no.
70	# ip-freebind: no
71
72	# Use SO_REUSEPORT socket option for performance. Default no.
73	# reuseport: no
74
75	# override maximum socket send buffer size.  Default of 0 results in
76	# send buffer size being set to 1048576 (bytes).
77	# send-buffer-size: 1048576
78
79	# override maximum socket receive buffer size. Default of 0 results in
80	# receive buffer size being set to 1048576 (bytes).
81	# receive-buffer-size: 1048576
82
83	# enable debug mode, does not fork daemon process into the background.
84	# debug-mode: no
85
86	# listen on IPv4 connections
87	# do-ip4: yes
88
89	# listen on IPv6 connections
90	# do-ip6: yes
91
92	# port to answer queries on. default is 53.
93	# port: 53
94
95	# Verbosity level.
96	# verbosity: 0
97
98	# After binding socket, drop user privileges.
99	# can be a username, id or id.gid.
100	# username: @user@
101
102	# Run NSD in a chroot-jail.
103	# make sure to have pidfile and database reachable from there.
104	# by default, no chroot-jail is used.
105	# chroot: "@configdir@"
106
107	# The directory for zonefile: files.  The daemon chdirs here.
108	# zonesdir: "@zonesdir@"
109
110	# the list of dynamically added zones.
111	# zonelistfile: "@zonelistfile@"
112
113	# the database to use
114	# if set to "" then no disk-database is used, less memory usage.
115	# database: "@dbfile@"
116
117	# log messages to file. Default to stderr and syslog (with
118	# facility LOG_DAEMON).  stderr disappears when daemon goes to bg.
119	# logfile: "@logfile@"
120
121	# log only to syslog.
122	# log-only-syslog: no
123
124	# File to store pid for nsd in.
125	# pidfile: "@pidfile@"
126
127	# The file where secondary zone refresh and expire timeouts are kept.
128	# If you delete this file, all secondary zones are forced to be
129	# 'refreshing' (as if nsd got a notify).  Set to "" to disable.
130	# xfrdfile: "@xfrdfile@"
131
132	# The directory where zone transfers are stored, in a subdir of it.
133	# xfrdir: "@xfrdir@"
134
135	# don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
136	# hide-version: no
137
138	# don't answer HOSTNAME.BIND and ID.SERVER CHAOS class queries
139	# hide-identity: no
140
141	# Drop UPDATE queries
142	# drop-updates: no
143
144	# version string the server responds with for chaos queries.
145	# default is 'NSD x.y.z' with the server's version number.
146	# version: "NSD"
147
148	# identify the server (CH TXT ID.SERVER entry).
149	# identity: "unidentified server"
150
151	# NSID identity (hex string, or "ascii_somestring"). default disabled.
152	# nsid: "aabbccdd"
153
154	# Maximum number of concurrent TCP connections per server.
155	# tcp-count: 100
156
157	# Accept (and immediately close) TCP connections after maximum number
158	# of connections is reached to prevent kernel connection queue from
159	# growing.
160	# tcp-reject-overflow: no
161
162	# Maximum number of queries served on a single TCP connection.
163	# By default 0, which means no maximum.
164	# tcp-query-count: 0
165
166	# Override the default (120 seconds) TCP timeout.
167	# tcp-timeout: 120
168
169	# Maximum segment size (MSS) of TCP socket on which the server
170	# responds to queries. Default is 0, system default MSS.
171	# tcp-mss: 0
172
173	# Maximum segment size (MSS) of TCP socket for outgoing AXFR request.
174	# Default is 0, system default MSS.
175	# outgoing-tcp-mss: 0
176
177	# Preferred EDNS buffer size for IPv4.
178	# ipv4-edns-size: 1232
179
180	# Preferred EDNS buffer size for IPv6.
181	# ipv6-edns-size: 1232
182
183	# statistics are produced every number of seconds. Prints to log.
184	# Default is 0, meaning no statistics are produced.
185	# statistics: 3600
186
187	# Number of seconds between reloads triggered by xfrd.
188	# xfrd-reload-timeout: 1
189
190	# log timestamp in ascii (y-m-d h:m:s.msec), yes is default.
191	# log-time-ascii: yes
192
193	# round robin rotation of records in the answer.
194	# round-robin: no
195
196	# minimal-responses only emits extra data for referrals.
197	# minimal-responses: no
198
199	# Do not return additional information if the apex zone of the
200	# additional information is configured but does not match the apex zone
201	# of the initial query.
202	# confine-to-zone: no
203
204	# refuse queries of type ANY.  For stopping floods.
205	# refuse-any: no
206
207	# check mtime of all zone files on start and sighup
208	# zonefiles-check: yes
209
210	# write changed zonefiles to disk, every N seconds.
211	# default is 0(disabled) or 3600(if database is "").
212	# zonefiles-write: 3600
213
214	# RRLconfig
215	# Response Rate Limiting, size of the hashtable. Default 1000000.
216	# rrl-size: 1000000
217
218	# Response Rate Limiting, maximum QPS allowed (from one query source).
219	# If set to 0, ratelimiting is disabled. Also set
220	# rrl-whitelist-ratelimit to 0 to disable ratelimit processing.
221	# Default is @ratelimit_default@.
222	# rrl-ratelimit: 200
223
224	# Response Rate Limiting, number of packets to discard before
225	# sending a SLIP response (a truncated one, allowing an honest
226	# resolver to retry with TCP). Default is 2 (one half of the
227	# queries will receive a SLIP response, 0 disables SLIP (all
228	# packets are discarded), 1 means every request will get a
229	# SLIP response.  When the ratelimit is hit the traffic is
230	# divided by the rrl-slip value.
231	# rrl-slip: 2
232
233	# Response Rate Limiting, IPv4 prefix length. Addresses are
234	# grouped by netblock.
235	# rrl-ipv4-prefix-length: 24
236
237	# Response Rate Limiting, IPv6 prefix length. Addresses are
238	# grouped by netblock.
239	# rrl-ipv6-prefix-length: 64
240
241	# Response Rate Limiting, maximum QPS allowed (from one query source)
242	# for whitelisted types. Default is @ratelimit_default@.
243	# rrl-whitelist-ratelimit: 2000
244	# RRLend
245
246	# Service clients over TLS (on the TCP sockets), with plain DNS inside
247	# the TLS stream. Give the certificate to use and private key.
248	# Default is "" (disabled). Requires restart to take effect.
249	# tls-service-key: "path/to/privatekeyfile.key"
250	# tls-service-pem: "path/to/publiccertfile.pem"
251	# tls-service-ocsp: "path/to/ocsp.pem"
252	# tls-port: 853
253
254	# Certificates used to authenticate connections made upstream for
255	# Transfers over TLS (XoT). Default is "" (default verify locations).
256	# tls-cert-bundle: "path/to/ca-bundle.pem"
257
258# DNSTAP config section, if compiled with that
259# dnstap:
260	# set this to yes and set one or more of dnstap-log-..-messages to yes.
261	# dnstap-enable: no
262	# dnstap-socket-path: "@dnstap_socket_path@"
263	# dnstap-send-identity: no
264	# dnstap-send-version: no
265	# dnstap-identity: ""
266	# dnstap-version: ""
267	# dnstap-log-auth-query-messages: no
268	# dnstap-log-auth-response-messages: no
269
270# Remote control config section.
271remote-control:
272	# Enable remote control with nsd-control(8) here.
273	# set up the keys and certificates with nsd-control-setup.
274	# control-enable: no
275
276	# what interfaces are listened to for control, default is on localhost.
277	# interfaces can be specified by IP address or interface name.
278	# with an interface name, all IP addresses associated with that
279	# interface are used.
280	# with an absolute path, a unix local named pipe is used for control
281	# (and key and cert files are not needed, use directory permissions).
282	# control-interface: 127.0.0.1
283	# control-interface: ::1
284	# control-interface: lo
285
286	# port number for remote control operations (uses TLS over TCP).
287	# control-port: 8952
288
289	# nsd server key file for remote control.
290	# server-key-file: "@configdir@/nsd_server.key"
291
292	# nsd server certificate file for remote control.
293	# server-cert-file: "@configdir@/nsd_server.pem"
294
295	# nsd-control key file.
296	# control-key-file: "@configdir@/nsd_control.key"
297
298	# nsd-control certificate file.
299	# control-cert-file: "@configdir@/nsd_control.pem"
300
301
302# Secret keys for TSIGs that secure zone transfers.
303# You could include: "secret.keys" and put the 'key:' statements in there,
304# and give that file special access control permissions.
305#
306# key:
307	# The key name is sent to the other party, it must be the same
308	#name: "keyname"
309	# algorithm hmac-md5, or sha1, sha256, sha224, sha384, sha512
310	#algorithm: sha256
311	# secret material, must be the same as the other party uses.
312	# base64 encoded random number.
313	# e.g. from dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64
314	#secret: "K2tf3TRjvQkVCmJF3/Z9vA=="
315
316# The tls-auth clause establishes authentication attributes to use when
317# authenticating the far end of an outgoing TLS connection in access control
318# lists used for XFR-over-TLS. If authentication fails, the XFR request will not
319# be made. Support for TLS 1.3 is required for XFR-over-TLS. It has the
320# following attributes:
321#
322# tls-auth:
323	# The tls-auth name. Used to refer to this TLS auth information in the access control list.
324	#name: "tls-authname"
325	# The authentication domain name as defined in RFC8310.
326	#auth-domain-name: "example.com"
327
328	# Client certificate and private key for Mutual TLS authentication
329	#client-cert: "path/to/clientcert.pem"
330	#client-key: "path/to/clientkey.key"
331	#client-key-pw: "password"
332
333# Patterns have zone configuration and they are shared by one or more zones.
334#
335# pattern:
336	# name by which the pattern is referred to
337	#name: "myzones"
338	# the zonefile for the zones that use this pattern.
339	# if relative then from the zonesdir (inside the chroot).
340	# the name is processed: %s - zone name (as appears in zone:name).
341	# %1 - first character of zone name, %2 second, %3 third.
342	# %z - topleveldomain label of zone, %y, %x next labels in name.
343	# if label or character does not exist you get a dot '.'.
344	# for example "%s.zone" or "zones/%1/%2/%3/%s" or "secondary/%z/%s"
345	#zonefile: "%s.zone"
346
347	# The allow-query allows an access control list to be specified
348	# for a zone to be queried. Without an allow-query option, any
349	# IP address is allowed to send queries for the zone.
350	# This could be useful for example to not leak content from a zone
351	# which is only offered for transfer to secondaries over TLS.
352	#allow-query: 192.0.2.0/24 NOKEY
353
354	# If no master and slave access control elements are provided,
355	# this zone will not be served to/from other servers.
356
357	# A master zone needs notify: and provide-xfr: lists.  A slave
358	# may also allow zone transfer (for debug or other secondaries).
359	# notify these slaves when the master zone changes, address TSIG|NOKEY
360	# IP can be ipv4 and ipv6, with @port for a nondefault port number.
361	#notify: 192.0.2.1 NOKEY
362	# allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED
363	# address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40
364	#provide-xfr: 192.0.2.0/24 my_tsig_key_name
365	# set the number of retries for notify.
366	#notify-retry: 5
367
368	# uncomment to provide AXFR to all the world
369	# provide-xfr: 0.0.0.0/0 NOKEY
370	# provide-xfr: ::0/0 NOKEY
371
372	# A slave zone needs allow-notify: and request-xfr: lists.
373	#allow-notify: 2001:db8::0/64 my_tsig_key_name
374	# By default, a slave will request a zone transfer with IXFR/TCP.
375	# If you want to make use of IXFR/UDP use: UDP addr tsigkey
376	# for a master that only speaks AXFR (like NSD) use AXFR addr tsigkey
377	# If you want to require use of XFR-over-TLS use: addr tsigkey tlsauthname
378	#request-xfr: 192.0.2.2 the_tsig_key_name
379	#request-xfr: 192.0.2.2 the_tsig_key_name the_tls_auth_name
380	# Attention: You cannot use UDP and AXFR together. AXFR is always over
381	# TCP. If you use UDP, we higly recommend you to deploy TSIG.
382	# Allow AXFR fallback if the master does not support IXFR. Default
383	# is yes.
384	#allow-axfr-fallback: yes
385	# set local interface for sending zone transfer requests.
386	# default is let the OS choose.
387	#outgoing-interface: 10.0.0.10
388	# limit the refresh and retry interval in seconds.
389	#max-refresh-time: 2419200
390	#min-refresh-time: 0
391	#max-retry-time: 1209600
392	#min-retry-time: 0
393	# Lower bound of expire interval in seconds.  The value can be "refresh+retry+1"
394	# in which case the lower bound of expire interval is the sum of the refresh and
395	# retry values (limited to the bounds given with the above parameters), plus 1.
396	#min-expire-time: 0
397
398	# Slave server tries zone transfer to all masters and picks highest
399	# zone version available, for when masters have different versions.
400	#multi-master-check: no
401
402	# limit the zone transfer size (in bytes), stops very large transfers
403	# 0 is no limits enforced.
404	# size-limit-xfr: 0
405
406	# if compiled with --enable-zone-stats, give name of stat block for
407	# this zone (or group of zones).  Output from nsd-control stats.
408	# zonestats: "%s"
409
410	# if you give another pattern name here, at this point the settings
411	# from that pattern are inserted into this one (as if it were a
412	# macro).  The statement can be given in between other statements,
413	# because the order of access control elements can make a difference
414	# (which master to request from first, which slave to notify first).
415	#include-pattern: "common-masters"
416
417
418# Fixed zone entries.  Here you can config zones that cannot be deleted.
419# Zones that are dynamically added and deleted are put in the zonelist file.
420#
421# zone:
422	# name: "example.com"
423	# you can give a pattern here, all the settings from that pattern
424	# are then inserted at this point
425	# include-pattern: "master"
426	# You can also specify (additional) options directly for this zone.
427	# zonefile: "example.com.zone"
428	# request-xfr: 192.0.2.1 example.com.key
429
430	# RRLconfig
431	# Response Rate Limiting, whitelist types
432	# rrl-whitelist: nxdomain
433	# rrl-whitelist: error
434	# rrl-whitelist: referral
435	# rrl-whitelist: any
436	# rrl-whitelist: rrsig
437	# rrl-whitelist: wildcard
438	# rrl-whitelist: nodata
439	# rrl-whitelist: dnskey
440	# rrl-whitelist: positive
441	# rrl-whitelist: all
442	# RRLend
443
444