KNOT.CONF(5)                       Knot DNS                       KNOT.CONF(5)


NAME

6       knot.conf - Knot DNS configuration file
7

DESCRIPTION

       Configuration files for Knot DNS use a simplified YAML format. Simplified
       means that not all YAML features are supported.

       For the description of configuration items, the following symbols are
       used:
14
15       · INT – Integer
16
17       · STR – Textual string
18
19       · HEXSTR – Hexadecimal string (with 0x prefix)
20
21       · BOOL – Boolean value (on/off or true/false)
22
23       · TIME  –  Number  of seconds, an integer with possible time multiplier
24         suffix (s ~ 1, m ~ 60, h ~ 3600 or d ~ 24 * 3600)
25
26       · SIZE – Number of bytes, an integer with possible size multiplier suf‐
27         fix (B ~ 1, K ~ 1024, M ~ 1024^2 or G ~ 1024^3)
28
29       · BASE64 – Base64 encoded string
30
31       · ADDR – IPv4 or IPv6 address
32
33       · DNAME – Domain name
34
35       · ... – Multi-valued item, order of the values is preserved
36
37       · [ ] – Optional value
38
39       · | – Choice
40
41       The  configuration consists of several fixed sections and optional mod‐
42       ule sections. There are 14 fixed sections (module,  server,  key,  acl,
43       control,  statistics,  database,  keystore, submission, policy, remote,
44       template, zone, log).  Module sections are prefixed with the mod-  pre‐
45       fix (e.g. mod-stats).
46
47       Most of the sections (e.g. zone) are sequences of settings blocks. Each
48       settings block begins with a unique identifier, which can be used as  a
49       reference  from  other  sections (such an identifier must be defined in
50       advance).
51
52       A multi-valued item can be specified either as a YAML sequence:
53
54          address: [10.0.0.1, 10.0.0.2]
55
56       or as more single-valued items each on an extra line:
57
58          address: 10.0.0.1
59          address: 10.0.0.2
60
       If an item value contains spaces or other special characters, it is
       necessary to enclose the value in double quotes " ".
63

COMMENTS

65       A  comment  begins with a # character and is ignored during processing.
66       Also each configuration section or sequence block  allows  a  permanent
67       comment using the comment item which is stored in the server beside the
68       configuration.
69

INCLUDES

71       Another configuration  file  or  files,  matching  a  pattern,  can  be
72       included at the top level in the current file. If the path is not abso‐
73       lute, then it is considered to be relative to  the  current  file.  The
74       pattern  can  be  an  arbitrary string meeting POSIX glob requirements,
75       e.g. dir/*.conf.  Matching files are processed in sorted order.
76
77          include: STR
78

MODULE SECTION

80       Dynamic modules loading configuration.
81
82       NOTE:
83          If configured with non-empty `--with-moduledir=path` parameter,  all
84          shared modules in this directory will be automatically loaded.
85
86          module:
87            - id: STR
88              file: STR
89
90   id
91       A module identifier in the form of the mod- prefix and module name suf‐
92       fix.
93
94   file
95       A path to a shared library file with the module implementation.
96
97       WARNING:
98          If the path is not absolute, the library is searched in the  set  of
99          system directories. See man dlopen for more details.
100
101       Default:      ${libdir}/knot/modules-${version}/module_name.so      (or
102       ${path}/module_name.so if configured with --with-moduledir=path)
103

SERVER SECTION

105       General options related to the server.
106
107          server:
108              identity: [STR]
109              version: [STR]
110              nsid: [STR|HEXSTR]
111              rundir: STR
112              user: STR[:STR]
113              pidfile: STR
114              udp-workers: INT
115              tcp-workers: INT
116              background-workers: INT
117              async-start: BOOL
118              tcp-idle-timeout: TIME
119              tcp-io-timeout: INT
120              tcp-remote-io-timeout: INT
121              tcp-max-clients: INT
122              tcp-reuseport: BOOL
123              udp-max-payload: SIZE
124              udp-max-payload-ipv4: SIZE
125              udp-max-payload-ipv6: SIZE
126              edns-client-subnet: BOOL
127              answer-rotation: BOOL
128              listen: ADDR[@INT] ...
129
       CAUTION:
          When you change configuration parameters dynamically or via a
          configuration file reload, some parameters in the Server section
          require a restart of the Knot server for the change to take effect.
          See below for the details.
135
136   identity
137       An identity of the server returned in the response to the query for TXT
138       record id.server. or hostname.bind. in the CHAOS class (RFC 4892).  Set
139       to an empty value to disable.
140
141       Default: FQDN hostname
142
143   version
144       A  version of the server software returned in the response to the query
145       for TXT record version.server. or version.bind. in the CHAOS class (RFC
146       4892). Set to an empty value to disable.
147
148       Default: server version
149
150   nsid
151       A  DNS name server identifier (RFC 5001). Set to an empty value to dis‐
152       able.
153
154       Default: FQDN hostname
155
156   rundir
157       A path for storing run-time data (PID file, unix sockets, etc.).
158
159       Depending on the usage  of  this  parameter,  its  change  may  require
160       restart of the Knot server to take effect.
161
162       Default: ${localstatedir}/run/knot (configured with --with-rundir=path)
163
164   user
165       A  system  user  with an optional system group (user:group) under which
166       the server is run after starting and binding to interfaces. Linux capa‐
167       bilities are employed if supported.
168
169       Change  of  this  parameter requires restart of the Knot server to take
170       effect.
171
172       Default: root:root
173
174   pidfile
175       A PID file location.
176
177       Change of this parameter requires restart of the Knot  server  to  take
178       effect.
179
180       Default: rundir/knot.pid
181
182   udp-workers
183       A number of UDP workers (threads) used to process incoming queries over
184       UDP.
185
186       Change of this parameter requires restart of the Knot  server  to  take
187       effect.
188
189       Default: equal to the number of online CPUs
190
191   tcp-workers
192       A number of TCP workers (threads) used to process incoming queries over
193       TCP.
194
195       Change of this parameter requires restart of the Knot  server  to  take
196       effect.
197
198       Default:  equal to the number of online CPUs, default value is at least
199       10
200
201   background-workers
202       A number of workers (threads) used  to  execute  background  operations
203       (zone loading, zone updates, etc.).
204
205       Change  of  this  parameter requires restart of the Knot server to take
206       effect.
207
208       Default: equal to the number of online CPUs, default value is  at  most
209       10
210
211   async-start
       If enabled, the server doesn't wait for the zones to be loaded and starts
       responding immediately, answering SERVFAIL until each zone is loaded.
214
215       Default: off
216
217   tcp-idle-timeout
218       Maximum idle time (in seconds) between requests on an inbound TCP  con‐
219       nection.  It means if there is no activity on an inbound TCP connection
220       during this limit, the connection is closed by the server.
221
222       Minimum: 1 s
223
224       Default: 10 s
225
226   tcp-io-timeout
227       Maximum time (in milliseconds) to receive or send one DNS message  over
228       an  inbound  TCP  connection. It means this limit applies to normal DNS
229       queries and replies, incoming DDNS, and outgoing zone  transfers.   Set
230       to 0 for infinity.
231
232       Default: 200 ms
233
234   tcp-remote-io-timeout
235       Maximum  time (in milliseconds) to receive or send one DNS message over
236       an outbound TCP connection which has already been established to a con‐
237       figured  remote  server.   It means this limit applies to incoming zone
238       transfers, sending NOTIFY, DDNS forwarding, and DS check or push.  This
239       timeout  includes  the  time  needed for a network round-trip and for a
240       query processing by the remote.  Set to 0 for infinity.
241
242       Default: 5000 ms
243
244   tcp-reuseport
       If enabled, each TCP worker listens on its own socket and the OS kernel
       socket load balancing is employed using SO_REUSEPORT (or SO_REUSEPORT_LB
       on FreeBSD). Due to the lack of one shared socket, the server can offer
       a higher response rate over TCP. However, in the case of time-consuming
       requests (e.g. zone transfers of a TLD zone), enabled reuseport may
       result in client requests being delayed or left unanswered. So it is
       advisable to use this option on slave servers.
252
253       Change of this parameter requires restart of the Knot  server  to  take
254       effect.
255
256       Default: off
257
258   tcp-max-clients
       A maximum number of TCP clients connected in parallel. Set this below
       the file descriptor limit to avoid resource exhaustion.
261
262       NOTE:
263          It is advisable to adjust the  maximum  number  of  open  files  per
264          process in your operating system configuration.
265
266       Default: one half of the file descriptor limit for the server process
267
268   udp-max-payload
269       Maximum EDNS0 UDP payload size default for both IPv4 and IPv6.
270
271       Default: 1232
272
273   udp-max-payload-ipv4
274       Maximum EDNS0 UDP payload size for IPv4.
275
276       Default: 1232
277
278   udp-max-payload-ipv6
279       Maximum EDNS0 UDP payload size for IPv6.
280
281       Default: 1232
282
283   edns-client-subnet
284       Enable  or disable EDNS Client Subnet support. If enabled, responses to
285       queries containing the EDNS Client Subnet option always contain a valid
286       EDNS Client Subnet option according to RFC 7871.
287
288       Default: off
289
290   answer-rotation
291       Enable or disable sorted-rrset rotation in the answer section of normal
292       replies.  The rotation shift is simply determined by a query ID.
293
294       Default: off
295
296   listen
297       One or more IP addresses where the server listens for incoming queries.
298       Optional  port  specification  (default  is 53) can be appended to each
299       address  using  @  separator.  Use  0.0.0.0  for  all  configured  IPv4
300       addresses  or  ::  for all configured IPv6 addresses. Non-local address
301       binding is automatically enabled if supported by the operating system.
302
303       Change of this parameter requires restart of the Knot  server  to  take
304       effect.
305
306       Default: not set
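
       The following server block is an added example, not taken from this
       manual: it disables the CHAOS-class identity answers and NSID, drops
       privileges after binding, and caps parallel TCP clients. The addresses,
       the knot:knot user/group and the client limit are constructed values,
       and "" is used as the empty value the text refers to.

```yaml
# Added example (not from the knot.conf manual); values are constructed.
server:
    # Empty values disable the TXT answers for id.server./hostname.bind.
    # and version.server./version.bind. (RFC 4892) and the NSID option
    # (RFC 5001), so the server does not advertise its hostname or version.
    identity: ""
    version: ""
    nsid: ""
    # Run unprivileged once the sockets are bound. Changing user, listen,
    # rundir, pidfile, the *-workers items or tcp-reuseport needs a restart.
    user: knot:knot
    listen: [ 192.0.2.1@53, 2001:db8::1@53 ]
    # Keep parallel TCP clients well below the process file descriptor
    # limit (the default is one half of it).
    tcp-max-clients: 1000
    # EDNS0 UDP payload limit in bytes, applied to both IPv4 and IPv6.
    udp-max-payload: 1232
    edns-client-subnet: off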
307

KEY SECTION

309       Shared TSIG keys used to authenticate communication with the server.
310
311          key:
312            - id: DNAME
313              algorithm: hmac-md5 | hmac-sha1 | hmac-sha224 | hmac-sha256 | hmac-sha384 | hmac-sha512
314              secret: BASE64
315
316   id
317       A key name identifier.
318
319       NOTE:
320          This  value  MUST be exactly the same as the name of the TSIG key on
321          the opposite master/slave server(s).
322
323   algorithm
324       A TSIG key algorithm. See TSIG Algorithm Numbers.
325
326       Possible values:
327
328       · hmac-md5
329
330       · hmac-sha1
331
332       · hmac-sha224
333
334       · hmac-sha256
335
336       · hmac-sha384
337
338       · hmac-sha512
339
340       Default: not set
341
342   secret
343       Shared key secret.
344
345       Default: not set
346

ACL SECTION

348       Access control list rule definitions. The ACLs are used to match incom‐
349       ing  connections  to  allow  or deny requested operation (zone transfer
350       request, DDNS update, etc.).
351
352          acl:
353            - id: STR
354              address: ADDR[/INT] | ADDR-ADDR ...
355              key: key_id ...
356              action: notify | transfer | update ...
357              deny: BOOL
358              update-type: STR ...
359              update-owner: key | zone | name
360              update-owner-match: sub-or-equal | equal | sub
361              update-owner-name: STR ...
362
363   id
364       An ACL rule identifier.
365
366   address
367       An ordered list of IP addresses, network subnets,  or  network  ranges.
368       The  query must match one of them. Empty value means that address match
369       is not required.
370
371       Default: not set
372
373   key
374       An ordered list of references to TSIG keys. The query must match one of
375       them. Empty value means that transaction authentication is not used.
376
377       Default: not set
378
379   action
380       An ordered list of allowed (or denied) actions.
381
382       Possible values:
383
384       · notify – Allow incoming notify.
385
386       · transfer – Allow zone transfer.
387
388       · update – Allow zone updates.
389
390       Default: not set
391
392   deny
       If enabled, instead of allowing, deny the specified action, address,
       key, or combination of these items. If no action is specified, deny all
       actions.
396
397       Default: off
398
399   update-type
400       A  list  of  allowed  types of Resource Records in a zone update. Every
401       record in an update must match one of the specified types.
402
403       Default: not set
404
405   update-owner
406       This option restricts possible owners of Resource  Records  in  a  zone
407       update  by  comparing them to either the TSIG key identity, the current
408       zone name, or to a list of domain names given by the  update-owner-name
409       option.   The  comparison  method  is  given  by the update-owner-match
410       option.
411
412       Possible values:
413
414       · key — The owner of each updated RR must match  the  identity  of  the
415         TSIG key if used.
416
417       · name  —  The owner of each updated RR must match at least one name in
418         the update-owner-name list.
419
420       · zone — The owner of each updated RR must match the current zone name.
421
422       Default: not set
423
424   update-owner-match
425       This option defines how the owners of Resource Records in an update are
426       matched to the domain name(s) set by the update-owner option.
427
428       Possible values:
429
430       · sub-or-equal  —  The  owner of each Resource Record in an update must
431         either be equal to or be a subdomain of at least one  domain  set  by
432         update-owner.
433
434       · equal  —  The  owner of each updated RR must be equal to at least one
435         domain set by update-owner.
436
437       · sub — The owner of each updated RR must be a subdomain of,  but  MUST
438         NOT be equal to at least one domain set by update-owner.
439
440       Default: sub-or-equal
441
442   update-owner-name
443       A list of allowed owners of RRs in a zone update used with update-owner
444       set to name.
445
446       Default: not set
447

CONTROL SECTION

449       Configuration of the server control interface.
450
451          control:
452              listen: STR
453              timeout: TIME
454
455   listen
456       A UNIX socket path where the server listens for control commands.
457
458       Default: rundir/knot.sock
459
460   timeout
461       Maximum time (in seconds) the control socket operations can take.   Set
462       to 0 for infinity.
463
464       Default: 5
465

STATISTICS SECTION

467       Periodic server statistics dumping.
468
469          statistics:
470              timer: TIME
471              file: STR
472              append: BOOL
473
474   timer
       A period after which all available statistics metrics will be written
       to the file.
477
478       Default: not set
479
480   file
481       A file path of statistics output in the YAML format.
482
483       Default: rundir/stats.yaml
484
485   append
486       If enabled, the output will be appended to the  file  instead  of  file
487       replacement.
488
489       Default: off
490

DATABASE SECTION

492       Configuration of databases for zone contents, DNSSEC metadata, or event
493       timers.
494
495          database:
496              storage: STR
497              journal-db: STR
498              journal-db-mode: robust | asynchronous
499              journal-db-max-size: SIZE
500              kasp-db: STR
501              kasp-db-max-size: SIZE
502              timer-db: STR
503              timer-db-max-size: SIZE
504
505   storage
506       A data directory for storing journal, KASP, and timer databases.
507
508       Default:  ${localstatedir}/lib/knot   (configured   with   --with-stor‐
509       age=path)
510
511   journal-db
512       An explicit specification of the persistent journal database directory.
513       Non-absolute path (i.e. not starting with /) is relative to storage.
514
515       Default: storage/journal
516
517   journal-db-mode
518       Specifies journal LMDB backend configuration, which influences  perfor‐
519       mance and durability.
520
521       Possible values:
522
       · robust – The journal database disk synchronization ensures database
         durability but is generally slower.
525
526       · asynchronous – The journal database disk synchronization is optimized
527         for better performance at the expense of lower database durability in
528         the case of a crash. This mode is recommended  on  slave  nodes  with
529         many zones.
530
531       Default: robust
532
533   journal-db-max-size
534       The  hard  limit  for  the  journal  database maximum size. There is no
535       cleanup logic in journal to recover from reaching this  limit.  Journal
536       simply  starts refusing changes across all zones. Decreasing this value
537       has no effect if it is lower than the actual database file size.
538
539       It is  recommended  to  limit  journal-max-usage  per-zone  instead  of
540       journal-db-max-size  in  most cases. Please keep this value larger than
541       the sum of all zones' journal usage limits. See more details  regarding
542       journal behaviour.
543
544       NOTE:
545          This value also influences server's usage of virtual memory.
546
547       Default: 20 GiB (1 GiB for 32-bit)
548
549   kasp-db
550       An explicit specification of the KASP database directory.  Non-absolute
551       path (i.e. not starting with /) is relative to storage.
552
553       Default: storage/keys
554
555   kasp-db-max-size
556       The hard limit for the KASP database maximum size.
557
558       NOTE:
559          This value also influences server's usage of virtual memory.
560
561       Default: 500 MiB
562
563   timer-db
564       An explicit specification of the persistent timer  database  directory.
565       Non-absolute path (i.e. not starting with /) is relative to storage.
566
567       Default: storage/timers
568
569   timer-db-max-size
570       The hard limit for the timer database maximum size.
571
572       NOTE:
573          This value also influences server's usage of virtual memory.
574
575       Default: 100 MiB
576

KEYSTORE SECTION

578       DNSSEC keystore configuration.
579
580          keystore:
581            - id: STR
582              backend: pem | pkcs11
583              config: STR
584
585   id
586       A keystore identifier.
587
588   backend
589       A key storage backend type.
590
591       Possible values:
592
593       · pem – PEM files.
594
595       · pkcs11 – PKCS #11 storage.
596
597       Default: pem
598
599   config
600       A  backend specific configuration. A directory with PEM files (the path
601       can be specified as a relative path  to  kasp-db)  or  a  configuration
602       string for PKCS #11 storage (<pkcs11-url> <module-path>).
603
604       NOTE:
605          Example configuration string for PKCS #11:
606
607              "pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"
608
609       Default: kasp-db/keys
610

SUBMISSION SECTION

612       Parameters of KSK submission checks.
613
614          submission:
615            - id: STR
616              parent: remote_id ...
617              check-interval: TIME
618              timeout: TIME
619
620   id
621       A submission identifier.
622
623   parent
624       A list of references to parent's DNS servers to be checked for presence
625       of corresponding DS records in the case of KSK submission. All of  them
626       must  have  a corresponding DS for the rollover to continue. If none is
627       specified, the rollover must be pushed forward manually.
628
629       Default: not set
630
631       TIP:
632          A DNSSEC-validating resolver can be set as a parent.
633
634   check-interval
635       Interval for periodic checks of DS presence on parent's DNS servers, in
636       the case of the KSK submission.
637
638       Default: 1 hour
639
640   timeout
641       After this time period (in seconds) the KSK submission is automatically
642       considered successful, even if all the checks were negative or no  par‐
643       ents are configured.  Set to 0 for infinity.
644
645       Default: 0
646

POLICY SECTION

648       DNSSEC policy configuration.
649
650          policy:
651            - id: STR
652              keystore: STR
653              manual: BOOL
654              single-type-signing: BOOL
655              algorithm: rsasha1 | rsasha1-nsec3-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384 | ed25519
656              ksk-size: SIZE
657              zsk-size: SIZE
658              ksk-shared: BOOL
659              dnskey-ttl: TIME
660              zone-max-ttl: TIME
661              zsk-lifetime: TIME
662              ksk-lifetime: TIME
663              propagation-delay: TIME
664              rrsig-lifetime: TIME
665              rrsig-refresh: TIME
666              rrsig-pre-refresh: TIME
667              nsec3: BOOL
668              nsec3-iterations: INT
669              nsec3-opt-out: BOOL
670              nsec3-salt-length: INT
671              nsec3-salt-lifetime: TIME
672              signing-threads: INT
673              ksk-submission: submission_id
674              ds-push: remote_id
675              cds-cdnskey-publish: none | delete-dnssec | rollover | always | double-ds
676              offline-ksk: BOOL
677
678   id
679       A policy identifier.
680
681   keystore
682       A reference to a keystore holding private key material for zones.
683
684       Default: an imaginary keystore with all default values
685
686       NOTE:
687          A  configured keystore called "default" won't be used unless explic‐
688          itly referenced.
689
690   manual
691       If enabled, automatic key management is not used.
692
693       Default: off
694
695   single-type-signing
696       If enabled, Single-Type Signing Scheme is used  in  the  automatic  key
697       management mode.
698
699       Default: off
700
701   algorithm
702       An  algorithm  of  signing keys and issued signatures. See DNSSEC Algo‐
703       rithm Numbers.
704
705       Possible values:
706
707       · rsasha1
708
709       · rsasha1-nsec3-sha1
710
711       · rsasha256
712
713       · rsasha512
714
715       · ecdsap256sha256
716
717       · ecdsap384sha384
718
719       · ed25519
720
721       NOTE:
722          Ed25519 algorithm  is  only  available  when  compiled  with  GnuTLS
723          3.6.0+.
724
725       Default: ecdsap256sha256
726
727   ksk-size
728       A length of newly generated KSK or CSK keys.
729
730       Default: 2048 (rsa*), 256 (ecdsap256), 384 (ecdsap384), 256 (ed25519)
731
732   zsk-size
733       A length of newly generated ZSK keys.
734
735       Default: see default for ksk-size
736
737   ksk-shared
738       If enabled, all zones with this policy assigned will share one KSK.
739
740       Default: off
741
742   dnskey-ttl
743       A TTL value for DNSKEY records added into zone apex.
744
745       NOTE:
          Has influence over ZSK key lifetime.
747
748       WARNING:
749          Ensure all DNSKEYs with updated TTL are propagated before any subse‐
750          quent DNSKEY rollover starts.
751
752       Default: zone SOA TTL
753
754   zone-max-ttl
755       Declare (override) maximal TTL value among all the records in zone.
756
757       NOTE:
758          It's generally recommended to override the maximal  TTL  computation
759          by  setting  this  explicitly  whenever  possible. It's required for
760          DNSSEC Offline KSK and really reasonable when records are  generated
761          dynamically (e.g. by a module).
762
763       Default: computed after zone is loaded
764
765   zsk-lifetime
766       A period between ZSK activation and the next rollover initiation.
767
768       NOTE:
769          More  exactly, this period is measured since a ZSK is activated, and
770          after this, a new ZSK is generated to replace  it  within  following
771          roll-over.
772
          ZSK key lifetime is also influenced by propagation-delay and
          dnskey-ttl.
775
776          Zero (aka infinity) value causes no ZSK rollover as a result.
777
778       Default: 30 days
779
780   ksk-lifetime
781       A period between KSK activation and the next rollover initiation.
782
783       NOTE:
          KSK key lifetime is also influenced by propagation-delay, dnskey-ttl,
          and KSK submission delay.
786
787          Zero (aka infinity) value causes no KSK rollover as a result.
788
789          This applies for CSK lifetime if single-type-signing is enabled.
790
791       Default: 0
792
793   propagation-delay
794       An  extra  delay added for each key rollover step. This value should be
795       high enough to cover propagation of data from the master server to  all
796       slaves.
797
798       NOTE:
          Has influence over ZSK key lifetime.
800
801       Default: 1 hour
802
803   rrsig-lifetime
804       A validity period of newly issued signatures.
805
806       NOTE:
807          The  RRSIG's  signature  inception  time is set to 90 minutes in the
808          past. This time period is not counted to the signature lifetime.
809
810       Default: 14 days
811
812   rrsig-refresh
       The minimum period before a signature's expiration at which the
       signature will be refreshed, in order to prevent expired RRSIGs on
       slaves or in resolvers' caches.
816
817       Default: 7 days
818
819   rrsig-pre-refresh
       The maximum period before a signature's refresh time at which the
       signature might be refreshed, in order to refresh RRSIGs in bigger
       batches on a frequently updated zone (and avoid re-signing too often).
823
824       Default: 1 hour
825
826   nsec3
827       Specifies if NSEC3 will be used instead of NSEC.
828
829       Default: off
830
831   nsec3-iterations
832       A number of additional times the hashing is performed.
833
834       Default: 5
835
836   nsec3-opt-out
837       If set, NSEC3 records won't be created for insecure delegations.   This
838       speeds up the zone signing and reduces overall zone size.
839
840       WARNING:
841          NSEC3  with  the  Opt-Out  bit  set  no  longer  works as a proof of
842          non-existence in this zone.
843
844       Default: off
845
846   nsec3-salt-length
847       A length of a salt field in octets, which is appended to  the  original
848       owner name before hashing.
849
850       Default: 8
851
852   nsec3-salt-lifetime
853       A validity period of newly issued salt field.
854
855       Zero value means infinity.
856
857       Default: 30 days
858
859   ksk-submission
860       A  reference to submission section holding parameters of KSK submission
861       checks.
862
863       Default: not set
864
865   ds-push
866       An optional reference to authoritative DNS server of the parent's zone.
867       The  remote  server  must be configured to accept DS record updates via
868       DDNS. Whenever a CDS record in the local zone is  changed,  the  corre‐
869       sponding DS record is sent as a dynamic update (DDNS) to the parent DNS
870       server. All previous DS records are deleted within  the  DDNS  message.
871       It's  possible  to  manage both child and parent zones by the same Knot
872       DNS server.
873
874       NOTE:
875          This feature requires cds-cdnskey-publish not to be set to none.
876
877       NOTE:
878          Module Onlinesign doesn't support DS push.
879
880       Default: not set
881
882   signing-threads
883       When signing zone or update, use this number of  threads  for  parallel
884       signing.
885
886       Those are extra threads independent of Background workers.
887
888       NOTE:
889          Some steps of the DNSSEC signing operation are not parallelized.
890
891       Default: 1 (no extra threads)
892
893   cds-cdnskey-publish
       Controls whether and how CDS and CDNSKEY records are published in the zone.
895
896       Possible values:
897
898       · none – Never publish any CDS or CDNSKEY records in the zone.
899
900       · delete-dnssec  –  Publish  special CDS and CDNSKEY records indicating
901         turning off DNSSEC.
902
903       · rollover – Publish CDS and CDNSKEY records  only  in  the  submission
904         phase of KSK rollover.
905
       · always – Always publish one CDS and one CDNSKEY record for the
         current KSK.
908
909       · double-ds – Always publish up to two CDS and two CDNSKEY records  for
910         ready and/or active KSKs.
911
912       NOTE:
913          If  the  zone  keys are managed manually, the CDS and CDNSKEY rrsets
914          may contain more records depending on the keys available.
915
916       Default: rollover
917
918   offline-ksk
919       Specifies if Offline KSK feature is enabled.
920
921       Default: off
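
       The following configuration is an added example, not taken from this
       manual: it ties together the keystore, submission and policy sections so
       that a zone is signed automatically with ECDSA P-256 keys held in a
       PKCS #11 token and a KSK rollover only proceeds once the parent serves
       the new DS. The remote address, token name, PIN and lifetimes are
       constructed values.

```yaml
# Added example (not from the knot.conf manual); values are constructed.
keystore:
  - id: hsm
    backend: pkcs11
    # "<pkcs11-url> <module-path>"; the PIN here is a placeholder.
    config: "pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"

remote:
  - id: parent-ns
    address: 192.0.2.53@53

submission:
  - id: parent-ds-check
    parent: parent-ns        # all listed parents must serve the new DS
    check-interval: 10m
    timeout: 0               # never declare submission successful blindly

policy:
  - id: p256-hsm
    keystore: hsm            # the keystore called "default" is not implicit
    algorithm: ecdsap256sha256
    dnskey-ttl: 1h
    zone-max-ttl: 1d         # set explicitly rather than computed at load
    zsk-lifetime: 30d
    ksk-lifetime: 365d       # the default 0 would mean no automatic KSK rollover
    propagation-delay: 1h    # must cover master -> slave propagation
    rrsig-lifetime: 14d
    rrsig-refresh: 7d
    nsec3: on
    nsec3-salt-length: 8
    nsec3-opt-out: off       # opt-out removes proofs of non-existence
    ksk-submission: parent-ds-check
    cds-cdnskey-publish: rollover

zone:
  - domain: example.com.
    dnssec-signing: on
    dnssec-policy: p256-hsm
```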
922

REMOTE SECTION

924       Definitions of remote servers for outgoing  connections  (source  of  a
925       zone transfer, target for a notification, etc.).
926
927          remote:
928            - id: STR
929              address: ADDR[@INT] ...
930              via: ADDR[@INT] ...
931              key: key_id
932
933   id
934       A remote identifier.
935
936   address
937       An ordered list of destination IP addresses which are used for communi‐
938       cation with the remote server. The  addresses  are  tried  in  sequence
939       until  the remote is reached. Optional destination port (default is 53)
940       can be appended to the address using @ separator.
941
942       Default: not set
943
944       NOTE:
945          If the remote is contacted  and  it  refuses  to  perform  requested
946          action, no more addresses will be tried for this remote.
947
948   via
949       An ordered list of source IP addresses. The first address with the same
950       family as  the  destination  address  is  used.  Optional  source  port
951       (default is random) can be appended to the address using @ separator.
952
953       Default: not set
954
955   key
956       A  reference to the TSIG key which is used to authenticate the communi‐
957       cation with the remote server.
958
959       Default: not set
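
       The following configuration is an added example, not taken from this
       manual: it combines the key, acl, remote and zone sections so that zone
       transfers go only to one TSIG-authenticated secondary and a per-host
       TSIG key may only update A/AAAA records under its own name. Key names,
       the base64 secrets (placeholders, not real keys) and all addresses are
       constructed; the deny rule is listed first on the assumption that rules
       are evaluated in the order given by the zone's acl item.

```yaml
# Added example (not from the knot.conf manual); values are constructed.
key:
  - id: xfr-key.example.
    algorithm: hmac-sha256
    secret: c2VjcmV0LXBsYWNlaG9sZGVy   # placeholder, replace with a real secret
  - id: host1.example.com.            # the key name doubles as the allowed owner
    algorithm: hmac-sha256
    secret: c2VjcmV0LXBsYWNlaG9sZGVy   # placeholder, replace with a real secret

acl:
  # Refuse updates from this range no matter which key signs them.
  - id: deny-guest-update
    address: 198.51.100.0/24
    action: update
    deny: on
  # Transfers only from the secondary's addresses AND only when TSIG-signed.
  - id: secondary-xfr
    address: [ 192.0.2.2, 2001:db8::2 ]
    key: xfr-key.example.
    action: transfer
  # host1 may change only A/AAAA records owned by host1.example.com. or a
  # name below it (update-owner: key with the default sub-or-equal match).
  - id: host1-update
    key: host1.example.com.
    action: update
    update-type: [ A, AAAA ]
    update-owner: key
    update-owner-match: sub-or-equal

remote:
  - id: secondary
    address: [ 192.0.2.2@53, 2001:db8::2@53 ]
    key: xfr-key.example.

zone:
  - domain: example.com.
    notify: secondary
    acl: [ deny-guest-update, secondary-xfr, host1-update ]
```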
960

TEMPLATE SECTION

       A template is a set of shareable zone settings, which can simplify
       configuration by reducing duplicates. A special default template (with
       the default identifier) can be used for global zone configuration or as
       an implicit configuration if a zone doesn't have another template
       specified.
966
967          template:
968            - id: STR
969              global-module: STR/STR ...
970              # All zone options (excluding 'template' item)
971
972   id
973       A template identifier.
974
975   global-module
976       An  ordered  list  of  references  to query modules in the form of mod‐
977       ule_name or module_name/module_id. These modules apply to all queries.
978
979       NOTE:
980          This option is only available in the default template.
981
982       Default: not set
983

ZONE SECTION

       Definition of zones served by the server.

          zone:
            - domain: DNAME
              template: template_id
              storage: STR
              file: STR
              master: remote_id ...
              ddns-master: remote_id
              notify: remote_id ...
              acl: acl_id ...
              semantic-checks: BOOL
              disable-any: BOOL
              zonefile-sync: TIME
              zonefile-load: none | difference | difference-no-serial | whole
              journal-content: none | changes | all
              journal-max-usage: SIZE
              journal-max-depth: INT
              zone-max-size: SIZE
              dnssec-signing: BOOL
              dnssec-policy: STR
              serial-policy: increment | unixtime | dateserial
              refresh-min-interval: TIME
              refresh-max-interval: TIME
              module: STR/STR ...

   domain
       A zone name identifier.

   template
       A reference to a configuration template.

       Default: not set, or default (if such a template exists)

   storage
       A data directory for storing zone files.

       Default: ${localstatedir}/lib/knot (configured with
       --with-storage=path)

   file
       A path to the zone file. A non-absolute path (i.e. not starting with
       /) is relative to storage. It is also possible to use the following
       formatters:

       · %c[N] or %c[N-M] – Means the Nth character, or the sequence of
         characters beginning with the Nth and ending with the Mth character,
         of the textual zone name (see %s). The indexes are counted from 0
         from the left. All dots (including the terminal one) are
         considered. If the character is not available, the formatter has no
         effect.

       · %l[N] – Means the Nth label of the textual zone name (see %s). The
         index is counted from 0 from the right (0 ~ TLD). If the label is
         not available, the formatter has no effect.

       · %s – Means the current zone name in its textual representation. The
         zone name doesn't include the terminating dot (the result for the
         root zone is the empty string!).

       · %% – Means the % character.

       WARNING:
          Beware of special characters, which are escaped or encoded in the
          \DDD form, where DDD is the corresponding decimal ASCII code.

       Default: storage/%s.zone

   master
       An ordered list of references to zone master servers.

       Default: not set

   ddns-master
       A reference to the zone's primary master server. If not specified,
       the first master server is used.

       Default: not set

   notify
       An ordered list of references to remotes to which a notify message
       is sent if the zone changes.

       Default: not set

   acl
       An ordered list of references to ACL rules, which can allow or
       disallow zone transfers, updates or incoming notifies.

       Default: not set

   semantic-checks
       If enabled, extra zone semantic checks are turned on.

       Several checks are enabled by default and cannot be turned off. An
       error in the mandatory checks causes the zone not to be loaded. An
       error in the extra checks is only logged.

       Mandatory checks:

       · SOA record missing in the zone (RFC 1034)

       · An extra record together with a CNAME record, except for RRSIG and
         DS (RFC 1034)

       · Multiple CNAME records with the same owner

       · DNAME record having a record under it (RFC 2672)

       Extra checks:

       · Missing NS record at the zone apex

       · Missing glue A or AAAA record

       · Invalid DNSKEY, DS, or NSEC3PARAM record

       · CDS or CDNSKEY inconsistency

       · Missing, invalid, or unverifiable RRSIG record

       · Invalid NSEC(3) record

       · Broken or non-cyclic NSEC(3) chain

       Default: off

   disable-any
       If enabled, all authoritative ANY queries sent over UDP will be
       answered with an empty response with the TC bit set, so that
       legitimate clients retry over TCP. Use this option to minimize the
       risk of the server being used in DNS reflection (amplification)
       attacks.

       Default: off

   zonefile-sync
       The time after which the current zone in memory will be synced with
       the zone file on disk (see file). The server will serve the latest
       zone even after a restart, using the zone journal, but the zone file
       on disk will only be synced after the zonefile-sync time has expired
       (or after a manual zone flush). This is applicable when the zone is
       updated via IXFR, DDNS or automatic DNSSEC signing. In order to
       completely disable automatic zone file synchronization, set the value
       to -1. In that case, it is still possible to force a manual zone flush
       (knotc zone-flush) using the -f option.

       NOTE:
          If you are serving large zones with frequent updates, where an
          immediate sync with the zone file is not desirable, increase the
          value.

       Default: 0 (immediate)

   zonefile-load
       Selects how the zone file contents are applied during zone load.

       Possible values:

       · none – The zone file is not used at all.

       · difference – If the zone contents are already available during
         server start or reload, the difference between them and the
         contents of the zone file is computed. This difference is then
         checked for semantic errors and applied to the current zone
         contents.

       · difference-no-serial – Same as difference, but the SOA serial in
         the zone file is ignored; the server takes care of incrementing the
         serial automatically.

       · whole – Zone contents are loaded from the zone file.

       When difference is configured and there are no zone contents yet
       (cold start of Knot and no zone contents in the journal), it behaves
       the same way as whole.

       Default: whole

   journal-content
       Selects how the journal is used to store the zone and its changes.

       Possible values:

       · none – The journal is not used at all.

       · changes – The zone change history is stored in the journal.

       · all – The zone contents and history are stored in the journal.

       Default: changes

   journal-max-usage
       Policy for how much space in the journal DB the zone's journal may
       occupy.

       NOTE:
          The journal DB may grow far above the sum of journal-max-usage
          across all zones, because of DB free space fragmentation.

       Default: 100 MiB

   journal-max-depth
       Maximum history length of the journal.

       Minimum: 2

       Default: 2^64

   zone-max-size
       Maximum size of the zone. The size is measured as the size of the
       zone records in wire format without compression. The limit is
       enforced for incoming zone transfers and dynamic updates, so it bounds
       the memory a master or an update client can make the server consume.

       For incremental transfers (IXFR), the effective limit for the total
       size of the records in the transfer is twice the configured value.
       However, the final size of the zone must satisfy the configured value.

       Default: 2^64

   dnssec-signing
       If enabled, automatic DNSSEC signing for the zone is turned on.

       Default: off

   dnssec-policy
       A reference to a DNSSEC signing policy.

       Default: an imaginary policy with all default values

       NOTE:
          A configured policy called "default" won't be used unless
          explicitly referenced.

   serial-policy
       Specifies how the zone serial is updated after a dynamic update or
       automatic DNSSEC signing. If the serial is already changed by the
       dynamic update, no further change is made.

       Possible values:

       · increment – The serial is incremented according to serial number
         arithmetic.

       · unixtime – The serial is set to the current unix time.

       · dateserial – The 10-digit serial (YYYYMMDDnn) is incremented; the
         first 8 digits match the current ISO date.

       NOTE:
          In the case of unixtime, if the resulting serial would be lower
          than or equal to the current zone serial (this happens e.g. when
          migrating from another policy, or with frequent updates), the
          serial is incremented instead.

          Use dateserial only if you expect fewer than 100 updates per day
          per zone.

       Default: increment

   refresh-min-interval
       Forced minimum zone refresh interval, to avoid flooding the master.

       Default: 2

   refresh-max-interval
       Forced maximum zone refresh interval.

       Default: not set

   module
       An ordered list of references to query modules in the form of
       module_name or module_name/module_id. These modules apply only to
       queries for the current zone.

       Default: not set


LOGGING SECTION

       The server can be configured to log to the standard output, the
       standard error output, syslog (or the systemd journal if systemd is
       enabled) or into an arbitrary file.

       There are 6 logging severity levels:

       · critical – Non-recoverable error resulting in server shutdown.

       · error – Recoverable error, action should be taken.

       · warning – Warning that might require user action.

       · notice – Server notice or hint.

       · info – Informational message.

       · debug – Debug or detailed message.

       If the log section is missing, warning or more serious messages will
       be logged to both the standard error output and syslog. The info and
       notice messages will be logged to the standard output.

          log:
            - target: stdout | stderr | syslog | STR
              server: critical | error | warning | notice | info | debug
              control: critical | error | warning | notice | info | debug
              zone: critical | error | warning | notice | info | debug
              any: critical | error | warning | notice | info | debug

   target
       A logging output.

       Possible values:

       · stdout – Standard output.

       · stderr – Standard error output.

       · syslog – Syslog or systemd journal.

       · file_name – A specific file.

       With the syslog target, the syslog service is used. However, if Knot
       DNS has been compiled with systemd support and the operating system
       has been booted with systemd, the systemd journal is used for logging
       instead of syslog.

   server
       Minimum severity level for messages related to the general operation
       of the server to be logged.

       Default: not set

   control
       Minimum severity level for messages related to server control to be
       logged.

       Default: not set

   zone
       Minimum severity level for messages related to zones to be logged.

       Default: not set

   any
       Minimum severity level for all message types to be logged.

       Default: not set

AUTHOR

       CZ.NIC Labs <https://www.knot-dns.cz>

COPYRIGHT
       Copyright 2010–2019, CZ.NIC, z.s.p.o.



2.9.2                             2019-12-12                      KNOT.CONF(5)