knot.conf(1) - Configuration file manual for the Knot DNS server.

SYNOPSIS

knot.conf

DESCRIPTION

knot.conf is the configuration file read by knotc and knotd; this page gives an overview of all its options.

EXAMPLE

#
# There are 8 main sections of this config file:
#   system, interfaces, keys, remotes, groups, zones, control and log
#
# This is a comment.
# Section 'system' contains general options for the server
system {
  # Identity of the server (see RFC 4892).
  # Used to answer CH TXT queries for 'id.server' or 'hostname.bind'.
  # Use the string format "text",
  # or on|off. When 'on', the FQDN hostname is used as the default.
  identity off;
  # Version of the server (see RFC 4892).
  # Used to answer CH TXT queries for 'version.server' or 'version.bind'.
  # Use the string format "text",
  # or on|off. When 'on', the current server version is used as the default.
  version off;
  # Server identifier
  # Use string format "text"
  # Or hexstring 0x01ab00
  # Or on|off. When 'on', FQDN hostname will be used as default.
  nsid off;
  # Directory for storing run-time data
  # e.g. PID file and control sockets
  # default: ${localstatedir}/run/knot, configured with --with-rundir
  rundir "/var/run/knot";
  # Number of workers per interface
  # This option is used to force number of threads used per interface
  # Default: unset (auto-estimates optimal value from the number of online CPUs)
  # workers 3;
  # Number of background workers
  # This option is used to set number of threads used to execute background
  # operations (e.g., zone loading, zone signing, XFR zone updates, ...)
  # Default: unset (auto-estimates optimal value from the number of online CPUs)
  # background-workers 4;
  # Start the server asynchronously
  # When asynchronous startup is enabled, the server does not wait for the zones
  # to be loaded and starts responding immediately, giving lame answers until
  # each zone is loaded. This may be useful in some scenarios, but it is disabled
  # by default.
  # Default: disabled (wait for zones to be loaded before answering)
  asynchronous-start off;
  # User for running server
  # May also specify user.group (e.g. knot.users)
  # user knot.users;
  # Maximum idle time between requests on a TCP connection
  # It is also possible to suffix with unit size [s/m/h/d]
  # f.e. 1s = 1 second, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
  # Default: 60s
  max-conn-idle 60s;
  # Maximum time between newly accepted TCP connection and first query
  # This is useful to disconnect inactive connections faster
  # It is also possible to suffix with unit size [s/m/h/d]
  # f.e. 1s = 1 second, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
  # Default: 10s
  max-conn-handshake 10s;
  # Maximum time to wait for a reply to SOA query
  # It is also possible to suffix with unit size [s/m/h/d]
  # f.e. 1s = 1 second, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
  # Default: 10s
  max-conn-reply 10s;
  # Number of parallel transfers
  # This number also includes pending SOA queries.
  # The minimum value is the number of CPUs.
  # Default: 10
  transfers 10;
  # Rate limit
  # in queries / second
  # Default: off (=0)
  rate-limit 0;
  # Rate limit bucket size
  # Number of hashtable buckets; the default is a reasonable value.
  # A reasonably large prime number was chosen because it is used as the
  # hashtable size, and a prime is recommended for better distribution.
  # Rule of thumb: set it to about 1.2 * (maximum_qps).
  # Memory cost is approx. 32 B per bucket.
  # Default: 393241
  rate-limit-size 393241;
  # Rate limit SLIP
  # Every Nth blocked response is sent as truncated, which gives legitimate
  # clients a chance to retry the query over TCP.
  # Default: 1
  rate-limit-slip 1;
  # Maximum EDNS0 UDP payload size
  # Default value: 4096
  max-udp-payload 4096;
}
# Includes can be placed anywhere, at any level, in the configuration file. The
# file name can be relative to the current file or absolute.
#
# This include pulls in the keys that are shown commented out in the next section.
include "knot.keys.conf";
# Section 'keys' contains list of TSIG keys
#keys {
#
#  # TSIG key
#  #
#  # format: name key-type "<key>";
#  # where key-type may be one of the following:
#  #   hmac-md5
#  #   hmac-sha1
#  #   hmac-sha224
#  #   hmac-sha256
#  #   hmac-sha384
#  #   hmac-sha512
#  # and <key> is the shared secret key
#  key0.server0 hmac-md5 "Wg==";
#
#  # TSIG key for zone
#  key0.example.com hmac-md5 "==gW";
#}
# Section 'interfaces' contains definitions of listening interfaces.
interfaces {
  # Interface entry
  #
  # Format 1: <name> { address <address>; [port <port>;] }
  ipv4 {                # <name> is an arbitrary symbolic name
    address 127.0.0.1;  # <address> may be either an IPv4 or an IPv6 address
    port 53531;         # port is required for XFR/IN and NOTIFY/OUT
  }
  # Format 2: <name> { address <address>@<port>; }
  # shortipv4 {
  #   address 127.0.0.1@53532;
  #}
  # Format 1 (IPv6 interface)
  # ipv6 {
  #   address ::1@53533;
  # }
  # Format 2 (IPv6 interface)
  # ipv6b {
  #   address [::1]@53534;
  # }
}
# Section 'remotes' contains symbolic names for remote servers.
# Syntax for 'remotes' is the same as for 'interfaces'.
remotes {
  # Remote entry
  #
  # Format 1: <name> { address <address>; [port <port>;] }
  server0 {             # <name> is an arbitrary symbolic name
    address 127.0.0.1;  # <address> may be either an IPv4 or an IPv6 address
    port 53531;         # port is optional (default: 53)
    key key0.server0;   # (optional) specification of TSIG key associated for this remote
    via ipv4;           # (optional) source interface for queries
    via 82.35.64.59;    # (optional) source interface for queries, direct IPv4
    via [::cafe];       # (optional) source interface for queries, direct IPv6
  }
  # Format 2: <name> { address <address>@<port>; }
  server1 {
    address 127.0.0.1@53001;
  }
  admin-alice {
    address 192.168.100.1;
  }
  admin-bob {
    address 192.168.100.2;
  }
}
groups {
  admins { admin-alice, admin-bob }
}
# Section 'control' specifies on which interface to listen for RC commands
control {
  # Default: $(run_dir)/knot.sock
  listen-on "knot.sock";
  # As an alternative, you can use an IPv4/v6 address and port
  # Same syntax as for 'interfaces' items
  # listen-on { address 127.0.0.1@5533; }
  # Specifies the ACL list for remote control
  # Same syntax as for ACLs in zones
  # List of remotes or groups delimited by comma
  # Notice: ACLs have no effect when the control interface is a UNIX socket
  # allow server0, admins;
}
# Section 'zones' contains information about zones to be served.
zones {
  # Shared options for all listed zones
  #
  # This is a default directory to place slave zone files, journals etc.
  # default: ${localstatedir}/lib/knot, configured with --with-storage
  storage "/var/lib/knot";
  # Build differences from zone file changes. EXPERIMENTAL feature.
  # Possible values: on|off
  # Default value: off
  ixfr-from-differences off;
  # Enable semantic checks for all zones (if 'on')
  # Possible values: on|off
  # Default value: off
  semantic-checks off;
  # Disable ANY type queries for authoritative answers (if 'on')
  # Possible values: on|off
  # Default value: off
  disable-any off;
  # NOTIFY response timeout
  # Possible values: <1,...> (seconds)
  # Default value: 60
  notify-timeout 60;
  # Number of retries for NOTIFY
  # Possible values: <1,...>
  # Default value: 5
  notify-retries 5;
  # Timeout for syncing changes from zone database to zonefile
  # Possible values: <1..INT_MAX> (seconds)
  # Default value: 0s - immediate sync
  # It is also possible to suffix with unit size [s/m/h/d]
  # e.g. 1s = 1 second, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
  # Warning: If serving a large zone, set this to a larger value
  #          to keep disk load down.
  zonefile-sync 1h;
  # File size limit for IXFR journal
  # Possible values: <1..INT_MAX>
  # Default value: N/A (infinite)
  # It is also possible to suffix with unit size [k/M/G]
  # f.e. 1k, 100M, 2G
  ixfr-fslimit 1G;
  # Enable DNSSEC online signing (EXPERIMENTAL)
  # Possible values: on | off;
  # Default value: off
  # dnssec-enable off;
  # Location of DNSSEC signing keys (relative to storage dir).
  # Default value: not set
  # dnssec-keydir "keys";
  # Validity period for DNSSEC signatures
  # Possible values: <10801..INT_MAX> (seconds)
  # Default value: 30d (30 days or 2592000 seconds)
  # It is also possible to suffix with unit size [s/m/h/d]
  # e.g. 1s = 1 second, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
  # The signatures are refreshed one tenth of the signature lifetime before
  # the signature expires (i.e., 3 days before expiry by default).
  # signature-lifetime 30d;
  # Serial policy after DDNS and automatic DNSSEC signing.
  # Possible values: increment | unixtime
  # Default value: increment
  # serial-policy increment;
  # Query modules are dynamically loaded modules that can alter query plan processing.
  # Configuration is always module-specific, but is passed as a simple string here.
  # Query modules listed here are effective for all queries (even those without an assigned zone).
  query_module {
    module_name "configuration string";
  }
  # Zone entry
  #
  # Format: <zone-name> { file "<path-to-zone-file>"; }
  example.com {  # <zone-name> is the DNS name of the zone (zone root)
    # Zone specific storage directory (relative to storage in zones section).
    # default: inherited from zones section
    storage "example.com";
    # <path-to-zone-file> may be either absolute or relative, in which case
    #   it is considered relative to the current directory from which the server
    #   was started.
    file "samples/example.com.zone";
    # Build differences from zone file changes
    # Possible values: on|off
    # Default value: off
    ixfr-from-differences off;
    # Disable ANY type queries for authoritative answers (if 'on')
    # Possible values: on|off
    # Default value: off
    disable-any off;
    # Enable zone semantic checks
    # Possible values: on|off
    # Default value: off
    semantic-checks on;
    # NOTIFY response timeout (specific for current zone)
    # Possible values: <1,...> (seconds)
    # Default value: 60
    notify-timeout 60;
    # Number of retries for NOTIFY (specific for current zone)
    # Possible values: <1,...>
    # Default value: 5
    notify-retries 5;
    # Timeout for syncing changes from zone database to zonefile
    # Possible values: <1..INT_MAX> (seconds)
    # Default value: inherited from zones.zonefile-sync
    # It is also possible to suffix with unit size [s/m/h/d]
    # f.e. 1s = 1 second, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
    zonefile-sync 1h;
    # File size limit for IXFR journal
    # Possible values: <1..INT_MAX>
    # Default value: N/A (infinite)
    # It is also possible to suffix with unit size [k/M/G]
    # f.e. 1k, 100M, 2G
    ixfr-fslimit 1G;
    # Location of DNSSEC signing keys (relative to storage directory in zone).
    # Default value: inherited from zones section
    dnssec-keydir "keys";
    # Enable DNSSEC online signing (EXPERIMENTAL)
    # Possible values: on | off;
    # Default value: inherited from zones section
    dnssec-enable off;
    # Validity period for DNSSEC signatures
    # Possible values: <10801..INT_MAX> (seconds)
    # Default value: 30d (30 days or 2592000 seconds)
    # It is also possible to suffix with unit size [s/m/h/d]
    # e.g. 1s = 1 second, 1m = 1 minute, 1h = 1 hour, 1d = 1 day
    # The lower limit exists because the server triggers re-signing when any
    # signature expires in 7200 seconds or less; the limit was chosen as a
    # reasonable value with regard to signing overhead.
    # signature-lifetime 30d;
    # Serial policy after DDNS and automatic DNSSEC signing.
    # Possible values: increment | unixtime
    # Default value: increment
    # serial-policy increment;
    # XFR master server
    xfr-in server0;
    # ACL list of XFR slaves
    xfr-out server0, server1;
    # ACL list of servers allowed to send NOTIFY queries
    notify-in server0;
    # List of servers to send NOTIFY to
    notify-out server0, server1;
    # List of servers to allow UPDATE queries
    update-in server0, admins;
    # Query modules are dynamically loaded modules that can alter query plan processing.
    # Configuration is always module-specific, but is passed as a simple string here.
    query_module {
        module_one "configuration string";
        module_two "specific configuration string";
    }
  }
}
# Section 'log' configures logging of server messages.
#
# Logging recognizes 3 symbolic names of log devices:
#   stdout    - Standard output
#   stderr    - Standard error output
#   syslog    - Syslog
#
# In addition, arbitrary number of log files may be specified (see below).
#
# Log messages are characterized by severity and category.
# Supported severities:
#   debug     - Debug messages and below. Must be turned on at compile time.
#   info      - Informational messages and below.
#   notice    - Notices and hints and below.
#   warning   - Warnings and below. An action from the operator may be required.
#   error     - Recoverable error and below. Some action should be taken.
#   critical  - Non-recoverable errors resulting in server shutdown.
#               (Not supported yet.)
#
# Categories designate the source of the log message and roughly correspond
#   to server modules.
# Supported categories:
#   server    - Messages related to general operation of the server.
#   zone      - Messages related to zones, zone parsing and loading.
#   any       - All categories
#
# Default settings (in case there are no entries in 'log' section or the section
# is missing at all):
#
# stderr { any error; }
# syslog { any error; }
log {
  # Format 1:
  # <log> {
  #   <category1> <severity1>;
  #   <category2> <severity2>;
  #   ...
  # }
  syslog {
    # Log any error or critical to syslog
    any error;
    # Log all (excluding debug) from server to syslog
    server info;
  }
  # Log any warning, error or critical to stderr
  stderr {
    any warning;
  }
  # Format 2:
  # file <path> { # <path> is absolute or relative path to log file
  #   <category1> <severity1>;
  #   <category2> <severity2>;
  # }
  file "/tmp/knot-sample/knotd.debug" {
    server debug;
  }
}