KNOT.CONF(5)                        Knot DNS                        KNOT.CONF(5)



NAME
knot.conf - Knot DNS configuration file

DESCRIPTION
Configuration files for Knot DNS use simplified YAML format. Simplified
means that not all of the features are supported.

For the description of configuration items, we have to declare a meaning
of the following symbols:

· INT – Integer

· STR – Textual string

· HEXSTR – Hexadecimal string (with 0x prefix)

· BOOL – Boolean value (on/off or true/false)

· TIME – Number of seconds, an integer with possible time multiplier
suffix (s ~ 1, m ~ 60, h ~ 3600 or d ~ 24 * 3600)

· SIZE – Number of bytes, an integer with possible size multiplier
suffix (B ~ 1, K ~ 1024, M ~ 1024^2 or G ~ 1024^3)

· BASE64 – Base64 encoded string

· ADDR – IPv4 or IPv6 address

· DNAME – Domain name

· ... – Multi-valued item, order of the values is preserved

· [ ] – Optional value

· | – Choice

There are 12 main sections (module, server, control, log, statistics,
keystore, policy, key, acl, remote, template, and zone) and module
sections with the mod- prefix. Most of the sections (excluding server,
control, and statistics) are sequences of settings blocks. Each settings
block begins with a unique identifier, which can be used as a reference
from other sections (such an identifier must be defined in advance).

A multi-valued item can be specified either as a YAML sequence:

address: [10.0.0.1, 10.0.0.2]

or as more single-valued items each on an extra line:

address: 10.0.0.1
address: 10.0.0.2

If an item value contains spaces or other special characters, it is
necessary to enclose such a value within double quotes " ".

Comments
A comment begins with a # character and is ignored during processing.
Also each configuration section or sequence block allows a permanent
comment using the comment item, which is stored in the server beside the
configuration.

Includes
Another configuration file or files, matching a pattern, can be
included at the top level in the current file. If the path is not
absolute, then it is considered to be relative to the current file. The
pattern can be an arbitrary string meeting POSIX glob requirements,
e.g. dir/*.conf. Matching files are processed in sorted order.

include: STR

Module section
Dynamic modules loading configuration.

NOTE:
If configured with non-empty `--with-moduledir=path` parameter, all
shared modules in this directory will be automatically loaded.

module:
  - id: STR
    file: STR

id
A module identifier in the form of the mod- prefix and module name
suffix.

file
A path to a shared library file with the module implementation.

Default: ${libdir}/knot/modules-${version}/module_name.so (or
${path}/module_name.so if configured with --with-moduledir=path)

WARNING:
If the path is not absolute, the library is searched in the set of
system directories. See man dlopen for more details.

Server section
General options related to the server.

server:
    identity: [STR]
    version: [STR]
    nsid: [STR|HEXSTR]
    rundir: STR
    user: STR[:STR]
    pidfile: STR
    udp-workers: INT
    tcp-workers: INT
    background-workers: INT
    async-start: BOOL
    tcp-handshake-timeout: TIME
    tcp-idle-timeout: TIME
    tcp-reply-timeout: TIME
    max-tcp-clients: INT
    max-udp-payload: SIZE
    max-ipv4-udp-payload: SIZE
    max-ipv6-udp-payload: SIZE
    edns-client-subnet: BOOL
    answer-rotation: BOOL
    listen: ADDR[@INT] ...

identity
An identity of the server returned in the response to the query for TXT
record id.server. or hostname.bind. in the CHAOS class (RFC 4892). Set
empty value to disable.

Default: FQDN hostname

version
A version of the server software returned in the response to the query
for TXT record version.server. or version.bind. in the CHAOS class (RFC
4892). Set empty value to disable.

Default: server version

nsid
A DNS name server identifier (RFC 5001). Set empty value to disable.

Default: FQDN hostname

rundir
A path for storing run-time data (PID file, unix sockets, etc.).

Default: ${localstatedir}/run/knot (configured with --with-rundir=path)

user
A system user with an optional system group (user:group) under which
the server is run after starting and binding to interfaces. Linux
capabilities are employed if supported.

Default: root:root

pidfile
A PID file location.

Default: rundir/knot.pid

udp-workers
A number of UDP workers (threads) used to process incoming queries over
UDP.

Default: auto-estimated optimal value based on the number of online
CPUs

tcp-workers
A number of TCP workers (threads) used to process incoming queries over
TCP.

Default: auto-estimated optimal value based on the number of online
CPUs

background-workers
A number of workers (threads) used to execute background operations
(zone loading, zone updates, etc.).

Default: auto-estimated optimal value based on the number of online
CPUs

async-start
If enabled, the server doesn't wait for the zones to be loaded and starts
responding immediately with SERVFAIL answers until the zone loads.

Default: off

tcp-handshake-timeout
Maximum time between a newly accepted TCP connection and the first query.
This is useful to disconnect inactive connections faster than
connections that already made at least 1 meaningful query.

Default: 5

tcp-idle-timeout
Maximum idle time between requests on a TCP connection. This also
limits the receiving of a single query: each query must be received
within this time limit.

Default: 20

tcp-reply-timeout
Maximum time to wait for an outgoing connection or for a reply to an
issued request (SOA, NOTIFY, AXFR...).

Default: 10

max-tcp-clients
A maximum number of TCP clients connected in parallel; set this below
the file descriptor limit to avoid resource exhaustion.

Default: 100

max-udp-payload
Maximum EDNS0 UDP payload size default for both IPv4 and IPv6.

Default: 4096

max-ipv4-udp-payload
Maximum EDNS0 UDP payload size for IPv4.

Default: 4096

max-ipv6-udp-payload
Maximum EDNS0 UDP payload size for IPv6.

Default: 4096

edns-client-subnet
Enable or disable EDNS Client Subnet support. If enabled, responses to
queries containing the EDNS Client Subnet option always contain a valid
EDNS Client Subnet option according to RFC 7871.

Default: off

answer-rotation
Enable or disable sorted-rrset rotation in the answer section of normal
replies. The rotation shift is simply determined by the query ID.

Default: off

listen
One or more IP addresses where the server listens for incoming queries.
Optional port specification (default is 53) can be appended to each
address using the @ separator. Use 0.0.0.0 for all configured IPv4
addresses or :: for all configured IPv6 addresses.

Default: not set

Key section
Shared TSIG keys used to authenticate communication with the server.

key:
  - id: DNAME
    algorithm: hmac-md5 | hmac-sha1 | hmac-sha224 | hmac-sha256 | hmac-sha384 | hmac-sha512
    secret: BASE64

id
A key name identifier.

NOTE:
This value MUST be exactly the same as the name of the TSIG key on
the opposite master/slave server(s).

algorithm
A TSIG key algorithm. See TSIG Algorithm Numbers.

Possible values:

· hmac-md5

· hmac-sha1

· hmac-sha224

· hmac-sha256

· hmac-sha384

· hmac-sha512

Default: not set

secret
Shared key secret.

Default: not set

ACL section
Access control list rule definitions. The ACLs are used to match
incoming connections to allow or deny the requested operation (zone
transfer request, DDNS update, etc.).

acl:
  - id: STR
    address: ADDR[/INT] | ADDR-ADDR ...
    key: key_id ...
    action: notify | transfer | update ...
    deny: BOOL

id
An ACL rule identifier.

address
An ordered list of IP addresses, network subnets, or network ranges.
The query must match one of them. Empty value means that address match
is not required.

Default: not set

key
An ordered list of references to TSIG keys. The query must match one of
them. Empty value means that transaction authentication is not used.

Default: not set

action
An ordered list of allowed (or denied) actions.

Possible values:

· notify – Allow incoming notify.

· transfer – Allow zone transfer.

· update – Allow zone updates.

Default: not set

deny
If enabled, instead of allowing, deny the specified action, address,
key, or combination of these items. If no action is specified, deny all
actions.

Default: off

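As an added example (not part of this manual and not Knot DNS code), the following Python models how a list of acl rules like the ones above can be evaluated for an incoming request: rules are taken in the order they are listed for the zone, the source address is tested against the ADDR, ADDR/INT and ADDR-ADDR forms, an empty address or key list is read as "not checked", a deny rule with no action denies every action, and the first matching rule decides while no match means the request is refused. The first-match ordering and the treatment of an empty key list are this example's own reading of the text above; the rule set and request values are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed ACL rules mirroring the knot.conf 'acl' items
# (id, address, key, action, deny); lists stand in for YAML sequences.
ACL_RULES: List[Dict] = [
    # Block one misbehaving host; listed first so it wins over the allow below.
    {"id": "deny_broken_slave", "address": ["198.51.100.13"], "deny": True},
    # Zone transfers only from this range and only when signed with slave.key.
    {"id": "xfr_slaves", "address": ["198.51.100.10-198.51.100.20"],
     "key": ["slave.key."], "action": ["transfer"]},
    # Unsigned NOTIFY from the master's IPv6 prefix.
    {"id": "notify_master", "address": ["2001:db8::/32"], "action": ["notify"]},
    # DDNS only from one subnet and only when signed with app.key.
    {"id": "ddns_app", "address": ["192.0.2.0/24"], "key": ["app.key."],
     "action": ["update"]},
]


def address_matches(spec: str, ip) -> bool:
    """Match one acl 'address' entry: ADDR, ADDR/INT (subnet) or ADDR-ADDR (range)."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo.version == ip.version and lo <= ip <= hi
    if "/" in spec:
        # Mixed address families never match (ip_network handles that).
        return ip in ipaddress.ip_network(spec, strict=False)
    return ip == ipaddress.ip_address(spec)


def rule_matches(rule: Dict, ip, key_name: Optional[str], action: str) -> bool:
    """A rule matches when address, key and action all match. Empty address or
    key lists are not checked (assumption based on the item descriptions)."""
    addrs = rule.get("address", [])
    if addrs and not any(address_matches(a, ip) for a in addrs):
        return False
    keys = rule.get("key", [])
    if keys and key_name not in keys:
        return False
    actions = rule.get("action", [])
    if rule.get("deny", False):
        # "If no action is specified, deny all actions."
        return not actions or action in actions
    # An allow rule with no action allows nothing.
    return action in actions


def acl_decide(rules: List[Dict], src: str, key_name: Optional[str],
               action: str) -> Tuple[bool, Optional[str]]:
    """Return (allowed, id of the deciding rule). First matching rule decides;
    no matching rule means the request is refused (assumption)."""
    ip = ipaddress.ip_address(src)
    for rule in rules:
        if rule_matches(rule, ip, key_name, action):
            return (not rule.get("deny", False), rule["id"])
    return (False, None)


if __name__ == "__main__":
    # Constructed requests: (source address, TSIG key name or None, action).
    for src, key, act in [("198.51.100.15", "slave.key.", "transfer"),
                          ("198.51.100.15", None, "transfer"),
                          ("198.51.100.13", "slave.key.", "transfer"),
                          ("2001:db8::1", None, "notify"),
                          ("2001:db8::1", None, "update")]:
        print(f"{src:>16} key={key!s:11} {act:9} -> {acl_decide(ACL_RULES, src, key, act)}")
```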
Control section
Configuration of the server control interface.

control:
    listen: STR
    timeout: TIME

listen
A UNIX socket path where the server listens for control commands.

Default: rundir/knot.sock

timeout
Maximum time the control socket operations can take. Set 0 for
infinity.

Default: 5

Statistics section
Periodic server statistics dumping.

statistics:
    timer: TIME
    file: STR
    append: BOOL

timer
A period after which all available statistics metrics will be written
to the file.

Default: not set

file
A file path of statistics output in the YAML format.

Default: rundir/stats.yaml

append
If enabled, the output will be appended to the file instead of
replacing the file.

Default: off

Keystore section
DNSSEC keystore configuration.

keystore:
  - id: STR
    backend: pem | pkcs11
    config: STR

id
A keystore identifier.

backend
A key storage backend type.

Possible values:

· pem – PEM files.

· pkcs11 – PKCS #11 storage.

Default: pem

config
A backend specific configuration. A directory with PEM files (the path
can be specified as a relative path to kasp-db) or a configuration
string for PKCS #11 storage (<pkcs11-url> <module-path>).

NOTE:
Example configuration string for PKCS #11:

"pkcs11:token=knot;pin-value=1234 /usr/lib64/pkcs11/libsofthsm2.so"

Default: kasp-db/keys

Submission section
Parameters of KSK submission checks.

submission:
  - id: STR
    parent: remote_id ...
    check-interval: TIME
    timeout: TIME

id
A submission identifier.

parent
A list of references to the parent's DNS servers to be checked for the
presence of corresponding DS records in the case of KSK submission. All
of them must have a corresponding DS for the rollover to continue. If
none is specified, the rollover must be pushed forward manually.

Default: not set

TIP:
A DNSSEC-validating resolver can be set as a parent.

check-interval
Interval for periodic checks of DS presence on the parent's DNS servers,
in the case of the KSK submission.

Default: 1 hour

timeout
After this period, the KSK submission is automatically considered
successful, even if all the checks were negative or no parents are
configured. Set 0 for infinity.

Default: 0

Policy section
DNSSEC policy configuration.

policy:
  - id: STR
    keystore: STR
    manual: BOOL
    single-type-signing: BOOL
    algorithm: rsasha1 | rsasha1-nsec3-sha1 | rsasha256 | rsasha512 | ecdsap256sha256 | ecdsap384sha384 | ed25519
    ksk-size: SIZE
    zsk-size: SIZE
    ksk-shared: BOOL
    dnskey-ttl: TIME
    zsk-lifetime: TIME
    ksk-lifetime: TIME
    propagation-delay: TIME
    rrsig-lifetime: TIME
    rrsig-refresh: TIME
    nsec3: BOOL
    nsec3-iterations: INT
    nsec3-opt-out: BOOL
    nsec3-salt-length: INT
    nsec3-salt-lifetime: TIME
    ksk-submission: submission_id
    cds-cdnskey-publish: none | delete-dnssec | rollover | always

id
A policy identifier.

keystore
A reference to a keystore holding private key material for zones. A
special default value can be used for the default keystore settings.

Default: default

manual
If enabled, automatic key management is not used.

Default: off

single-type-signing
If enabled, Single-Type Signing Scheme is used in the automatic key
management mode.

Default: off

algorithm
An algorithm of signing keys and issued signatures. See DNSSEC
Algorithm Numbers.

Possible values:

· rsasha1

· rsasha1-nsec3-sha1

· rsasha256

· rsasha512

· ecdsap256sha256

· ecdsap384sha384

· ed25519

Default: ecdsap256sha256

NOTE:
Ed25519 algorithm is only available when compiled with GnuTLS
3.6.0+.

ksk-size
A length of newly generated KSK or CSK keys.

Default: 2048 (rsa*), 256 (ecdsap256), 384 (ecdsap384), 256 (ed25519)

zsk-size
A length of newly generated ZSK keys.

Default: see default for ksk-size

ksk-shared
If enabled, all zones with this policy assigned will share one KSK.

Default: off

dnskey-ttl
A TTL value for DNSKEY records added into zone apex.

Default: zone SOA TTL

NOTE:
Has influence over ZSK key lifetime.

zsk-lifetime
A period between ZSK publication and the next rollover initiation.

Default: 30 days

NOTE:
ZSK key lifetime is also influenced by propagation-delay and
dnskey-ttl.

Zero (aka infinity) value causes no ZSK rollover as a result.

ksk-lifetime
A period between KSK publication and the next rollover initiation.

Default: 0

NOTE:
KSK key lifetime is also influenced by propagation-delay, dnskey-ttl,
and KSK submission delay.

Zero (aka infinity) value causes no KSK rollover as a result.

This applies to the CSK lifetime if single-type-signing is enabled.

propagation-delay
An extra delay added for each key rollover step. This value should be
high enough to cover propagation of data from the master server to all
slaves.

Default: 1 hour

NOTE:
Has influence over ZSK key lifetime.

rrsig-lifetime
A validity period of newly issued signatures.

Default: 14 days

rrsig-refresh
How long before a signature's expiration the signature will be
refreshed.

Default: 7 days

nsec3
Specifies if NSEC3 will be used instead of NSEC.

Default: off

nsec3-iterations
A number of additional times the hashing is performed.

Default: 5

nsec3-opt-out
If set, NSEC3 records won't be created for insecure delegations. This
speeds up the zone signing and reduces overall zone size.

WARNING:
NSEC3 with the Opt-Out bit set no longer works as a proof of
non-existence in this zone.

Default: off

nsec3-salt-length
A length of the salt field in octets, which is appended to the original
owner name before hashing.

Default: 8

nsec3-salt-lifetime
A validity period of a newly issued salt field.

Default: 30 days

ksk-submission
A reference to a submission section holding parameters of KSK submission
checks.

Default: not set

cds-cdnskey-publish
Controls if and how the CDS and CDNSKEY records are published in the
zone.

NOTE:
This only applies if the zone keys are automatically managed by the
server.

Possible values:

· none – Never publish any CDS or CDNSKEY records in the zone.

· delete-dnssec – Publish special CDS and CDNSKEY records indicating
turning off DNSSEC.

· rollover – Publish CDS and CDNSKEY records only in the submission
phase of KSK rollover.

· always – Always publish CDS and CDNSKEY records for the current KSK.

Default: always

Remote section
Definitions of remote servers for outgoing connections (source of a
zone transfer, target for a notification, etc.).

remote:
  - id: STR
    address: ADDR[@INT] ...
    via: ADDR[@INT] ...
    key: key_id

id
A remote identifier.

address
An ordered list of destination IP addresses which are used for
communication with the remote server. The addresses are tried in
sequence until the operation is successful. Optional destination port
(default is 53) can be appended to the address using the @ separator.

Default: not set

via
An ordered list of source IP addresses. The first address with the same
family as the destination address is used. Optional source port
(default is random) can be appended to the address using the @ separator.

Default: not set

key
A reference to the TSIG key which is used to authenticate the
communication with the remote server.

Default: not set

Template section
A template is a shareable zone setting which can be used for
configuration of many zones in one place. A special default template
(with the default identifier) can be used for global querying
configuration or as an implicit configuration if a zone doesn't have
another template specified.

template:
  - id: STR
    timer-db: STR
    max-timer-db-size: SIZE
    journal-db: STR
    journal-db-mode: robust | asynchronous
    max-journal-db-size: SIZE
    kasp-db: STR
    max-kasp-db-size: SIZE
    global-module: STR/STR ...
    # All zone options (excluding 'template' item)

id
A template identifier.

timer-db
Specifies a path of the persistent timer database. The path can be
specified as a relative path to the default template storage.

NOTE:
This option is only available in the default template.

Default: storage/timers

max-timer-db-size
Hard limit for the timer database maximum size.

NOTE:
This option is only available in the default template.

Default: 100 MiB

journal-db
Specifies a path of the persistent journal database. The path can be
specified as a relative path to the default template storage.

NOTE:
This option is only available in the default template.

Default: storage/journal

journal-db-mode
Specifies journal LMDB backend configuration, which influences
performance and durability.

Possible values:

· robust – The journal DB disk synchronization ensures DB durability but
is generally slower.

· asynchronous – The journal DB disk synchronization is optimized for
better performance at the expense of lower DB durability; this mode
is recommended only on slave nodes with many zones.

NOTE:
This option is only available in the default template.

Default: robust

max-journal-db-size
Hard limit for the common journal DB. There is no cleanup logic in the
journal to recover from reaching this limit: the journal simply starts
refusing changes across all zones. Decreasing this value has no effect
if lower than the actual DB file size.

It is recommended to limit max-journal-usage per zone instead of
max-journal-db-size in most cases. Please keep this value larger than
the sum of all zones' journal usage limits. See more details regarding
journal behaviour.

This value also influences the server's usage of virtual memory.

NOTE:
This option is only available in the default template.

Default: 20 GiB (1 GiB for 32-bit)

kasp-db
A KASP database path. A non-absolute path is relative to storage.

Default: storage/keys

NOTE:
This option is only available in the default template.

max-kasp-db-size
Hard limit for the KASP database maximum size.

NOTE:
This option is only available in the default template.

Default: 500 MiB

global-module
An ordered list of references to query modules in the form of
module_name or module_name/module_id. These modules apply to all
queries.

NOTE:
This option is only available in the default template.

Default: not set

Zone section
Definition of zones served by the server.

zone:
  - domain: DNAME
    template: template_id
    storage: STR
    file: STR
    master: remote_id ...
    ddns-master: remote_id
    notify: remote_id ...
    acl: acl_id ...
    semantic-checks: BOOL
    disable-any: BOOL
    zonefile-sync: TIME
    zonefile-load: none | difference | difference-no-serial | whole
    journal-content: none | changes | all
    max-journal-usage: SIZE
    max-journal-depth: INT
    max-zone-size: SIZE
    dnssec-signing: BOOL
    dnssec-policy: STR
    request-edns-option: INT:[HEXSTR]
    serial-policy: increment | unixtime | dateserial
    min-refresh-interval: TIME
    max-refresh-interval: TIME
    module: STR/STR ...

domain
A zone name identifier.

template
A reference to a configuration template.

Default: not set or default (if the template exists)

storage
A data directory for storing zone files, journal database, and timers
database.

Default: ${localstatedir}/lib/knot (configured with --with-storage=path)

file
A path to the zone file. A non-absolute path is relative to storage. It
is also possible to use the following formatters:

· %c[N] or %c[N-M] – Means the Nth character or a sequence of
characters beginning from the Nth and ending with the Mth character of
the textual zone name (see %s). The indexes are counted from 0 from the
left. All dots (including the terminal one) are considered. If the
character is not available, the formatter has no effect.

· %l[N] – Means the Nth label of the textual zone name (see %s). The
index is counted from 0 from the right (0 ~ TLD). If the label is
not available, the formatter has no effect.

· %s – Means the current zone name in the textual representation. The
zone name doesn't include the terminating dot (the result for the
root zone is the empty string!).

· %% – Means the % character.

WARNING:
Beware of special characters which are escaped or encoded in the
\DDD form where DDD is the corresponding decimal ASCII code.

Default: storage/%s.zone

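To make the formatter rules concrete, here is an added Python implementation of the expansion (example code written for this page, not Knot's own): %s, %c[N], %c[N-M], %l[N] and %% are handled as described above, an index that is not available expands to nothing (this example's reading of "has no effect"), and the \DDD escaping mentioned in the warning is not modelled. The zone names and patterns are constructed.

```python
import re

# One regular expression for the formatters listed in the 'file' item:
# %c[N], %c[N-M], %l[N], %s and %%.
_FORMATTER = re.compile(r"%(?:c\[(\d+)(?:-(\d+))?\]|l\[(\d+)\]|s|%)")


def expand_zone_file(pattern: str, zone_name: str) -> str:
    """Expand a zone 'file' value for zone_name, given as an FQDN with the
    terminating dot ('.' for the root zone)."""
    if not zone_name.endswith("."):
        zone_name += "."
    # %s: textual zone name without the terminating dot (empty for root).
    textual = zone_name[:-1]
    # %l[N]: labels counted from 0 from the right, so index 0 is the TLD.
    labels_from_right = [lbl for lbl in textual.split(".") if lbl][::-1]

    def replace(match) -> str:
        token = match.group(0)
        if token == "%%":
            return "%"
        if token == "%s":
            return textual
        if match.group(3) is not None:                     # %l[N]
            n = int(match.group(3))
            return labels_from_right[n] if n < len(labels_from_right) else ""
        # %c[N] or %c[N-M]: characters counted from 0 from the left over the
        # name including all dots (also the terminal one). Slicing past the
        # end yields '' which is how "the formatter has no effect" is read here.
        start = int(match.group(1))
        end = int(match.group(2)) if match.group(2) is not None else start
        return zone_name[start:end + 1]

    return _FORMATTER.sub(replace, pattern)


if __name__ == "__main__":
    # Constructed patterns; the first one is the documented default.
    for pattern, zone in [("storage/%s.zone", "example.com."),
                          ("storage/%l[0]/%c[0]/%s.zone", "example.com."),
                          ("storage/%c[0-2]/%s.zone", "example.com."),
                          ("storage/%l[3]%s.zone", "example.com."),
                          ("storage/%%s/%s.zone", ".")]:
        print(f"{pattern!r:34} {zone!r:15} -> {expand_zone_file(pattern, zone)!r}")
```

The last line of the demo shows the root-zone case from the warning in %s: the expansion is storage/%s/.zone, with an empty name before ".zone".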
master
An ordered list of references to zone master servers.

Default: not set

ddns-master
A reference to the zone's primary master server. If not specified, the
first master server is used.

Default: not set

notify
An ordered list of references to remotes to which a notify message is
sent if the zone changes.

Default: not set

acl
An ordered list of references to ACL rules which can allow or disallow
zone transfers, updates or incoming notifies.

Default: not set

semantic-checks
If enabled, extra zone semantic checks are turned on.

Several checks are enabled by default and cannot be turned off. An
error in mandatory checks causes the zone not to be loaded. An error in
extra checks is logged only.

Mandatory checks:

· SOA record missing in the zone (RFC 1034)

· An extra record together with CNAME record except for RRSIG and DS
(RFC 1034)

· Multiple CNAME records with the same owner

· DNAME record having a record under it (RFC 2672)

Extra checks:

· Missing NS record at the zone apex

· Missing glue A or AAAA record

· Invalid DNSKEY, DS, or NSEC3PARAM record

· CDS or CDNSKEY inconsistency

· Missing, invalid, or unverifiable RRSIG record

· Invalid NSEC(3) record

· Broken or non-cyclic NSEC(3) chain

Default: off

disable-any
If enabled, all authoritative ANY queries sent over UDP will be
answered with an empty response and with the TC bit set. Use this
option to minimize the risk of DNS reflection attack.

Default: off

zonefile-sync
The time after which the current zone in memory will be synced with a
zone file on the disk (see file). The server will serve the latest zone
even after a restart using the zone journal, but the zone file on the
disk will only be synced after zonefile-sync time has expired (or after
a manual zone flush). This is applicable when the zone is updated via
IXFR, DDNS or automatic DNSSEC signing. In order to completely disable
automatic zone file synchronization, set the value to -1. In that case,
it is still possible to force a manual zone flush using the -f option.

NOTE:
If you are serving large zones with frequent updates where the
immediate sync with a zone file is not desirable, increase the value.

Default: 0 (immediate)

zonefile-load
Selects how the zone file contents are applied during zone load.

Possible values:

· none – The zone file is not used at all.

· difference – If the zone contents are already available during server
start or reload, the difference is computed between them and the
contents of the zone file. This difference is then checked for semantic
errors and applied to the current zone contents.

· difference-no-serial – Same as difference, but the SOA serial in the
zone file is ignored; the server takes care of incrementing the
serial automatically.

· whole – Zone contents are loaded from the zone file.

When difference is configured and there are no zone contents yet (cold
start of Knot and no zone contents in the journal), it behaves the same
way as whole.

Default: whole

journal-content
Selects how the journal shall be used to store the zone and its changes.

Possible values:

· none – The journal is not used at all.

· changes – Zone changes history is stored in the journal.

· all – Zone contents and history are stored in the journal.

Default: changes

max-journal-usage
Policy for how much space in the journal DB the zone's journal may
occupy.

Default: 100 MiB

NOTE:
The journal DB may grow far above the sum of max-journal-usage across
all zones, because of DB free space fragmentation.

max-journal-depth
Maximum history length of the journal.

Minimum: 2

Default: 2^64

max-zone-size
Maximum size of the zone. The size is measured as the size of the zone
records in wire format without compression. The limit is enforced for
incoming zone transfers and dynamic updates.

For incremental transfers (IXFR), the effective limit for the total
size of the records in the transfer is twice the configured value.
However, the final size of the zone must satisfy the configured value.

Default: 2^64

dnssec-signing
If enabled, automatic DNSSEC signing for the zone is turned on.

Default: off

dnssec-policy
A reference to a DNSSEC signing policy. A special default value can be
used for the default policy settings.

Required

request-edns-option
An arbitrary EDNS0 option which is included into a server request
(AXFR, IXFR, SOA, or NOTIFY). The value is in the
option_code:option_data format.

Default: not set

serial-policy
Specifies how the zone serial is updated after a dynamic update or
automatic DNSSEC signing. If the serial is changed by the dynamic
update, no change is made.

Possible values:

· increment – The serial is incremented according to serial number
arithmetic.

· unixtime – The serial is set to the current unix time.

· dateserial – The 10-digit serial (YYYYMMDDnn) is incremented; the
first 8 digits match the current ISO date.

NOTE:
In the case of unixtime, if the resulting serial is lower than or equal
to the current zone serial (this happens e.g. in the case of migrating
from another policy or of frequent updates), the serial is incremented
instead.

Use dateserial only if you expect less than 100 updates per day per
zone.

Default: increment

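An added Python sketch (written for this page, not Knot's code) of the three serial-policy values above, with the clock injected so the result is reproducible: increment uses serial number arithmetic (RFC 1982, modulo 2^32), while unixtime and dateserial first compute a candidate serial and, following the note above, fall back to an increment when the candidate would not be greater than the current serial. Applying that fallback to dateserial as well is this example's assumption; it is what makes the "less than 100 updates per day" remark visible. EXAMPLE_NOW and the serial values are constructed.

```python
import datetime as dt

SERIAL_MOD = 2 ** 32          # the SOA serial is an unsigned 32-bit counter
HALF = 2 ** 31

# Constructed reference clock used by the demo and the checks.
EXAMPLE_NOW = dt.datetime(2019, 1, 23, 12, 0, 0, tzinfo=dt.timezone.utc)


def serial_increment(serial: int) -> int:
    """Next serial in RFC 1982 serial number arithmetic (wraps at 2^32)."""
    return (serial + 1) % SERIAL_MOD


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 'a is greater than b' for 32-bit serials."""
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def next_serial(policy: str, current: int, now: dt.datetime) -> int:
    """Serial to write after a DDNS or signing change for the given
    serial-policy value (increment | unixtime | dateserial).
    'now' must be a timezone-aware datetime."""
    if policy == "increment":
        return serial_increment(current)
    if policy == "unixtime":
        candidate = int(now.timestamp())
    elif policy == "dateserial":
        # YYYYMMDDnn with nn = 00 for the first change of the day.
        candidate = int(now.strftime("%Y%m%d")) * 100
    else:
        raise ValueError(f"unknown serial-policy: {policy}")
    # Note from the manual: if the resulting serial would not be greater than
    # the current one (migration from another policy, several updates within
    # one second or one day), increment instead so slaves see a newer zone.
    return candidate if serial_gt(candidate, current) else serial_increment(current)


if __name__ == "__main__":
    cases = [("increment", 2 ** 32 - 1),   # wrap-around
             ("unixtime", 2019012305),     # migrating from dateserial
             ("unixtime", 1548244800),     # second update within one second
             ("dateserial", 2019012205),   # first change today
             ("dateserial", 2019012399)]   # 100th change today spills over
    for policy, current in cases:
        print(f"{policy:11} {current:>10} -> {next_serial(policy, current, EXAMPLE_NOW)}")
```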
min-refresh-interval
Forced minimum zone refresh interval to avoid flooding the master.

Default: 2

max-refresh-interval
Forced maximum zone refresh interval.

Default: not set

module
An ordered list of references to query modules in the form of
module_name or module_name/module_id. These modules apply only to the
current zone queries.

Default: not set

Logging section
The server can be configured to log to the standard output, standard
error output, syslog (or systemd journal if systemd is enabled) or into
an arbitrary file.

There are 6 logging severity levels:

· critical – Non-recoverable error resulting in server shutdown.

· error – Recoverable error, action should be taken.

· warning – Warning that might require user action.

· notice – Server notice or hint.

· info – Informational message.

· debug – Debug messages (must be turned on at compile time).

In the case of a missing log section, warning or more serious messages
will be logged to both standard error output and syslog. The info and
notice messages will be logged to standard output.

log:
  - target: stdout | stderr | syslog | STR
    server: critical | error | warning | notice | info | debug
    control: critical | error | warning | notice | info | debug
    zone: critical | error | warning | notice | info | debug
    any: critical | error | warning | notice | info | debug

target
A logging output.

Possible values:

· stdout – Standard output.

· stderr – Standard error output.

· syslog – Syslog.

· file_name – A specific file.

server
Minimum severity level for messages related to general operation of the
server that are logged.

Default: not set

control
Minimum severity level for messages related to server control that are
logged.

Default: not set

zone
Minimum severity level for messages related to zones that are logged.

Default: not set

any
Minimum severity level for all message types that are logged.

Default: not set

AUTHOR
CZ.NIC Labs <https://www.knot-dns.cz>

COPYRIGHT
Copyright 2010–2019, CZ.NIC, z.s.p.o.



2.7.6                              2019-01-23                       KNOT.CONF(5)