1nsd.conf(5) nsd 4.1.24 nsd.conf(5)
2
6 nsd.conf - NSD configuration file
7
9 nsd.conf
10
12 Nsd.conf is used to configure nsd(8). The file format has attributes
13 and values. Some attributes have attributes inside them. The notation
14 is: attribute: value.
15 Comments start with # and last to the end of line. Empty lines are
17 ignored as is whitespace at the beginning of a line. Quotes can be
18 used, for names with spaces, eg. "file name.zone".
19 Nsd.conf specifies options for the nsd server, zone files, primaries
21 and secondaries.
22
24 An example of a short nsd.conf file is below.
25 # Example.com nsd.conf file
27 # This is a comment.
28 server:
30 server-count: 1 # use this number of cpu cores
31 database: "" # or use ""
32 zonelistfile: "/var/lib/nsd/zone.list"
33 username: nsd
34 logfile: "/var/log/nsd.log"
35 pidfile: "/var/run/nsd/nsd.pid"
36 xfrdfile: "/var/lib/nsd/ixfr.state"
37 zone:
39 name: example.com
40 zonefile: /etc/nsd/example.com.zone
41 zone:
43 # this server is master, 192.0.2.1 is the secondary.
44 name: masterzone.com
45 zonefile: /etc/nsd/masterzone.com.zone
46 notify: 192.0.2.1 NOKEY
47 provide-xfr: 192.0.2.1 NOKEY
48 zone:
50 # this server is secondary, 192.0.2.2 is master.
51 name: secondzone.com
52 zonefile: /etc/nsd/secondzone.com.zone
53 allow-notify: 192.0.2.2 NOKEY
54 request-xfr: 192.0.2.2 NOKEY
55 Then, use kill -HUP to reload changes from master zone files. And use
57 kill -TERM to stop the server.
58
60 There must be whitespace between keywords. Attribute keywords end with
61 a colon ':'. An attribute is followed by its containing attributes, or
62 a value.
63 At the top level only server: and key: and pattern: and zone: are
65 allowed. These are followed by their attributes or the start of a new
66 server: or key: or pattern: or zone: clause. The zone: attribute is
67 followed by zone options. The server: attribute is followed by global
68 options for the NSD server. A key: attribute is used to define keys for
69 authentication. The pattern: attribute is followed by the zone options
70 for zones that use the pattern.
71 Files can be included using the include: directive. It can appear any‐
73 where, and takes a single filename as an argument. Processing continues
74 as if the text from the included file was copied into the config file
75 at that point. If a chroot is used an absolute filename is needed
76 (with the chroot prepended), so that the include can be parsed before
77 and after application of the chroot (and the knowledge of what that
78 chroot is). You can use '*' to include a wildcard match of files, eg.
79 "foo/nsd.d/*.conf". Also '?', '{}', '[]', and '~' work, see glob(7).
80 If no files match the pattern, this is not an error.
81 Server Options
83 The global options (if not overridden from the NSD commandline) are
84 taken from the server: clause. There may only be one server: clause.
85 ip-address: <ip4 or ip6>[@port]
87 NSD will bind to the listed ip-address. Can be give multiple
88 times to bind multiple ip-addresses. Optionally, a port number
89 can be given. If none are given NSD listens to the wildcard
90 interface. Same as commandline option -a. For servers with mul‐
91 tiple IP addresses that can be used to send traffic to the
92 internet, list them one by one, or the source address of replies
93 could be wrong. This is because if the udp socket associates a
94 source address of 0.0.0.0 then the kernel picks an ip-address
95 with which to send to the internet, and it picks the wrong one.
96 Typically needed for anycast instances. Use ip-transparent to
97 be able to list addresses that turn on later (typical for cer‐
98 tain load-balancing).
99 interface: <ip4 or ip6>[@port]
101 Same as ip-address (for easy of compatibility with
102 unbound.conf).
103 ip-transparent: <yes or no>
105 Allows NSD to bind to non local addresses. This is useful to
106 have NSD listen to IP addresses that are not (yet) added to the
107 network interface, so that it can answer immediately when the
108 address is added. Default is no.
109 ip-freebind: <yes or no>
111 Set the IP_FREEBIND option to bind to nonlocal addresses and
112 interfaces that are down. Similar to ip-transparent. Default
113 is no.
114 reuseport: <yes or no>
116 Use the SO_REUSEPORT socket option, and create file descriptors
117 for every server in the server-count. This improves performance
118 of the network stack. Only really useful if you also configure
119 a server-count higher than 1 (such as, equal to the number of
120 cpus). The default is no. It works on Linux, but does not work
121 on FreeBSD, and likely does not work on other systems.
122 debug-mode: <yes or no>
124 Turns on debugging mode for nsd, does not fork a daemon process.
125 Default is no. Same as commandline option -d. If set to yes it
126 does not fork and stays in the foreground, which can be helpful
127 for commandline debugging, but is also used by certain server
128 supervisor processes to ascertain that the server is running.
129 use-systemd: <yes or no>
131 Enable or disable systemd readiness signalling. Default is no.
132 do-ip4: <yes or no>
134 If yes, NSD listens to IPv4 connections. Default yes.
135 do-ip6: <yes or no>
137 If yes, NSD listens to IPv6 connections. Default yes.
138 database: <filename>
140 By default '' is used. The specified file is used to store the
141 compiled zone information. Same as commandline option -f. If
142 set to "" then no database is used. This uses less memory but
143 zone updates are not (immediately) spooled to disk.
144 zonelistfile: <filename>
146 By default /var/lib/nsd/zone.list is used. The specified file is
147 used to store the dynamically added list of zones. The list is
148 written to by NSD to add and delete zones. It is a text file
149 with a zone-name and pattern-name on each line. This file is
150 used for the nsd-control addzone and delzone commands.
151 identity: <string>
153 Returns the specified identity when asked for CH TXT ID.SERVER.
154 Default is the name as returned by gethostname(3). Same as com‐
155 mandline option -i.
156 version: <string>
158 Returns the specified version string when asked for CH TXT ver‐
159 sion.server, and version.bind queries. Default is the compiled
160 package version. See hide-version to set the server to not
161 respond to such queries.
162 nsid: <string>
164 Add the specified nsid to the EDNS section of the answer when
165 queried with an NSID EDNS enabled packet. As a sequence of hex
166 characters or with ascii_ prefix and then an ascii string. Same
167 as commandline option -I.
168 logfile: <filename>
170 Log messages to the logfile. The default is to log to stderr and
171 syslog (with facility LOG_DAEMON). Same as commandline option
172 -l.
173 server-count: <number>
175 Start this many NSD servers. Default is 1. Same as commandline
176 option -N.
177 tcp-count: <number>
179 The maximum number of concurrent, active TCP connections by each
180 server. Default is 100. Same as commandline option -n.
181 tcp-query-count: <number>
183 The maximum number of queries served on a single TCP connection.
184 Default is 0, meaning there is no maximum.
185 tcp-timeout: <number>
187 Overrides the default TCP timeout. This also affects zone trans‐
188 fers over TCP.
189 tcp-mss: <number>
191 Maximum segment size (MSS) of TCP socket on which the server
192 responds to queries. Value lower than common MSS on Ethernet
193 (1220 for example) will address path MTU problem. Note that not
194 all platform supports socket option to set MSS (TCP_MAXSEG).
195 Default is system default MSS determined by interface MTU and
196 negotiation between server and client.
197 outgoing-tcp-mss: <number>
199 Maximum segment size (MSS) of TCP socket for outgoing XFR
200 request to other namesevers. Value lower than common MSS on Eth‐
201 ernet (1220 for example) will address path MTU problem. Note
202 that not all platform supports socket option to set MSS
203 (TCP_MAXSEG). Default is system default MSS determined by
204 interface MTU and negotiation between NSD and other servers.
205 ipv4-edns-size: <number>
207 Preferred EDNS buffer size for IPv4. Default 4096.
208 ipv6-edns-size: <number>
210 Preferred EDNS buffer size for IPv6. Default 4096.
211 pidfile: <filename>
213 Use the pid file instead of the platform specific default, usu‐
214 ally /var/run/nsd/nsd.pid. Same as commandline option -P.
215 port: <number>
217 Answer queries on the specified port. Default is 53. Same as
218 commandline option -p.
219 statistics: <number>
221 If not present no statistics are dumped. Statistics are produced
222 every number seconds. Same as commandline option -s.
223 chroot: <directory>
225 NSD will chroot on startup to the specified directory. Note that
226 if elsewhere in the configuration you specify an absolute path‐
227 name to a file inside the chroot, you have to prepend the chroot
228 path. That way, you can switch the chroot option on and off
229 without having to modify anything else in the configuration. Set
230 the value to "" (the empty string) to disable the chroot. By
231 default "" is used. Same as commandline option -t.
232 username: <username>
234 After binding the socket, drop user privileges and assume the
235 username. Can be username, id or id.gid. Same as commandline
236 option -u.
237 zonesdir: <directory>
239 Change the working directory to the specified directory before
240 accessing zone files. Also, NSD will access database, zonelist‐
241 file, logfile, pidfile, xfrdfile, xfrdir, server-key-file,
242 server-cert-file, control-key-file and control-cert-file rela‐
243 tive to this directory. Set the value to "" (the empty string)
244 to disable the change of working directory. By default
245 "/etc/nsd" is used.
246 difffile: <filename>
248 Ignored, for compatibility with NSD3 config files.
249 xfrdfile: <filename>
251 The soa timeout and zone transfer daemon in NSD will save its
252 state to this file. State is read back after a restart. The
253 state file can be deleted without too much harm, but timestamps
254 of zones will be gone. If it is configured as "", the state
255 file is not used, all slave zones are checked for updates upon
256 startup. For more details see the section on zone expiry behav‐
257 ior of NSD. Default is /var/lib/nsd/ixfr.state.
258 xfrdir: <directory>
260 The zone transfers are stored here before they are processed. A
261 directory is created here that is removed when NSD exits.
262 Default is /tmp.
263 xfrd-reload-timeout: <number>
265 If this value is -1, xfrd will not trigger a reload after a zone
266 transfer. If positive xfrd will trigger a reload after a zone
267 transfer, then it will wait for the number of seconds before it
268 will trigger a new reload. Setting this value throttles the
269 reloads to once per the number of seconds. The default is 1 sec‐
270 ond.
271 verbosity: <level>
273 This value specifies the verbosity level for (non-debug) log‐
274 ging. Default is 0. 1 gives more information about incoming
275 notifies and zone transfers. 2 lists soft warnings that are
276 encountered. 3 prints more information.
277 Verbosity 0 will print warnings and errors, and other events
279 that are important to keep NSD running.
280 Verbosity 1 prints additionally messages of interest. Success‐
282 ful notifies, successful incoming zone transfer (the zone is
283 updated), failed incoming zone transfers or the inability to
284 process zone updates.
285 Verbosity 2 prints additionally soft errors, like connection
287 resets over TCP. And notify refusal, and axfr request refusals.
288 hide-version: <yes or no>
290 Prevent NSD from replying with the version string on CHAOS class
291 queries. Default is no.
292 log-time-ascii: <yes or no>
294 Log time in ascii, if "no" then in seconds epoch. Default is
295 yes. This chooses the format when logging to file. The print‐
296 out via syslog has a timestamp formatted by syslog.
297 round-robin: <yes or no>
299 Enable round robin rotation of records in the answer. This
300 changes the order of records in the answer and this may balance
301 load across them. The default is no.
302 minimal-responses: <yes or no>
304 Enable minimal responses for smaller answers. This makes pack‐
305 ets smaller. Extra data is only added for referrals, when it is
306 really necessary. This is different from the --enable-minimal-
307 responses configure time option, that reduces packets, but
308 exactly to the fragmentation length, the nsd.conf option reduces
309 packets as small as possible. The default is no.
310 refuse-any: <yes or no>
312 Refuse queries of type ANY. This is useful to stop query floods
313 trying to get large responses. Note that rrl ratelimiting also
314 has type ANY as a ratelimiting type. It sends truncation in
315 response to UDP type ANY queries, and it allows TCP type ANY
316 queries like normal. The default is no.
317 zonefiles-check: <yes or no>
319 Make NSD check the mtime of zone files on start and sighup. If
320 you disable it it starts faster (less disk activity in case of a
321 lot of zones). The default is yes. The nsd-control reload com‐
322 mand reloads zone files regardless of this option.
323 zonefiles-write: <seconds>
325 Write changed secondary zones to their zonefile every N seconds.
326 If the zone (pattern) configuration has "" zonefile, it is not
327 written. Zones that have received zone transfer updates are
328 written to their zonefile. Default is 0 (disabled) when there
329 is a database, and 3600 (1 hour) when database is "". The data‐
330 base also commits zone transfer contents. You can configure it
331 away from the default by putting the config statement for zone‐
332 files-write: after the database: statement in the config file.
333 rrl-size: <numbuckets>
335 This option gives the size of the hashtable. Default 1000000.
336 More buckets use more memory, and reduce the chance of hash col‐
337 lisions.
338 rrl-ratelimit: <qps>
340 The max qps allowed (from one query source). Default is on (with
341 a suggested 200 qps). If set to 0 then it is disabled (unlimited
342 rate), also set the whitelist-ratelimit to 0 to disable rate‐
343 limit processing. If you set verbosity to 2 the blocked and
344 unblocked subnets are logged. Blocked queries are blocked and
345 some receive TCP fallback replies. Once the rate limit is
346 reached, NSD begins dropping responses. However, one in every
347 "rrl-slip" number of responses is allowed, with the TC bit set.
348 If slip is set to 2, the outgoing response rate will be halved.
349 If it's set to 3, the outgoing response rate will be one-third,
350 and so on. If you set rrl-slip to 10, traffic is reduced to
351 1/10th. Ratelimit options rrl-ratelimit, rrl-size and
352 rrl-whitelist-ratelimit are updated when nsd-control reconfig is
353 done (also the zone-specific ratelimit options are updated).
354 rrl-slip: <numpackets>
356 This option controls the number of packets discarded before we
357 send back a SLIP response (a response with "truncated" bit set
358 to one). 0 disables the sending of SLIP packets, 1 means every
359 query will get a SLIP response. Default is 2, cuts traffic in
360 half and legit users have a fair chance to get a +TC response.
361 rrl-ipv4-prefix-length: <subnet>
363 IPv4 prefix length. Addresses are grouped by netblock. Default
364 24.
365 rrl-ipv6-prefix-length: <subnet>
367 IPv6 prefix length. Addresses are grouped by netblock. Default
368 64.
369 rrl-whitelist-ratelimit: <qps>
371 The max qps for query sorts for a source, which have been
372 whitelisted. Default on (with a suggested 2000 qps). With the
373 rrl-whitelist option you can set specific queries to receive
374 this qps limit instead of the normal limit. With the value 0
375 the rate is unlimited.
376 Remote Control
378 The remote-control: clause is used to set options for using the
379 nsd-control(8) tool to give commands to the running NSD server. It is
380 disabled by default, and listens for localhost by default. It uses TLS
381 over TCP where the server and client authenticate to each other with
382 self-signed certificates. The self-signed certificates can be gener‐
383 ated with the nsd-control-setup tool. The key files are read by NSD
384 before the chroot and before dropping user permissions, so they can be
385 outside the chroot and readable by the superuser only.
386 control-enable: <yes or no>
388 Enable remote control, default is no.
389 control-interface: <ip4 or ip6>
391 NSD will bind to the listed addresses to service control
392 requests (on TCP). Can be given multiple times to bind multiple
393 ip-addresses. Use 0.0.0.0 and ::0 to service the wildcard
394 interface. If none are given NSD listens to the localhost
395 127.0.0.1 and ::1 interfaces for control, if control is enabled
396 with control-enable.
397 With an absolute path, a unix local named pipe is used for con‐
399 trol. The file is created with user and group that is config‐
400 ured and access bits are set to allow members of the group
401 access. Further access can be controlled by setting permissions
402 on the directory containing the control socket file. The key
403 and cert files are not used when control is via the named pipe,
404 because access control is via file and directory permission.
405 control-port: <number>
407 The port number for remote control service. 8952 by default.
408 server-key-file: <filename>
410 Path to the server private key, by default
411 /etc/nsd/nsd_server.key. This file is generated by the nsd-con‐
412 trol-setup utility. This file is used by the nsd server, but
413 not by nsd-control.
414 server-cert-file: <filename>
416 Path to the server self signed certificate, by default
417 /etc/nsd/nsd_server.pem. This file is generated by the nsd-con‐
418 trol-setup utility. This file is used by the nsd server, and
419 also by nsd-control.
420 control-key-file: <filename>
422 Path to the control client private key, by default
423 /etc/nsd/nsd_control.key. This file is generated by the
424 nsd-control-setup utility. This file is used by nsd-control.
425 control-cert-file: <filename>
427 Path to the control client certificate, by default
428 /etc/nsd/nsd_control.pem. This certificate has to be signed
429 with the server certificate. This file is generated by the
430 nsd-control-setup utility. This file is used by nsd-control.
431 Pattern Options
433 The pattern: clause is used to denote a set of options to apply to some
434 zones. The same zone options as for a zone are allowed.
435 name: <string>
437 The name of the pattern. This is a (case sensitive) string.
438 The pattern names that start with "_implicit_" are used inter‐
439 nally for zones that have no pattern (they are defined in
440 nsd.conf directly).
441 include-pattern: <pattern-name>
443 The options from the given pattern are included at this point in
444 this pattern. The referenced pattern must be defined above this
445 one.
446 <zone option>: <value>
448 The zone options such as zonefile, allow-notify, request-xfr,
449 allow-axfr-fallback, notify, notify-retry, provide-xfr, zones‐
450 tats, and outgoing-interface can be given. They are applied to
451 the patterns and zones that include this pattern.
452 Zone Options
454 For every zone the options need to be specified in one zone: clause.
455 The access control list elements can be given multiple times to add
456 multiple servers. These elements need to be added explicitly.
457 For zones that are configured in the nsd.conf config file their set‐
459 tings are hardcoded (in an implicit pattern for themselves only) and
460 they cannot be deleted via delzone, but remove them from the config
461 file and repattern.
462 name: <string>
464 The name of the zone. This is the domain name of the apex of the
465 zone. May end with a '.' (in FQDN notation). For example "exam‐
466 ple.com", "sub.example.net.". This attribute must be present in
467 each zone.
468 zonefile: <filename>
470 The file containing the zone information. If this attribute is
471 present it is used to read and write the zone contents. If the
472 attribute is absent it prevents writing out of the zone.
473 The string is processed so that one string can be used (in a
475 pattern) for a lot of different zones. If the label or charac‐
476 ter does not exist the percent-character is replaced with a
477 period for output (i.e. for the third character in a two letter
478 domain name).
479 %s is replaced with the zone name.
481 %1 is replaced with the first character of the zone name.
483 %2 is replaced with the second character of the zone name.
485 %3 is replaced with the third character of the zone name.
487 %z is replaced with the toplevel domain name of the zone.
489 %y is replaced with the next label under the toplevel domain.
491 %x is replaced with the next-next label under the toplevel
493 domain.
494 allow-notify: <ip-spec> <key-name | NOKEY | BLOCKED>
496 Access control list. The listed (primary) address is allowed to
497 send notifies to this (secondary) server. Notifies from unlisted
498 or specifically BLOCKED addresses are discarded. If NOKEY is
499 given no TSIG signature is required. BLOCKED supersedes other
500 entries, other entries are scanned for a match in the order of
501 the statements.
502 The ip-spec is either a plain IP address (IPv4 or IPv6), or can
504 be a subnet of the form 1.2.3.4/24, or masked like
505 1.2.3.4&255.255.255.0 or a range of the form 1.2.3.4-1.2.3.25.
506 A port number can be added using a suffix of @number, for exam‐
507 ple 1.2.3.4@5300 or 1.2.3.4/24@5300 for port 5300. Note the
508 ip-spec ranges do not use spaces around the /, &, @ and - sym‐
509 bols.
510 request-xfr: [AXFR|UDP] <ip-address> <key-name | NOKEY>
512 Access control list. The listed address (the master) is queried
513 for AXFR/IXFR on update. A port number can be added using a suf‐
514 fix of @number, for example 1.2.3.4@5300. The specified key is
515 used during AXFR/IXFR.
516 If the AXFR option is given, the server will not be contacted
518 with IXFR queries but only AXFR requests will be made to the
519 server. This allows an NSD secondary to have a master server
520 that runs NSD. If the AXFR option is left out then both IXFR and
521 AXFR requests are made to the master server.
522 If the UDP option is given, the secondary will use UDP to trans‐
524 mit the IXFR requests. You should deploy TSIG when allowing UDP
525 transport, to authenticate notifies and zone transfers. Other‐
526 wise, NSD is more vulnerable for Kaminsky-style attacks. If the
527 UDP option is left out then IXFR will be transmitted using TCP.
528 allow-axfr-fallback: <yes or no>
530 This option should be accompanied by request-xfr. It (dis)allows
531 NSD (as secondary) to fallback to AXFR if the primary name
532 server does not support IXFR. Default is yes.
533 size-limit-xfr: <number>
535 This option should be accompanied by request-xfr. It specifies
536 XFR temporary file size limit. It can be used to stop very
537 large zone retrieval, that could otherwise use up a lot of mem‐
538 ory and disk space. If this option is 0, unlimited. Default
539 value is 0.
540 notify: <ip-address> <key-name | NOKEY>
542 Access control list. The listed address (a secondary) is noti‐
543 fied of updates to this zone. A port number can be added using a
544 suffix of @number, for example 1.2.3.4@5300. The specified key
545 is used to sign the notify. Only on secondary configurations
546 will NSD be able to detect zone updates (as it gets notified
547 itself, or refreshes after a time).
548 notify-retry: <number>
550 This option should be accompanied by notify. It sets the number
551 of retries when sending notifies.
552 provide-xfr: <ip-spec> <key-name | NOKEY | BLOCKED>
554 Access control list. The listed address (a secondary) is allowed
555 to request AXFR from this server. Zone data will be provided to
556 the address. The specified key is used during AXFR. For unlisted
557 or BLOCKED addresses no data is provided, requests are dis‐
558 carded. BLOCKED supersedes other entries, other entries are
559 scanned for a match in the order of the statements. NSD pro‐
560 vides AXFR for its secondaries, but IXFR is not implemented
561 (IXFR is implemented for request-xfr, but not for provide-xfr).
562 The ip-spec is either a plain IP address (IPv4 or IPv6), or can
564 be a subnet of the form 1.2.3.4/24, or masked like
565 1.2.3.4&255.255.255.0 or a range of the form 1.2.3.4-1.2.3.25.
566 A port number can be added using a suffix of @number, for exam‐
567 ple 1.2.3.4@5300 or 1.2.3.4/24@5300 for port 5300. Note the
568 ip-spec ranges do not use spaces around the /, &, @ and - sym‐
569 bols.
570 outgoing-interface: <ip-address>
572 Access control list. The listed address is used to request
573 AXFR|IXFR (in case of a secondary) or used to send notifies (in
574 case of a primary).
575 The ip-address is a plain IP address (IPv4 or IPv6). A port
577 number can be added using a suffix of @number, for example
578 1.2.3.4@5300.
579 max-refresh-time: <seconds>
581 Limit refresh time for secondary zones. This is the timer which
582 checks to see if the zone has to be refetched when it expires.
583 Normally the value from the SOA record is used, but this option
584 restricts that value.
585 min-refresh-time: <seconds>
587 Limit refresh time for secondary zones.
588 max-retry-time: <seconds>
590 Limit retry time for secondary zones. This is the timeout after
591 a failed fetch attempt for the zone. Normally the value from
592 the SOA record is used, but this option restricts that value.
593 min-retry-time: <seconds>
595 Limit retry time for secondary zones.
596 zonestats: <name>
598 When compiled with --enable-zone-stats NSD can collect statis‐
599 tics per zone. This name gives the group where statistics are
600 added to. The groups are output from nsd-control stats and
601 stats_noreset. Default is "". You can use "%s" to use the name
602 of the zone to track its statistics. If not compiled in, the
603 option can be given but is ignored.
604 include-pattern: <pattern-name>
606 The options from the given pattern are included at this point.
607 The referenced pattern must be defined above this zone.
608 rrl-whitelist: <rrltype>
610 This option causes queries of this rrltype to be whitelisted,
611 for this zone. They receive the whitelist-ratelimit. You can
612 give multiple lines, each enables a new rrltype to be
613 whitelisted for the zone. Default has none whitelisted. The rrl‐
614 type is the query classification that the NSD RRL employs to
615 make different types not interfere with one another. The types
616 are logged in the loglines when a subnet is blocked (in ver‐
617 bosity 2). The RRL classification types are: nxdomain, error,
618 referral, any, rrsig, wildcard, nodata, dnskey, positive, all.
619 multi-master-check: <yes or no>
621 Default no. If enabled, checks all masters for the last ver‐
622 sion. It uses the higher version of all the configured masters.
623 Useful if you have multiple masters that have different version
624 numbers served.
625 Key Declarations
627 The key: clause establishes a key for use in access control lists. It
628 has the following attributes.
629 name: <string>
631 The key name. Used to refer to this key in the access control
632 list. The key name has to be correct for tsig to work. This is
633 because the key name is output on the wire.
634 algorithm: <string>
636 Authentication algorithm for this key. Such as hmac-md5,
637 hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384 and
638 hmac-sha512. Can also be abbreviated as 'sha1', 'sha256'.
639 Default is sha256. Algorithms are only available when they were
640 compiled in (available in the crypto library).
641 secret: <base64 blob>
643 The base64 encoded shared secret. It is possible to put the
644 secret: declaration (and base64 blob) into a different file, and
645 then to include: that file. In this way the key secret and the
646 rest of the configuration file, which may have different secu‐
647 rity policies, can be split apart. The content of the secret is
648 the agreed base64 secret content. To make it up, enter a pass‐
649 word (its length must be a multiple of 4 characters, A-Za-z0-9),
650 or use dev-random output through a base64 encode filter.
651
653 BIND9 is a name server implementation with its own configuration file
654 format, named.conf(5). BIND9 types zones as 'Master' or 'Slave'.
655 Slave zones
657 For a slave zone, the master servers are listed. The master servers are
658 queried for zone data, and are listened to for update notifications.
659 In NSD these two properties need to be configured separately, by list‐
660 ing the master address in allow-notify and request-xfr statements.
661 In BIND9 you only need to provide allow-notify elements for any extra
663 sources of notifications (i.e. the operators), NSD needs to have
664 allow-notify for both masters and operators. BIND9 allows additional
665 transfer sources, in NSD you list those as request-xfr.
666 Here is an example of a slave zone in BIND9 syntax.
668 # Config file for example.org options {
670 dnssec-enable yes;
671 };
672 key tsig.example.org. {
674 algorithm hmac-md5;
675 secret "aaaaaabbbbbbccccccdddddd";
676 };
677 server 162.0.4.49 {
679 keys { tsig.example.org. ; };
680 };
681 zone "example.org" {
683 type slave;
684 file "secondary/example.org.signed";
685 masters { 162.0.4.49; };
686 };
687 For NSD, DNSSEC is enabled automatically for zones that are signed. The
689 dnssec-enable statement in the options clause is not needed. In NSD
690 keys are associated with an IP address in the access control list
691 statement, therefore the server{} statement is not needed. Below is the
692 same example in an NSD config file.
693 # Config file for example.org
695 key:
696 name: tsig.example.org.
697 algorithm: hmac-md5
698 secret: "aaaaaabbbbbbccccccdddddd"
699 zone:
701 name: "example.org"
702 zonefile: "secondary/example.org.signed"
703 # the master is allowed to notify and will provide zone data.
704 allow-notify: 162.0.4.49 NOKEY
705 request-xfr: 162.0.4.49 tsig.example.org.
706 Notice that the master is listed twice, once to allow it to send noti‐
708 fies to this slave server and once to tell the slave server where to
709 look for updates zone data. More allow-notify and request-xfr lines can
710 be added to specify more masters.
711 It is possible to specify extra allow-notify lines for addresses that
713 are also allowed to send notifications to this slave server.
714 Master zones
716 For a master zone in BIND9, the slave servers are listed. These slave
717 servers are sent notifications of updated and are allowed to request
718 transfer of the zone data. In NSD these two properties need to be con‐
719 figured separately.
720 Here is an example of a master zone in BIND9 syntax.
722 zone "example.nl" {
724 type master;
725 file "example.nl";
726 };
727 In NSD syntax this becomes:
729 zone:
731 name: "example.nl"
732 zonefile: "example.nl"
733 # allow anybody to request xfr.
734 provide-xfr: 0.0.0.0/0 NOKEY
735 provide-xfr: ::0/0 NOKEY
736 # to list a slave server you would in general give
738 # provide-xfr: 1.2.3.4 tsig-key.name.
739 # notify: 1.2.3.4 NOKEY
740 Other
742 NSD is an authoritative only DNS server. This means that it is meant as
743 a primary or secondary server for zones, providing DNS data to DNS
744 resolvers and caches. BIND9 can function as an authoritative DNS
745 server, the configuration options for that are compared with those for
746 NSD in this section. However, BIND9 can also function as a resolver or
747 cache. The configuration options that BIND9 has for the resolver or
748 caching thus have no equivalents for NSD.
749
751 "" default NSD database
752 /etc/nsd/nsd.conf
754 default NSD configuration file
755
757 nsd(8), nsd-checkconf(8), nsd-control(8)
758
760 NSD was written by NLnet Labs and RIPE NCC joint team. Please see CRED‐
761 ITS file in the distribution for further details.
762
764 nsd.conf is parsed by a primitive parser, error messages may not be to
765 the point.
766NLnet Labs Aug 13, 2018 nsd.conf(5)