KNOT.CONF(5)                       Knot DNS                       KNOT.CONF(5)

NAME

       knot.conf - Knot DNS configuration file

DESCRIPTION

       Configuration files for Knot DNS use a simplified YAML format. Simplified means that not all of the YAML features are supported.

       For the description of configuration items, we have to declare the meaning of the following symbols:

       · INT – Integer

       · STR – Textual string

       · HEXSTR – Hexadecimal string (with 0x prefix)

       · BOOL – Boolean value (on/off or true/false)

       · TIME – Number of seconds, an integer with possible time multiplier suffix (s ~ 1, m ~ 60, h ~ 3600 or d ~ 24 * 3600)

       · SIZE – Number of bytes, an integer with possible size multiplier suffix (B ~ 1, K ~ 1024, M ~ 1024^2 or G ~ 1024^3)

       · BASE64 – Base64 encoded string

       · ADDR – IPv4 or IPv6 address

       · DNAME – Domain name

       · ... – Multi-valued item, order of the values is preserved

       · [ ] – Optional value

       · | – Choice

       The configuration consists of several fixed sections and optional module sections. There are 14 fixed sections (module, server, key, acl, control, statistics, database, keystore, submission, policy, remote, template, zone, log). Module sections are prefixed with the mod- prefix (e.g. mod-stats).

       Most of the sections (e.g. zone) are sequences of settings blocks. Each settings block begins with a unique identifier, which can be used as a reference from other sections (such an identifier must be defined in advance).

       A multi-valued item can be specified either as a YAML sequence:

          address: [10.0.0.1, 10.0.0.2]

       or as more single-valued items each on an extra line:

          address: 10.0.0.1
          address: 10.0.0.2

       If an item value contains spaces or other special characters, it is necessary to enclose such a value within double quotes " ".

COMMENTS

       A comment begins with a # character and is ignored during processing. Also each configuration section or sequence block allows a permanent comment using the comment item, which is stored in the server beside the configuration.

INCLUDES

       Another configuration file or files, matching a pattern, can be included at the top level in the current file. If the path is not absolute, then it is considered to be relative to the current file. The pattern can be an arbitrary string meeting POSIX glob requirements, e.g. dir/*.conf. Matching files are processed in sorted order.

          include: STR

MODULE SECTION

       Dynamic modules loading configuration.

       NOTE:
          If configured with non-empty --with-moduledir=path parameter, all shared modules in this directory will be automatically loaded.

          module:
            - id: STR
              file: STR

   id
       A module identifier in the form of the mod- prefix and module name suffix.

   file
       A path to a shared library file with the module implementation.

       WARNING:
          If the path is not absolute, the library is searched in the set of system directories. See man dlopen for more details.

       Default: ${libdir}/knot/modules-${version}/module_name.so (or ${path}/module_name.so if configured with --with-moduledir=path)

SERVER SECTION

       General options related to the server.

          server:
              identity: [STR]
              version: [STR]
              nsid: [STR|HEXSTR]
              rundir: STR
              user: STR[:STR]
              pidfile: STR
              udp-workers: INT
              tcp-workers: INT
              background-workers: INT
              async-start: BOOL
              tcp-idle-timeout: TIME
              tcp-io-timeout: INT
              tcp-remote-io-timeout: INT
              tcp-max-clients: INT
              tcp-reuseport: BOOL
              udp-max-payload: SIZE
              udp-max-payload-ipv4: SIZE
              udp-max-payload-ipv6: SIZE
              edns-client-subnet: BOOL
              answer-rotation: BOOL
              listen: ADDR[@INT] ...

       CAUTION:
          When you change configuration parameters dynamically or via configuration file reload, some parameters in the Server section require restarting the Knot server so that the change takes effect. See below for the details.

   identity
       An identity of the server returned in the response to the query for TXT record id.server. or hostname.bind. in the CHAOS class (RFC 4892). Set to an empty value to disable.

       Default: FQDN hostname

   version
       A version of the server software returned in the response to the query for TXT record version.server. or version.bind. in the CHAOS class (RFC 4892). Set to an empty value to disable.

       Default: server version

   nsid
       A DNS name server identifier (RFC 5001). Set to an empty value to disable.

       Default: FQDN hostname

   rundir
       A path for storing run-time data (PID file, unix sockets, etc.).

       Depending on the usage of this parameter, its change may require restart of the Knot server to take effect.

       Default: ${localstatedir}/run/knot (configured with --with-rundir=path)

   user
       A system user with an optional system group (user:group) under which the server is run after starting and binding to interfaces. Linux capabilities are employed if supported.

       Change of this parameter requires restart of the Knot server to take effect.

       Default: root:root

   pidfile
       A PID file location.

       Change of this parameter requires restart of the Knot server to take effect.

       Default: rundir/knot.pid

   udp-workers
       A number of UDP workers (threads) used to process incoming queries over UDP.

       Change of this parameter requires restart of the Knot server to take effect.

       Default: equal to the number of online CPUs

   tcp-workers
       A number of TCP workers (threads) used to process incoming queries over TCP.

       Change of this parameter requires restart of the Knot server to take effect.

       Default: equal to the number of online CPUs, default value is at least 10

   background-workers
       A number of workers (threads) used to execute background operations (zone loading, zone updates, etc.).

       Change of this parameter requires restart of the Knot server to take effect.

       Default: equal to the number of online CPUs, default value is at most 10

   async-start
       If enabled, the server doesn't wait for the zones to be loaded and starts responding immediately with SERVFAIL answers until the zone loads.

       Default: off

   tcp-idle-timeout
       Maximum idle time (in seconds) between requests on an inbound TCP connection. It means if there is no activity on an inbound TCP connection during this limit, the connection is closed by the server.

       Minimum: 1 s

       Default: 10 s

   tcp-io-timeout
       Maximum time (in milliseconds) to receive or send one DNS message over an inbound TCP connection. It means this limit applies to normal DNS queries and replies, incoming DDNS, and outgoing zone transfers. The timeout is measured since some data is already available for processing. Set to 0 for infinity.

       Default: 500 ms

       CAUTION:
          In order to reduce the risk of Slow Loris attacks, it's recommended to set this limit as low as possible on public servers.

   tcp-remote-io-timeout
       Maximum time (in milliseconds) to receive or send one DNS message over an outbound TCP connection which has already been established to a configured remote server. It means this limit applies to incoming zone transfers, sending NOTIFY, DDNS forwarding, and DS check or push. This timeout includes the time needed for a network round-trip and for a query processing by the remote. Set to 0 for infinity.

       Default: 5000 ms

   tcp-reuseport
       If enabled, each TCP worker listens on its own socket and the OS kernel socket load balancing is employed using SO_REUSEPORT (or SO_REUSEPORT_LB on FreeBSD). Due to the lack of one shared socket, the server can offer a higher response rate when processing over TCP. However, in the case of time-consuming requests (e.g. zone transfers of a TLD zone), enabled reuseport may result in client requests being delayed or not answered at all. So it is advisable to use this option on slave servers.

       Change of this parameter requires restart of the Knot server to take effect.

       Default: off

   tcp-max-clients
       A maximum number of TCP clients connected in parallel; set this below the file descriptor limit to avoid resource exhaustion.

       NOTE:
          It is advisable to adjust the maximum number of open files per process in your operating system configuration.

       Default: one half of the file descriptor limit for the server process

   udp-max-payload
       Maximum EDNS0 UDP payload size default for both IPv4 and IPv6.

       Default: 1232

   udp-max-payload-ipv4
       Maximum EDNS0 UDP payload size for IPv4.

       Default: 1232

   udp-max-payload-ipv6
       Maximum EDNS0 UDP payload size for IPv6.

       Default: 1232

   edns-client-subnet
       Enable or disable EDNS Client Subnet support. If enabled, responses to queries containing the EDNS Client Subnet option always contain a valid EDNS Client Subnet option according to RFC 7871.

       Default: off

   answer-rotation
       Enable or disable sorted-rrset rotation in the answer section of normal replies. The rotation shift is simply determined by a query ID.

       Default: off

   listen
       One or more IP addresses where the server listens for incoming queries. Optional port specification (default is 53) can be appended to each address using @ separator. Use 0.0.0.0 for all configured IPv4 addresses or :: for all configured IPv6 addresses. Non-local address binding is automatically enabled if supported by the operating system.

       Change of this parameter requires restart of the Knot server to take effect.

       Default: not set
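
       As an added example (not from the Knot DNS manual or project), the server items above combined into a hardened profile for a public authoritative server; the listen addresses, the knot:knot account and the limit values are assumptions.

```yaml
# Added example (not from the Knot DNS man page): a server section for a
# public-facing authoritative server. Addresses, account and limits are
# illustrative assumptions.
server:
    # Weak defaults this block overrides: identity, version and nsid default
    # to the FQDN hostname and the software version, which answers CHAOS
    # class queries (RFC 4892 / RFC 5001) with exactly what is running.
    # An empty value disables each of them.
    identity: ""
    version: ""
    nsid: ""

    # Default is root:root. Drop to an unprivileged account after binding;
    # Linux capabilities are used where supported. Restart required to change.
    user: knot:knot

    # Inbound TCP limits. tcp-io-timeout is an INT in milliseconds, while
    # tcp-idle-timeout is a TIME value (minimum 1 s). The manual advises
    # keeping tcp-io-timeout as low as possible on public servers because
    # of Slow Loris style connection holding.
    tcp-idle-timeout: 5s
    tcp-io-timeout: 200
    # Keep well below the process file-descriptor limit (ulimit -n); the
    # default is one half of that limit.
    tcp-max-clients: 4096

    # Outbound TCP (transfers from masters, NOTIFY, DS check/push): 5000 ms
    # is the default, restated here so a reviewer sees the budget.
    tcp-remote-io-timeout: 5000

    # tcp-reuseport trades fairness for throughput; the manual recommends it
    # for slave servers, so a primary serving large transfers leaves it off.
    tcp-reuseport: off

    # 1232 is the default and avoids IP fragmentation of UDP answers.
    udp-max-payload: 1232

    # Bind explicit addresses rather than 0.0.0.0 / :: so that management
    # interfaces are not exposed by accident. Port is appended with @.
    listen: [192.0.2.53@53, 2001:db8::53@53]
```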

KEY SECTION

       Shared TSIG keys used to authenticate communication with the server.

          key:
            - id: DNAME
              algorithm: hmac-md5 | hmac-sha1 | hmac-sha224 | hmac-sha256 | hmac-sha384 | hmac-sha512
              secret: BASE64

   id
       A key name identifier.

       NOTE:
          This value MUST be exactly the same as the name of the TSIG key on the opposite master/slave server(s).

   algorithm
       A TSIG key algorithm. See TSIG Algorithm Numbers.

       Possible values:

       · hmac-md5

       · hmac-sha1

       · hmac-sha224

       · hmac-sha256

       · hmac-sha384

       · hmac-sha512

       Default: not set

   secret
       Shared key secret.

       Default: not set

ACL SECTION

       Access control list rule definitions. The ACLs are used to match incoming connections to allow or deny the requested operation (zone transfer request, DDNS update, etc.).

          acl:
            - id: STR
              address: ADDR[/INT] | ADDR-ADDR ...
              key: key_id ...
              action: notify | transfer | update ...
              deny: BOOL
              update-type: STR ...
              update-owner: key | zone | name
              update-owner-match: sub-or-equal | equal | sub
              update-owner-name: STR ...

   id
       An ACL rule identifier.

   address
       An ordered list of IP addresses, network subnets, or network ranges. The query must match one of them. Empty value means that address match is not required.

       Default: not set

   key
       An ordered list of references to TSIG keys. The query must match one of them. Empty value means that transaction authentication is not used.

       Default: not set

   action
       An ordered list of allowed (or denied) actions.

       Possible values:

       · notify – Allow incoming notify.

       · transfer – Allow zone transfer.

       · update – Allow zone updates.

       Default: not set

   deny
       If enabled, instead of allowing, deny the specified action, address, key, or combination of these items. If no action is specified, deny all actions.

       Default: off

   update-type
       A list of allowed types of Resource Records in a zone update. Every record in an update must match one of the specified types.

       Default: not set

   update-owner
       This option restricts possible owners of Resource Records in a zone update by comparing them to either the TSIG key identity, the current zone name, or to a list of domain names given by the update-owner-name option. The comparison method is given by the update-owner-match option.

       Possible values:

       · key – The owner of each updated RR must match the identity of the TSIG key if used.

       · name – The owner of each updated RR must match at least one name in the update-owner-name list.

       · zone – The owner of each updated RR must match the current zone name.

       Default: not set

   update-owner-match
       This option defines how the owners of Resource Records in an update are matched to the domain name(s) set by the update-owner option.

       Possible values:

       · sub-or-equal – The owner of each Resource Record in an update must either be equal to or be a subdomain of at least one domain set by update-owner.

       · equal – The owner of each updated RR must be equal to at least one domain set by update-owner.

       · sub – The owner of each updated RR must be a subdomain of, but MUST NOT be equal to, at least one domain set by update-owner.

       Default: sub-or-equal

   update-owner-name
       A list of allowed owners of RRs in a zone update used with update-owner set to name.

       Default: not set

CONTROL SECTION

       Configuration of the server control interface.

          control:
              listen: STR
              timeout: TIME

   listen
       A UNIX socket path where the server listens for control commands.

       Default: rundir/knot.sock

   timeout
       Maximum time (in seconds) the control socket operations can take. Set to 0 for infinity.

       Default: 5

STATISTICS SECTION

       Periodic server statistics dumping.

          statistics:
              timer: TIME
              file: STR
              append: BOOL

   timer
       A period after which all available statistics metrics will be written to the file.

       Default: not set

   file
       A file path of statistics output in the YAML format.

       Default: rundir/stats.yaml

   append
       If enabled, the output will be appended to the file instead of replacing it.

       Default: off

DATABASE SECTION

       Configuration of databases for zone contents, DNSSEC metadata, or event timers.

          database:
              storage: STR
              journal-db: STR
              journal-db-mode: robust | asynchronous
              journal-db-max-size: SIZE
              kasp-db: STR
              kasp-db-max-size: SIZE
              timer-db: STR
              timer-db-max-size: SIZE

   storage
       A data directory for storing journal, KASP, and timer databases.

       Default: ${localstatedir}/lib/knot (configured with --with-storage=path)

   journal-db
       An explicit specification of the persistent journal database directory. Non-absolute path (i.e. not starting with /) is relative to storage.

       Default: storage/journal

   journal-db-mode
       Specifies journal LMDB backend configuration, which influences performance and durability.

       Possible values:

       · robust – The journal database disk synchronization ensures database durability but is generally slower.

       · asynchronous – The journal database disk synchronization is optimized for better performance at the expense of lower database durability in the case of a crash. This mode is recommended on slave nodes with many zones.

       Default: robust

   journal-db-max-size
       The hard limit for the journal database maximum size. There is no cleanup logic in the journal to recover from reaching this limit. The journal simply starts refusing changes across all zones. Decreasing this value has no effect if it is lower than the actual database file size.

       It is recommended to limit journal-max-usage per zone instead of journal-db-max-size in most cases. Please keep this value larger than the sum of all zones' journal usage limits. See more details regarding journal behaviour.

       NOTE:
          This value also influences the server's usage of virtual memory.

       Default: 20 GiB (512 MiB for 32-bit)

   kasp-db
       An explicit specification of the KASP database directory. Non-absolute path (i.e. not starting with /) is relative to storage.

       Default: storage/keys

   kasp-db-max-size
       The hard limit for the KASP database maximum size.

       NOTE:
          This value also influences the server's usage of virtual memory.

       Default: 500 MiB

   timer-db
       An explicit specification of the persistent timer database directory. Non-absolute path (i.e. not starting with /) is relative to storage.

       Default: storage/timers

   timer-db-max-size
       The hard limit for the timer database maximum size.

       NOTE:
          This value also influences the server's usage of virtual memory.

       Default: 100 MiB

KEYSTORE SECTION

       DNSSEC keystore configuration.

          keystore:
            - id: STR
              backend: pem | pkcs11
              config: STR

   id
       A keystore identifier.

   backend
       A key storage backend type.

       Possible values:

       · pem – PEM files.

       · pkcs11 – PKCS #11 storage.

       Default: pem

   config
       A backend specific configuration. A directory with PEM files (the path can be specified as a relative path to kasp-db) or a configuration string for PKCS #11 storage (<pkcs11-url> <module-path>).

       NOTE:
          Example configuration string for PKCS #11:

              "pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"

       Default: kasp-db/keys

SUBMISSION SECTION

       Parameters of KSK submission checks.

          submission:
            - id: STR
              parent: remote_id ...
              check-interval: TIME
              timeout: TIME

   id
       A submission identifier.

   parent
       A list of references to the parent's DNS servers to be checked for presence of corresponding DS records in the case of KSK submission. All of them must have a corresponding DS for the rollover to continue. If none is specified, the rollover must be pushed forward manually.

       Default: not set

       TIP:
          A DNSSEC-validating resolver can be set as a parent.

   check-interval
       Interval for periodic checks of DS presence on the parent's DNS servers, in the case of the KSK submission.

       Default: 1 hour

   timeout
       After this time period (in seconds) the KSK submission is automatically considered successful, even if all the checks were negative or no parents are configured. Set to 0 for infinity.

       Default: 0

POLICY SECTION

       DNSSEC policy configuration.

          policy:
            - id: STR
              keystore: STR
              manual: BOOL
              single-type-signing: BOOL
              algorithm: rsasha1 | rsasha1-nsec3-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384 | ed25519 | ed448
              ksk-size: SIZE
              zsk-size: SIZE
              ksk-shared: BOOL
              dnskey-ttl: TIME
              zone-max-ttl: TIME
              zsk-lifetime: TIME
              ksk-lifetime: TIME
              propagation-delay: TIME
              rrsig-lifetime: TIME
              rrsig-refresh: TIME
              rrsig-pre-refresh: TIME
              nsec3: BOOL
              nsec3-iterations: INT
              nsec3-opt-out: BOOL
              nsec3-salt-length: INT
              nsec3-salt-lifetime: TIME
              signing-threads: INT
              ksk-submission: submission_id
              ds-push: remote_id
              cds-cdnskey-publish: none | delete-dnssec | rollover | always | double-ds
              offline-ksk: BOOL

   id
       A policy identifier.

   keystore
       A reference to a keystore holding private key material for zones.

       Default: an imaginary keystore with all default values

       NOTE:
          A configured keystore called "default" won't be used unless explicitly referenced.

   manual
       If enabled, automatic key management is not used.

       Default: off

   single-type-signing
       If enabled, Single-Type Signing Scheme is used in the automatic key management mode.

       Default: off

   algorithm
       An algorithm of signing keys and issued signatures. See DNSSEC Algorithm Numbers.

       Possible values:

       · rsasha1

       · rsasha1-nsec3-sha1

       · rsasha256

       · rsasha512

       · ecdsap256sha256

       · ecdsap384sha384

       · ed25519

       · ed448

       NOTE:
          Ed25519 algorithm is only available if compiled with GnuTLS 3.6.0+.

          Ed448 algorithm is only available if compiled with GnuTLS 3.6.12+ and Nettle 3.6+.

       Default: ecdsap256sha256

   ksk-size
       A length of newly generated KSK or CSK keys.

       Default: 2048 (rsa*), 256 (ecdsap256), 384 (ecdsap384), 256 (ed25519), 456 (ed448)

   zsk-size
       A length of newly generated ZSK keys.

       Default: see default for ksk-size

   ksk-shared
       If enabled, all zones with this policy assigned will share one KSK.

       Default: off

   dnskey-ttl
       A TTL value for DNSKEY records added into zone apex.

       NOTE:
          Has influence over ZSK key lifetime.

       WARNING:
          Ensure all DNSKEYs with updated TTL are propagated before any subsequent DNSKEY rollover starts.

       Default: zone SOA TTL

   zone-max-ttl
       Declare (override) maximal TTL value among all the records in zone.

       NOTE:
          It's generally recommended to override the maximal TTL computation by setting this explicitly whenever possible. It's required for DNSSEC Offline KSK and really reasonable when records are generated dynamically (e.g. by a module).

       Default: computed after zone is loaded

   zsk-lifetime
       A period between ZSK activation and the next rollover initiation.

       NOTE:
          More exactly, this period is measured since a ZSK is activated, and after this, a new ZSK is generated to replace it within the following rollover.

          ZSK key lifetime is also influenced by propagation-delay and dnskey-ttl.

          Zero (aka infinity) value causes no ZSK rollover as a result.

       Default: 30 days

   ksk-lifetime
       A period between KSK activation and the next rollover initiation.

       NOTE:
          KSK key lifetime is also influenced by propagation-delay, dnskey-ttl, and KSK submission delay.

          Zero (aka infinity) value causes no KSK rollover as a result.

          This applies for CSK lifetime if single-type-signing is enabled.

       Default: 0

   propagation-delay
       An extra delay added for each key rollover step. This value should be high enough to cover propagation of data from the master server to all slaves.

       NOTE:
          Has influence over ZSK key lifetime.

       Default: 1 hour

   rrsig-lifetime
       A validity period of newly issued signatures.

       NOTE:
          The RRSIG's signature inception time is set to 90 minutes in the past. This time period is not counted to the signature lifetime.

       Default: 14 days

   rrsig-refresh
       The minimum period before a signature expiration at which the signature will be refreshed, in order to prevent expired RRSIGs on slaves or in resolvers' caches.

       Default: 7 days

   rrsig-pre-refresh
       The maximum period before the signature refresh time at which the signature might already be refreshed, in order to refresh RRSIGs in bigger batches on a frequently updated zone (avoiding too frequent re-sign events).

       Default: 1 hour

   nsec3
       Specifies if NSEC3 will be used instead of NSEC.

       Default: off

   nsec3-iterations
       A number of additional times the hashing is performed.

       Default: 5

   nsec3-opt-out
       If set, NSEC3 records won't be created for insecure delegations. This speeds up the zone signing and reduces overall zone size.

       WARNING:
          NSEC3 with the Opt-Out bit set no longer works as a proof of non-existence in this zone.

       Default: off

   nsec3-salt-length
       A length of a salt field in octets, which is appended to the original owner name before hashing.

       Default: 8

   nsec3-salt-lifetime
       A validity period of newly issued salt field.

       Zero value means infinity.

       Default: 30 days

   ksk-submission
       A reference to submission section holding parameters of KSK submission checks.

       Default: not set

   ds-push
       An optional reference to authoritative DNS server of the parent's zone. The remote server must be configured to accept DS record updates via DDNS. Whenever a CDS record in the local zone is changed, the corresponding DS record is sent as a dynamic update (DDNS) to the parent DNS server. All previous DS records are deleted within the DDNS message. It's possible to manage both child and parent zones by the same Knot DNS server.

       NOTE:
          This feature requires cds-cdnskey-publish not to be set to none.

       NOTE:
          Module Onlinesign doesn't support DS push.

       Default: not set

   signing-threads
       When signing zone or update, use this number of threads for parallel signing.

       Those are extra threads independent of Background workers.

       NOTE:
          Some steps of the DNSSEC signing operation are not parallelized.

       Default: 1 (no extra threads)

   cds-cdnskey-publish
       Controls if and how the CDS and CDNSKEY shall be published in the zone.

       Possible values:

       · none – Never publish any CDS or CDNSKEY records in the zone.

       · delete-dnssec – Publish special CDS and CDNSKEY records indicating turning off DNSSEC.

       · rollover – Publish CDS and CDNSKEY records only in the submission phase of KSK rollover.

       · always – Always publish one CDS and one CDNSKEY record for the current KSK.

       · double-ds – Always publish up to two CDS and two CDNSKEY records for ready and/or active KSKs.

       NOTE:
          If the zone keys are managed manually, the CDS and CDNSKEY rrsets may contain more records depending on the keys available.

       Default: rollover

   offline-ksk
       Specifies if Offline KSK feature is enabled.

       Default: off

REMOTE SECTION

       Definitions of remote servers for outgoing connections (source of a zone transfer, target for a notification, etc.).

          remote:
            - id: STR
              address: ADDR[@INT] ...
              via: ADDR[@INT] ...
              key: key_id
              block-notify-after-transfer: BOOL

   id
       A remote identifier.

   address
       An ordered list of destination IP addresses which are used for communication with the remote server. The addresses are tried in sequence until the remote is reached. Optional destination port (default is 53) can be appended to the address using @ separator.

       Default: not set

       NOTE:
          If the remote is contacted and it refuses to perform the requested action, no more addresses will be tried for this remote.

   via
       An ordered list of source IP addresses. The first address with the same family as the destination address is used. Optional source port (default is random) can be appended to the address using @ separator.

       Default: not set

   key
       A reference to the TSIG key which is used to authenticate the communication with the remote server.

       Default: not set

   block-notify-after-transfer
       When an incoming AXFR/IXFR from this remote (as a master) completes, suppress sending NOTIFY messages to all configured slaves.

       Default: off

TEMPLATE SECTION

       A template is a set of shareable zone settings, which can simplify the
       configuration by reducing duplicates. A special default template (with
       the default identifier) can be used for global zone configuration or as
       an implicit configuration if a zone doesn't have another template
       specified.

          template:
            - id: STR
              global-module: STR/STR ...
              # All zone options (excluding 'template' item)

   id
       A template identifier.

   global-module
       An ordered list of references to query modules in the form of
       module_name or module_name/module_id. These modules apply to all
       queries.

       NOTE:
          This option is only available in the default template.

       Default: not set
1000

ZONE SECTION

       Definition of zones served by the server.

          zone:
            - domain: DNAME
              template: template_id
              storage: STR
              file: STR
              master: remote_id ...
              ddns-master: remote_id
              notify: remote_id ...
              acl: acl_id ...
              semantic-checks: BOOL
              disable-any: BOOL
              zonefile-sync: TIME
              zonefile-load: none | difference | difference-no-serial | whole
              journal-content: none | changes | all
              journal-max-usage: SIZE
              journal-max-depth: INT
              zone-max-size: SIZE
              dnssec-signing: BOOL
              dnssec-policy: STR
              serial-policy: increment | unixtime | dateserial
              refresh-min-interval: TIME
              refresh-max-interval: TIME
              module: STR/STR ...

   domain
       A zone name identifier.

   template
       A reference to a configuration template.

       Default: not set or default (if the template exists)

   storage
       A data directory for storing zone files.

       Default: ${localstatedir}/lib/knot (configured with --with-storage=path)

   file
       A path to the zone file. A non-absolute path (i.e. not starting with /)
       is relative to storage. It is also possible to use the following
       formatters:

       · %c[N] or %c[N-M] – Means the Nth character or a sequence of
         characters beginning from the Nth and ending with the Mth character
         of the textual zone name (see %s). The indexes are counted from 0
         from the left. All dots (including the terminal one) are considered.
         If the character is not available, the formatter has no effect.

       · %l[N] – Means the Nth label of the textual zone name (see %s). The
         index is counted from 0 from the right (0 ~ TLD). If the label is
         not available, the formatter has no effect.

       · %s – Means the current zone name in the textual representation. The
         zone name doesn't include the terminating dot (the result for the
         root zone is the empty string!).

       · %% – Means the % character.

       WARNING:
          Beware of special characters which are escaped or encoded in the
          \DDD form where DDD is the corresponding decimal ASCII code.

       Default: storage/%s.zone

   master
       An ordered list of references to zone master servers.

       Default: not set

   ddns-master
       A reference to the zone's primary master server. If not specified, the
       first master server is used.

       Default: not set

   notify
       An ordered list of references to remotes to which a notify message is
       sent if the zone changes.

       Default: not set

   acl
       An ordered list of references to ACL rules which can allow or disallow
       zone transfers, updates or incoming notifies.

       Default: not set
   semantic-checks
       If enabled, extra zone semantic checks are turned on.

       Several checks are enabled by default and cannot be turned off. An
       error in the mandatory checks causes the zone not to be loaded. An
       error in the extra checks is logged only.

       Mandatory checks:

       · SOA record missing in the zone (RFC 1034)

       · An extra record together with a CNAME record, except for RRSIG and DS
         (RFC 1034)

       · Multiple CNAME records with the same owner

       · DNAME record having a record under it (RFC 2672)

       Extra checks:

       · Missing NS record at the zone apex

       · Missing glue A or AAAA record

       · Invalid DNSKEY, DS, or NSEC3PARAM record

       · CDS or CDNSKEY inconsistency

       · Missing, invalid, or unverifiable RRSIG record

       · Invalid NSEC(3) record

       · Broken or non-cyclic NSEC(3) chain

       Default: off

   disable-any
       If enabled, all authoritative ANY queries sent over UDP will be
       answered with an empty response and with the TC bit set. Use this
       option to minimize the risk of DNS reflection attacks: a UDP ANY query
       is a small, spoofable request that normally yields a large answer,
       while the TC bit makes a legitimate client retry over TCP.

       Default: off
1134
   zonefile-sync
       The time after which the current zone in memory will be synced with the
       zone file on the disk (see file). The server will serve the latest zone
       even after a restart using the zone journal, but the zone file on the
       disk will only be synced after the zonefile-sync time has expired (or
       after a manual zone flush). This is applicable when the zone is updated
       via IXFR, DDNS or automatic DNSSEC signing. In order to completely
       disable automatic zone file synchronization, set the value to -1. In
       that case, it is still possible to force a manual zone flush using the
       -f option.

       NOTE:
          If you are serving large zones with frequent updates where the
          immediate sync with a zone file is not desirable, increase the
          value.

          With -1 (or a long interval), the journal is the only place where
          the unsynced changes survive a restart; size it accordingly (see
          journal-max-usage) and include it in backups.

       Default: 0 (immediate)

   zonefile-load
       Selects how the zone file contents are applied during zone load.

       Possible values:

       · none – The zone file is not used at all.

       · difference – If the zone contents are already available during server
         start or reload, the difference is computed between them and the
         contents of the zone file. This difference is then checked for
         semantic errors and applied to the current zone contents.

       · difference-no-serial – Same as difference, but the SOA serial in the
         zone file is ignored; the server takes care of incrementing the
         serial automatically.

       · whole – Zone contents are loaded from the zone file.

       When difference is configured and there are no zone contents yet (cold
       start of Knot and no zone contents in the journal), it behaves the same
       way as whole.

       Default: whole
1174
   journal-content
       Selects how the journal shall be used to store the zone and its
       changes.

       Possible values:

       · none – The journal is not used at all.

       · changes – The zone change history is stored in the journal.

       · all – The zone contents and history are stored in the journal.

       Default: changes

   journal-max-usage
       Limits how much space in the journal DB the zone's journal may occupy.

       NOTE:
          The journal DB may grow far above the sum of journal-max-usage
          across all zones, because of DB free space fragmentation.

       Default: 100 MiB

   journal-max-depth
       Maximum history length of the journal.

       Minimum: 2

       Default: 2^64

   zone-max-size
       Maximum size of the zone. The size is measured as the size of the zone
       records in wire format without compression. The limit is enforced for
       incoming zone transfers and dynamic updates.

       For incremental transfers (IXFR), the effective limit for the total
       size of the records in the transfer is twice the configured value.
       However, the final size of the zone must satisfy the configured value.

       NOTE:
          The default is effectively unlimited. On a secondary, set an
          explicit limit so that a compromised or misconfigured master cannot
          exhaust the server's memory with an oversized transfer.

       Default: 2^64
1214
   dnssec-signing
       If enabled, automatic DNSSEC signing for the zone is turned on.

       Default: off

   dnssec-policy
       A reference to a DNSSEC signing policy.

       Default: an imaginary policy with all default values

       NOTE:
          A configured policy called "default" won't be used unless explicitly
          referenced.

   serial-policy
       Specifies how the zone serial is updated after a dynamic update or
       automatic DNSSEC signing. If the serial is already changed by the
       dynamic update, no further change is made.

       Possible values:

       · increment – The serial is incremented according to serial number
         arithmetic.

       · unixtime – The serial is set to the current unix time.

       · dateserial – The 10-digit serial (YYYYMMDDnn) is incremented, the
         first 8 digits match the current ISO date.

       NOTE:
          In the case of unixtime, if the resulting serial is lower than or
          equal to the current zone serial (this happens e.g. in the case of
          migrating from another policy or frequent updates), the serial is
          incremented instead.

          Use dateserial only if you expect less than 100 updates per day per
          zone.

       Default: increment

   refresh-min-interval
       Forced minimum zone refresh interval to avoid flooding the master.

       Default: 2

   refresh-max-interval
       Forced maximum zone refresh interval.

       Default: not set

   module
       An ordered list of references to query modules in the form of
       module_name or module_name/module_id. These modules apply only to the
       current zone queries.

       Default: not set

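       The following complete configuration is an added example; it is not
       part of the Knot DNS manual. It ties the REMOTE, TEMPLATE and ZONE
       sections above (and the cds-cdnskey-publish policy item) together: a
       TSIG-authenticated secondary zone kept entirely in the journal, and a
       locally signed primary zone whose file name is built with the %l and %s
       formatters and whose policy always publishes CDS/CDNSKEY. The key, acl
       and policy blocks use item names (id, algorithm, secret, action) from
       sections of knot.conf(5) not reproduced in this excerpt, mod-stats is
       assumed to be available, the addresses are documentation ranges, and
       the TSIG secret is a dummy value.

```yaml
# Added example, not from the Knot DNS manual. Addresses are documentation
# ranges; the secret is a dummy value, generate a real one with keymgr -t.
key:
  - id: xfr-key
    algorithm: hmac-sha256
    secret: c2VjcmV0LWZvci1leGFtcGxlLW9ubHk=   # dummy, not a real key

acl:
  - id: notify-from-primary         # accept NOTIFY only if address AND key match
    address: [192.0.2.10, 2001:db8::10]
    key: xfr-key
    action: notify
  - id: xfr-to-secondaries          # hand out transfers only to TSIG-signed requests
    key: xfr-key
    action: transfer

remote:
  - id: primary
    address: [192.0.2.10@53, 2001:db8::10@53]   # tried in order until one answers
    via: [198.51.100.5, 2001:db8:1::5]          # fixed source address, chosen by family
    key: xfr-key                                # without it the remote is trusted by address alone
  - id: secondary
    address: 198.51.100.7
    key: xfr-key

policy:
  - id: auto-ksk
    cds-cdnskey-publish: always     # parent can fetch the current KSK's CDS/CDNSKEY at any time

template:
  - id: default                     # implicit template for every zone without one
    storage: /var/lib/knot
    semantic-checks: on             # extra checks are logged; mandatory ones still block the load
    disable-any: on                 # UDP ANY gets an empty TC=1 answer, no amplification payload
    zone-max-size: 100M             # a runaway or hostile transfer cannot exhaust memory
    refresh-min-interval: 60        # never poll the primary more than once a minute
    global-module: mod-stats        # query statistics for all zones (default template only)

zone:
  - domain: example.com             # secondary: contents come only from 'primary'
    master: primary
    acl: notify-from-primary
    zonefile-load: none             # no zone file on disk; the journal holds the whole zone
    journal-content: all

  - domain: example.net             # primary: unsigned file edited by hand, signed by the server
    file: "%l[1]/%s.zone"           # expands to /var/lib/knot/example/example.net.zone
    notify: secondary
    acl: xfr-to-secondaries
    dnssec-signing: on
    dnssec-policy: auto-ksk
    zonefile-load: difference-no-serial   # the server owns the serial; the file's SOA serial is ignored
    zonefile-sync: -1               # signed data lives in the journal; flush with the -f option
    serial-policy: unixtime
```

       The two zones deliberately differ in where the authoritative copy
       lives: the secondary trusts only what it transferred from primary
       (journal-content all, no zone file), while the primary treats the
       hand-edited file as input and keeps the signed result in the journal,
       so a stale or tampered file on disk never silently becomes the served
       zone.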

LOGGING SECTION

       The server can be configured to log to the standard output, the
       standard error output, syslog (or the systemd journal if systemd is
       enabled) or into an arbitrary file.

       There are 6 logging severity levels:

       · critical – Non-recoverable error resulting in server shutdown.

       · error – Recoverable error, action should be taken.

       · warning – Warning that might require user action.

       · notice – Server notice or hint.

       · info – Informational message.

       · debug – Debug or detailed message.

       In the case of a missing log section, warning or more serious messages
       will be logged to both the standard error output and syslog. The info
       and notice messages will be logged to the standard output.

          log:
            - target: stdout | stderr | syslog | STR
              server: critical | error | warning | notice | info | debug
              control: critical | error | warning | notice | info | debug
              zone: critical | error | warning | notice | info | debug
              any: critical | error | warning | notice | info | debug

   target
       A logging output.

       Possible values:

       · stdout – Standard output.

       · stderr – Standard error output.

       · syslog – Syslog or systemd journal.

       · file_name – A specific file.

       With the syslog target, the syslog service is used. However, if Knot
       DNS has been compiled with systemd support and the operating system has
       been booted with systemd, the systemd journal is used for logging
       instead of syslog.

   server
       Minimum severity level for messages related to the general operation of
       the server to be logged.

       Default: not set

   control
       Minimum severity level for messages related to server control to be
       logged.

       Default: not set

   zone
       Minimum severity level for messages related to zones to be logged.

       Default: not set

   any
       Minimum severity level for all message types to be logged.

       Default: not set

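       An added example of the log section (not from the Knot DNS manual)
       that splits the output by purpose: anything from warning up goes to
       syslog or the systemd journal, where host alerting already looks,
       while zone events (transfers, refreshes, signing) are kept at info
       severity in a dedicated file as an audit trail. The file path is an
       assumption; the directory must exist and be writable by the user the
       server runs as.

```yaml
# Added example, not from the Knot DNS manual. The file path is assumed.
log:
  - target: syslog                   # systemd journal on a systemd-booted host
    any: warning                     # problems needing attention, every category

  - target: /var/log/knot/zone.log   # audit trail: transfers, refreshes, signing events
    zone: info

  - target: stderr                   # handy while running the daemon in the foreground
    control: debug                   # control channel activity in detail
```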

AUTHOR

       CZ.NIC Labs <https://www.knot-dns.cz>

COPYRIGHT

       Copyright 2010–2020, CZ.NIC, z.s.p.o.



2.9.3                             2020-03-03                      KNOT.CONF(5)