KNOT.CONF(5)                       Knot DNS                       KNOT.CONF(5)


NAME

       knot.conf - Knot DNS configuration file


DESCRIPTION

       Configuration files for Knot DNS use a simplified YAML format. Simplified
       means that not all of the features are supported.

       For the description of configuration items, we have to declare the
       meaning of the following symbols:

       · INT – Integer

       · STR – Textual string

       · HEXSTR – Hexadecimal string (with 0x prefix)

       · BOOL – Boolean value (on/off or true/false)

       · TIME – Number of seconds, an integer with possible time multiplier
         suffix (s ~ 1, m ~ 60, h ~ 3600 or d ~ 24 * 3600)

       · SIZE – Number of bytes, an integer with possible size multiplier
         suffix (B ~ 1, K ~ 1024, M ~ 1024^2 or G ~ 1024^3)

       · BASE64 – Base64 encoded string

       · ADDR – IPv4 or IPv6 address

       · DNAME – Domain name

       · ... – Multi-valued item, order of the values is preserved

       · [ ] – Optional value

       · | – Choice

       There are 12 main sections (module, server, control, log, statistics,
       keystore, policy, key, acl, remote, template, and zone) and module
       sections with the mod- prefix. Most of the sections (excluding server,
       control, and statistics) are sequences of settings blocks. Each settings
       block begins with a unique identifier, which can be used as a reference
       from other sections (such an identifier must be defined in advance).

       A multi-valued item can be specified either as a YAML sequence:

          address: [10.0.0.1, 10.0.0.2]

       or as more single-valued items each on an extra line:

          address: 10.0.0.1
          address: 10.0.0.2

       If an item value contains spaces or other special characters, it is
       necessary to enclose such a value within double quotes " ".

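       As an added illustration of the format described above (this is example
       code written for this page, not code from Knot DNS or its
       documentation), the following Python parser handles the simplified YAML
       subset the text describes: top-level sections, settings blocks opened by
       "- id:", multi-valued items written either as a [a, b] sequence or as
       repeated lines, double-quoted values, # comments, top-level include, and
       the TIME and SIZE suffixes. The sample configuration embedded in it is
       constructed for the example (the TSIG secret is a placeholder), and the
       parser checks syntax only, not the meaning or validity of the items.

```python
import re

# Multipliers for the TIME and SIZE value types from the symbol list above.
_TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 24 * 3600}
_SIZE_UNITS = {"": 1, "B": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
# Sections that are a single settings block rather than a sequence of blocks.
SINGLE_SECTIONS = {"server", "control", "statistics"}


def parse_scaled(value, units):
    """An integer with an optional one-letter multiplier taken from `units`."""
    match = re.fullmatch(r"(\d+)([A-Za-z]?)", value.strip())
    if not match or match.group(2) not in units:
        raise ValueError(f"invalid scaled value: {value!r}")
    return int(match.group(1)) * units[match.group(2)]


def parse_time(value):
    """TIME: seconds, accepting the s/m/h/d suffixes."""
    return parse_scaled(value, _TIME_UNITS)


def parse_size(value):
    """SIZE: bytes, accepting the B/K/M/G suffixes."""
    return parse_scaled(value, _SIZE_UNITS)


def _strip_comment(line):
    """Drop a trailing '# ...' comment unless the '#' sits inside double quotes."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            return line[:i]
    return line


def _parse_value(raw):
    """A scalar, a "quoted" scalar, or a flow sequence [a, b]; always a list."""
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        items = re.findall(r'"[^"]*"|[^,\s][^,]*', raw[1:-1])
        return [_parse_value(item)[0] for item in items]
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return [raw[1:-1]]
    return [raw]


def parse_config(text):
    """Parse the simplified YAML subset into {section: [block, ...]} for
    sequence sections and {section: block} for server/control/statistics.
    A block maps an item name to an ordered list of values, so "address: [a, b]"
    and two "address:" lines give the same result and no value is lost."""
    config, section, block = {}, None, None
    for lineno, line in enumerate(text.splitlines(), 1):
        body = _strip_comment(line).strip()
        if not body:
            continue
        if not line[0].isspace():                  # top level: section or include
            name, sep, rest = body.partition(":")
            if not sep:
                raise ValueError(f"line {lineno}: expected 'name:'")
            section = name.strip()
            if section == "include":
                config.setdefault("include", []).extend(_parse_value(rest))
                section = block = None
            elif section in SINGLE_SECTIONS:
                block = config.setdefault(section, {})
            else:
                config.setdefault(section, [])
                block = None
            continue
        if section is None:
            raise ValueError(f"line {lineno}: item outside of any section")
        if body.startswith("- "):                  # "- id: x" opens a new block
            block = {}
            config[section].append(block)
            body = body[2:].strip()
        if block is None:
            raise ValueError(f"line {lineno}: item before the first '- id:' block")
        key, sep, rest = body.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'item: value'")
        block.setdefault(key.strip(), []).extend(_parse_value(rest))
    return config


# Constructed sample configuration for this example, not a real deployment.
SAMPLE_CONF = """\
server:
    rundir: "/run/knot"
    user: knot:knot
    listen: [ 0.0.0.0@53, ::@53 ]

key:
  - id: xfr-key.
    algorithm: hmac-sha256
    secret: cGxhY2Vob2xkZXItbm90LWEtcmVhbC1rZXk=   # placeholder, not a real secret

acl:
  - id: secondaries
    address: 192.0.2.0/24
    address: 2001:db8::/32
    key: xfr-key.
    action: [ transfer, notify ]

zone:
  - domain: example.com.
    acl: secondaries
    zonefile-sync: 1h
    max-zone-size: 4M
"""
```

       Keeping every item as an ordered list is deliberate: a general-purpose
       YAML loader treats the two address: lines of the acl block as a
       duplicate key and silently keeps only the last one, which would drop
       the IPv4 network from the ACL without any error.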

COMMENTS

       A comment begins with a # character and is ignored during processing.
       Also each configuration section or sequence block allows a permanent
       comment using the comment item, which is stored in the server beside the
       configuration.


INCLUDES

       Another configuration file or files, matching a pattern, can be
       included at the top level in the current file. If the path is not
       absolute, then it is considered to be relative to the current file. The
       pattern can be an arbitrary string meeting POSIX glob requirements,
       e.g. dir/*.conf. Matching files are processed in sorted order.

          include: STR


MODULE SECTION

       Dynamic modules loading configuration.

       NOTE:
          If configured with a non-empty `--with-moduledir=path` parameter, all
          shared modules in this directory will be automatically loaded.

          module:
            - id: STR
              file: STR

   id
       A module identifier in the form of the mod- prefix and module name
       suffix.

   file
       A path to a shared library file with the module implementation.

       Default: ${libdir}/knot/modules-${version}/module_name.so (or
       ${path}/module_name.so if configured with --with-moduledir=path)

       WARNING:
          If the path is not absolute, the library is searched for in the set
          of system directories. See man dlopen for more details.


SERVER SECTION

       General options related to the server.

          server:
              identity: [STR]
              version: [STR]
              nsid: [STR|HEXSTR]
              rundir: STR
              user: STR[:STR]
              pidfile: STR
              udp-workers: INT
              tcp-workers: INT
              background-workers: INT
              async-start: BOOL
              tcp-handshake-timeout: TIME
              tcp-idle-timeout: TIME
              tcp-reply-timeout: TIME
              max-tcp-clients: INT
              max-udp-payload: SIZE
              max-ipv4-udp-payload: SIZE
              max-ipv6-udp-payload: SIZE
              edns-client-subnet: BOOL
              answer-rotation: BOOL
              listen: ADDR[@INT] ...

   identity
       An identity of the server returned in the response to the query for TXT
       record id.server. or hostname.bind. in the CHAOS class (RFC 4892). Set
       an empty value to disable.

       Default: FQDN hostname

   version
       A version of the server software returned in the response to the query
       for TXT record version.server. or version.bind. in the CHAOS class (RFC
       4892). Set an empty value to disable.

       Default: server version

   nsid
       A DNS name server identifier (RFC 5001). Set an empty value to disable.

       Default: FQDN hostname

   rundir
       A path for storing run-time data (PID file, unix sockets, etc.).

       Default: ${localstatedir}/run/knot (configured with --with-rundir=path)

   user
       A system user with an optional system group (user:group) under which
       the server is run after starting and binding to interfaces. Linux
       capabilities are employed if supported.

       Default: root:root

   pidfile
       A PID file location.

       Default: rundir/knot.pid

   udp-workers
       A number of UDP workers (threads) used to process incoming queries over
       UDP.

       Default: auto-estimated optimal value based on the number of online
       CPUs

   tcp-workers
       A number of TCP workers (threads) used to process incoming queries over
       TCP.

       Default: auto-estimated optimal value based on the number of online
       CPUs

   background-workers
       A number of workers (threads) used to execute background operations
       (zone loading, zone updates, etc.).

       Default: auto-estimated optimal value based on the number of online
       CPUs

   async-start
       If enabled, the server doesn't wait for the zones to be loaded and
       starts responding immediately with SERVFAIL answers until the zone
       loads.

       Default: off

   tcp-handshake-timeout
       Maximum time between a newly accepted TCP connection and the first
       query. This is useful to disconnect inactive connections faster than
       connections that have already made at least 1 meaningful query.

       Default: 5

   tcp-idle-timeout
       Maximum idle time between requests on a TCP connection. This also
       limits the reception of a single query: each query must be received
       within this time limit.

       Default: 20

   tcp-reply-timeout
       Maximum time to wait for an outgoing connection or for a reply to an
       issued request (SOA, NOTIFY, AXFR...).

       Default: 10

   max-tcp-clients
       A maximum number of TCP clients connected in parallel; set this below
       the file descriptor limit to avoid resource exhaustion.

       Default: 100

   max-udp-payload
       Maximum EDNS0 UDP payload size default for both IPv4 and IPv6.

       Default: 4096

   max-ipv4-udp-payload
       Maximum EDNS0 UDP payload size for IPv4.

       Default: 4096

   max-ipv6-udp-payload
       Maximum EDNS0 UDP payload size for IPv6.

       Default: 4096

   edns-client-subnet
       Enable or disable EDNS Client Subnet support. If enabled, responses to
       queries containing the EDNS Client Subnet option always contain a valid
       EDNS Client Subnet option according to RFC 7871.

       Default: off

   answer-rotation
       Enable or disable sorted-rrset rotation in the answer section of normal
       replies. The rotation shift is simply determined by a query ID.

       Default: off

   listen
       One or more IP addresses where the server listens for incoming queries.
       Optional port specification (default is 53) can be appended to each
       address using the @ separator. Use 0.0.0.0 for all configured IPv4
       addresses or :: for all configured IPv6 addresses.

       Default: not set


KEY SECTION

       Shared TSIG keys used to authenticate communication with the server.

          key:
            - id: DNAME
              algorithm: hmac-md5 | hmac-sha1 | hmac-sha224 | hmac-sha256 | hmac-sha384 | hmac-sha512
              secret: BASE64

   id
       A key name identifier.

       NOTE:
          This value MUST be exactly the same as the name of the TSIG key on
          the opposite master/slave server(s).

   algorithm
       A TSIG key algorithm. See TSIG Algorithm Numbers.

       Possible values:

       · hmac-md5

       · hmac-sha1

       · hmac-sha224

       · hmac-sha256

       · hmac-sha384

       · hmac-sha512

       Default: not set

   secret
       Shared key secret.

       Default: not set


ACL SECTION

       Access control list rule definitions. The ACLs are used to match
       incoming connections to allow or deny the requested operation (zone
       transfer request, DDNS update, etc.).

          acl:
            - id: STR
              address: ADDR[/INT] | ADDR-ADDR ...
              key: key_id ...
              action: notify | transfer | update ...
              deny: BOOL

   id
       An ACL rule identifier.

   address
       An ordered list of IP addresses, network subnets, or network ranges.
       The query must match one of them. An empty value means that address
       match is not required.

       Default: not set

   key
       An ordered list of references to TSIG keys. The query must match one of
       them. An empty value means that transaction authentication is not used.

       Default: not set

   action
       An ordered list of allowed (or denied) actions.

       Possible values:

       · notify – Allow incoming notify.

       · transfer – Allow zone transfer.

       · update – Allow zone updates.

       Default: not set

   deny
       If enabled, instead of allowing, deny the specified action, address,
       key, or combination of these items. If no action is specified, deny all
       actions.

       Default: off

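       The following Python is an added example (not Knot DNS code) of how the
       address, key, action and deny items above combine when a zone's ordered
       ACL list is evaluated for one request. The address matcher covers the
       three forms the schema allows (ADDR, ADDR/INT and ADDR-ADDR). The
       evaluation order is an assumption stated in the docstring: rules are
       tried in the order the zone lists them, the first rule whose address,
       key and action all match decides, and a request matching no rule is
       refused. The rules and addresses are constructed for the example.

```python
import ipaddress


def address_matches(spec, addr):
    """One ACL address entry against one client address: ADDR, ADDR/INT (subnet)
    or ADDR-ADDR (inclusive range). IPv4 and IPv6 never match each other."""
    ip = ipaddress.ip_address(addr)
    if "-" in spec:                                           # ADDR-ADDR range
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return low.version == ip.version and low <= ip <= high
    if "/" in spec:                                           # ADDR/INT subnet
        return ip in ipaddress.ip_network(spec.strip(), strict=False)
    return ip == ipaddress.ip_address(spec.strip())


def acl_allowed(rules, action, addr, key=None):
    """Evaluate the zone's ordered ACL rules for one request.

    Assumed semantics (first match wins): a rule applies when the client address
    matches one of its addresses (or it lists none), the request's TSIG key is
    one of its keys (or it lists none) and the action is one of its actions; a
    deny rule with no action covers every action, while an allow rule with no
    action allows nothing. A matching deny rule refuses the request, a matching
    allow rule permits it, and a request matching no rule is refused.
    """
    for rule in rules:
        addrs, keys = rule.get("address", []), rule.get("key", [])
        actions, deny = rule.get("action", []), rule.get("deny", False)
        if addrs and not any(address_matches(a, addr) for a in addrs):
            continue
        if keys and key not in keys:
            continue
        if actions and action not in actions:
            continue
        if not actions and not deny:
            continue
        return not deny
    return False


# Constructed rules in evaluation order, as a zone's "acl:" list would reference them.
RULES = [
    # deny everything from one host, whatever key it presents
    {"id": "blocked-host", "address": ["192.0.2.66"], "deny": True},
    # secondaries may transfer and notify, but only from these networks and with TSIG
    {"id": "secondaries",
     "address": ["192.0.2.0/24", "2001:db8::1-2001:db8::ff"],
     "key": ["xfr-key."], "action": ["transfer", "notify"]},
    # dynamic updates from anywhere, as long as they carry the DDNS key
    {"id": "updaters", "key": ["ddns-key."], "action": ["update"]},
]


def decisions():
    """Representative decisions for RULES, returned as a dict for inspection."""
    return {
        "secondary-with-key": acl_allowed(RULES, "transfer", "192.0.2.10", "xfr-key."),
        "secondary-no-key": acl_allowed(RULES, "transfer", "192.0.2.10"),
        "blocked-host": acl_allowed(RULES, "transfer", "192.0.2.66", "xfr-key."),
        "v6-in-range": acl_allowed(RULES, "transfer", "2001:db8::7f", "xfr-key."),
        "v6-out-of-range": acl_allowed(RULES, "transfer", "2001:db8::100", "xfr-key."),
        "ddns-anywhere": acl_allowed(RULES, "update", "198.51.100.9", "ddns-key."),
        "ddns-wrong-key": acl_allowed(RULES, "update", "192.0.2.10", "xfr-key."),
    }
```

       The blocked-host rule only has its effect because it is listed first:
       the same deny rule placed after secondaries would never be reached for a
       transfer request that the secondaries rule already allows, so the order
       of the zone's acl list is part of the policy, not just a detail.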

CONTROL SECTION

       Configuration of the server control interface.

          control:
              listen: STR
              timeout: TIME

   listen
       A UNIX socket path where the server listens for control commands.

       Default: rundir/knot.sock

   timeout
       Maximum time the control socket operations can take. Set 0 for
       infinity.

       Default: 5


STATISTICS SECTION

       Periodic server statistics dumping.

          statistics:
              timer: TIME
              file: STR
              append: BOOL

   timer
       A period after which all available statistics metrics will be written
       to the file.

       Default: not set

   file
       A file path of statistics output in the YAML format.

       Default: rundir/stats.yaml

   append
       If enabled, the output will be appended to the file instead of
       replacing the file.

       Default: off


KEYSTORE SECTION

       DNSSEC keystore configuration.

          keystore:
            - id: STR
              backend: pem | pkcs11
              config: STR

   id
       A keystore identifier.

   backend
       A key storage backend type.

       Possible values:

       · pem – PEM files.

       · pkcs11 – PKCS #11 storage.

       Default: pem

   config
       A backend specific configuration. A directory with PEM files (the path
       can be specified as a relative path to kasp-db) or a configuration
       string for PKCS #11 storage (<pkcs11-url> <module-path>).

       NOTE:
          Example configuration string for PKCS #11:

              "pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"

       Default: kasp-db/keys


SUBMISSION SECTION

       Parameters of KSK submission checks.

          submission:
            - id: STR
              parent: remote_id ...
              check-interval: TIME
              timeout: TIME

   id
       A submission identifier.

   parent
       A list of references to the parent's DNS servers to be checked for the
       presence of corresponding DS records in the case of KSK submission. All
       of them must have a corresponding DS for the rollover to continue. If
       none is specified, the rollover must be pushed forward manually.

       Default: not set

       TIP:
          A DNSSEC-validating resolver can be set as a parent.

   check-interval
       Interval for periodic checks of DS presence on the parent's DNS servers,
       in the case of the KSK submission.

       Default: 1 hour

   timeout
       After this period, the KSK submission is automatically considered
       successful, even if all the checks were negative or no parents are
       configured. Set 0 for infinity.

       Default: 0


POLICY SECTION

       DNSSEC policy configuration.

          policy:
            - id: STR
              keystore: STR
              manual: BOOL
              single-type-signing: BOOL
              algorithm: rsasha1 | rsasha1-nsec3-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384 | ed25519
              ksk-size: SIZE
              zsk-size: SIZE
              ksk-shared: BOOL
              dnskey-ttl: TIME
              zsk-lifetime: TIME
              ksk-lifetime: TIME
              propagation-delay: TIME
              rrsig-lifetime: TIME
              rrsig-refresh: TIME
              nsec3: BOOL
              nsec3-iterations: INT
              nsec3-opt-out: BOOL
              nsec3-salt-length: INT
              nsec3-salt-lifetime: TIME
              ksk-submission: submission_id
              cds-cdnskey-publish: none | delete-dnssec | rollover | always

   id
       A policy identifier.

   keystore
       A reference to a keystore holding private key material for zones. A
       special default value can be used for the default keystore settings.

       Default: default

   manual
       If enabled, automatic key management is not used.

       Default: off

   single-type-signing
       If enabled, the Single-Type Signing Scheme is used in the automatic key
       management mode.

       Default: off

   algorithm
       An algorithm of signing keys and issued signatures. See DNSSEC
       Algorithm Numbers.

       Possible values:

       · rsasha1

       · rsasha1-nsec3-sha1

       · rsasha256

       · rsasha512

       · ecdsap256sha256

       · ecdsap384sha384

       · ed25519

       Default: ecdsap256sha256

       NOTE:
          The Ed25519 algorithm is only available when compiled with GnuTLS
          3.6.0+.

   ksk-size
       A length of newly generated KSK or CSK keys.

       Default: 2048 (rsa*), 256 (ecdsap256), 384 (ecdsap384), 256 (ed25519)

   zsk-size
       A length of newly generated ZSK keys.

       Default: see default for ksk-size

   ksk-shared
       If enabled, all zones with this policy assigned will share one KSK.

       Default: off

   dnskey-ttl
       A TTL value for DNSKEY records added into the zone apex.

       Default: zone SOA TTL

       NOTE:
          Has influence over the ZSK key lifetime.

   zsk-lifetime
       A period between ZSK publication and the next rollover initiation.

       Default: 30 days

       NOTE:
          ZSK key lifetime is also influenced by propagation-delay and
          dnskey-ttl.

          A zero (aka infinity) value causes no ZSK rollover as a result.

   ksk-lifetime
       A period between KSK publication and the next rollover initiation.

       Default: 0

       NOTE:
          KSK key lifetime is also influenced by propagation-delay, dnskey-ttl,
          and KSK submission delay.

          A zero (aka infinity) value causes no KSK rollover as a result.

          This applies to the CSK lifetime if single-type-signing is enabled.

   propagation-delay
       An extra delay added for each key rollover step. This value should be
       high enough to cover propagation of data from the master server to all
       slaves.

       Default: 1 hour

       NOTE:
          Has influence over the ZSK key lifetime.

   rrsig-lifetime
       A validity period of newly issued signatures.

       Default: 14 days

   rrsig-refresh
       How long before a signature's expiration the signature will be
       refreshed.

       Default: 7 days

   nsec3
       Specifies if NSEC3 will be used instead of NSEC.

       Default: off

   nsec3-iterations
       A number of additional times the hashing is performed.

       Default: 5

   nsec3-opt-out
       If set, NSEC3 records won't be created for insecure delegations. This
       speeds up the zone signing and reduces overall zone size.

       WARNING:
          NSEC3 with the Opt-Out bit set no longer works as a proof of
          non-existence in this zone.

       Default: off

   nsec3-salt-length
       A length of a salt field in octets, which is appended to the original
       owner name before hashing.

       Default: 8

   nsec3-salt-lifetime
       A validity period of a newly issued salt field.

       Default: 30 days

   ksk-submission
       A reference to a submission section holding parameters of KSK
       submission checks.

       Default: not set

   cds-cdnskey-publish
       Controls whether and how the CDS and CDNSKEY records are published in
       the zone.

       NOTE:
          This only applies if the zone keys are automatically managed by the
          server.

       Possible values:

       · none – Never publish any CDS or CDNSKEY records in the zone.

       · delete-dnssec – Publish special CDS and CDNSKEY records indicating
         turning off DNSSEC.

       · rollover – Publish CDS and CDNSKEY records only in the submission
         phase of KSK rollover.

       · always – Always publish CDS and CDNSKEY records for the current KSK.

       Default: always


REMOTE SECTION

       Definitions of remote servers for outgoing connections (source of a
       zone transfer, target for a notification, etc.).

          remote:
            - id: STR
              address: ADDR[@INT] ...
              via: ADDR[@INT] ...
              key: key_id

   id
       A remote identifier.

   address
       An ordered list of destination IP addresses which are used for
       communication with the remote server. The addresses are tried in
       sequence until the operation is successful. Optional destination port
       (default is 53) can be appended to the address using the @ separator.

       Default: not set

   via
       An ordered list of source IP addresses. The first address with the same
       family as the destination address is used. Optional source port
       (default is random) can be appended to the address using the @
       separator.

       Default: not set

   key
       A reference to the TSIG key which is used to authenticate the
       communication with the remote server.

       Default: not set


TEMPLATE SECTION

       A template is a shareable zone setting which can be used for
       configuration of many zones in one place. A special default template
       (with the default identifier) can be used for global querying
       configuration or as an implicit configuration if a zone doesn't have
       another template specified.

          template:
            - id: STR
              timer-db: STR
              max-timer-db-size: SIZE
              journal-db: STR
              journal-db-mode: robust | asynchronous
              max-journal-db-size: SIZE
              kasp-db: STR
              max-kasp-db-size: SIZE
              global-module: STR/STR ...
              # All zone options (excluding 'template' item)

   id
       A template identifier.

   timer-db
       Specifies a path of the persistent timer database. The path can be
       specified as a relative path to the default template storage.

       NOTE:
          This option is only available in the default template.

       Default: storage/timers

   max-timer-db-size
       Hard limit for the timer database maximum size.

       NOTE:
          This option is only available in the default template.

       Default: 100 MiB

   journal-db
       Specifies a path of the persistent journal database. The path can be
       specified as a relative path to the default template storage.

       NOTE:
          This option is only available in the default template.

       Default: storage/journal

   journal-db-mode
       Specifies journal LMDB backend configuration, which influences
       performance and durability.

       Possible values:

       · robust – The journal DB disk synchronization ensures DB durability but
         is generally slower.

       · asynchronous – The journal DB disk synchronization is optimized for
         better performance at the expense of lower DB durability; this mode
         is recommended only on slave nodes with many zones.

       NOTE:
          This option is only available in the default template.

       Default: robust

   max-journal-db-size
       Hard limit for the common journal DB. There is no cleanup logic in the
       journal to recover from reaching this limit: the journal simply starts
       refusing changes across all zones. Decreasing this value has no effect
       if lower than the actual DB file size.

       It is recommended to limit max-journal-usage per zone instead of
       max-journal-size in most cases. Please keep this value larger than the
       sum of all zones' journal usage limits. See more details regarding
       journal behaviour.

       This value also influences the server's usage of virtual memory.

       NOTE:
          This option is only available in the default template.

       Default: 20 GiB (1 GiB for 32-bit)

   kasp-db
       A KASP database path. A non-absolute path is relative to storage.

       Default: storage/keys

       NOTE:
          This option is only available in the default template.

   max-kasp-db-size
       Hard limit for the KASP database maximum size.

       NOTE:
          This option is only available in the default template.

       Default: 500 MiB

   global-module
       An ordered list of references to query modules in the form of
       module_name or module_name/module_id. These modules apply to all
       queries.

       NOTE:
          This option is only available in the default template.

       Default: not set


ZONE SECTION

       Definition of zones served by the server.

          zone:
            - domain: DNAME
              template: template_id
              storage: STR
              file: STR
              master: remote_id ...
              ddns-master: remote_id
              notify: remote_id ...
              acl: acl_id ...
              semantic-checks: BOOL
              disable-any: BOOL
              zonefile-sync: TIME
              zonefile-load: none | difference | difference-no-serial | whole
              journal-content: none | changes | all
              max-journal-usage: SIZE
              max-journal-depth: INT
              max-zone-size: SIZE
              dnssec-signing: BOOL
              dnssec-policy: STR
              request-edns-option: INT:[HEXSTR]
              serial-policy: increment | unixtime | dateserial
              min-refresh-interval: TIME
              max-refresh-interval: TIME
              module: STR/STR ...

   domain
       A zone name identifier.

   template
       A reference to a configuration template.

       Default: not set or default (if the template exists)

   storage
       A data directory for storing zone files, journal database, and timers
       database.

       Default: ${localstatedir}/lib/knot (configured with --with-storage=path)

   file
       A path to the zone file. A non-absolute path is relative to storage. It
       is also possible to use the following formatters:

       · %c[N] or %c[N-M] – Means the Nth character or a sequence of
         characters beginning from the Nth and ending with the Mth character of
         the textual zone name (see %s). The indexes are counted from 0 from
         the left. All dots (including the terminal one) are considered. If the
         character is not available, the formatter has no effect.

       · %l[N] – Means the Nth label of the textual zone name (see %s). The
         index is counted from 0 from the right (0 ~ TLD). If the label is not
         available, the formatter has no effect.

       · %s – Means the current zone name in the textual representation. The
         zone name doesn't include the terminating dot (the result for the
         root zone is the empty string!).

       · %% – Means the % character.

       WARNING:
          Beware of special characters which are escaped or encoded in the
          \DDD form where DDD is the corresponding decimal ASCII code.

       Default: storage/%s.zone

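       As an added example (written for this page, not Knot DNS code), the
       following Python expands the four file formatters above for a given
       zone name, so the resulting path of a file: value can be checked before
       it is deployed. It follows the rules as stated: %c indexes the textual
       name including the terminal dot, %l counts labels from the right with 0
       being the TLD, %s omits the terminating dot (the root zone gives an
       empty string), and a character or label that is not available expands
       to nothing, which is how "the formatter has no effect" is interpreted
       here (an assumption). The zone names used are constructed.

```python
import re

# One regular expression for all four formatters: %c[N], %c[N-M], %l[N], %s, %%.
_FORMATTER = re.compile(r"%(?:c\[(\d+)(?:-(\d+))?\]|l\[(\d+)\]|s|%)")


def expand_zone_file(pattern, zone):
    """Expand the formatters of a zone 'file' value for `zone` (given with or
    without the terminating dot). Assumption: an unavailable character or label
    expands to the empty string."""
    name = zone if zone.endswith(".") else zone + "."   # textual name, terminal dot kept
    short = name[:-1]                                   # %s: no terminating dot; root -> ""
    labels = [label for label in short.split(".") if label]   # labels, leftmost first

    def replace(match):
        token = match.group(0)
        if token == "%%":
            return "%"
        if token == "%s":
            return short
        if match.group(3) is not None:                  # %l[N], counted from the right
            index = int(match.group(3))
            return labels[-1 - index] if index < len(labels) else ""
        start = int(match.group(1))                     # %c[N] or %c[N-M], inclusive
        end = int(match.group(2)) if match.group(2) is not None else start
        return name[start:end + 1] if start < len(name) else ""

    return _FORMATTER.sub(replace, pattern)


def zone_files(pattern, zones):
    """Expand one pattern for several zones; useful to spot two zones that would
    end up sharing the same file."""
    return {zone: expand_zone_file(pattern, zone) for zone in zones}
```

       A pattern such as %l[0]/%l[1]/%s.zone groups zone files by TLD and
       second-level label, while %c[0]/%s.zone buckets them by the first
       character of the name; in both cases the %s part keeps the file names
       unique, which a pattern built only from %c or %l would not guarantee.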
   master
       An ordered list of references to zone master servers.

       Default: not set

   ddns-master
       A reference to the zone's primary master server. If not specified, the
       first master server is used.

       Default: not set

   notify
       An ordered list of references to remotes to which a notify message is
       sent if the zone changes.

       Default: not set

   acl
       An ordered list of references to ACL rules which can allow or disallow
       zone transfers, updates or incoming notifies.

       Default: not set

   semantic-checks
       If enabled, extra zone semantic checks are turned on.

       Several checks are enabled by default and cannot be turned off. An
       error in mandatory checks causes the zone not to be loaded. An error in
       extra checks is logged only.

       Mandatory checks:

       · SOA record missing in the zone (RFC 1034)

       · An extra record together with CNAME record except for RRSIG and DS
         (RFC 1034)

       · Multiple CNAME records with the same owner

       · DNAME record having a record under it (RFC 2672)

       Extra checks:

       · Missing NS record at the zone apex

       · Missing glue A or AAAA record

       · Invalid DNSKEY, DS, or NSEC3PARAM record

       · CDS or CDNSKEY inconsistency

       · Missing, invalid, or unverifiable RRSIG record

       · Invalid NSEC(3) record

       · Broken or non-cyclic NSEC(3) chain

       Default: off

   disable-any
       If enabled, all authoritative ANY queries sent over UDP will be
       answered with an empty response and with the TC bit set. Use this
       option to minimize the risk of DNS reflection attacks.

       Default: off

   zonefile-sync
       The time after which the current zone in memory will be synced with the
       zone file on the disk (see file). The server will serve the latest zone
       even after a restart using the zone journal, but the zone file on the
       disk will only be synced after the zonefile-sync time has expired (or
       after a manual zone flush). This is applicable when the zone is updated
       via IXFR, DDNS or automatic DNSSEC signing. In order to completely
       disable automatic zone file synchronization, set the value to -1. In
       that case, it is still possible to force a manual zone flush using the
       -f option.

       NOTE:
          If you are serving large zones with frequent updates where the
          immediate sync with a zone file is not desirable, increase the value.

       Default: 0 (immediate)

   zonefile-load
       Selects how the zone file contents are applied during zone load.

       Possible values:

       · none – The zone file is not used at all.

       · difference – If the zone contents are already available during server
         start or reload, the difference is computed between them and the
         contents of the zone file. This difference is then checked for
         semantic errors and applied to the current zone contents.

       · difference-no-serial – Same as difference, but the SOA serial in the
         zone file is ignored; the server takes care of incrementing the
         serial automatically.

       · whole – Zone contents are loaded from the zone file.

       When difference is configured and there are no zone contents yet (cold
       start of Knot and no zone contents in the journal), it behaves the same
       way as whole.

       Default: whole

   journal-content
       Selects how the journal shall be used to store the zone and its changes.

       Possible values:

       · none – The journal is not used at all.

       · changes – Zone changes history is stored in the journal.

       · all – Zone contents and history are stored in the journal.

       Default: changes

   max-journal-usage
       Policy for how much space in the journal DB the zone's journal may
       occupy.

       Default: 100 MiB

       NOTE:
          The journal DB may grow far above the sum of max-journal-usage across
          all zones, because of DB free space fragmentation.

   max-journal-depth
       Maximum history length of the journal.

       Minimum: 2

       Default: 2^64

   max-zone-size
       Maximum size of the zone. The size is measured as the size of the zone
       records in wire format without compression. The limit is enforced for
       incoming zone transfers and dynamic updates.

       For incremental transfers (IXFR), the effective limit for the total
       size of the records in the transfer is twice the configured value.
       However, the final size of the zone must satisfy the configured value.

       Default: 2^64

   dnssec-signing
       If enabled, automatic DNSSEC signing for the zone is turned on.

       Default: off

   dnssec-policy
       A reference to a DNSSEC signing policy. A special default value can be
       used for the default policy settings.

       Required

   request-edns-option
       An arbitrary EDNS0 option which is included into a server request
       (AXFR, IXFR, SOA, or NOTIFY). The value is in the
       option_code:option_data format.

       Default: not set

   serial-policy
       Specifies how the zone serial is updated after a dynamic update or
       automatic DNSSEC signing. If the serial is changed by the dynamic
       update, no change is made.

       Possible values:

       · increment – The serial is incremented according to serial number
         arithmetic.

       · unixtime – The serial is set to the current unix time.

       · dateserial – The 10-digit serial (YYYYMMDDnn) is incremented, the
         first 8 digits match the current iso-date.

1040       NOTE:
1041          In case of unixtime, if the resulting serial is lower or equal  than
1042          current zone (this happens e.g. in case of migrating from other pol‐
1043          icy or frequent updates) the serial is incremented instead.
1044
1045          Use dateserial only if you expect less than 100 updates per day  per
1046          zone.
1047
1048       Default: increment
1049
1050   min-refresh-interval
1051       Forced minimum zone refresh interval to avoid flooding master.
1052
1053       Default: 2
1054
1055   max-refresh-interval
1056       Forced maximum zone refresh interval.
1057
1058       Default: not set
1059
1060   module
1061       An  ordered  list  of  references  to query modules in the form of mod‐
1062       ule_name or module_name/module_id. These modules apply only to the cur‐
1063       rent zone queries.
1064
1065       Default: not set
1066

LOGGING SECTION

       The server can be configured to log to standard output, standard error
       output, syslog (or the systemd journal if systemd is enabled), or to an
       arbitrary file.

       There are 6 logging severity levels:

       · critical – Non-recoverable error resulting in server shutdown.

       · error – Recoverable error, action should be taken.

       · warning – Warning that might require user action.

       · notice – Server notice or hint.

       · info – Informational message.

       · debug – Debug messages (must be turned on at compile time).

       If the log section is missing, warning or more serious messages are
       logged to both standard error output and syslog. The info and notice
       messages are logged to standard output.

          log:
            - target: stdout | stderr | syslog | STR
              server: critical | error | warning | notice | info | debug
              control: critical | error | warning | notice | info | debug
              zone: critical | error | warning | notice | info | debug
              any: critical | error | warning | notice | info | debug

   target
       A logging output.

       Possible values:

       · stdout – Standard output.

       · stderr – Standard error output.

       · syslog – Syslog.

       · file_name – A specific file.

   server
       Minimum severity level for messages related to general operation of the
       server that are logged.

       Default: not set

   control
       Minimum severity level for messages related to server control that are
       logged.

       Default: not set

   zone
       Minimum severity level for messages related to zones that are logged.

       Default: not set

   any
       Minimum severity level for all message types that are logged.

       Default: not set
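       The following is an added example log section, not taken from the Knot
       DNS man page or project, showing how the per-category minimum levels
       above combine across several targets: routine operation to syslog, a
       dedicated file that also captures control-channel activity, and only
       errors on standard error. The log file path is an assumption.

```yaml
# Added example; not from the Knot DNS man page or project.
# The file path is an assumption; the file must be writable by the server.
log:
  # Routine operation: everything from info upwards to syslog (or the
  # systemd journal when systemd is enabled).
  - target: syslog
    any: info

  # Zone problems (failed transfers, signing trouble) and every control
  # operation into a separate file, so that the audit trail of who changed
  # what via the control interface does not drown in query-path noise.
  - target: /var/log/knot/audit.log
    zone: warning
    control: info

  # Only errors and worse on stderr, which is what a supervisor usually
  # captures.
  - target: stderr
    any: error
```

       Note that as soon as a log section is present, the implicit defaults
       described above (warnings to stderr and syslog, info to stdout) no
       longer apply, so every severity you still want must be listed in one of
       the targets. The category-specific items (server, control, zone) raise
       or lower the level for that category on a given target independently
       of any.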

AUTHOR

       CZ.NIC Labs <https://www.knot-dns.cz>

       Copyright 2010–2019, CZ.NIC, z.s.p.o.



2.7.6                             2019-01-23                      KNOT.CONF(5)