KNOT.CONF(5) Knot DNS KNOT.CONF(5)

NAME
knot.conf - Knot DNS configuration file

DESCRIPTION
Configuration files for Knot DNS use a simplified YAML format. Simplified
means that not all of the YAML features are supported.

For the description of configuration items, we have to declare the meaning
of the following symbols:

· INT – Integer

· STR – Textual string

· HEXSTR – Hexadecimal string (with 0x prefix)

· BOOL – Boolean value (on/off or true/false)

· TIME – Number of seconds, an integer with an optional time multiplier
suffix (s ~ 1, m ~ 60, h ~ 3600 or d ~ 24 * 3600)

· SIZE – Number of bytes, an integer with an optional size multiplier
suffix (B ~ 1, K ~ 1024, M ~ 1024^2 or G ~ 1024^3)

· BASE64 – Base64 encoded string

· ADDR – IPv4 or IPv6 address

· DNAME – Domain name

· ... – Multi-valued item, order of the values is preserved

· [ ] – Optional value

· | – Choice

The configuration consists of several fixed sections and optional module
sections. There are 14 fixed sections (module, server, key, acl,
control, statistics, database, keystore, submission, policy, remote,
template, zone, log). Module sections are prefixed with the mod- prefix
(e.g. mod-stats).

Most of the sections (e.g. zone) are sequences of settings blocks. Each
settings block begins with a unique identifier, which can be used as a
reference from other sections (such an identifier must be defined in
advance).

A multi-valued item can be specified either as a YAML sequence:

address: [10.0.0.1, 10.0.0.2]

or as several single-valued items, each on its own line:

address: 10.0.0.1
address: 10.0.0.2

If an item value contains spaces or other special characters, it is
necessary to enclose such a value within double quotes " ".

Comments
A comment begins with a # character and is ignored during processing.
Also, each configuration section or sequence block allows a permanent
comment using the comment item, which is stored in the server beside the
configuration.

Includes
Another configuration file or files, matching a pattern, can be
included at the top level in the current file. If the path is not absolute,
then it is considered to be relative to the current file. The
pattern can be an arbitrary string meeting POSIX glob requirements,
e.g. dir/*.conf. Matching files are processed in sorted order.

include: STR

Module section
Dynamic modules loading configuration.

NOTE:
If configured with a non-empty `--with-moduledir=path` parameter, all
shared modules in this directory will be automatically loaded.

module:
  - id: STR
    file: STR

id
A module identifier in the form of the mod- prefix and module name suffix.

file
A path to a shared library file with the module implementation.

WARNING:
If the path is not absolute, the library is searched for in the set of
system directories. See man dlopen for more details.

Default: ${libdir}/knot/modules-${version}/module_name.so (or
${path}/module_name.so if configured with --with-moduledir=path)
Server section
General options related to the server.

server:
  identity: [STR]
  version: [STR]
  nsid: [STR|HEXSTR]
  rundir: STR
  user: STR[:STR]
  pidfile: STR
  udp-workers: INT
  tcp-workers: INT
  background-workers: INT
  async-start: BOOL
  tcp-idle-timeout: TIME
  tcp-io-timeout: INT
  tcp-remote-io-timeout: INT
  tcp-max-clients: INT
  tcp-reuseport: BOOL
  udp-max-payload: SIZE
  udp-max-payload-ipv4: SIZE
  udp-max-payload-ipv6: SIZE
  edns-client-subnet: BOOL
  answer-rotation: BOOL
  listen: ADDR[@INT] ...

CAUTION:
When you change configuration parameters dynamically or via a configuration
file reload, some parameters in the server section require a restart of
the Knot server for the change to take effect. See below for the details.

identity
An identity of the server returned in the response to the query for the TXT
record id.server. or hostname.bind. in the CHAOS class (RFC 4892). Set
to an empty value to disable.

Default: FQDN hostname

version
A version of the server software returned in the response to the query
for the TXT record version.server. or version.bind. in the CHAOS class (RFC
4892). Set to an empty value to disable.

Default: server version

nsid
A DNS name server identifier (RFC 5001). Set to an empty value to disable.

Default: FQDN hostname

rundir
A path for storing run-time data (PID file, unix sockets, etc.).

Depending on the usage of this parameter, its change may require a
restart of the Knot server to take effect.

Default: ${localstatedir}/run/knot (configured with --with-rundir=path)

user
A system user with an optional system group (user:group) under which
the server is run after starting and binding to interfaces. Linux
capabilities are employed if supported.

A change of this parameter requires a restart of the Knot server to take
effect.

Default: root:root

pidfile
A PID file location.

A change of this parameter requires a restart of the Knot server to take
effect.

Default: rundir/knot.pid

udp-workers
A number of UDP workers (threads) used to process incoming queries over
UDP.

A change of this parameter requires a restart of the Knot server to take
effect.

Default: equal to the number of online CPUs

tcp-workers
A number of TCP workers (threads) used to process incoming queries over
TCP.

A change of this parameter requires a restart of the Knot server to take
effect.

Default: equal to the number of online CPUs, but at least 10

background-workers
A number of workers (threads) used to execute background operations
(zone loading, zone updates, etc.).

A change of this parameter requires a restart of the Knot server to take
effect.

Default: equal to the number of online CPUs, but at most 10

async-start
If enabled, the server doesn't wait for the zones to be loaded and starts
responding immediately with SERVFAIL answers until the zones are loaded.

Default: off

tcp-idle-timeout
Maximum idle time (in seconds) between requests on an inbound TCP
connection. If there is no activity on an inbound TCP connection
during this limit, the connection is closed by the server.

Minimum: 1 s

Default: 10 s

tcp-io-timeout
Maximum time (in milliseconds) to receive or send one DNS message over
an inbound TCP connection. This limit applies to normal DNS
queries and replies, incoming DDNS, and outgoing zone transfers. Set
to 0 for infinity.

Default: 200 ms

tcp-remote-io-timeout
Maximum time (in milliseconds) to receive or send one DNS message over
an outbound TCP connection which has already been established to a
configured remote server. This limit applies to incoming zone
transfers, sending NOTIFY, DDNS forwarding, and DS check or push. This
timeout includes the time needed for a network round-trip and for
query processing by the remote. Set to 0 for infinity.

Default: 5000 ms

tcp-reuseport
If enabled, each TCP worker listens on its own socket and the OS kernel
socket load balancing is employed using SO_REUSEPORT (or SO_REUSEPORT_LB
on FreeBSD). Due to the lack of one shared socket, the server can offer
a higher response rate over TCP. However, in the case of
time-consuming requests (e.g. zone transfers of a TLD zone), enabled
reuseport may result in client requests being delayed or left unanswered.
So it is advisable to use this option on slave servers.

A change of this parameter requires a restart of the Knot server to take
effect.

Default: off

tcp-max-clients
A maximum number of TCP clients connected in parallel. Set this below
the file descriptor limit to avoid resource exhaustion.

NOTE:
It is advisable to adjust the maximum number of open files per
process in your operating system configuration.

Default: one half of the file descriptor limit for the server process

udp-max-payload
Maximum EDNS0 UDP payload size; the default for both IPv4 and IPv6.

Default: 1232

udp-max-payload-ipv4
Maximum EDNS0 UDP payload size for IPv4.

Default: 1232

udp-max-payload-ipv6
Maximum EDNS0 UDP payload size for IPv6.

Default: 1232

edns-client-subnet
Enable or disable EDNS Client Subnet support. If enabled, responses to
queries containing the EDNS Client Subnet option always contain a valid
EDNS Client Subnet option according to RFC 7871.

Default: off

answer-rotation
Enable or disable sorted-rrset rotation in the answer section of normal
replies. The rotation shift is simply determined by the query ID.

Default: off

listen
One or more IP addresses where the server listens for incoming queries.
An optional port specification (default is 53) can be appended to each
address using the @ separator. Use 0.0.0.0 for all configured IPv4
addresses or :: for all configured IPv6 addresses. Non-local address
binding is automatically enabled if supported by the operating system.

A change of this parameter requires a restart of the Knot server to take
effect.

Default: not set
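As an added illustration (not part of the knot.conf(5) page, and not a configuration shipped by the Knot DNS project), the following server section combines the items above into a hardened baseline: software identification disabled, privileges dropped to an unprivileged account after binding, inbound TCP bounded, and explicit listen addresses. The account name, the nsid string, the addresses and the limits are assumed values for illustration.

```yaml
# Added example, not from the knot.conf(5) page. All values are illustrative.
server:
    # Empty values disable the CHAOS-class id.server./version.bind. answers
    # (RFC 4892); nsid (RFC 5001) stays enabled with an operator-chosen string.
    identity: ""
    version: ""
    nsid: "ns1-example"            # assumed value

    # Run as an unprivileged user:group once the sockets are bound
    # (a change here requires a server restart).
    user: knot:knot                # assumed account names
    rundir: /run/knot

    # Inbound TCP limits: idle connections closed after 10 s, each message
    # must complete within 200 ms, at most 2000 parallel TCP clients
    # (keep this below the process file-descriptor limit).
    tcp-idle-timeout: 10s
    tcp-io-timeout: 200
    tcp-max-clients: 2000

    # 1232 bytes keeps UDP answers below typical path MTUs and avoids
    # IP fragmentation.
    udp-max-payload: 1232

    # Listen only on explicit addresses: IPv4 on the default port 53,
    # IPv6 with an explicit port via the @ separator.
    listen: [192.0.2.53, 2001:db8::53@53]
```

With udp-max-payload set once, the per-family items udp-max-payload-ipv4 and udp-max-payload-ipv6 are left at their default and only need setting when the two families require different sizes.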

Key section
Shared TSIG keys used to authenticate communication with the server.

key:
  - id: DNAME
    algorithm: hmac-md5 | hmac-sha1 | hmac-sha224 | hmac-sha256 | hmac-sha384 | hmac-sha512
    secret: BASE64

id
A key name identifier.

NOTE:
This value MUST be exactly the same as the name of the TSIG key on
the opposite master/slave server(s).

algorithm
A TSIG key algorithm. See TSIG Algorithm Numbers.

Possible values:

· hmac-md5

· hmac-sha1

· hmac-sha224

· hmac-sha256

· hmac-sha384

· hmac-sha512

Default: not set

secret
Shared key secret.

Default: not set

ACL section
Access control list rule definitions. The ACLs are used to match incoming
connections to allow or deny the requested operation (zone transfer
request, DDNS update, etc.).

acl:
  - id: STR
    address: ADDR[/INT] | ADDR-ADDR ...
    key: key_id ...
    action: notify | transfer | update ...
    deny: BOOL
    update-type: STR ...
    update-owner: key | zone | name
    update-owner-match: sub-or-equal | equal | sub
    update-owner-name: STR ...

id
An ACL rule identifier.

address
An ordered list of IP addresses, network subnets, or network ranges.
The query must match one of them. An empty value means that address match
is not required.

Default: not set

key
An ordered list of references to TSIG keys. The query must match one of
them. An empty value means that transaction authentication is not used.

Default: not set

action
An ordered list of allowed (or denied) actions.

Possible values:

· notify – Allow incoming notify.

· transfer – Allow zone transfer.

· update – Allow zone updates.

Default: not set

deny
If enabled, instead of allowing, deny the specified action, address,
key, or combination of these items. If no action is specified, deny all
actions.

Default: off

update-type
A list of allowed types of Resource Records in a zone update. Every
record in an update must match one of the specified types.

Default: not set

update-owner
This option restricts possible owners of Resource Records in a zone
update by comparing them to either the TSIG key identity, the current
zone name, or to a list of domain names given by the update-owner-name
option. The comparison method is given by the update-owner-match
option.

Possible values:

· key — The owner of each updated RR must match the identity of the
TSIG key if used.

· name — The owner of each updated RR must match at least one name in
the update-owner-name list.

· zone — The owner of each updated RR must match the current zone name.

Default: not set

update-owner-match
This option defines how the owners of Resource Records in an update are
matched to the domain name(s) set by the update-owner option.

Possible values:

· sub-or-equal — The owner of each Resource Record in an update must
either be equal to or be a subdomain of at least one domain set by
update-owner.

· equal — The owner of each updated RR must be equal to at least one
domain set by update-owner.

· sub — The owner of each updated RR must be a subdomain of, but MUST
NOT be equal to, at least one domain set by update-owner.

Default: sub-or-equal

update-owner-name
A list of allowed owners of RRs in a zone update, used with update-owner
set to name.

Default: not set
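The following key and acl sections are an added example (not from the knot.conf(5) page and not a Knot DNS project configuration) showing how the items of the two sections above fit together: a zone-transfer rule that requires both a source address and a TSIG signature, an address-only notify rule, a DDNS rule constrained by record type and owner name, and an explicit deny rule. The key names, the placeholder secrets, the addresses and the rule identifiers are assumed; a real secret is generated with Knot's keymgr utility and must never be a value copied from documentation.

```yaml
# Added example, not from the knot.conf(5) page. Secrets are constructed
# placeholders, not usable key material.
key:
  - id: xfr-key.example.
    algorithm: hmac-sha256
    secret: PLACEHOLDER_XFR_SECRET_BASE64==
  - id: ddns-key.example.
    algorithm: hmac-sha256
    secret: PLACEHOLDER_DDNS_SECRET_BASE64==

acl:
  # Zone transfers: every item set in one rule must match, so the client
  # must come from the secondary's address AND sign with the shared key.
  - id: acl_xfr_secondary
    address: 192.0.2.2
    key: xfr-key.example.
    action: transfer

  # NOTIFY from the primary: address match only, no TSIG required.
  - id: acl_notify_primary
    address: 198.51.100.1
    action: notify

  # DDNS: TSIG-authenticated updates only, limited to A/AAAA/TXT records
  # whose owner is the key name or any name below it.
  - id: acl_ddns
    key: ddns-key.example.
    action: update
    update-type: [A, AAAA, TXT]
    update-owner: key
    update-owner-match: sub-or-equal

  # Explicit deny: no action is listed, so all actions from this range
  # are refused regardless of any key presented.
  - id: acl_deny_range
    address: 203.0.113.0/24
    deny: on
```

A zone attaches these rules through its acl item, which the page describes as an ordered list; place acl_deny_range before the allow rules in that list so the deny is evaluated first for the addresses it covers.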

Control section
Configuration of the server control interface.

control:
  listen: STR
  timeout: TIME

listen
A UNIX socket path where the server listens for control commands.

Default: rundir/knot.sock

timeout
Maximum time (in seconds) the control socket operations can take. Set
to 0 for infinity.

Default: 5

Statistics section
Periodic server statistics dumping.

statistics:
  timer: TIME
  file: STR
  append: BOOL

timer
A period after which all available statistics metrics will be written
to the file.

Default: not set

file
A file path of the statistics output in the YAML format.

Default: rundir/stats.yaml

append
If enabled, the output will be appended to the file instead of
replacing the file.

Default: off

Database section
Configuration of databases for zone contents, DNSSEC metadata, or event
timers.

database:
  storage: STR
  journal-db: STR
  journal-db-mode: robust | asynchronous
  journal-db-max-size: SIZE
  kasp-db: STR
  kasp-db-max-size: SIZE
  timer-db: STR
  timer-db-max-size: SIZE

storage
A data directory for storing journal, KASP, and timer databases.

Default: ${localstatedir}/lib/knot (configured with --with-storage=path)

journal-db
An explicit specification of the persistent journal database directory.
A non-absolute path (i.e. not starting with /) is relative to storage.

Default: storage/journal

journal-db-mode
Specifies the journal LMDB backend configuration, which influences
performance and durability.

Possible values:

· robust – The journal database disk synchronization ensures database
durability but is generally slower.

· asynchronous – The journal database disk synchronization is optimized
for better performance at the expense of lower database durability in
the case of a crash. This mode is recommended on slave nodes with
many zones.

Default: robust

journal-db-max-size
The hard limit for the journal database maximum size. There is no
cleanup logic in the journal to recover from reaching this limit. The
journal simply starts refusing changes across all zones. Decreasing this
value has no effect if it is lower than the actual database file size.

It is recommended to limit journal-max-usage per zone instead of
journal-db-max-size in most cases. Please keep this value larger than
the sum of all zones' journal usage limits. See more details regarding
journal behaviour.

NOTE:
This value also influences the server's usage of virtual memory.

Default: 20 GiB (1 GiB for 32-bit)

kasp-db
An explicit specification of the KASP database directory. A non-absolute
path (i.e. not starting with /) is relative to storage.

Default: storage/keys

kasp-db-max-size
The hard limit for the KASP database maximum size.

NOTE:
This value also influences the server's usage of virtual memory.

Default: 500 MiB

timer-db
An explicit specification of the persistent timer database directory.
A non-absolute path (i.e. not starting with /) is relative to storage.

Default: storage/timers

timer-db-max-size
The hard limit for the timer database maximum size.

NOTE:
This value also influences the server's usage of virtual memory.

Default: 100 MiB

Keystore section
DNSSEC keystore configuration.

keystore:
  - id: STR
    backend: pem | pkcs11
    config: STR

id
A keystore identifier.

backend
A key storage backend type.

Possible values:

· pem – PEM files.

· pkcs11 – PKCS #11 storage.

Default: pem

config
A backend specific configuration. A directory with PEM files (the path
can be specified as a relative path to kasp-db) or a configuration
string for PKCS #11 storage (<pkcs11-url> <module-path>).

NOTE:
Example configuration string for PKCS #11:

"pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"

Default: kasp-db/keys
Submission section
Parameters of KSK submission checks.

submission:
  - id: STR
    parent: remote_id ...
    check-interval: TIME
    timeout: TIME

id
A submission identifier.

parent
A list of references to the parent's DNS servers to be checked for the
presence of corresponding DS records in the case of KSK submission. All of
them must have a corresponding DS for the rollover to continue. If none is
specified, the rollover must be pushed forward manually.

Default: not set

TIP:
A DNSSEC-validating resolver can be set as a parent.

check-interval
Interval for periodic checks of DS presence on the parent's DNS servers, in
the case of the KSK submission.

Default: 1 hour

timeout
After this time period (in seconds) the KSK submission is automatically
considered successful, even if all the checks were negative or no parents
are configured. Set to 0 for infinity.

Default: 0

Policy section
DNSSEC policy configuration.

policy:
  - id: STR
    keystore: STR
    manual: BOOL
    single-type-signing: BOOL
    algorithm: rsasha1 | rsasha1-nsec3-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384 | ed25519
    ksk-size: SIZE
    zsk-size: SIZE
    ksk-shared: BOOL
    dnskey-ttl: TIME
    zone-max-ttl: TIME
    zsk-lifetime: TIME
    ksk-lifetime: TIME
    propagation-delay: TIME
    rrsig-lifetime: TIME
    rrsig-refresh: TIME
    rrsig-pre-refresh: TIME
    nsec3: BOOL
    nsec3-iterations: INT
    nsec3-opt-out: BOOL
    nsec3-salt-length: INT
    nsec3-salt-lifetime: TIME
    signing-threads: INT
    ksk-submission: submission_id
    ds-push: remote_id
    cds-cdnskey-publish: none | delete-dnssec | rollover | always | double-ds
    offline-ksk: BOOL

id
A policy identifier.

keystore
A reference to a keystore holding private key material for zones.

Default: an imaginary keystore with all default values

NOTE:
A configured keystore called "default" won't be used unless explicitly
referenced.

manual
If enabled, automatic key management is not used.

Default: off

single-type-signing
If enabled, the Single-Type Signing Scheme is used in the automatic key
management mode.

Default: off

algorithm
An algorithm of signing keys and issued signatures. See DNSSEC Algorithm
Numbers.

Possible values:

· rsasha1

· rsasha1-nsec3-sha1

· rsasha256

· rsasha512

· ecdsap256sha256

· ecdsap384sha384

· ed25519

NOTE:
The Ed25519 algorithm is only available when compiled with GnuTLS
3.6.0+.

Default: ecdsap256sha256

ksk-size
A length of newly generated KSK or CSK keys.

Default: 2048 (rsa*), 256 (ecdsap256), 384 (ecdsap384), 256 (ed25519)

zsk-size
A length of newly generated ZSK keys.

Default: see default for ksk-size

ksk-shared
If enabled, all zones with this policy assigned will share one KSK.

Default: off

dnskey-ttl
A TTL value for DNSKEY records added into the zone apex.

NOTE:
Has influence over the ZSK key lifetime.

WARNING:
Ensure all DNSKEYs with the updated TTL are propagated before any
subsequent DNSKEY rollover starts.

Default: zone SOA TTL

zone-max-ttl
Declare (override) the maximal TTL value among all the records in the zone.

NOTE:
It's generally recommended to override the maximal TTL computation
by setting this explicitly whenever possible. It's required for
DNSSEC Offline KSK and really reasonable when records are generated
dynamically (e.g. by a module).

Default: computed after the zone is loaded

zsk-lifetime
A period between ZSK activation and the next rollover initiation.

NOTE:
More exactly, this period is measured since a ZSK is activated, and
after this, a new ZSK is generated to replace it within the following
roll-over.

The ZSK key lifetime is also influenced by propagation-delay and
dnskey-ttl.

A zero (aka infinity) value causes no ZSK rollover as a result.

Default: 30 days

ksk-lifetime
A period between KSK activation and the next rollover initiation.

NOTE:
The KSK key lifetime is also influenced by propagation-delay, dnskey-ttl,
and the KSK submission delay.

A zero (aka infinity) value causes no KSK rollover as a result.

This applies to the CSK lifetime if single-type-signing is enabled.

Default: 0

propagation-delay
An extra delay added for each key rollover step. This value should be
high enough to cover propagation of data from the master server to all
slaves.

NOTE:
Has influence over the ZSK key lifetime.

Default: 1 hour

rrsig-lifetime
A validity period of newly issued signatures.

NOTE:
The RRSIG's signature inception time is set to 90 minutes in the
past. This time period is not counted towards the signature lifetime.

Default: 14 days

rrsig-refresh
A period how long at least before a signature expiration the signature
will be refreshed, in order to prevent expired RRSIGs on slaves or in
resolvers' caches.

Default: 7 days

rrsig-pre-refresh
A period how long at most before a signature refresh time the signature
might be refreshed, in order to refresh RRSIGs in bigger batches on a
frequently updated zone (avoiding too frequent re-sign events).

Default: 1 hour

nsec3
Specifies if NSEC3 will be used instead of NSEC.

Default: off

nsec3-iterations
A number of additional times the hashing is performed.

Default: 5

nsec3-opt-out
If set, NSEC3 records won't be created for insecure delegations. This
speeds up the zone signing and reduces overall zone size.

WARNING:
NSEC3 with the Opt-Out bit set no longer works as a proof of
non-existence in this zone.

Default: off

nsec3-salt-length
A length of the salt field in octets, which is appended to the original
owner name before hashing.

Default: 8

nsec3-salt-lifetime
A validity period of a newly issued salt field.

A zero value means infinity.

Default: 30 days

ksk-submission
A reference to a submission section holding parameters of KSK submission
checks.

Default: not set

ds-push
An optional reference to an authoritative DNS server of the parent's zone.
The remote server must be configured to accept DS record updates via
DDNS. Whenever a CDS record in the local zone is changed, the
corresponding DS record is sent as a dynamic update (DDNS) to the parent DNS
server. All previous DS records are deleted within the DDNS message.
It's possible to manage both child and parent zones by the same Knot
DNS server.

NOTE:
This feature requires cds-cdnskey-publish not to be set to none.

NOTE:
Module Onlinesign doesn't support DS push.

Default: not set

signing-threads
When signing a zone or an update, use this number of threads for parallel
signing.

Those are extra threads independent of the background workers.

NOTE:
Some steps of the DNSSEC signing operation are not parallelized.

Default: 1 (no extra threads)

cds-cdnskey-publish
Controls if and how the CDS and CDNSKEY records shall be published in the zone.

Possible values:

· none – Never publish any CDS or CDNSKEY records in the zone.

· delete-dnssec – Publish special CDS and CDNSKEY records indicating
turning off DNSSEC.

· rollover – Publish CDS and CDNSKEY records only in the submission
phase of KSK rollover.

· always – Always publish one CDS and one CDNSKEY record for the current
KSK.

· double-ds – Always publish up to two CDS and two CDNSKEY records for
ready and/or active KSKs.

NOTE:
If the zone keys are managed manually, the CDS and CDNSKEY rrsets
may contain more records depending on the keys available.

Default: rollover

offline-ksk
Specifies if the Offline KSK feature is enabled.

Default: off
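The following configuration is an added example (not from the knot.conf(5) page and not a Knot DNS project configuration) that wires the keystore, submission and policy sections above together: private keys held in a PKCS #11 token, a submission check that polls the parent's name servers for the DS record during a KSK rollover, and a policy using NSEC3 without opt-out. The token name, PIN, module path, remote addresses and all identifiers are assumed; the two remote blocks are included only because the page requires referenced identifiers to be defined before use.

```yaml
# Added example, not from the knot.conf(5) page. Token, PIN, paths and
# addresses are assumed values.
keystore:
  - id: hsm
    backend: pkcs11
    config: "pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"

# Parent-zone name servers consulted by the submission check (assumed).
remote:
  - id: parent_ns1
    address: 198.51.100.10
  - id: parent_ns2
    address: 2001:db8:1::10

submission:
  - id: parent_check
    parent: [parent_ns1, parent_ns2]   # every parent must show the new DS
    check-interval: 10m
    timeout: 0                         # never auto-approve; wait for the DS

policy:
  - id: ecdsa_nsec3
    keystore: hsm
    algorithm: ecdsap256sha256
    # Separate KSK and ZSK: the ZSK rolls monthly, the KSK yearly.
    single-type-signing: off
    zsk-lifetime: 30d
    ksk-lifetime: 365d
    # Give secondaries an hour to pick up each rollover step; pin the
    # DNSKEY TTL and the zone maximum TTL so rollover timing is explicit.
    propagation-delay: 1h
    dnskey-ttl: 1h
    zone-max-ttl: 1d
    rrsig-lifetime: 14d
    rrsig-refresh: 7d
    # NSEC3 without opt-out keeps denial-of-existence proofs complete for
    # the whole zone; extra hash iterations cost resolvers CPU for little gain.
    nsec3: on
    nsec3-iterations: 0
    nsec3-opt-out: off
    nsec3-salt-length: 8
    nsec3-salt-lifetime: 30d
    # Publish CDS/CDNSKEY only while a KSK rollover is in its submission
    # phase, and let the submission check confirm the parent's DS.
    cds-cdnskey-publish: rollover
    ksk-submission: parent_check
```

With timeout left at 0 the rollover waits until both parents serve the matching DS; setting ds-push as well would let the server send that DS to the parent itself, provided cds-cdnskey-publish is not none.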

Remote section
Definitions of remote servers for outgoing connections (source of a
zone transfer, target for a notification, etc.).

remote:
  - id: STR
    address: ADDR[@INT] ...
    via: ADDR[@INT] ...
    key: key_id

id
A remote identifier.

address
An ordered list of destination IP addresses which are used for
communication with the remote server. The addresses are tried in sequence
until the remote is reached. An optional destination port (default is 53)
can be appended to the address using the @ separator.

Default: not set

NOTE:
If the remote is contacted and it refuses to perform the requested
action, no more addresses will be tried for this remote.

via
An ordered list of source IP addresses. The first address with the same
family as the destination address is used. An optional source port
(default is random) can be appended to the address using the @ separator.

Default: not set

key
A reference to the TSIG key which is used to authenticate the
communication with the remote server.

Default: not set

Template section
A template is shareable zone settings, which can simplify configuration
by reducing duplicates. A special default template (with the default
identifier) can be used for global zone configuration or as an implicit
configuration if a zone doesn't have another template specified.

template:
  - id: STR
    global-module: STR/STR ...
    # All zone options (excluding 'template' item)

id
A template identifier.

global-module
An ordered list of references to query modules in the form of
module_name or module_name/module_id. These modules apply to all queries.

NOTE:
This option is only available in the default template.

Default: not set

Zone section
Definition of zones served by the server.

zone:
  - domain: DNAME
    template: template_id
    storage: STR
    file: STR
    master: remote_id ...
    ddns-master: remote_id
    notify: remote_id ...
    acl: acl_id ...
    semantic-checks: BOOL
    disable-any: BOOL
    zonefile-sync: TIME
    zonefile-load: none | difference | difference-no-serial | whole
    journal-content: none | changes | all
    journal-max-usage: SIZE
    journal-max-depth: INT
    zone-max-size: SIZE
    dnssec-signing: BOOL
    dnssec-policy: STR
    serial-policy: increment | unixtime | dateserial
    refresh-min-interval: TIME
    refresh-max-interval: TIME
    module: STR/STR ...

domain
A zone name identifier.

template
A reference to a configuration template.

Default: not set or default (if the template exists)

storage
A data directory for storing zone files.

Default: ${localstatedir}/lib/knot (configured with --with-storage=path)

file
A path to the zone file. A non-absolute path (i.e. not starting with /)
is relative to storage. It is also possible to use the following
formatters:

· %c[N] or %c[N-M] – Means the Nth character or a sequence of characters
beginning from the Nth and ending with the Mth character of the
textual zone name (see %s). The indexes are counted from 0 from the
left. All dots (including the terminal one) are considered. If the
character is not available, the formatter has no effect.

· %l[N] – Means the Nth label of the textual zone name (see %s). The
index is counted from 0 from the right (0 ~ TLD). If the label is
not available, the formatter has no effect.

· %s – Means the current zone name in the textual representation. The
zone name doesn't include the terminating dot (the result for the
root zone is the empty string!).

· %% – Means the % character.

WARNING:
Beware of special characters which are escaped or encoded in the
\DDD form where DDD is the corresponding decimal ASCII code.

Default: storage/%s.zone

master
An ordered list of references to zone master servers.

Default: not set

ddns-master
A reference to the zone's primary master server. If not specified, the first
master server is used.

Default: not set

notify
An ordered list of references to remotes to which a notify message is
sent if the zone changes.

Default: not set

acl
An ordered list of references to ACL rules which can allow or disallow
zone transfers, updates or incoming notifies.

Default: not set
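As an added example (not from the knot.conf(5) page and not a Knot DNS project configuration), the remote, template and zone sections below configure a secondary server for two zones that share one template; the file item uses the %l and %s formatters described above to place each zone file in a per-TLD directory. The key, addresses, directory and identifiers are assumed, and the minimal key and acl blocks are included only so that every referenced identifier is defined in advance as the page requires.

```yaml
# Added example, not from the knot.conf(5) page. Secret, addresses and
# paths are assumed values.
key:
  - id: xfr-key.example.
    algorithm: hmac-sha256
    secret: PLACEHOLDER_XFR_SECRET_BASE64==   # constructed placeholder

acl:
  - id: acl_notify_primary
    address: 198.51.100.1
    action: notify

remote:
  - id: primary
    # Tried in order until the primary is reached; @ appends the port.
    address: [198.51.100.1@53, 2001:db8::1@53]
    # Source address; the first one whose family matches the destination
    # is used, so one IPv4 and one IPv6 entry cover both paths.
    via: [192.0.2.2, 2001:db8::2]
    key: xfr-key.example.

template:
  - id: secondary
    storage: /var/lib/knot/zones          # assumed directory
    # %l[0] is the rightmost label (the TLD), %s the full zone name without
    # the trailing dot: example.com. -> com/example.com.zone
    file: "%l[0]/%s.zone"
    master: primary
    acl: acl_notify_primary               # accept NOTIFY only from the primary
    zonefile-sync: 1h                     # the journal serves restarts meanwhile
    journal-content: all                  # keep full contents in the journal

zone:
  - domain: example.com.
    template: secondary
  - domain: example.net.
    template: secondary
    semantic-checks: on                   # extra checks logged for this zone only
```

The transfer itself is authenticated with the remote's key; the acl rule is what the secondary applies to inbound NOTIFY messages, so the two settings cover the two directions of the primary/secondary relationship.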
1074
1075 semantic-checks
1076 If enabled, extra zone semantic checks are turned on.
1077
1078 Several checks are enabled by default and cannot be turned off. An
1079 error in mandatory checks causes zone not to be loaded. An error in
1080 extra checks is logged only.
1081
1082 Mandatory checks:
1083
1084 · SOA record missing in the zone (RFC 1034)
1085
1086 · An extra record together with CNAME record except for RRSIG and DS (‐
1087 RFC 1034)
1088
1089 · Multiple CNAME record with the same owner
1090
1091 · DNAME record having a record under it (RFC 2672)
1092
1093 Extra checks:
1094
1095 · Missing NS record at the zone apex
1096
1097 · Missing glue A or AAAA record
1098
1099 · Invalid DNSKEY, DS, or NSEC3PARAM record
1100
1101 · CDS or CDNSKEY inconsistency
1102
1103 · Missing, invalid, or unverifiable RRSIG record
1104
1105 · Invalid NSEC(3) record
1106
1107 · Broken or non-cyclic NSEC(3) chain
1108
1109 Default: off
1110
1111 disable-any
1112 If enabled, all authoritative ANY queries sent over UDP will be
1113 answered with an empty response and with the TC bit set. Use this
1114 option to minimize the risk of DNS reflection attack.
1115
1116 Default: off
1117
1118 zonefile-sync
1119 The time after which the current zone in memory will be synced with the
1120 zone file on disk (see file). The server will serve the latest zone even
1121 after a restart using the zone journal, but the zone file on disk will
1122 only be synced after the zonefile-sync time has expired (or after a
1123 manual zone flush). This applies when the zone is updated via IXFR, DDNS
1124 or automatic DNSSEC signing. To completely disable automatic zone file
1125 synchronization, set the value to -1. In that case, it is still possible
1126 to force a manual zone flush using the -f option.
1127
1128 NOTE:
1129 If you are serving large zones with frequent updates where the imme‐
1130 diate sync with a zone file is not desirable, increase the value.
1131
1132 Default: 0 (immediate)
1133
1134 zonefile-load
1135 Selects how the zone file contents are applied during zone load.
1136
1137 Possible values:
1138
1139 · none – The zone file is not used at all.
1140
1141 · difference – If the zone contents are already available during server
1142 start or reload, the difference between them and the contents of the
1143 zone file is computed. This difference is then checked for semantic
1144 errors and applied to the current zone contents.
1145
1146 · difference-no-serial – Same as difference, but the SOA serial in the
1147 zone file is ignored; the server takes care of incrementing the serial
1148 automatically.
1149
1150 · whole – Zone contents are loaded from the zone file.
1151
1152 When difference is configured and there are no zone contents yet (cold
1153 start of Knot and no zone contents in the journal), it behaves the same
1154 way as whole.
1155
1156 Default: whole
1157
1158 journal-content
1159 Selects how the journal is used to store the zone and its changes.
1160
1161 Possible values:
1162
1163 · none – The journal is not used at all.
1164
1165 · changes – The zone's change history is stored in the journal.
1166
1167 · all – Zone contents and change history are stored in the journal.
1168
1169 Default: changes
1170
1171 journal-max-usage
1172 Policy for how much journal DB space the zone's journal may occupy.
1173
1174 NOTE:
1175 Journal DB may grow far above the sum of journal-max-usage across
1176 all zones, because of DB free space fragmentation.
1177
1178 Default: 100 MiB
1179
1180 journal-max-depth
1181 Maximum history length of the journal.
1182
1183 Minimum: 2
1184
1185 Default: 2^64
1186
1187 zone-max-size
1188 Maximum size of the zone. The size is measured as the size of the zone
1189 records in wire format without compression. The limit is enforced for
1190 incoming zone transfers and dynamic updates.
1191
1192 For incremental transfers (IXFR), the effective limit for the total
1193 size of the records in the transfer is twice the configured value.
1194 However, the final size of the zone must satisfy the configured value.
1195
1196 Default: 2^64
1197
1198 dnssec-signing
1199 If enabled, automatic DNSSEC signing for the zone is turned on.
1200
1201 Default: off
1202
1203 dnssec-policy
1204 A reference to a DNSSEC signing policy.
1205
1206 Default: an imaginary policy with all default values
1207
1208 NOTE:
1209 A configured policy called "default" won't be used unless explicitly
1210 referenced.
1211
1212 serial-policy
1213 Specifies how the zone serial is updated after a dynamic update or
1214 automatic DNSSEC signing. If the serial is changed by the dynamic
1215 update, no change is made.
1216
1217 Possible values:
1218
1219 · increment – The serial is incremented according to serial number
1220 arithmetic.
1221
1222 · unixtime – The serial is set to the current Unix time.
1223
1224 · dateserial – The 10-digit serial (YYYYMMDDnn) is incremented so that
1225 the first 8 digits match the current ISO date.
1226
1227 NOTE:
1228 In the case of unixtime, if the resulting serial would be lower than or
1229 equal to the current zone serial (this happens e.g. when migrating from
1230 another policy or with frequent updates), the serial is incremented.
1231
1232 Use dateserial only if you expect less than 100 updates per day per
1233 zone.
1234
1235 Default: increment
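
As an added example (not Knot's own code), the three serial policies and the unixtime fallback described above in plain Python, using RFC 1982 serial number arithmetic for the "greater than" test; the first dateserial value of a new day (nn = 00) and the constructed `FIXED_NOW` timestamp are assumptions.

```python
import datetime

MOD = 2 ** 32
# Constructed reference clock so the example is reproducible offline (assumption).
FIXED_NOW = datetime.datetime(2019, 12, 12, 12, 0, tzinfo=datetime.timezone.utc)


def serial_gt(a, b):
    """RFC 1982: True if serial a is 'greater than' b, 32-bit wrap-around aware."""
    return (a > b and a - b < 2 ** 31) or (a < b and b - a > 2 ** 31)


def serial_increment(current):
    """increment: add one, wrapping modulo 2^32."""
    return (current + 1) % MOD


def serial_unixtime(current, now_ts):
    """unixtime: use the current Unix time unless it would not be greater than
    the current serial (policy migration, several updates in one second);
    then fall back to increment, as the NOTE above describes."""
    candidate = int(now_ts) % MOD
    return candidate if serial_gt(candidate, current) else serial_increment(current)


def serial_dateserial(current, today):
    """dateserial: YYYYMMDDnn. Same day: bump nn. Newer day: start today's
    counter (nn = 00 is an assumption; the page does not fix the first value).
    Serial already ahead of the clock: plain increment is the only safe move."""
    day_prefix = int(today.strftime("%Y%m%d")) * 100
    if current // 100 == day_prefix // 100:
        # nn rolling past 99 spills into the date digits: the reason for the
        # "less than 100 updates per day" advice above.
        return serial_increment(current)
    return day_prefix if serial_gt(day_prefix, current) else serial_increment(current)


def apply_serial_policy(policy, current, now=None):
    """New SOA serial for a change (DDNS, signing) that did not touch the serial."""
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc)
    if policy == "increment":
        return serial_increment(current)
    if policy == "unixtime":
        return serial_unixtime(current, now.timestamp())
    if policy == "dateserial":
        return serial_dateserial(current, now.date())
    raise ValueError(f"unknown serial-policy: {policy}")


if __name__ == "__main__":
    for policy in ("increment", "unixtime", "dateserial"):
        print(policy, apply_serial_policy(policy, 2019121201, FIXED_NOW))
```

With a dateserial-style serial such as 2019121201 in the zone, the unixtime policy falls back to increment because the Unix time (1576152000 at `FIXED_NOW`) would be lower than the current serial.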
1236
1237 refresh-min-interval
1238 Forced minimum zone refresh interval to avoid flooding the master.
1239
1240 Default: 2
1241
1242 refresh-max-interval
1243 Forced maximum zone refresh interval.
1244
1245 Default: not set
1246
1247 module
1248 An ordered list of references to query modules in the form module_name
1249 or module_name/module_id. These modules apply only to queries for the
1250 current zone.
1251
1252 Default: not set
1253
1255 The server can be configured to log to standard output, standard error
1256 output, syslog (or the systemd journal if systemd is enabled) or to an
1257 arbitrary file.
1258
1259 There are 6 logging severity levels:
1260
1261 · critical – Non-recoverable error resulting in server shutdown.
1262
1263 · error – Recoverable error, action should be taken.
1264
1265 · warning – Warning that might require user action.
1266
1267 · notice – Server notice or hint.
1268
1269 · info – Informational message.
1270
1271 · debug – Debug or detailed message.
1272
1273 If the log section is missing, warning or more serious messages are
1274 logged to both standard error output and syslog. The info and notice
1275 messages are logged to standard output.
1276
1277 log:
1278 - target: stdout | stderr | syslog | STR
1279 server: critical | error | warning | notice | info | debug
1280 control: critical | error | warning | notice | info | debug
1281 zone: critical | error | warning | notice | info | debug
1282 any: critical | error | warning | notice | info | debug
1283
1284 target
1285 A logging output.
1286
1287 Possible values:
1288
1289 · stdout – Standard output.
1290
1291 · stderr – Standard error output.
1292
1293 · syslog – Syslog or systemd journal.
1294
1295 · file_name – A specific file.
1296
1297 With the syslog target, the syslog service is used. However, if Knot DNS
1298 has been compiled with systemd support and the operating system has been
1299 booted with systemd, the systemd journal is used for logging instead.
1300
1301 server
1302 Minimum severity level for messages related to general operation of the
1303 server to be logged.
1304
1305 Default: not set
1306
1307 control
1308 Minimum severity level for messages related to server control to be
1309 logged.
1310
1311 Default: not set
1312
1313 zone
1314 Minimum severity level for messages related to zones to be logged.
1315
1316 Default: not set
1317
1318 any
1319 Minimum severity level for all message types to be logged.
1320
1321 Default: not set
1322
1324 CZ.NIC Labs <https://www.knot-dns.cz>
1325
1327 Copyright 2010–2019, CZ.NIC, z.s.p.o.
1328
1329
1330
1331
1332 2.9.2 2019-12-12 KNOT.CONF(5)