KNOT.CONF(5)                        Knot DNS                        KNOT.CONF(5)

NAME
knot.conf - Knot DNS configuration file

DESCRIPTION
Configuration files for Knot DNS use a simplified YAML format. Simplified
means that not all of the YAML features are supported.

For the description of configuration items, the following symbols are used:

· INT – Integer

· STR – Textual string

· HEXSTR – Hexadecimal string (with 0x prefix)

· BOOL – Boolean value (on/off or true/false)

· TIME – Number of seconds, an integer with a possible time multiplier
suffix (s ~ 1, m ~ 60, h ~ 3600 or d ~ 24 * 3600)

· SIZE – Number of bytes, an integer with a possible size multiplier
suffix (B ~ 1, K ~ 1024, M ~ 1024^2 or G ~ 1024^3)

· BASE64 – Base64 encoded string

· ADDR – IPv4 or IPv6 address

· DNAME – Domain name

· ... – Multi-valued item, order of the values is preserved

· [ ] – Optional value

· | – Choice

The configuration consists of several fixed sections and optional module
sections. There are 14 fixed sections (module, server, key, acl, control,
statistics, database, keystore, submission, policy, remote, template, zone,
log). Module sections are prefixed with the mod- prefix (e.g. mod-stats).

Most of the sections (e.g. zone) are sequences of settings blocks. Each
settings block begins with a unique identifier, which can be used as a
reference from other sections (such an identifier must be defined in
advance).

A multi-valued item can be specified either as a YAML sequence:

address: [10.0.0.1, 10.0.0.2]

or as several single-valued items, each on its own line:

address: 10.0.0.1
address: 10.0.0.2

If an item value contains spaces or other special characters, it is
necessary to enclose such a value within double quotes " ".
Comments
A comment begins with a # character and is ignored during processing.
Also, each configuration section or sequence block allows a permanent
comment using the comment item, which is stored in the server beside the
configuration.

Includes
Another configuration file, or several files matching a pattern, can be
included at the top level of the current file. If the path is not
absolute, it is considered relative to the current file. The pattern can
be an arbitrary string meeting POSIX glob requirements, e.g. dir/*.conf.
Matching files are processed in sorted order.

include: STR

Module section
Dynamic module loading configuration.

NOTE:
If configured with a non-empty `--with-moduledir=path` parameter, all
shared modules in this directory will be loaded automatically.

module:
  - id: STR
    file: STR

id
A module identifier in the form of the mod- prefix and module name suffix.

file
A path to a shared library file with the module implementation.

WARNING:
If the path is not absolute, the library is searched for in the set of
system directories. See man dlopen for more details.

Default: ${libdir}/knot/modules-${version}/module_name.so (or
${path}/module_name.so if configured with --with-moduledir=path)
Server section
General options related to the server.

server:
    identity: [STR]
    version: [STR]
    nsid: [STR|HEXSTR]
    rundir: STR
    user: STR[:STR]
    pidfile: STR
    udp-workers: INT
    tcp-workers: INT
    background-workers: INT
    async-start: BOOL
    tcp-idle-timeout: TIME
    tcp-io-timeout: INT
    tcp-remote-io-timeout: INT
    tcp-max-clients: INT
    tcp-reuseport: BOOL
    udp-max-payload: SIZE
    udp-max-payload-ipv4: SIZE
    udp-max-payload-ipv6: SIZE
    edns-client-subnet: BOOL
    answer-rotation: BOOL
    listen: ADDR[@INT] ...

CAUTION:
When you change configuration parameters dynamically or via a
configuration file reload, some parameters in the server section require
restarting the Knot server for the change to take effect. See below for
the details.

identity
An identity of the server returned in the response to the query for the
TXT record id.server. or hostname.bind. in the CHAOS class (RFC 4892). Set
to an empty value to disable.

Default: FQDN hostname

version
A version of the server software returned in the response to the query for
the TXT record version.server. or version.bind. in the CHAOS class
(RFC 4892). Set to an empty value to disable.

Default: server version

nsid
A DNS name server identifier (RFC 5001). Set to an empty value to disable.

Default: FQDN hostname

rundir
A path for storing run-time data (PID file, unix sockets, etc.).

Depending on the usage of this parameter, its change may require a restart
of the Knot server to take effect.

Default: ${localstatedir}/run/knot (configured with --with-rundir=path)

user
A system user with an optional system group (user:group) under which the
server is run after starting and binding to interfaces. Linux capabilities
are employed if supported.

Change of this parameter requires a restart of the Knot server to take
effect.

Default: root:root

pidfile
A PID file location.

Change of this parameter requires a restart of the Knot server to take
effect.

Default: rundir/knot.pid

udp-workers
A number of UDP workers (threads) used to process incoming queries over
UDP.

Change of this parameter requires a restart of the Knot server to take
effect.

Default: equal to the number of online CPUs

tcp-workers
A number of TCP workers (threads) used to process incoming queries over
TCP.

Change of this parameter requires a restart of the Knot server to take
effect.

Default: equal to the number of online CPUs, but at least 10

background-workers
A number of workers (threads) used to execute background operations (zone
loading, zone updates, etc.).

Change of this parameter requires a restart of the Knot server to take
effect.

Default: equal to the number of online CPUs, but at most 10

async-start
If enabled, the server doesn't wait for the zones to be loaded and starts
responding immediately with SERVFAIL answers until the zone loads.

Default: off

tcp-idle-timeout
Maximum idle time (in seconds) between requests on an inbound TCP
connection. If there is no activity on an inbound TCP connection during
this limit, the connection is closed by the server.

Minimum: 1 s

Default: 10 s

tcp-io-timeout
Maximum time (in milliseconds) to receive or send one DNS message over an
inbound TCP connection. This limit applies to normal DNS queries and
replies, incoming DDNS, and outgoing zone transfers. The timeout is
measured from the moment some data is already available for processing.
Set to 0 for infinity.

Default: 500 ms

CAUTION:
In order to reduce the risk of Slow Loris attacks, it is recommended to
set this limit as low as possible on public servers.

tcp-remote-io-timeout
Maximum time (in milliseconds) to receive or send one DNS message over an
outbound TCP connection which has already been established to a configured
remote server. This limit applies to incoming zone transfers, sending
NOTIFY, DDNS forwarding, and DS check or push. This timeout includes the
time needed for a network round-trip and for query processing by the
remote. Set to 0 for infinity.

Default: 5000 ms

tcp-reuseport
If enabled, each TCP worker listens on its own socket and the OS kernel
socket load balancing is employed using SO_REUSEPORT (or SO_REUSEPORT_LB
on FreeBSD). Due to the lack of one shared socket, the server can offer a
higher response rate over TCP. However, in the case of time-consuming
requests (e.g. zone transfers of a TLD zone), enabled reuseport may result
in client requests being delayed or left unanswered. So it is advisable to
use this option on slave servers.

Change of this parameter requires a restart of the Knot server to take
effect.

Default: off

tcp-max-clients
A maximum number of TCP clients connected in parallel. Set this below the
file descriptor limit to avoid resource exhaustion.

NOTE:
It is advisable to adjust the maximum number of open files per process in
your operating system configuration.

Default: one half of the file descriptor limit for the server process

udp-max-payload
Default maximum EDNS0 UDP payload size for both IPv4 and IPv6.

Default: 1232

udp-max-payload-ipv4
Maximum EDNS0 UDP payload size for IPv4.

Default: 1232

udp-max-payload-ipv6
Maximum EDNS0 UDP payload size for IPv6.

Default: 1232

edns-client-subnet
Enable or disable EDNS Client Subnet support. If enabled, responses to
queries containing the EDNS Client Subnet option always contain a valid
EDNS Client Subnet option according to RFC 7871.

Default: off

answer-rotation
Enable or disable sorted-rrset rotation in the answer section of normal
replies. The rotation shift is simply determined by the query ID.

Default: off

listen
One or more IP addresses where the server listens for incoming queries. An
optional port specification (default is 53) can be appended to each
address using the @ separator. Use 0.0.0.0 for all configured IPv4
addresses or :: for all configured IPv6 addresses. Non-local address
binding is automatically enabled if supported by the operating system.

Change of this parameter requires a restart of the Knot server to take
effect.

Default: not set

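As an added example (not taken from the man page), the following server
section combines the items described above into a configuration for a
public-facing authoritative server: server identification disabled, root
privileges dropped after binding, and the inbound TCP limits kept tight.
The listen addresses are documentation-range placeholders (RFC 5737 and
RFC 3849), and the worker counts, the client limit, the rundir and the
include pattern are assumptions to be adjusted to the host.

```yaml
# Added example configuration; not part of the knot.conf(5) man page.
# Addresses are documentation-range placeholders; thread counts, limits
# and paths are assumptions for a small dedicated host.
include: conf.d/*.conf            # relative to this file, processed in sorted order

server:
    identity: ""                  # empty value: no answer for id.server./hostname.bind.
    version: ""                   # empty value: no answer for version.server./version.bind.
    nsid: ""                      # empty value: no RFC 5001 NSID option in responses
    user: knot:knot               # drop root after binding port 53 (change needs a restart)
    rundir: /run/knot             # PID file and control socket are created here
    listen: [ 192.0.2.53@53, 2001:db8::53@53 ]
    udp-workers: 4                # worker counts are fixed at start; changes need a restart
    tcp-workers: 10
    background-workers: 2
    async-start: off              # wait for zones; no SERVFAIL window during startup
    tcp-idle-timeout: 10s         # idle inbound TCP connections are closed after 10 s
    tcp-io-timeout: 500           # ms per message on inbound TCP; keep low on public servers
    tcp-remote-io-timeout: 5000   # ms per message on outbound connections to remotes
    tcp-max-clients: 4096         # keep below half of the process file descriptor limit
    tcp-reuseport: off            # leave off where long zone transfers could delay other clients
    udp-max-payload: 1232         # the documented default, stated explicitly
    edns-client-subnet: off
    answer-rotation: off
```

Every value with a "needs a restart" note above (user, rundir, the worker
counts, listen) is only picked up by a full restart, not by a configuration
reload, so such a change should be scheduled as a maintenance step rather
than pushed with the rest of a reload.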
Key section
Shared TSIG keys used to authenticate communication with the server.

key:
  - id: DNAME
    algorithm: hmac-md5 | hmac-sha1 | hmac-sha224 | hmac-sha256 | hmac-sha384 | hmac-sha512
    secret: BASE64

id
A key name identifier.

NOTE:
This value MUST be exactly the same as the name of the TSIG key on the
opposite master/slave server(s).

algorithm
A TSIG key algorithm. See TSIG Algorithm Numbers.

Possible values:

· hmac-md5

· hmac-sha1

· hmac-sha224

· hmac-sha256

· hmac-sha384

· hmac-sha512

Default: not set

secret
Shared key secret.

Default: not set

ACL section
Access control list rule definitions. The ACLs are used to match incoming
connections to allow or deny the requested operation (zone transfer
request, DDNS update, etc.).

acl:
  - id: STR
    address: ADDR[/INT] | ADDR-ADDR ...
    key: key_id ...
    action: notify | transfer | update ...
    deny: BOOL
    update-type: STR ...
    update-owner: key | zone | name
    update-owner-match: sub-or-equal | equal | sub
    update-owner-name: STR ...

id
An ACL rule identifier.

address
An ordered list of IP addresses, network subnets, or network ranges. The
query must match one of them. An empty value means that an address match
is not required.

Default: not set

key
An ordered list of references to TSIG keys. The query must match one of
them. An empty value means that transaction authentication is not used.

Default: not set

action
An ordered list of allowed (or denied) actions.

Possible values:

· notify – Allow incoming notify.

· transfer – Allow zone transfer.

· update – Allow zone updates.

Default: not set

deny
If enabled, instead of allowing, deny the specified action, address, key,
or combination of these items. If no action is specified, deny all
actions.

Default: off

update-type
A list of allowed types of Resource Records in a zone update. Every record
in an update must match one of the specified types.

Default: not set

update-owner
This option restricts possible owners of Resource Records in a zone update
by comparing them to either the TSIG key identity, the current zone name,
or to a list of domain names given by the update-owner-name option. The
comparison method is given by the update-owner-match option.

Possible values:

· key – The owner of each updated RR must match the identity of the TSIG
key if used.

· name – The owner of each updated RR must match at least one name in the
update-owner-name list.

· zone – The owner of each updated RR must match the current zone name.

Default: not set

update-owner-match
This option defines how the owners of Resource Records in an update are
matched to the domain name(s) set by the update-owner option.

Possible values:

· sub-or-equal – The owner of each Resource Record in an update must
either be equal to or be a subdomain of at least one domain set by
update-owner.

· equal – The owner of each updated RR must be equal to at least one
domain set by update-owner.

· sub – The owner of each updated RR must be a subdomain of, but MUST NOT
be equal to, at least one domain set by update-owner.

Default: sub-or-equal

update-owner-name
A list of allowed owners of RRs in a zone update, used with update-owner
set to name.

Default: not set

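As an added example (not taken from the man page), the following key and
acl sections show how the items above combine: a transfer rule that
requires both a source address and a TSIG signature, a notify rule for a
secondary, a DDNS rule scoped by record type and owner name, and an
explicit deny rule. Key names, ACL identifiers, domain names and addresses
are placeholders, and the secrets are dummy Base64 strings (32 zero bytes)
that must be replaced by freshly generated random keys.

```yaml
# Added example configuration; not part of the knot.conf(5) man page.
# Key names, ACL ids, names and addresses are placeholders. The secrets are
# placeholders too (32 zero bytes); generate real ones, e.g. with keymgr -t.
key:
  - id: xfr.example.key.        # MUST be identical to the key name on the peer
    algorithm: hmac-sha256
    secret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
  - id: ddns.example.key.
    algorithm: hmac-sha256
    secret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

acl:
  # Zone transfer: because both address and key are set, the peer must
  # connect from one of these addresses AND sign the request with the key.
  - id: acl_secondary_xfr
    address: [ 198.51.100.2, 2001:db8:2::2 ]
    key: xfr.example.key.
    action: transfer

  # On a secondary: accept NOTIFY only from the primary, and only signed.
  - id: acl_primary_notify
    address: 203.0.113.1
    key: xfr.example.key.
    action: notify

  # DDNS: no address item, so any client holding the key may update, but
  # only A/AAAA/TXT records owned by dyn.example.com. or names below it.
  - id: acl_ddns_dyn
    key: ddns.example.key.
    action: update
    update-type: [ A, AAAA, TXT ]
    update-owner: name
    update-owner-name: [ dyn.example.com. ]
    update-owner-match: sub-or-equal

  # Deny every action from this range regardless of any key. A zone's acl
  # item is an ordered list, so list this rule ahead of the allow rules.
  - id: acl_deny_range
    address: 192.0.2.0/24
    deny: on
```

A zone then references the rules it needs, for example
acl: [ acl_deny_range, acl_secondary_xfr, acl_ddns_dyn ] on a primary and
acl: [ acl_primary_notify ] on a secondary. Leaving the address item out of
a rule, as in acl_ddns_dyn, is deliberate only when the TSIG key alone is
meant to be the credential; for transfers, keeping both conditions limits
what a leaked key can be used for.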
Control section
Configuration of the server control interface.

control:
    listen: STR
    timeout: TIME

listen
A UNIX socket path where the server listens for control commands.

Default: rundir/knot.sock

timeout
Maximum time (in seconds) the control socket operations can take. Set to 0
for infinity.

Default: 5

Statistics section
Periodic server statistics dumping.

statistics:
    timer: TIME
    file: STR
    append: BOOL

timer
A period after which all available statistics metrics will be written to
the file.

Default: not set

file
A file path of the statistics output in the YAML format.

Default: rundir/stats.yaml

append
If enabled, the output will be appended to the file instead of replacing
the file.

Default: off

Database section
Configuration of databases for zone contents, DNSSEC metadata, or event
timers.

database:
    storage: STR
    journal-db: STR
    journal-db-mode: robust | asynchronous
    journal-db-max-size: SIZE
    kasp-db: STR
    kasp-db-max-size: SIZE
    timer-db: STR
    timer-db-max-size: SIZE

storage
A data directory for storing journal, KASP, and timer databases.

Default: ${localstatedir}/lib/knot (configured with --with-storage=path)

journal-db
An explicit specification of the persistent journal database directory. A
non-absolute path (i.e. not starting with /) is relative to storage.

Default: storage/journal

journal-db-mode
Specifies the journal LMDB backend configuration, which influences
performance and durability.

Possible values:

· robust – The journal database disk synchronization ensures database
durability but is generally slower.

· asynchronous – The journal database disk synchronization is optimized
for better performance at the expense of lower database durability in the
case of a crash. This mode is recommended on slave nodes with many zones.

Default: robust

journal-db-max-size
The hard limit for the journal database maximum size. There is no cleanup
logic in the journal to recover from reaching this limit. The journal
simply starts refusing changes across all zones. Decreasing this value has
no effect if it is lower than the actual database file size.

It is recommended to limit journal-max-usage per zone instead of
journal-db-max-size in most cases. Please keep this value larger than the
sum of all zones' journal usage limits. See more details regarding journal
behaviour.

NOTE:
This value also influences the server's usage of virtual memory.

Default: 20 GiB (512 MiB for 32-bit)

kasp-db
An explicit specification of the KASP database directory. A non-absolute
path (i.e. not starting with /) is relative to storage.

Default: storage/keys

kasp-db-max-size
The hard limit for the KASP database maximum size.

NOTE:
This value also influences the server's usage of virtual memory.

Default: 500 MiB

timer-db
An explicit specification of the persistent timer database directory. A
non-absolute path (i.e. not starting with /) is relative to storage.

Default: storage/timers

timer-db-max-size
The hard limit for the timer database maximum size.

NOTE:
This value also influences the server's usage of virtual memory.

Default: 100 MiB

Keystore section
DNSSEC keystore configuration.

keystore:
  - id: STR
    backend: pem | pkcs11
    config: STR

id
A keystore identifier.

backend
A key storage backend type.

Possible values:

· pem – PEM files.

· pkcs11 – PKCS #11 storage.

Default: pem

config
A backend specific configuration. A directory with PEM files (the path can
be specified as a relative path to kasp-db) or a configuration string for
PKCS #11 storage (<pkcs11-url> <module-path>).

NOTE:
Example configuration string for PKCS #11:

"pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"

Default: kasp-db/keys

Submission section
Parameters of KSK submission checks.

submission:
  - id: STR
    parent: remote_id ...
    check-interval: TIME
    timeout: TIME

id
A submission identifier.

parent
A list of references to the parent's DNS servers to be checked for the
presence of corresponding DS records in the case of KSK submission. All of
them must have a corresponding DS for the rollover to continue. If none is
specified, the rollover must be pushed forward manually.

Default: not set

TIP:
A DNSSEC-validating resolver can be set as a parent.

check-interval
Interval for periodic checks of DS presence on the parent's DNS servers,
in the case of the KSK submission.

Default: 1 hour

timeout
After this time period (in seconds) the KSK submission is automatically
considered successful, even if all the checks were negative or no parents
are configured. Set to 0 for infinity.

Default: 0

Policy section
DNSSEC policy configuration.

policy:
  - id: STR
    keystore: STR
    manual: BOOL
    single-type-signing: BOOL
    algorithm: rsasha1 | rsasha1-nsec3-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384 | ed25519 | ed448
    ksk-size: SIZE
    zsk-size: SIZE
    ksk-shared: BOOL
    dnskey-ttl: TIME
    zone-max-ttl: TIME
    zsk-lifetime: TIME
    ksk-lifetime: TIME
    propagation-delay: TIME
    rrsig-lifetime: TIME
    rrsig-refresh: TIME
    rrsig-pre-refresh: TIME
    nsec3: BOOL
    nsec3-iterations: INT
    nsec3-opt-out: BOOL
    nsec3-salt-length: INT
    nsec3-salt-lifetime: TIME
    signing-threads: INT
    ksk-submission: submission_id
    ds-push: remote_id
    cds-cdnskey-publish: none | delete-dnssec | rollover | always | double-ds
    offline-ksk: BOOL

id
A policy identifier.

keystore
A reference to a keystore holding private key material for zones.

Default: an imaginary keystore with all default values

NOTE:
A configured keystore called "default" won't be used unless explicitly
referenced.

manual
If enabled, automatic key management is not used.

Default: off

single-type-signing
If enabled, the Single-Type Signing Scheme is used in the automatic key
management mode.

Default: off

algorithm
An algorithm of signing keys and issued signatures. See DNSSEC Algorithm
Numbers.

Possible values:

· rsasha1

· rsasha1-nsec3-sha1

· rsasha256

· rsasha512

· ecdsap256sha256

· ecdsap384sha384

· ed25519

· ed448

NOTE:
The Ed25519 algorithm is only available if compiled with GnuTLS 3.6.0+.

The Ed448 algorithm is only available if compiled with GnuTLS 3.6.12+ and
Nettle 3.6+.

Default: ecdsap256sha256

ksk-size
A length of newly generated KSK or CSK keys.

Default: 2048 (rsa*), 256 (ecdsap256), 384 (ecdsap384), 256 (ed25519),
456 (ed448)

zsk-size
A length of newly generated ZSK keys.

Default: see the default for ksk-size

ksk-shared
If enabled, all zones with this policy assigned will share one KSK.

Default: off

dnskey-ttl
A TTL value for DNSKEY records added into the zone apex.

NOTE:
Has influence over the ZSK key lifetime.

WARNING:
Ensure all DNSKEYs with an updated TTL are propagated before any
subsequent DNSKEY rollover starts.

Default: zone SOA TTL

zone-max-ttl
Declare (override) the maximal TTL value among all the records in the
zone.

NOTE:
It's generally recommended to override the maximal TTL computation by
setting this explicitly whenever possible. It's required for DNSSEC
Offline KSK and really reasonable when records are generated dynamically
(e.g. by a module).

Default: computed after the zone is loaded

zsk-lifetime
A period between ZSK activation and the next rollover initiation.

NOTE:
More precisely, this period is measured from the moment a ZSK is
activated; once it elapses, a new ZSK is generated to replace it in the
following rollover.

The ZSK key lifetime is also influenced by propagation-delay and
dnskey-ttl.

A zero (aka infinity) value causes no ZSK rollover as a result.

Default: 30 days

ksk-lifetime
A period between KSK activation and the next rollover initiation.

NOTE:
The KSK key lifetime is also influenced by propagation-delay, dnskey-ttl,
and the KSK submission delay.

A zero (aka infinity) value causes no KSK rollover as a result.

This applies to the CSK lifetime if single-type-signing is enabled.

Default: 0

propagation-delay
An extra delay added for each key rollover step. This value should be high
enough to cover propagation of data from the master server to all slaves.

NOTE:
Has influence over the ZSK key lifetime.

Default: 1 hour

rrsig-lifetime
A validity period of newly issued signatures.

NOTE:
The RRSIG's signature inception time is set to 90 minutes in the past.
This time period is not counted towards the signature lifetime.

Default: 14 days

rrsig-refresh
The minimum period before a signature's expiration at which the signature
will be refreshed, in order to prevent expired RRSIGs on slaves or in
resolvers' caches.

Default: 7 days

rrsig-pre-refresh
The maximum period before a signature's refresh time at which the
signature might be refreshed, in order to refresh RRSIGs in bigger batches
on a frequently updated zone (avoiding too frequent re-sign events).

Default: 1 hour

nsec3
Specifies if NSEC3 will be used instead of NSEC.

Default: off

nsec3-iterations
A number of additional times the hashing is performed.

Default: 5

nsec3-opt-out
If set, NSEC3 records won't be created for insecure delegations. This
speeds up the zone signing and reduces the overall zone size.

WARNING:
NSEC3 with the Opt-Out bit set no longer works as a proof of non-existence
in this zone.

Default: off

nsec3-salt-length
A length of the salt field in octets, which is appended to the original
owner name before hashing.

Default: 8

nsec3-salt-lifetime
A validity period of a newly issued salt field.

A zero value means infinity.

Default: 30 days

ksk-submission
A reference to a submission section holding parameters of KSK submission
checks.

Default: not set

ds-push
An optional reference to an authoritative DNS server of the parent zone.
The remote server must be configured to accept DS record updates via DDNS.
Whenever a CDS record in the local zone is changed, the corresponding DS
record is sent as a dynamic update (DDNS) to the parent DNS server. All
previous DS records are deleted within the DDNS message. It's possible to
manage both child and parent zones by the same Knot DNS server.

NOTE:
This feature requires cds-cdnskey-publish not to be set to none.

NOTE:
The Onlinesign module doesn't support DS push.

Default: not set

signing-threads
When signing a zone or an update, use this number of threads for parallel
signing.

These are extra threads, independent of background-workers.

NOTE:
Some steps of the DNSSEC signing operation are not parallelized.

Default: 1 (no extra threads)

cds-cdnskey-publish
Controls whether and how CDS and CDNSKEY records are published in the
zone.

Possible values:

· none – Never publish any CDS or CDNSKEY records in the zone.

· delete-dnssec – Publish special CDS and CDNSKEY records indicating that
DNSSEC is being turned off.

· rollover – Publish CDS and CDNSKEY records only in the submission phase
of a KSK rollover.

· always – Always publish one CDS and one CDNSKEY record for the current
KSK.

· double-ds – Always publish up to two CDS and two CDNSKEY records for
ready and/or active KSKs.

NOTE:
If the zone keys are managed manually, the CDS and CDNSKEY RRsets may
contain more records depending on the keys available.

Default: rollover

offline-ksk
Specifies if the Offline KSK feature is enabled.

Default: off

Remote section
Definitions of remote servers for outgoing connections (source of a zone
transfer, target for a notification, etc.).

remote:
  - id: STR
    address: ADDR[@INT] ...
    via: ADDR[@INT] ...
    key: key_id
    block-notify-after-transfer: BOOL

id
A remote identifier.

address
An ordered list of destination IP addresses which are used for
communication with the remote server. The addresses are tried in sequence
until the remote is reached. An optional destination port (default is 53)
can be appended to the address using the @ separator.

Default: not set

NOTE:
If the remote is contacted and it refuses to perform the requested action,
no more addresses will be tried for this remote.

via
An ordered list of source IP addresses. The first address with the same
family as the destination address is used. An optional source port
(default is random) can be appended to the address using the @ separator.

Default: not set

key
A reference to the TSIG key which is used to authenticate the
communication with the remote server.

Default: not set

block-notify-after-transfer
When an AXFR/IXFR is received from this remote (acting as a master),
suppress sending NOTIFY messages to all configured slaves.

Default: off

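As an added example (not taken from the man page), the keystore,
submission, policy and remote sections above fit together as follows for
an automatically managed, NSEC3-signed zone whose KSK rollover waits for
the DS to appear at the parent. The PKCS #11 configuration string is the
one quoted in the keystore section; the identifiers, addresses and
lifetimes are placeholders chosen for illustration.

```yaml
# Added example configuration; not part of the knot.conf(5) man page.
# Ids, addresses and lifetimes are placeholders; the PKCS #11 string is the
# example given in the keystore section above.
keystore:
  - id: softhsm
    backend: pkcs11
    config: "pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"

remote:
  - id: parent_ns                  # the parent's authoritative servers
    address: [ 203.0.113.10@53, 2001:db8:1::10@53 ]
    via: 192.0.2.53                # source address used for the IPv4 destination
  - id: validating_resolver        # a validating resolver may also act as a parent check
    address: 203.0.113.53

submission:
  - id: parent_ds_check
    parent: [ parent_ns, validating_resolver ]   # all listed parents must show the DS
    check-interval: 10m            # poll more often than the default 1 hour
    timeout: 0                     # 0 = never assume success; wait for the checks to pass

policy:
  - id: ecdsa_hsm
    keystore: softhsm              # must be referenced explicitly, even a keystore named "default"
    algorithm: ecdsap256sha256     # the documented default; 256-bit keys
    ksk-lifetime: 365d             # 0 would disable automatic KSK rollover entirely
    zsk-lifetime: 30d
    dnskey-ttl: 1h                 # influences the effective ZSK lifetime
    zone-max-ttl: 1d               # set explicitly rather than computed at load
    propagation-delay: 1h          # must cover primary-to-secondaries propagation
    rrsig-lifetime: 14d
    rrsig-refresh: 7d
    rrsig-pre-refresh: 1h
    nsec3: on
    nsec3-opt-out: off             # opt-out removes the non-existence proof (see WARNING)
    nsec3-salt-lifetime: 30d
    ksk-submission: parent_ds_check
    cds-cdnskey-publish: rollover  # CDS/CDNSKEY appear only during KSK submission
    # ds-push: parent_ns           # alternative: push the DS by DDNS; needs a key on the remote
```

With timeout: 0 the KSK rollover cannot complete until every listed parent
returns the matching DS, which is the conservative choice: a rollover that
proceeds before the parent has the new DS leaves the zone bogus for
validating resolvers.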
Template section
A template is a set of shareable zone settings, which can simplify the
configuration by reducing duplicates. A special default template (with the
default identifier) can be used for global zone configuration or as an
implicit configuration if a zone doesn't have another template specified.

template:
  - id: STR
    global-module: STR/STR ...
    # All zone options (excluding 'template' item)

id
A template identifier.

global-module
An ordered list of references to query modules in the form of module_name
or module_name/module_id. These modules apply to all queries.

NOTE:
This option is only available in the default template.

Default: not set

1002 Definition of zones served by the server.
1003
1004 zone:
1005 - domain: DNAME
1006 template: template_id
1007 storage: STR
1008 file: STR
1009 master: remote_id ...
1010 ddns-master: remote_id
1011 notify: remote_id ...
1012 acl: acl_id ...
1013 semantic-checks: BOOL
1014 disable-any: BOOL
1015 zonefile-sync: TIME
1016 zonefile-load: none | difference | difference-no-serial | whole
1017 journal-content: none | changes | all
1018 journal-max-usage: SIZE
1019 journal-max-depth: INT
1020 zone-max-size : SIZE
1021 dnssec-signing: BOOL
1022 dnssec-policy: STR
1023 serial-policy: increment | unixtime | dateserial
1024 refresh-min-interval: TIME
1025 refresh-max-interval: TIME
1026 module: STR/STR ...
1027
1028 domain
1029 A zone name identifier.
1030
1031 template
1032 A reference to a configuration template.
1033
1034 Default: not set or default (if the template exists)
1035
1036 storage
1037 A data directory for storing zone files.
1038
1039 Default: ${localstatedir}/lib/knot (configured with --with-stor‐
1040 age=path)
1041
1042 file
1043 A path to the zone file. Non-absolute path (i.e. not starting with /)
1044 is relative to storage. It is also possible to use the following for‐
1045 matters:
1046
1047 · %c[N] or %c[N-M] – Means the Nth character or a sequence of charac‐
1048 ters beginning from the Nth and ending with the Mth character of the
1049 textual zone name (see %s). The indexes are counted from 0 from the
1050 left. All dots (including the terminal one) are considered. If the
1051 character is not available, the formatter has no effect.
1052
1053 · %l[N] – Means the Nth label of the textual zone name (see %s). The
1054 index is counted from 0 from the right (0 ~ TLD). If the label is
1055 not available, the formatter has no effect.
1056
1057 · %s – Means the current zone name in the textual representation. The
1058 zone name doesn't include the terminating dot (the result for the
1059 root zone is the empty string!).
1060
1061 · %% – Means the % character.
1062
1063 WARNING:
1064 Beware of special characters which are escaped or encoded in the
1065 \DDD form where DDD is corresponding decimal ASCII code.
1066
1067 Default: storage/%s.zone
1068
1069 master
1070 An ordered list of references to zone master servers.
1071
1072 Default: not set
1073
1074 ddns-master
1075 A reference to zone primary master server. If not specified, the first
1076 master server is used.
1077
1078 Default: not set
1079
1080 notify
1081 An ordered list of references to remotes to which notify message is
1082 sent if the zone changes.
1083
1084 Default: not set
1085
1086 acl
1087 An ordered list of references to ACL rules which can allow or disallow
1088 zone transfers, updates or incoming notifies.
1089
1090 Default: not set
1091
1092 semantic-checks
1093 If enabled, extra zone semantic checks are turned on.
1094
1095 Several checks are enabled by default and cannot be turned off. An
1096 error in mandatory checks causes zone not to be loaded. An error in
1097 extra checks is logged only.
1098
1099 Mandatory checks:
1100
1101 · SOA record missing in the zone (RFC 1034)
1102
1103 · An extra record together with CNAME record except for RRSIG and DS (‐
1104 RFC 1034)
1105
1106 · Multiple CNAME record with the same owner
1107
1108 · DNAME record having a record under it (RFC 2672)
1109
1110 Extra checks:
1111
1112 · Missing NS record at the zone apex
1113
1114 · Missing glue A or AAAA record
1115
1116 · Invalid DNSKEY, DS, or NSEC3PARAM record
1117
1118 · CDS or CDNSKEY inconsistency
1119
1120 · Missing, invalid, or unverifiable RRSIG record
1121
1122 · Invalid NSEC(3) record
1123
1124 · Broken or non-cyclic NSEC(3) chain
1125
1126 Default: off
1127
1128 disable-any
1129 If enabled, all authoritative ANY queries sent over UDP will be
1130 answered with an empty response and with the TC bit set. Use this
1131 option to minimize the risk of a DNS reflection attack.
1132
1133 Default: off
1134
1135 zonefile-sync
1136 The time after which the current zone in memory will be synced with the
1137 zone file on disk (see file). The server will serve the latest zone
1138 even after a restart, using the zone journal, but the zone file on disk
1139 will only be synced after the zonefile-sync time has expired (or after a
1140 manual zone flush). This applies when the zone is updated via IXFR,
1141 DDNS or automatic DNSSEC signing. To completely disable automatic
1142 zone file synchronization, set the value to -1. In that case, it is
1143 still possible to force a manual zone flush using the -f option.
1144
1145 NOTE:
1146 If you are serving large zones with frequent updates, where an immediate
1147 sync with the zone file is not desirable, increase the value.
1148
1149 Default: 0 (immediate)
1150
1151 zonefile-load
1152 Selects how the zone file contents are applied during zone load.
1153
1154 Possible values:
1155
1156 · none – The zone file is not used at all.
1157
1158 · difference – If the zone contents are already available during server
1159 start or reload, the difference between them and the contents of the
1160 zone file is computed. This difference is then checked for semantic
1161 errors and applied to the current zone contents.
1162
1163 · difference-no-serial – Same as difference, but the SOA serial in the
1164 zone file is ignored; the server takes care of incrementing the
1165 serial automatically.
1166
1167 · whole – Zone contents are loaded from the zone file.
1168
1169 When difference is configured and there are no zone contents yet (cold
1170 start of Knot and no zone contents in the journal), it behaves the same
1171 way as whole.
1172
1173 Default: whole
1174
1175 journal-content
1176 Selects how the journal is used to store the zone and its changes.
1177
1178 Possible values:
1179
1180 · none – The journal is not used at all.
1181
1182 · changes – The zone change history is stored in the journal.
1183
1184 · all – Both the zone contents and the change history are stored in the
journal.
1185
1186 Default: changes
1187
1188 journal-max-usage
1189 Policy for how much space in the journal DB the zone's journal may occupy.
1190
1191 NOTE:
1192 The journal DB may grow far above the sum of journal-max-usage across
1193 all zones because of free-space fragmentation in the DB.
1194
1195 Default: 100 MiB
1196
1197 journal-max-depth
1198 Maximum history length of the journal.
1199
1200 Minimum: 2
1201
1202 Default: 2^64
1203
1204 zone-max-size
1205 Maximum size of the zone. The size is measured as the size of the zone
1206 records in wire format without compression. The limit is enforced for
1207 incoming zone transfers and dynamic updates.
1208
1209 For incremental transfers (IXFR), the effective limit for the total
1210 size of the records in the transfer is twice the configured value.
1211 However, the final size of the zone must still satisfy the configured value.
1212
1213 Default: 2^64
1214
1215 dnssec-signing
1216 If enabled, automatic DNSSEC signing for the zone is turned on.
1217
1218 Default: off
1219
1220 dnssec-policy
1221 A reference to a DNSSEC signing policy.
1222
1223 Default: an imaginary policy with all default values
1224
1225 NOTE:
1226 A configured policy called "default" won't be used unless explicitly
1227 referenced.
1228
1229 serial-policy
1230 Specifies how the zone serial is updated after a dynamic update or
1231 automatic DNSSEC signing. If the serial has already been changed by the
1232 dynamic update itself, no further change is made.
1233
1234 Possible values:
1235
1236 · increment – The serial is incremented according to serial number
1237 arithmetic.
1238
1239 · unixtime – The serial is set to the current unix time.
1240
1241 · dateserial – The 10-digit serial (YYYYMMDDnn) is incremented; the
1242 first 8 digits match the current ISO date.
1243
1244 NOTE:
1245 In the case of unixtime, if the resulting serial is lower than or equal
1246 to the current zone serial (this happens e.g. when migrating from another
1247 policy or with frequent updates), the serial is incremented instead.
1248
1249 Use dateserial only if you expect fewer than 100 updates per day per
1250 zone.
1251
1252 Default: increment
1253
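As an added illustration of the serial-policy rules described above (this is not Knot's own code), the three policies and the fallback from the NOTE are modelled in Python. `now` is an epoch timestamp passed in explicitly so results are reproducible, and the same-day rollover for dateserial is an assumption derived from the description rather than a documented detail.

```python
from datetime import datetime, timezone

# Serial comparison uses RFC 1982 serial number arithmetic, which is what
# "lower than or equal to the current zone serial" means for a 32-bit SOA serial.
MOD = 1 << 32
HALF = 1 << 31


def serial_greater(a: int, b: int) -> bool:
    """True if serial a is greater than serial b under RFC 1982 arithmetic."""
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def serial_increment(s: int) -> int:
    """Increment with 32-bit wraparound (RFC 1982 addition of 1)."""
    return (s + 1) % MOD


def dateserial_today(now: int) -> int:
    """YYYYMMDD00 for the UTC date of the epoch timestamp `now`."""
    day = datetime.fromtimestamp(now, tz=timezone.utc)
    return int(day.strftime("%Y%m%d")) * 100


def next_serial(current: int, policy: str, now: int) -> int:
    """Serial assigned after a change (signing or DDNS) that did not itself
    alter the SOA serial, following the rules in the serial-policy text.
    This is an assumed model, not Knot's implementation."""
    if policy == "increment":
        return serial_increment(current)
    if policy == "unixtime":
        candidate = now
    elif policy == "dateserial":
        today = dateserial_today(now)
        # Same day: bump the two-digit counter; otherwise start today at 00.
        # More than 100 updates on one day pushes the date part into the future,
        # which is the caveat the NOTE gives for dateserial.
        candidate = current + 1 if current // 100 == today // 100 else today
    else:
        raise ValueError(f"unknown serial-policy: {policy}")
    # Fallback from the NOTE: a candidate not greater than the current serial
    # would never trigger a transfer on secondaries, so increment instead.
    if not serial_greater(candidate, current):
        return serial_increment(current)
    return candidate % MOD
```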
1254 refresh-min-interval
1255 Forced minimum zone refresh interval to avoid flooding the master.
1256
1257 Default: 2
1258
1259 refresh-max-interval
1260 Forced maximum zone refresh interval.
1261
1262 Default: not set
1263
1264 module
1265 An ordered list of references to query modules in the form module_name
1266 or module_name/module_id. These modules apply only to queries for the
1267 current zone.
1268
1269 Default: not set
1270
1272 The server can be configured to log to the standard output, the standard
1273 error output, syslog (or the systemd journal if systemd is enabled) or to
1274 an arbitrary file.
1275
1276 There are 6 logging severity levels:
1277
1278 · critical – Non-recoverable error resulting in server shutdown.
1279
1280 · error – Recoverable error, action should be taken.
1281
1282 · warning – Warning that might require user action.
1283
1284 · notice – Server notice or hint.
1285
1286 · info – Informational message.
1287
1288 · debug – Debug or detailed message.
1289
1290 If the log section is missing, messages of severity warning or higher
1291 are logged to both the standard error output and syslog. The info and
1292 notice messages are logged to the standard output.
1293
1294 log:
1295 - target: stdout | stderr | syslog | STR
1296 server: critical | error | warning | notice | info | debug
1297 control: critical | error | warning | notice | info | debug
1298 zone: critical | error | warning | notice | info | debug
1299 any: critical | error | warning | notice | info | debug
1300
1301 target
1302 A logging output.
1303
1304 Possible values:
1305
1306 · stdout – Standard output.
1307
1308 · stderr – Standard error output.
1309
1310 · syslog – Syslog or systemd journal.
1311
1312 · file_name – A specific file.
1313
1314 With the syslog target, the syslog service is used. However, if Knot DNS
1315 has been compiled with systemd support and the operating system has been
1316 booted with systemd, the systemd journal is used for logging instead of syslog.
1317
1318 server
1319 Minimum severity level for messages related to general operation of the
1320 server to be logged.
1321
1322 Default: not set
1323
1324 control
1325 Minimum severity level for messages related to server control to be
1326 logged.
1327
1328 Default: not set
1329
1330 zone
1331 Minimum severity level for messages related to zones to be logged.
1332
1333 Default: not set
1334
1335 any
1336 Minimum severity level for all message types to be logged.
1337
1338 Default: not set
1339
1341 CZ.NIC Labs <https://www.knot-dns.cz>
1342
1344 Copyright 2010–2020, CZ.NIC, z.s.p.o.
1345
1346
1347
1348
1349 2.9.3 2020-03-03 KNOT.CONF(5)